Papa Carder
Overview of NFC Relay Attacks on Access Cards
NFC relay attacks on access cards involve intercepting and relaying wireless signals between an NFC-enabled access card (or smartphone acting as one) and a reader, such as those used for door entry in offices, buildings, events, public transportation, or secure facilities. These cards typically operate under standards like ISO/IEC 14443, similar to contactless payment systems, but focus on granting physical access rather than financial transactions. The attack exploits the assumption of physical proximity (usually <10 cm) by using proxy devices to extend the range, allowing unauthorized entry without the cardholder's knowledge. While much research and incidents center on payment cards, the underlying technology is analogous, making access systems equally vulnerable. As of 2026, with increasing adoption of NFC for access control, these attacks pose risks in corporate, residential, and public sectors, often amplified by malware or custom hardware.
How NFC Relay Attacks Work on Access Cards
The mechanics mirror those in payment systems but target authentication protocols for entry:
- Setup: An attacker uses a rogue NFC reader (e.g., a modified smartphone or device like Flipper Zero) placed near the victim's access card, often in a pocket or bag, without direct contact. A second device is positioned at the target access reader (e.g., a door lock).
- Interception and Relay: When the second device initiates or mimics an access request, signals are relayed in real-time via channels like Bluetooth, Wi-Fi, or cellular data. The rogue reader "wakes up" the victim's card, captures authentication data (e.g., UID, challenge-response via APDUs), and forwards it. The access reader processes this as a legitimate tap, granting entry.
- Execution: The relay happens live, preserving dynamic elements like cryptograms or session keys in secure systems (e.g., MIFARE DESFire). Variants may use malware on smartphones to emulate the relay, abusing Android's Host Card Emulation (HCE) for stealthy operation.
This differs from cloning (copying static data) as it handles real-time interactions, making it effective against systems with anti-cloning measures.
Risks Associated with These Attacks
- Unauthorized Physical Access: Attackers can enter restricted areas, leading to theft, espionage, or sabotage in offices, apartments, or transit systems.
- Privacy and Data Breach: Intercepted signals may expose personal info, like employee IDs or location data.
- Combined Threats: If the access card doubles as a payment or ID card, it could enable financial fraud or identity theft.
- Business Impacts: Loss of trust, regulatory fines, and operational disruptions for organizations relying on NFC access.
- Scalability via Malware: Tools like SuperCard X or NFCGate enable MaaS for relays, increasing attack frequency.
While specific large-scale incidents on access cards are less publicized than payment ones, demonstrations have shown vulnerabilities in systems like hotel locks or corporate badges.
Mitigations and Protections
To counter these attacks, combine technical, behavioral, and systemic measures:
- Distance Bounding Protocols: Implement timing-based checks to ensure signals aren't delayed by relays, bounding the distance to <10 cm.
- Secure Hardware and Protocols: Use cards with advanced encryption (e.g., AES in DESFire) and secure elements; enable mutual authentication. Disable NFC when not needed and keep firmware updated.
- Multi-Factor Authentication (MFA): Add biometrics, PINs, or secondary factors for access; integrate with apps for real-time alerts.
- Physical Shields: Use RFID-blocking wallets or sleeves to prevent unintended activation.
- Monitoring and Detection: Employ intrusion detection systems; monitor for anomalies like mismatched locations or rapid accesses.
- User Awareness: Avoid crowded areas for sensitive taps; stay informed via security forums.
Future standards may include better encryption and AI-based detection to reduce risks. For organizations, regular audits of access systems are recommended.
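The "Monitoring and Detection" item above can be made concrete over badge logs. The following is an added example, not part of the original post: it flags a credential that appears at two readers farther apart than a person could walk in the elapsed time (a relayed tap while the real card is elsewhere shows up this way) and bursts of taps from one credential. The reader names, coordinates, thresholds, log format and badge IDs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import hypot

# Constructed reader positions in metres on a site plan (assumption).
READERS = {"lobby": (0, 0), "lab-2f": (40, 30), "annex": (900, 400)}
MAX_WALK_MPS = 2.5   # assumed fastest plausible walking speed
RAPID_WINDOW_S = 5   # assumed window for "rapid accesses"
RAPID_COUNT = 3      # taps inside the window that raise an alert

@dataclass
class Tap:
    ts: datetime
    credential: str
    reader: str

def parse(line):
    """Parse one 'timestamp,credential,reader' log line (constructed format)."""
    ts, cred, reader = line.strip().split(",")
    return Tap(datetime.fromisoformat(ts), cred, reader)

def detect(taps):
    """Return a list of (kind, credential, reader, timestamp) alerts."""
    alerts, history = [], {}
    for tap in sorted(taps, key=lambda t: t.ts):
        seen = history.setdefault(tap.credential, [])
        if seen:
            prev = seen[-1]
            (x1, y1), (x2, y2) = READERS[prev.reader], READERS[tap.reader]
            dist = hypot(x2 - x1, y2 - y1)
            elapsed = (tap.ts - prev.ts).total_seconds()
            # Mismatched locations: the badge cannot have covered this distance.
            if dist > elapsed * MAX_WALK_MPS:
                alerts.append(("impossible_travel", tap.credential, tap.reader, tap.ts))
        seen.append(tap)
        # Rapid accesses: count this credential's taps inside the sliding window.
        recent = [t for t in seen if (tap.ts - t.ts).total_seconds() <= RAPID_WINDOW_S]
        if len(recent) >= RAPID_COUNT:
            alerts.append(("rapid_access", tap.credential, tap.reader, tap.ts))
    return alerts

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2026-01-12T08:59:50,badge-0417,lobby
2026-01-12T09:00:30,badge-0417,lab-2f
2026-01-12T09:00:45,badge-0417,annex
2026-01-12T09:05:00,badge-0932,lobby
2026-01-12T09:05:02,badge-0932,lobby
2026-01-12T09:05:04,badge-0932,lobby
"""

ALERTS = detect(parse(line) for line in SAMPLE_LOG.splitlines())
```

In the sample, the 50 m lobby-to-lab move in 40 s passes, while the roughly 936 m hop to the annex 15 s later and the three lobby taps within 4 s are flagged.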