NFCGate: The Tool, Setup & Test

Intro

NFCGate is an open source project for security research purposes. It was designed by some Secure Mobile Networking Lab students from TU Darmstadt.

The design is similar to NFCProxy which was presented in DEF CON 20. Implementing Android technology to achieved the NFC relay. The NFCProxy was a direct connection using WiFi connectivity.

Moreover, the NFCGate has different and special capabilities such as clone, replay, relay or capture. To do this, NFCGate is flexible. It could use different technologies like WiFi or cellular services. Therefore, this project uses a server as MiTM option. The server is a Python script which implements Google Protocol Buffers technology to handle and interchange data between connections.

---

Adding the server as Networking component

---

Setup

For the setup purposes, I used two Google Nexus 5X. Following the compatibility for all the supported modes:

• NFC support
• Android 4.4+ (API level 19+)
• Xposed: On-device capture, relay tag mode, replay tag mode, clone mode.
• ARMv8-A, ARMv7: Relay tag mode, replay tag mode, clone mode.
• HCE: Relay tag mode, replay tag mode, clone mode.

It is very important to install the Xposed framework using the Root Toolkit software or the Xposed install apk.

I bought two Nexus 5X in Amazon. Some of them are listed as “Unlocked phones”, but when the package arrived, they were locked; First, I had to unlocked them before rooted them. To unlock and root them, I used the “Nexus Root Toolkit“. Be careful, this process might brick the phone and make it unusable.

After the setup is completed, the NFCGate installation is very straightforward. Download the apk and install it.

---

Test

The first thing is to check the status in the NFCGate app. It will let us know if everything is running as expected.

In the app settings section, I added the server local ip address to test the relay part. After that, I run the Python server.

sal@Netxing-8:~/Downloads/server-2$ python3 server.py
2019-11-06 10:32:14.558544 [server] 0 NFCGate server listening on (‘0.0.0.0’, 5566)

At this point, you will be able to connect both Android devices to the server in the relay section:

After both NFCGate established the connection, the server will show you the information right away:

---

The relay in action:

Otro de los ataques que analizaremos en el taller de RFID y NFC de esta edición de la @8dot8 son los ataques de relay; no importando la distancia entre los dispositivos, ya que estos pueden enviar los datos por internet!

Los esperamos!#rfid #nfc pic.twitter.com/vF4vb8TmcA

— Salvador Mendoza (@Netxing) October 18, 2019

---

For future posts, I will write about how to alter data in real-time using this project.

---

If you want to support my research, please join me at Patreon: https://www.patreon.com/salmg