Deep-Learning-Aided RF Fingerprinting for NFC Relay Attack Detection

Abstract

Near field communication (NFC) has been a widely used radiofrequency identification (RFID) technology, credited to its convenience and security features. However, the transmitted signals can be easily eavesdropped or relayed in an open wireless channel. One of the challenges is relay attack, where an attacker simply relays the signal and bypasses encryption or other means in the application layer. Prior works on relay attack countermeasures have focused on distance-bounding protocols or ambient-based solutions. This paper focuses on ISO/IEC 14443-A and proposes an NFC relay detection method based on RF fingerprinting of transmitted wireless signals in the physical layer. To this end, we first designed and implemented two realizations of NFC relay attacks, wired and wireless relays, and built an SDR-based testbed. We collected the normal and relayed signals of four NFC tags, and the answer to request type A (ATQA) segments were selected for RF fingerprinting. The created dataset comprised 66,366 samples, with four tags’ normal and wired relayed signals and the wireless relayed signals. The dataset was then fed into a deep CNN for training. Finally, our experiment results showed that the method effectively distinguished normal and relayed signals with a high accuracy of 99%, confirming that RF fingerprinting can be a promising countermeasure to NFC relay attacks.

1. Introduction

Near field communication (NFC) has been a widely used radiofrequency identification (RFID) technology in recent years. It enables short-distance contactless communication functionality on smartphones and other devices, providing convenient services such as mobile payment, a wearable device, and passive keyless entry and start systems (PKES). However, all users can receive the information transmitted over the air. This means the security risks exist in RFID/NFC communication systems, and the risks may cause the property loss as the NFC is being applied in various devices.

Among the security risks is the relay attack that be conducted even when the information is protected by encryption methods. Francillon et al. [1] conducted a study on wired and wireless relay attacks on PKES, and showed that simply relaying the signal between the key fob and the car could realize an attack even when they were far away from each other. Their risk evaluation on ten car models from eight car manufacturers showed that the PKES of the cars were vulnerable to relay attacks. In a relay attack, the attacker just relays the communication signal without analyzing or modifying it. The attacker deceives two communication entities to conduct the NFC transactions by relaying the signal between the two entities even when they are far away from each other. Although many RF systems apply data encryption to protect the transmitted information, the encryption measure is unable to address the relay attack since the attacker does not need or attempt to decipher the encrypted information.

To address the relay attack, many methods have been proposed. Two representative methods are distance-bounding (DB)-based and ambient-based methods [2]. Both schemes focus on verifying proximity in the physical space of the (two) communicating entities. Distance bounding depends on the round-trip time measurement of challenging bits for proximity checking in an authentication phase. Because the signal’s travel speed and distance are assumed constant, a delay in the RTT can indicate that the signal may have been relayed. The distance-bounding methods proposed in the literature [3,4] have laid the foundation of current canonical distance-bounding schemes, known as the Brands–Chaum protocol and the Hancke–Kuhn protocol. Some following studies such as [5,6,7] proposed improvements on the above two distance-bounding protocols. In [5], an improved solution of the Hancke–Khun protocol with a symmetric cryptography implementation was proposed that was capable of addressing both terrorist fraud relay and mafia relay attacks. Ref. [6] addressed the vulnerabilities in the previous protocols. The authors proposed a modified DB protocol for RFID systems with more encryption loops and a better probability of defending against terrorist fraud relay attacks. Rasmussen et al. [8] addressed the information leakage issue in DB protocols and put forward a location-private DB protocol. In [7], the RFID DB protocol “Swiss Knife” was proposed with improvements in the aspects of computation overhead, error resistance, and privacy protection compared to previous protocols. Refs. [9,10] utilized quantum bits and proposed more secure and efficient DB protocols for RF systems. Comprehensive reviews on distance-bounding protocols can be found in recent studies such as [11,12]. However, DB-based methods may suffer from an imprecise distance estimation due to the short RFID/NFC communication distance and the fast signal propagation speed. In addition, additional modifications of specific protocols are required, which may impede the widespread implementation of such protocols in applications.

The ambient-based methods [13,14,15] check the similarity degree of ambient conditions of the two entities to identify the relay attack. These ambient-based methods may suffer from misjudgment problems when the ambient conditions are similar. Moreover, the high detection accuracy relies on the sensors’ proper and good functioning, which raises concerns about the reliability of these proposed methods over long-time runs.

Some recent works such as [16,17,18] studied information embedding or watermark techniques to embed digital information imperceptibly for the authenticity and security of data in wireless networks. Refs. [19,20,21] demonstrated that watermarks could be employed to detect replay attacks, thus improving wireless network security. However, in an RF/NFC relay attack which can be different from replay attacks, the attacker does not read or modify the content of transmitted signals throughout the attack, and the signals are simply relayed as a whole. Therefore, watermarks are unable to serve as an effective way of identifying relay attacks.

This paper employs RF fingerprinting to identify wireless devices and NFC relay attacks. RF fingerprints refer to the device-specific features extracted from the emitted wireless signals of RF devices. RF fingerprinting is a noteworthy research field regarding the domain of wireless signals and is now intersecting with machine learning methodologies.

Danev et al. [22] pointed out that physical-layer device identification can be feasible because of the hardware defects in the analog circuitry introduced at the manufacturing process. The defects can be reduced to some extent by more sophisticated manufacturing procedures, but they will not be eliminated completely. The residual hardware defects usually differ slightly from one device to another, and consequently, every device emits a device-specific wireless signal which can be used to generate the RF fingerprint.

Extracting RF fingerprint features from transmitted signals is a critical step in our proposed method since the relaying devices will modify the signals’ waveform in its device-specific way. Therefore, our goal is to identify relay attacks from the perspective of the analysis and identification of transmitted wireless signals.

In the past, many methods have been proposed to extract hand-engineered RF fingerprints from I/Q imbalance [23], wavelet transforms [24], or synthetic statistical features [25]. The hand-engineered features may be able to identify the relay attack rather well for a smaller number of devices. For a large number of devices, however, the interclass distance between the hand-engineered RF fingerprints of the legal devices and that of the relay attacks may be too small, and thus the performance of identifying attacks deteriorates dramatically.

Deep learning has been applied to various applications in recent years for its strong ability to represent features. Related works on deep-learning-based RF fingerprinting demonstrated that deep learning could automatically extract RF fingerprints from raw signal data, reducing the efforts of manual fingerprint extraction based on expert domain knowledge. Riyaz et al. [26] used raw I/Q samples of the complex signal and proposed a convolutional neural network (CNN) structure for classifying five RF transmitter devices with a high accuracy of 90–99. Chatterjee et al. [27] used RF characteristics of wireless communication nodes as physical unclonable functions (RF-PUF), and an ANN structure was used to identify and authenticate IoT devices. Lee et al. [28] truncated the collected data and demonstrated that the pulses in the waveform corresponding to data bits could be used to extract RF features of the NFC tags. The considered deep learning models outperformed the conventional machine learning algorithms such as logistic regression or support vector machines (SVMs).

However, in the field of relay attacks, little research has been focused on RF-fingerprinting-based methods. To investigate the ability of the deep learning techniques identifying relay attacks, this work designed an SDR-based piece of equipment for collecting RF signal data of NFC transaction and then trained a convolutional neural network (CNN) classifier with these data.

The main contributions of this work are summarized as follows:

-

This article proposes a method that can effectively detect and identify NFC relay attacks by the waveforms of transmitted signals based on RF fingerprinting and deep learning.

-

To the best of our knowledge, no public dataset is available for identifying NFC relay attacks. This work first implemented two types of devices emulating wired and wireless NFC relay attacks. A testbed based on an SDR was built for the data acquisition. We created a dataset that contained 66,366 samples with four types of normal NFC tag samples, one type of wireless NFC attack samples, and four types of wired NFC attack samples.

-

Our proposed method utilizes deep learning and relies on signal waveform data in the physical layer. We prove the feasibility of relay attack detection when additional relaying devices other than the original tags are used. Moreover, the proposed method enables detection before the key-based authentication interaction in an NFC transaction, allowing for timely handling of relay attacks.

2. Technical Background

This section introduces the technical background on NFC and relay attacks. Radiofrequency (RF) identification is a technology that uses RF signals’ spatial coupling to realize automatic recognition of an object. NFC is one of the RFID technologies supporting fast access capability. Owing to its short communication distance, NFC can be applied to applications requiring higher security, for example, mobile payment, ticketing, PKES, etc. As an international standard for contactless smart cards, ISO/IEC 14443 discusses the contactless interaction mechanisms and related transport protocols for proximity coupling devices (PCDs) and proximity integrated circuit cards (PICCs). The two communication signal interfaces, type A and type B, are specified in 14443-2.

NFC-A is a widely used type of NFC and compatible with the 14443 type A standard. Therefore, the proposed method in this paper focuses on the NFC-A compatible with the ISO/IEC 14443A standard. ISO/IEC 14443-3 [29] describes the initialization and anti-collision of contactless IC cards. When the NFC tag is placed in the operating RF field of the PCD, the PCD initiates the process of establishing communication with the NFC tag. An activation sequence from the PCD includes three steps: request, anticollision loop, and select. In order to detect whether a PICC enters the PCD energy field, the PCD repeatedly sends the request command, type A (REQA), until it gets the response from a PICC’s answer to request type A (ATQA). The PICC now changes from the IDLE state to the READY state. Then, if the PICC passes the anticollision process, it becomes the ACTIVE state. The PICC in the ACTIVE state begins to listen to the messages from the higher layer that are about specific applications. Note that all NFC transactions start from the initialization and anticollision process, and the ATQA response from the NFC tag is also required in each transaction. Therefore, the ATQA can be used as a generic data segment for extracting RF fingerprints.

The data acquisition procedure is described in Section 4.

2.1. Amplitude Modulation and Encoding

In NFC-A, the signal carrier frequency transmitted from the PCD, i.e., the reader, to the PICC, i.e., the NFC tag, is 13.56 MHz. The data transmission rate is 106 Kb/s during the initialization of the anticollision process, and the period for one bit is 9.4 $\mathsf{\mu }$s. The PCD–PICC signal is 100% ASK modulated (OOK), while the PICC–PCD signal uses the load modulation, where the used subcarrier is generated from the carrier of the PCD signal.

The request and response command frames are transmitted pairwise. The transmission encoding is a modified Miller code from the PCD to the PICC and a Manchester encoding from the PICC to the PCD. The data in the frame are transmitted LSB first.

2.2. Adversarial Model

NFC improves security by its short communications range, which implies that the authentic tag (prover) is in the hand of the rightful owner and is close to the reader (verifier). To implement a relay attack, an adversary attempts to deceive the authentic prover and verifier into thinking they are in physical proximity, even if this is not the case. An adversary of an RFID/NFC relay attack simply relays the signal without decoding or modifying the contents of the message between P and V. The most common type of NFC relay attack is noted in [2] as the mafia relay attack, where the adversary uses a pair of fake tag and reader as emulating devices to fool authentic readers and tags. The devices forward and relay the signals between the reader and the tag in both directions. A typical example is the relay attack on PKES, in which the thieves relay the signals between the key fob and the car. This enables them to eventually get into and start the car even when the owner’s key fob is far away from the car. The second type of relay attack described in [2] refers to terrorist fraud relay attack, where an adversary takes control of the tag while the reader is still unaware of it. Relay attacks ignore the actual distance between the tag and the reader and target the physical layer. Consequently, higher-layer data encryption methods or security protocols cannot effectively defend against relay attacks. Moreover, legitimate tags and readers are often unaware of such an attack, making it difficult to defend against RFID/NFC relay attacks. A mafia relay attack is the more commonly seen type of NFC relay attacks in real life, where both communicating parties are unaware of the adversary. This article focuses on the mafia relay attack of NFC-Type A. We propose a method for effectively detecting and identifying this type of relay attack.

3. Related Works

3.1. Methods Addressing Relay Attacks

The methods of addressing RFID/NFC relay attacks can be classified into two categories, the distance-bounding based methods and the ambient-conditions-based methods [2]. Both categories aim to check whether the two communication entities are physically close.

The distance-bounding-based methods check the NFC tag and PICC proximity by computing their distance. Brands et al. [3] proposed the distance-bounding (DB) protocol that estimated the distance by measuring the round-trip time (RTT) between the sent bit and its corresponding response. Some follow-up studies such as Hancke et al. [4] optimized the DB protocol to be lightweight for resource-constrained devices such as RFID tags. Refs. [3,4] are now the existing canonical DB protocols [11]. Trujillo-Rasua et al. [30] proposed a background-noise-resilient DB protocol to cope with the noise’s impact on the performance of round-dependent DB protocols. Refs. [9,10] explored the feasibility of combining DB with quantum communications, where they utilized a qubit for the fast bit exchange in the challenge/response phase. The security capability of the proposed protocols benefited from the unpredictability of bits in quantum communications.

The distance estimation in some of the previous solutions can be calculation-error-prone due to the fast transmission speed of RF signals, the short communication range, or noisy environments. Other methods that share the distance-bounding concept, such as [31], suggested using a signal’s received signal strength indicator (RSSI) for the distance estimation. However, an attacker altering the signal’s power was not considered.

The ambient-based approaches verify the copresence of ambient conditions of the two communicating parties. Ma et al. [13] proposed a context-detection method that utilized the position and speed information derived from GPS data to defend against relay attacks. The premise of their method was that the tags were sensor-enabled, i.e., modified with GPS receivers. In addition, they fixed the application scenarios to toll station or gate access control to ensure the accessibility of accurate GPS data. Shrestha et al. [14] considered ambient temperature, carbon monoxide content, humidity, and altitude. Truong in [15] proposed their ambient-based approach for resisting relay attacks in zero-interaction authentication. They considered the RSSI of WiFi AP, Bluetooth RSSI, GPS satellites, the corresponding SNRs, and environmental parameters such as ambient sound. Their experiments also showed that measuring multiple sensor parameters could enhance reliability.

The ambient-based methods measure the similarity degree of the environmental parameters around the NFC tag and that around the PICC. They may fail to identify the relay attacks in the case where the NFC tag is far away from the PICC, but they have similar environmental parameters. Moreover, Truong et al. in [15] pointed out that parameter measurement failures could impact the performance of ambient-based methods.

The methods mentioned above either require a modification of specific protocols or limit acquisition parameters based on the chosen sensors, which may hinder the implementation of such schemes in the existing and widely deployed NFC applications. While DB protocols appear to be more promising, their applications in NFC in practice have yet to be seen. Regarding NXP Mifare contactless products, the DB protocols are either not activated by default or lack explanations for evaluating the RTT’s upper bound value on datasheets. In addition, these DB protocols can still be vulnerable to purpose-built relays because the measurement resolution may not be high enough to detect those fast relays, as was pointed out in [11].

3.2. Extracting Fingerprints for Identifying RF Devices

RF fingerprint is a widely used technique for identifying specific wireless devices. RF fingerprints can represent the intrinsic features of the hardware circuit defects resulting from manufacturing or the drift tolerance of electronic components, and hence are specific to individual devices. Danev et al. [32] classified and recognized RF transponders by extracting the fingerprints from modulation shapes and spectral features of the RF signals. Zhang et al. [25] derived fingerprints from the statistics of ATQA envelopes, used a multiple discriminant analysis (MDA) to maximize between-class separability, and achieved 100% accuracy on the set of 300 HF cards for all six types of cards.

Riyaz et al. [26] used SDR to collect I/Q samples of the complex signal at the physical layer, and then extracted device-specific features. A CNN structure was used for identifying five similar devices, and their work demonstrated an accuracy of 90–99 in noisy multipath wireless channels with distances ranging from 2 to 50 feet.

Chatterjee et al. [27] used RF characteristics extracted from the manufacturing process of wireless communication nodes as physical unclonable functions (RF-PUF) to identify and authenticate IoT network devices. They used an ANN structure and demonstrated the feasibility of implementing a low-cost, secure, and robust system with high accuracy.

Lee et al. in [28] truncated the collected data and proved that the pulses corresponding to one data bit could be used to extract RF features of the NFC tags. They applied and compared three deep learning models for classification and recognition of the NFC tags.

Some recent RF fingerprinting works [33,34] on WiFi and ADS-B studied the impact of confounding factors, time-varying channel, temperature, etc., on deep learning models. Ref. [35] suggested that dataset collection should span a more extended time to create a richer and more diverse dataset and a better model generalization.

The above methods focused on RF fingerprinting WIFI, IoT, and NFC devices; however, based on our knowledge, scarcely any research on addressing relay attacks with RF fingerprinting and deep learning techniques has been reported.

Applying deep learning techniques to identify relay attacks for RFID remains an open problem due to the lack of sufficient data samples collected from real NFC devices. In order to collect data samples for training deep neural networks, we designed and made two types of devices to simulate NFC relay attacks: a wired device and a wireless device.

With the two devices, we firstly collected the normal and relayed NFC signals, then localized the segments containing ATQA commands. These segments were taken out of the original signals and served as the data samples. A total of 66,366 samples (segments) were acquired. Once the data samples were ready, we trained a CNN structure on them and conducted experimental comparisons.

The rest of the paper is organized as follows. Section 4 describes the data acquisition procedure, where we describe the testbed we built, the two hardware devices we made for NFC relay attack realization and the dataset we created. We then describe the deep learning technique employed for RF fingerprint extraction in Section 5, then we present the experimental results and analysis. Finally, Section 6 concludes our work and discusses future work.

4. Materials and Methods

4.1. Dataset Creation for NFC Relay Attack Detection

This section presents the detailed process of making the dataset for deep-learning-aided NFC relay attack detection. Supervised deep learning typically requires a large quantity of annotated data. Since no public dataset was available, we created a dataset in this work. Specifically, we built an SDR-based testbed for data acquisition and collected the normal and relayed signal data of M1-type NFC tags at the physical layer. Then, the segments containing ATQA commands were located and sifted out. Finally, we manually screened all segments to ensure every segment was a valid sample.

4.1.1. Building Testbed for Data Acquisition

The data acquisition testbed included an SDR hardware platform, a sniffing coil, a tag reader, and two types of NFC relay devices, as shown in Figure 1.

SDR is a radio communication system that uses software to implement or define the components that require hardware implementation in traditional radio systems. We used AirSPY as the SDR hardware platform, which supports a sampling rate of 10 MSPS. A sniffing coil served as an antenna to capture the transmitted NFC signals between the reader and the NFC tags. The antenna was connected to the SDR hardware platform by a wire to collect the transmitted signals. Figure 2 displays the measurement setup for capturing the NFC signals.

The NFC reader was a general card reader based on the NXP’s NFC chip. We used 4 NFC tags from the same batch and same manufacturer with NXP MIFARE CLASSIC 1K chips. They had the same ATQA content and complied with the communication protocol ISO/IEC 14443-3, with the RF interface operating at 13.56 MHz.

4.1.2. NFC Relay Device

In this work, we made two typical types of devices for NFC relay attacks: wired relay attack and wireless relay attack. The two devices helped simulate NFC relay attacks, and with them, we acquired the relayed signals.

A wired relay attack is a simple but effective passive relay attack. To simulate a wired relay attack, we connected the two coils with a wire, with one coil (reader-emulating coil) being placed close to the normal NFC tag and the other coil (tag-emulating coil) placed within the NFC reader’s radiation field. A wired relay attack includes the following steps. The reader firstly activates the tag-emulating coil and they start to communicate. The tag-emulating coil then sends the signals to the reader-emulating coil through the wire. Finally, the NFC tag and the reader-emulating coil communicate, completing an NFC transaction. We proved the effectiveness of our device, and a better-designed and undetectable realization of such a relay can be found in recent works [36]. Figure 3a shows the process of a wired relay attack and the two coils.

A wireless relay attack device simulates the NFC relay attack over WiFi. The wireless relay attack device simulates an over-the-air scenario where the relay range is no longer limited to the length of the wire. Such attack form is usually conducted using devices with wireless connectivity, e.g., smartphones with BT or Wifi in mobile payment or access control system scenarios [37,38,39,40,41]. In line with previous works on wireless implementations of NFC relay attacks, we implemented a wireless relay attack over WiFi. Note that the realization can be generalized to other wireless techniques, e.g., LTE or 5G.

We developed a set of two emulators: a tag emulator and a reader emulator, as shown in Figure 3b. We started by designing a schematic and PCB (printed circuit board). Then, the tag/reader emulator was fabricated according to the designed PCB. The tag emulator mainly comprised three ICs: TRF7970, STM32F405, and ESP32. TRF7970 worked in the “card emulating” mode for the control of the STM32F405 IC, and TRF7970 was responsible for the communication with the (real) reader. It received the commands sent by the (real) reader and sent the commands to the reader emulator through the WiFi built by the ESP32 IC, and in the other direction, it received the commands sent by the reader emulator and sent the commands to the (real) reader. The reader emulator mainly comprised two ICs: PN532 and ESP32. PN532 worked in the “reader emulating” mode for the control of the ESP32 IC. It was responsible for the communication with the (real) tag.

We conducted experiments with the two emulators to ensure that they both could realize the relay attacks, i.e., they could successfully deceive the real reader and tag.

4.1.3. Data Collection

We used 4 NFC tags of the same batch and manufacturer to generate 4 types of normal NFC signals. For the wired relay attack, we used SDR (see Section 4.1) to collect the relayed signal data samples for each of the NFC tags, ending up with 4 types of wired relay signals. For the wireless relay attack, we acquired the signal from the emulator to the (real) reader, ending with 1 type of wireless relay signal. Eventually, 9 types of signals’ data were collected.

To preserve more details reflecting hardware characteristics, we adopted a high data sampling rate of 10 MSPS. We stored the signals from the physical layer in WAV format files. For each type of signal, we repeated acquiring the signals multiple times, and then located the segments containing ATQAs. All the segments were extracted and served as the data samples. Figure 4 illustrates some collected data samples.

We located and saved the ATQA command segments in the recording files. The data sampling rate was 10 MSPS. As is specified in 14443-A [29], the period for each bit of data was 9.4 $\mathsf{\mu }$s. Equation (1) gives the minimum of sampling points to contain the full segment of ATQA command by

$$N_s=\frac{N_B}{\frac{f_c}{128}}·f_s$$

(1)

where $N_s$ is the number of sampling points, $N_B$ is the number of bits in a single ATQA command, i.e., 19 bits (16 bits of data, 1 starting bit, and 2 parity bits), $f_c$ is the carrier frequency of NFC, and $f_s$ is the sampling rate. The $N_s$ is calculated and rounded to 1794 with $N_B$ = 19, $f_c$ = $13.56\times {10}^6$, and $f_s$ = $10\times {10}^6$. We set each of our data samples to have 1800 sampling points to contain the complete segment of a single ATQA.

Inspired by previous works on considerations regarding dataset collections, we conducted several intensive data collection phases, one week apart, to make our dataset contain sufficient data samples over the span of several weeks. Figure 5 shows the randomly picked waveform data samples. The normal signals of tags 1–4 from top to bottom are shown in Figure 5a. Figure 5b shows the samples of relayed signals.

4.1.4. Dataset Description

The dataset description is shown below.

• Dataset content: 66,366 data samples (9 type of tags, i.e., 4 normal + 4 wire-relayed + 1 wireless-relayed signals);
• Sample rate: 10 M samples/s;
• Data support for each class: 7474 samples with 1800 sampling points each;
• Size of each data sample: 4 KBytes;
• Content of data: ATQA segments (04 00 (hex) in Manchester encoding);
• Total size of dataset: 230 MBytes.

4.2. Relay Attack Identification with Convolutional Neural Networks

Recent works on DL and RF fingerprinting showed that CNNs achieved a high performance in RF fingerprinting tasks on raw wireless signals, demonstrating their capability for extracting features from raw signal data [26,42,43,44]. CNNs automatically extract high-dimensional features, avoiding manual fingerprint extraction, and such advantage is magnified in RF fingerprinting because signal imperfections are typically a synthesis of various sources and exhibit nontrivial spatial and temporal patterns [45]. Moreover, a CNN works in a protocol-independent fashion, which means it is possible to generalize the method to protocols other than NFC or to other wireless devices.

Based on the above advantages of CNNs, we utilize a CNN on raw waveform data to classify normal and relay NFC signals in this work. We apply 1D convolution layers on the 1D data for shift invariance since the hardware impairment features could appear in arbitrary locations.

Structure of CNN

This section employs a convolutional neural network (CNN) to extract the RF fingerprints from the 1D signals for classification. The input signals were classified into 9 types: 4 normal signals, 1 wireless relay attack, and 4 wired relay attacks. We employed a simple CNN structure containing three convolution layers followed by one fully connected layer. The first convolutional layer had 72 kernels of size 8, the second convolutional layer had 64 kernels of size 6, and the third convolutional layer had 32 kernels of size 6. The fully connected layer contained 256 hidden units. Each convolutional layer was followed by the ReLU. The output of the fully connected layer was fed into the softmax activation function for a multiclass classification. In addition, we normalized the data to improve the convergence speed of the training while retaining the original shape of the signals. The proposed CNN architecture is shown in Figure 6.

The CNN structure was built with Keras’s high-level deep learning APIs on TensorFlowGPU 2.4.0 installed on two desktops with NVIDIA RTX 2070S and RTX 3060 GPUs. In the training stage, the cross-entropy was used as the loss function and the Adam optimizer was used with a batch size of 1024. We applied early stop** with the callback of TensorFlow by monitoring the loss on the validation set on every epoch. The tolerance was set to 6 for the early stop**.

5. Results and Analysis

We compared the performance of the built CNN structure with a DNN. The DNN contained four fully connected layers with each layer followed by a ReLU. The L2 regularization penalty terms were used and the dropout rate was set to 0.25. We trained the CNN on our created dataset consisting of 66,366 samples. The dataset was split into a training set, a validation set, and a test set with the proportion of 70%, 20%, and 10%, respectively.

5.1. Performance Metrics

We applied the commonly used metrics, accuracy, precision, recall, and F1-score, to measure the performance. Accuracy is a base evaluation metric calculated by the sum of all correct predictions over all predictions. Precision is the correct positive predictions over all positive predictions. Recall is the fraction of correctly predicted positive samples among all positive samples. The F1-score is a metric that combines precision and recall. We used $N_{TP}$, $N_{FP}$, $N_{TN}$, and $N_{FN}$ to denote a true positive (TP), a false positive (FP), a true negative (TN), and a false negative (FN). The formula for the calculation of the metrics is given in Equation (2).

$$\begin{array}{c}\hfill \mathrm{Precision}=\frac{N_{TP}}{N_{TP}+N_{FP}}\\ \\ \hfill \mathrm{F}=2·\frac{precision·recall}{precision+recall}\\ \\ \hfill \mathrm{Recall}=\frac{N_{TP}}{N_{TP}+N_{FN}}\\ \\ \hfill \mathrm{Accuracy}=\frac{N_{TP}+N_{TN}}{N_{TP}+N_{TN}+N_{FP}+N_{FN}}\end{array}$$

(2)

Table 1. Performance Metrics of Considered Models.

Method	Precision	Recall	Accuracy	F1-Score
CNN	0.9890	0.9890	0.9889	0.9889
DNN	0.9677	0.9669	0.9669	0.9669
SVM	0.8638	0.8657	0.8657	0.8645

gives the performance of the built CNN, DNN, and SVM. While the current task was a multiclassification task, we reported the averaged performance metrics over the nine types of signals. The built CNN outperformed the DNN and SVM in distinguishing nine types of NFC tag signals, achieving 98.90% for the average precision over the nine types of signals, 98.90% for the average recall, 98.89% for the average accuracy, and 98.89% for the average F1-score. The DNN also achieved a rather satisfying performance owing to the large number of data samples. Both the CNN structure and DNN performed better than the SVM since they could learn a better feature representation (fingerprints) from the large dataset we created in this work.

Table 2. Performance Metrics of CNN.

Classes	Precision	Recall	F1-Score	Data Support
1	1.0000	0.9987	0.9993	759
2	0.9752	0.9354	0.9549	758
3	0.9443	0.9891	0.9662	737
4	0.9832	0.9791	0.9812	719
5	1.0000	1.0000	1.0000	750
6	1.0000	1.0000	1.0000	734
7	1.0000	0.9986	0.9993	722
8	1.0000	1.0000	1.0000	743
9	0.9986	1.0000	0.9993	715

gives the precision, recall, accuracy, and F1-score of the built CNN for every type of signal. For the normal signals from the first to fourth type, the built CNN made some prediction errors due to the close similarity of the four signals generated by the four tags from the same batch and manufacturer. For the wireless relayed signals (the fifth type), the built CNN obtained a precision and recall of 100%, all of the attacks were successfully identified and there was no false positive identification. For the sixth and eighth types of wired-relayed signals, the predicted recall and precision were also 100%. The relay process was able to enhance the distinctive features of the NFC signals, and the relayed signals could be better distinguished between the four types of wired relayed signals.

Figure 7 shows the confusion matrix of the classification results by the built CNN model. It is worth noting that Figure 7 also shows the built model could effectively classify the normal and relayed NFC signals. If we take the first type to the fourth type as the normal category and the other types as the relay category, the built CNN model achieved a 100% classification accuracy in terms of the binary classification between the normal and relay categories.

5.2. Model Comparison

Furthermore, we considered the receiver operating characteristic curve (ROC) for the proposed RF fingerprinting method. The goal was to evaluate the performance of our CNN model from a data-independent perspective. The ROC curve takes the true positive rate as the Y-axis and the false positive rate as the X-axis.

Since ROC curves are typically used to analyze a binary model, we first performed a binarization and computed the ROC in the one-vs.-rest scheme to extend and apply it in this multiclassification.

Figure 8 shows the ROC curve of the CNN model plotted for each label based on the backup dataset. The backup dataset was intentionally created for evaluation, which had the same size as the dataset used in the training phase, but the model had never seen the samples before. As seen from the ROC curves’ steepness, the model performed well with AUCs ranging from 0.9990 to 1. The proposed CNN classifier proved to be an effective and stable model for the task.

6. Discussion

Practicability

Finally, we should return to our discussion on the feasibility of DL-aided RF fingerprints for relay attack identification. To verify the practicability of our method, we trialed the model on a trial dataset. In addition, we verified if the model distinguished relayed signals from normal ones on new incoming data.

The trial dataset was obtained on different days than the first data collection in Section 4.1.4, and the two data acquisition rounds were separated by two weeks. Note that the testing dataset contained “completely new data” that the model had never seen in previous training or testing phases. This testing dataset had the exact composition of the nine labels (labels 1–4 for normal signals of four tags, and corresponding wire-relayed signals labeled 6–9, label 5 for the wireless-relayed signal) as the previous one, with only fewer data samples—only 6000 samples per label. The prediction result on the trial dataset is shown in

Table 3. Result of distinguishing between normal and relayed signals on testing dataset.

Normal but Rejected	Relay but Accepted
107	0

.

The result showed that the model achieved an accuracy of 99.8% on 54,000 samples, with 107 normal signals miscategorized as relayed signals and thus rejected even if they were from authentic tags. On the other hand, as expected, none of the relayed signals were recognized as normal. A relayed signal being accepted is usually a worse case since an attacker may succeed and cause property loss.

Finally, the time required for the prediction on 54,000 data samples was 8.603 s, equivalent to 0.159 ms for a single prediction if averaged over all samples. Note that the proposed method relied on the ATQA segment returned by the tags at the beginning of transactions, hence it enabled the identification of relay attacks in advance of the completion of NFC transactions rather than responding to it after the fact. Meanwhile, the single inference time was relatively short and met existing requirements for NFC verification time.

7. Conclusions

We focused on one of NFC’s potential security problems of susceptibility to relay attacks and provided an RF-fingerprinting-based solution as a countermeasure to such attacks. The main contributions of this article are summarized as follows: First, we reviewed current mainstream countermeasures of NFC relay attacks, and we suggested that RF fingerprinting techniques could be used to identify relay attacks. Second, we demonstrated in detail two typical realizations for NFC relay attacks, namely, the wired and wireless relay attacks. We created the NFC ATQA waveform dataset of four M1 NFC tags’ normal and relayed signals, which consisted of 66,366 data samples. Based on our knowledge, the public datasets relating to the current research are scarce, so we made our dataset publicly available as a supplement. Third, we proved the feasibility of employing deep learning techniques for NFC relay attack identification. The CNN built and trained on our dataset effectively distinguished the relayed NFC signals from normal ones on the test set and the new arrival data samples on the trial dataset. In addition, our deep-learning-based method did not require additional manual fingerprint feature extraction on raw data samples.

Compared to previous proposals on distance-bounding and ambient-based methods that also served as effective countermeasures, our proposed method did not add additional DB verification operations, thus not requiring a modification of a specific protocol. Meanwhile, the method did not require monitoring a set of specified ambient parameters. Finally, the proposed model could identify relay attacks in the early stage of NFC transactions, preventing loss in such applications as PKES of cars or NFC payments.

8. Limitations and Future Work

The current study has certain limitations: 1. The current dataset consists of only one typical way of wireless relay using WiFi. At the same time, wireless relay attacks can also be conducted using Bluetooth or cellular networks, etc. One of our future works will be proving the feasibility of such implementations and enlarging the dataset with multiple realizations of relays for enhanced sample diversity. 2. While the current dataset consists of signal samples from different positions of the tag and reader, we did not include different communication ranges, since the off-the-shelf product-level NFC reader used power suppression, lowering its range for transaction safety considerations and requiring the tags be placed close to the reader.

Other open research directions worth further investigations include the interpretation of RF fingerprints, optimal deep learning model structure, and the acquisition and efficient utilization of data on terminal devices. As for our future work, we intend to further optimize our data acquisition method and develop lightweight (CNN) models and deploy them on low-power-consumption microcontrollers. Therefore, the computation cost of deep learning should be taken into consideration. Possible techniques include quantization methods or adopting a lightweight training framework, e.g., TFLite, to meet the requirements of resource-constrained devices.