NFCGate: Opening the Door for NFC Security Research with a Smartphone-Based Toolkit


Steffen Klee, Alexandros Roussos, Max Maass, and Matthias Hollick, Secure Mobile Networking Lab, TU Darmstadt


Near Field Communication (NFC) is being used in a variety of security-critical applications, from access control to payment systems. However, NFC protocol analysis typically requires expensive or conspicuous dedicated hardware, or is severely limited on smartphones. In 2015, the NFCGate proof of concept aimed at solving this issue by providing capabilities for NFC analysis employing off-the-shelf Android smartphones. In this paper, we present an extended and improved NFC toolkit based on the functionally limited original open-source codebase. With in-flight traffic analysis and modification, relay, and replay features this toolkit turns an off-the-shelf smartphone into a powerful NFC research tool. To support the development of countermeasures against relay attacks, we investigate the latency incurred by NFCGate in different configurations. Our newly implemented features and improvements enable the case study of an award-winning, enterprise-level NFC lock from a well-known European lock vendor, which would otherwise require dedicated hardware. The analysis of the lock reveals several security issues, which were disclosed to the vendor.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {257188,
author = {Steffen Klee and Alexandros Roussos and Max Maass and Matthias Hollick},
title = {{NFCGate}: Opening the Door for {NFC} Security Research with a {Smartphone-Based} Toolkit},
booktitle = {14th USENIX Workshop on Offensive Technologies (WOOT 20)},
year = {2020},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video