WO2025056162A1 - Relay attack detection - Google Patents

Relay attack detection Download PDF

Info

Publication number
WO2025056162A1
WO2025056162A1 PCT/EP2023/075281 EP2023075281W WO2025056162A1 WO 2025056162 A1 WO2025056162 A1 WO 2025056162A1 EP 2023075281 W EP2023075281 W EP 2023075281W WO 2025056162 A1 WO2025056162 A1 WO 2025056162A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
responder
command
initiator
relay attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2023/075281
Other languages
French (fr)
Inventor
Martin Kaufmann
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Assa Abloy AB
Original Assignee
Assa Abloy AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Assa Abloy AB filed Critical Assa Abloy AB
Priority to PCT/EP2023/075281 priority Critical patent/WO2025056162A1/en
Publication of WO2025056162A1 publication Critical patent/WO2025056162A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • Embodiments illustrated and described herein generally relate to access control systems and to preventing security breaches in access control systems.
  • Access control systems grant physical access to an authorized user through a controlled portal such as a secured door.
  • remote identity authentication for applications such as mobile online shopping or mobile banking is now a common practice. Remote authentication often involves authentication information being exchanged between a user’s mobile phone and a server performing authentication. Unfortunately, attempts to defeat systems that provide secure authentication often occur. A relay attack is a type of hacking technique that can lead to a security breach of an access control system.
  • FIG. 1 is an illustration of an example of an access control system structure.
  • FIG. 2 is a timing diagram representing an example of a command sent by an initiator device and received by a receiving device.
  • FIG. 3 is a timing diagram representing an example of a relay attack involving a command sent by an initiator device received by a receiving device.
  • FIG. 4 is a flow diagram of an example of a method of operating an access control system.
  • FIG. 5 is a block diagram schematic of portions of an example of a verifier device.
  • a physical access control system provides automatic physical access to an authorized user through a physical access point such as a secured door. Seamless access control systems grant physical access to an authorized user through the controlled portal without requiring intrusive actions of the user such as entering or swiping an access card at a card reader or entering a personal identification number (PIN) or password.
  • PACS personal identification number
  • the architecture of a PACS may vary significantly based on the application (e.g., a hotel, a residence, an office, etc.), the technology (e.g., access interfaces technology, door type, etc.), and the manufacturer.
  • FIG. 1 is an illustration of a basic PACS structure useful for an office application.
  • the Access Credential is a data object, a piece of knowledge (e.g., PIN, password, etc.), or a facet of the person’s physical being (e.g., face, fingerprint, etc.) that provides proof of the person’s identity.
  • the Credential Device 104 stores the Access Credential when the Access Credential is a data object.
  • the Credential Device 104 may be a smartcard or smartphone.
  • Credential Devices include, but are not limited to, proximity radio frequency identification based (RFID-based) cards, access control cards, credit cards, debit cards, passports, identification cards, key fobs, near field communication (NFC) enabled devices, mobile phones, personal digital assistants (PDAs), tags, or any other device configurable to emulate a virtual credential.
  • RFID-based proximity radio frequency identification based
  • NFC near field communication
  • PDAs personal digital assistants
  • the Credential Device 104 can be referred to as the Access Credential.
  • the Reader device 102 or other verifier device retrieves and authenticates the Access Credential when a Credential Device is used and sends the Access Credential to the Access Controller 106.
  • the Access Controller 106 compares the Access Credential to an Access Control list and grants or denies access based on the comparison, such as by controlling an automatic lock on a door for example.
  • an Access Controller 106 may be included in the Reader device 102. These Reader devices can be referred to as offline readers or standalone readers. If the unlocking mechanism is included as well, a device is referred to as smart door lock which is more typically used in residential applications. Devices such as smart door locks are often battery powered, and power consumption and battery lifetime can be key parameters for the devices.
  • an access sequence consists of four parts: Proof of Presence, Intent Detection, Authentication, and Authorization.
  • the user approaches the door and presents their access credential or credential device. This provides the Proof of Presence and Intent portions of the sequence.
  • the reader device checks the validity of the access credential (the Authentication portion) and sends it to the access controller (e.g., using a local area network or LAN), which grants or denies access (the Authorization portion).
  • seamless access is access granted without intrusive actions to show Intent (e.g., presenting a card, entering a password etc.), while maintaining the same level of security as a conventional access system.
  • FIG. 2 is a timing diagram representing a command sent by an initiator device and received by a responder device.
  • the initiator device may be an interface terminal of a physical access control system (e.g., a Reader Device of a PACS or another type of verifier device) and the responder device may be a Credential Device.
  • the initiator device and the responder device include protocol layer circuitry and processing circuitry.
  • the protocol layer circuitry can include a medium access control (MAC) layer and a physical (PHY) layer.
  • the initiator device transmits a command 210 to the responder device.
  • the command 210 may be included in an authentication protocol communicated between the initiator device and the responder device.
  • FIG. 2 shows a time delay or communication time gap Tc between the time the start of the command 210 is sent by the initiator device until it begins to arrive at the responder device.
  • FIG. 2 also shows a time delay or initiator sending time TA ⁇ I between the time the command is signaled to the processing circuitry of the initiator device as being sent and the time the last byte is actually sent by the physical layer circuitry of the initiator device. After the initiator sending time TA ⁇ I, the initiator execution time TA of executing the command begins.
  • FIG. 2 shows another time delay that is a responder receiving time Tsgi, which is the time between the responder device receiving all of the command and the responder device recognizing the command (e.g., by decoding the command data) and an application of the responder device starting to execute the command over the responder execution time TB.
  • Tsgi the time between the responder device receiving all of the command and the responder device recognizing the command (e.g., by decoding the command data) and an application of the responder device starting to execute the command over the responder execution time TB.
  • FIG. 2 shows a time delay that is the responder sending time TB ⁇ 2, which is the time between the protocol layer of the responder device preparing the response data and the protocol layer beginning to send the response 212 to the command 210.
  • FIG. 2 also shows an initiator sending time TA ⁇ 2 at the initiator device after the initiator execution time TA.
  • the initiator sending time TA ⁇ 2 is the time between the initiator device beginning to receive the response data to the time the response 212 is recognized (e.g., by decoding the response data) by the initiator device. There is also a second communication gap Tc between the time that the responder device starts to send the response 212 and the initiator device starts to receive the response data.
  • TA + T Agi + TAg2 TB + T Bgi + T Bg 2 + 2(Tc) .
  • Tc ⁇ TA - (T B + T Bgi + T Bg 2 - TAgi - TAg2) ⁇ / 2 .
  • FIG. 3 is a timing diagram representing a command 310 sent by an initiator device, relayed by two attacking devices (ATTACKER 1, ATTACKER 2) in a relay attack, and then received by a responder device.
  • the attacking devices add a communication gap Tc to the sending of the command 310 by the initiator device and the receiving of the command 310 by the responder device.
  • the communication gap TCA between the attacking devices may be less than the communication Tc.
  • the communication between the attacking devices can be very efficient because the attacking devices can use any proprietary communication protocol.
  • the communication gap TCA is added to the sending of the command 310 by the initiator device and the receiving of the command 310 by the responder device.
  • the attacking devices also add the Tc and TCA communication gaps to the sending of the response 312 by the responder device and the receiving of the response 312 by the initiator device.
  • the total time from when the initiator device starts to send the command to when the initiator device recognizes receiving the response 312 to the command is
  • the difference in time between the normal communication and the relay attack communication is 2(Tc) +2(TCA). If the communication time gaps are different between directions from initiator to responder and responder to initiator, the time difference may be (Tci + Tc?) + (TCAI + TCA2). If all the communication time gaps are all the same, the time difference is 4(Tc).
  • the difference in communication time for the command 210 and response 212 can be used by the initiator device to detect the relay attack.
  • the initiator device may measure a communication time gap. If the measured communication time gap is greater than a predetermined relay attack detection threshold, then there may be a relay attack.
  • the initiator device measures the time from sending the command 210 to receiving the response 212.
  • the responder device sends a value of the responder execution time TB to the initiator device.
  • the initiator device sends a second command to the responder device and the responder device includes the responder execution time TB in a response to the second command.
  • the responder device includes the responder execution time TB in a response to the first command sent by the initiator device.
  • the processing circuitry of the initiator device uses the received value of the responder execution time and the measured time for sending and receiving the command-response pair to detect a relay attack.
  • the processing circuitry may calculate a communication time gap between the initiator execution time of TA + T Agi + TA ⁇ 2 and the expected responder response time of TB + TB ⁇ I + TB ⁇ 2 and the expected communication gap of 2(Tc), or
  • Gap (TA + TAgi + TAg2) - (TB + TB ⁇ I + Tn g 2 + 2Tc) .
  • the initiator device may interpret the increase in communication time as a relay attack and take some action, such as denying the access requested, sending an alert message or alert signal to another device in the access control system, suspending communication for a predetermined period of time, etc.
  • FIG. 4 is a flow diagram of an example of a method 400 of operating an access control system.
  • a command is transmitted from an initiator device of the access control system to a responder device.
  • the initiator device may be a verifier device of the access control system (e.g., a reader device 102 in FIG. 1) and the responder device may be a credential device (e.g., credential device 104 in FIG. 1).
  • the command may be transmitted wirelessly to the responder device according to a wireless communication protocol (e.g., the Bluetooth® protocol) using physical layer circuitry of the verifier device.
  • the responder device may be a smart credential device (e.g., a smartphone or smartcard) storing access credential information.
  • the interface between the initiator device and the responder device may be a wired interface, and the measurement command can be transmitted according to a wired communication protocol.
  • the initiator device may be an authorization-only device that compares the credential information to credential information that is allowed access, or the initiator device may be a combination authorization and control device that evaluates credential information and provides access through a physical portal (e.g., a door) when the credential information meets the criteria for access.
  • the initiator device may be the credential device, and the responder device is the verifier device of the access control system.
  • the initiator device determines a time duration from the end of sending the command 210 to the start of receiving the response 212 to the command from the responder device.
  • the command 210 may be a measurement command sent by the initiator device specifically to measure the communication time between the initiator device and the responder device.
  • the initiator device sends a second command to the responder device and receives a value of the responder execution time (TB) in the response to the command from the responder device.
  • the processing circuitry of the initiator device computes a value of the communication time gap between the devices.
  • the initiator device stores (e.g., in a memory) an expected value for the normal communication time gap.
  • the expected value may be determined from previous measurements and programmed into the initiator device.
  • the processing circuitry of the initiator device may compare the computed communication time gap to the stored expected time. If attacker devices are relaying the command, the computed communication time gap will be longer than the expected time gap, and the initiator device will detect the relay attack.
  • the processing circuitry of the initiator device computes the difference between the initiator execution time and the responder execution time, and detects a relay attack when the time difference is longer than a predetermined threshold time difference.
  • the time returned by the responder device includes the actual responder execution time (TB), the responder receiving time (T Bg i), and the responder sending time (TB ⁇ 2).
  • the time measured by the initiator device includes the actual initiator execution time (TB), the initiator sending time (TA ⁇ I), and the initiator receiving time (TA ⁇ 2).
  • the time difference computed by the processing circuitry of the initiator device may be the computed communication time gap (Gap) in Equation (4) described previously herein. If the computed time difference is more than a threshold time (e.g., Gap > (T Agi + TA ⁇ 2 + threshold)), then the initiator device detects a relay attack.
  • a threshold time e.g., Gap > (T Agi + TA ⁇ 2 + threshold
  • the processing circuitry of the initiator device generates an indication when the initiator device detects relay attack.
  • the indication may be a signal sent to alarm circuitry of the initiator device or alarm circuitry of a separate device (e.g., an access controller 106 in FIG. 1).
  • the indication may be a predetermined message transmitted from the verifier device to the separate device.
  • the command 210 may be recurrently transmitted, and the response to the command measured to recurrently check for a relay attack.
  • One or both of the initiator device and the responder device may measure or compute any of the time durations described for the command and use the determined time to detect a relay attack.
  • the comparison of the timing measurements is used to decide whether the command 210 is relayed.
  • the timing measurement values may be based on the type of responder device.
  • the behavior of a hardware platform of a responder device may result in using different comparison algorithms. For example, when a command is received on the responder device for some platforms, it is not guaranteed it will be immediately executed. In another example, when a command is executed on the responder device it is not guaranteed that the response will be immediately sent.
  • Any communication mechanism that is not restarted or repeated can be used for the command and used in the timing measurements. Conversely, communication mechanism that are restarted or repeated should not be used.
  • error correction e.g., error correction coding or ECC
  • FIG. 5 is a block diagram schematic of various example components of a device 500 (e.g., an embedded device) for supporting the device architectures described and illustrated herein.
  • the device 500 of FIG. 5 could be, for example, a verifier or reader device that authenticates credential information of authority, status, rights, and/or entitlement to privileges for the holder of a credential device.
  • a reader device can include an interface (e.g., one or more antennas and Integrated Circuit (IC) chip(s)), which permit the reader device to exchange data with another device, such as a credential device or another verifier device.
  • an interface e.g., one or more antennas and Integrated Circuit (IC) chip(s)
  • IC Integrated Circuit
  • credential device is an RFID smartcard that has data stored thereon allowing a holder of the credential device to access a secure area or asset protected by the reader device.
  • additional examples of a device 500 for supporting the device architecture described and illustrated herein may generally include one or more of a memory 502, a processor 504, one or more antennas 506, a communication port or communication module 508, a network interface device 510, a user interface 512, and a power source 514 or power supply.
  • Memory 502 can be used in connection with the execution of application programming or instructions by processing circuitry, and for the temporary or long-term storage of program instructions or instruction sets 516 and/or authorization data 518, such as credential data, credential authorization data, or access control data or instructions, as well as any data, data structures, and/or computer-executable instructions needed or desired to support the above-described device architecture.
  • memory 502 can contain executable instructions 516 that are used by a processor 504 of the processing circuitry to run other components of device 500, to make access determinations based on credential or authorization data 518, and/or to perform any of the functions or operations described herein, such as the method of FIG. 4 for example.
  • Memory 502 can comprise a computer readable medium that can be any medium that can contain, store, communicate, or transport data, program code, or instructions for use by or in connection with device 500.
  • the computer readable medium can be, for example but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples of suitable computer readable medium include, but are not limited to, an electrical connection having one or more wires or a tangible storage medium such as a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory
  • ROM read-only memory
  • EPROM erasable programmable read-only memory
  • DRAM Dynamic RAM
  • CD-ROM compact disc read-only memory
  • Computer-readable media includes, but is not to be confused with, computer-readable storage medium, which is intended to cover all physical, non-transitory, or similar embodiments of computer-readable media.
  • Processor 504 can correspond to one or more computer processing devices or resources.
  • processor 504 can be provided as silicon, as a Field Programmable Gate Array (FPGA), an Application-Specific Integrated Circuit (ASIC), any other type of Integrated Circuit (IC) chip, a collection of IC chips, or the like.
  • processor 504 can be provided as a microprocessor, Central Processing Unit (CPU), or plurality of microprocessors or CPUs that are configured to execute instructions sets stored in an internal memory 520 and/or memory 502.
  • Antenna 506 can correspond to one or multiple antennas and can be configured to provide for wireless communications between device 500 and another device.
  • Antenna(s) 506 can be coupled to one or more physical (PHY) layers 524 to operate using one or more wireless communication protocols and operating frequencies including, but not limited to, the IEEE 802.15.1, Bluetooth, Bluetooth Low Energy (BLE), near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, RF, UWB, and the like.
  • Processor 504 may implement a MAC layer that forms a protocol layer with a physical layer 524.
  • antenna 506 may include one or more antennas coupled to one or more physical layers 524 to operate using ultra-wide band (UWB) for in band activity/communi cation and Bluetooth (e.g., BLE) for out-of-band (OOB) activity/communi cation.
  • UWB ultra-wide band
  • BLE Bluetooth
  • OOB out-of-band
  • any RFID or personal area network (PAN) technologies such as the IEEE 502.15.1, near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, etc., may alternatively or additionally be used for the OOB activity/communi cation described herein.
  • Device 500 may additionally include a communication module 508 and/or network interface device 510.
  • Communication module 508 can be configured to communicate according to any suitable communications protocol with one or more different systems or devices either remote or local to device 500.
  • Network interface device 510 includes hardware to facilitate communications with other devices over a communication network utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.).
  • transfer protocols e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.
  • Example communication networks can include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, wireless data networks (e.g., IEEE 802.11 family of standards known as Wi-Fi, IEEE 802.16 family of standards known as WiMax), IEEE 802.15.4 family of standards, and peer-to-peer (P2P) networks, among others.
  • network interface device 510 can include an Ethernet port or other physical jack, a Wi-Fi card, a Network Interface Card (NIC), a cellular interface (e.g., antenna, filters, and associated circuitry), or the like.
  • network interface device 510 can include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques.
  • SIMO single-input multiple-output
  • MIMO multiple-input multiple-output
  • MISO multiple-input single-output
  • one or more of the antennas 506, communication module 508, and/or network interface device 510 or subcomponents thereof may be integrated as a single module or device, function or operate as if they were a single module or device, or may comprise of elements that are shared between them.
  • User interface 512 can include one or more input devices and/or display devices. Examples of suitable user input devices that can be included in user interface 512 include, without limitation, one or more buttons, a keyboard, a mouse, a touch-sensitive surface, a stylus, a camera, a microphone, etc. Examples of suitable user output devices that can be included in user interface 512 include, without limitation, one or more LEDs, an LCD panel, a display screen, a touchscreen, one or more lights, a speaker, etc. It should be appreciated that user interface 512 can also include a combined user input and user output device, such as a touch-sensitive display or the like. The user interface 512 may include a separate alarm circuit 526 to indicate an alarm condition such as a relay attack or other security breach. Alarm circuit 526 may provide an audio signal to a speaker or may activate a light or present an alarm condition using a display device.
  • Alarm circuit 526 may provide an audio signal to a speaker or may activate a light or present an alarm condition using a display device.
  • Power source 514 can be any suitable internal power source, such as a battery, capacitive power source or similar type of charge-storage device, etc., and/or can include one or more power conversion circuits suitable to convert external power into suitable power (e.g., conversion of externally-supplied AC power into DC power) for components of the device 500.
  • suitable power e.g., conversion of externally-supplied AC power into DC power
  • Device 500 can also include one or more interlinks or buses 522 operable to transmit communications between the various hardware components of the device.
  • a system bus 522 can be any of several types of commercially available bus structures or bus architectures. ADDITIONAL DISCLOSURE AND EXAMPLES
  • Example 1 includes subject matter (such as an initiator device of an access control system) comprising protocol layer circuitry and processing circuitry operatively coupled to the protocol layer circuitry.
  • the processing circuitry is configured to initiate transmission of a command to a responder device, determine a first time measurement of a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device, receive a response from the responder device that includes a second time measurement of a responder execution time of the command by the responder device, and generate an indication when the first time measurement and second time measurement indicate a relay attack.
  • Example 3 the subject matter of one or both of Examples 1 and 2 optionally includes processing circuitry configured to initiate transmission of a second command to the responder device, receive the second time measurement in a response to the second command, compute a time difference between the first time measurement and the second time measurement, and determine whether the time duration indicates a relay attack using the computed time difference.
  • Example 4 the subject matter of one or any combination of Examples 1-3 optionally includes processing circuitry configured to compute a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device, compare the computed communication time gap to a specified relay attack detection time gap, and generate the indication when the computed communication time gap exceeds the specified relay attack detection time gap.
  • Example 5 the subject matter of one or any combination of Examples 1-4 optionally includes processing circuitry configured to compute the first time measurement to include an initiator execution time of the command, an initiator sending time that is a time duration between the protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized; compute a second time duration that includes the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device; compute a time difference between the first time measurement and the second time duration; and generate the indication when the computed time difference indicates a relay attack.
  • Example 6 the subject matter of one or any combination of Examples 1-5 optionally includes processing circuitry configured to initiate transmission of a multi-frame measurement command to the responder device, and determine the time duration as a time from an end of transmitting the multi-frame command to a start of receiving a response to the multi-frame command from the responder device.
  • Example 7 the subject matter of one or any combination of Examples 1-6 optionally includes protocol layer circuitry configured to receive a response to the command from a responder device that is a smart card.
  • Example 8 the subject matter of one or any combination of Examples 1-6 optionally includes protocol layer circuitry configured to receive a response to the command from a responder device that is a smart phone.
  • Example 9 include subject matter (such as a method of operating an access control system) or can optionally be combined with one or any combination of Examples 1-8 to include such subject matter; comprising transmitting a command from an initiator device of the access control system to a responder device, determining; using the initiator device, a first time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device; receiving, by the initiator device from the responder device, a responder execution time of a time duration for the responder device to execute the command; generating, using the initiator device, an indication of a relay attack using the first time duration and the responder execution time.
  • Example 10 the subject matter of Example 9 optionally includes computing, by the initiator device, a time difference between the first time duration and the responder execution time; comparing the computed time difference to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed time difference exceeds the relay attack detection time gap.
  • Example 11 the subject matter of one or both of Examples 9 and 10 optionally includes receiving, by the initiator device from the responder device, the responder execution time in response to a following command sent by the initiator device; and using the computed time difference to determine whether the time duration indicates a relay attack.
  • Example 12 the subject matter of Example 11 optionally includes computing, by the initiator device, a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device using the first time duration and the responder execution time; comparing the computed communication time gap to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap.
  • Example 13 the subject matter of one or any combination of Examples 9- 12 optionally includes computing, by the initiator device, the first time duration to include an initiator execution time of the command, an initiator sending time that is a time duration between a protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized, a second time duration including the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device, and a difference between the first time duration and the second time duration.
  • the initiator device uses the computed difference to determine whether the time duration indicates a relay attack.
  • Example 14 the subject matter of one or any combination of Examples 9- 14 optionally includes detecting, by the responder device, that the command is a multi-frame measurement command; omitting, by the responder device, error correction on the first frame of the multi-frame message; and wherein the determining the time duration includes the initiator device determining a time duration from an end of transmitting the multi-frame command by the initiator device to a start of receiving a response to the multi-frame command from the responder device.
  • Example 15 the subject matter of one or nay combination of Examples 9-14 optionally includes the initiator device being a reader device and the responder device being a smart card.
  • Example 16 the subject matter of one or nay combination of Examples 9- 14 optionally includes the initiator device being a verifier device and the responder device being a smart phone.
  • Example 17 includes subject matter (or can optionally be combined with one or any combination of Examples 1-16 to include such subject matter) comprising a computer- readable storage medium including instructions that, when executed by processing circuitry of an initiator device of an access control system, cause the initiator device to perform acts including transmitting a command to a responder device, determining a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device, receiving a responder execution time of a time duration for the responder device to execute the command, and generating an indication of a relay attack using the time duration and the responder execution time.
  • Example 18 the subject matter of Example 17 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including comparing the computed time difference to a specified relay attack detection time gap, and generating the indication when the computed time difference exceeds the relay attack detection time gap.
  • Example 19 the subject matter of one or both of Example 17 and 18 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including sending a following command to the responder device, receiving the responder execution from the responder service in a response to the following command, computing a time difference between the time duration and the responder execution time, and determining whether the time duration indicates a relay attack using the computed time difference.
  • Example 20 the subject matter of one or any combination of Examples 17- 19 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including computing a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device, comparing the computed communication time gap to a specified relay attack detection time gap, and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

An initiator device of an access control system includes physical layer circuitry and processing circuitry operatively coupled to the physical layer circuitry. The processing circuitry is configured to initiate transmission of a command to a responder device, determine a first time measurement of a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device, receive a response from the responder device that includes a second time measurement of a responder execution time of the command by the responder device, and generate an indication when the first time measurement and second time measurement indicate a relay attack.

Description

RELAY ATTACK DETECTION
TECHNICAL FIELD
[0001] Embodiments illustrated and described herein generally relate to access control systems and to preventing security breaches in access control systems.
BACKGROUND
[0002] Access control systems grant physical access to an authorized user through a controlled portal such as a secured door. Additionally, remote identity authentication for applications such as mobile online shopping or mobile banking is now a common practice. Remote authentication often involves authentication information being exchanged between a user’s mobile phone and a server performing authentication. Unfortunately, attempts to defeat systems that provide secure authentication often occur. A relay attack is a type of hacking technique that can lead to a security breach of an access control system.
BRIEF DESCRIPTION OF THE DRAWINGS
[0003] FIG. 1 is an illustration of an example of an access control system structure.
[0004] FIG. 2 is a timing diagram representing an example of a command sent by an initiator device and received by a receiving device.
[0005] FIG. 3 is a timing diagram representing an example of a relay attack involving a command sent by an initiator device received by a receiving device.
[0006] FIG. 4 is a flow diagram of an example of a method of operating an access control system.
[0007] FIG. 5 is a block diagram schematic of portions of an example of a verifier device.
DETAILED DESCRIPTION
[0008] A physical access control system (PACS) provides automatic physical access to an authorized user through a physical access point such as a secured door. Seamless access control systems grant physical access to an authorized user through the controlled portal without requiring intrusive actions of the user such as entering or swiping an access card at a card reader or entering a personal identification number (PIN) or password. The architecture of a PACS may vary significantly based on the application (e.g., a hotel, a residence, an office, etc.), the technology (e.g., access interfaces technology, door type, etc.), and the manufacturer.
[0009] FIG. 1 is an illustration of a basic PACS structure useful for an office application. The Access Credential is a data object, a piece of knowledge (e.g., PIN, password, etc.), or a facet of the person’s physical being (e.g., face, fingerprint, etc.) that provides proof of the person’s identity. The Credential Device 104 stores the Access Credential when the Access Credential is a data object. The Credential Device 104 may be a smartcard or smartphone. Other examples of Credential Devices include, but are not limited to, proximity radio frequency identification based (RFID-based) cards, access control cards, credit cards, debit cards, passports, identification cards, key fobs, near field communication (NFC) enabled devices, mobile phones, personal digital assistants (PDAs), tags, or any other device configurable to emulate a virtual credential.
[0010] The Credential Device 104 can be referred to as the Access Credential. The Reader device 102 or other verifier device retrieves and authenticates the Access Credential when a Credential Device is used and sends the Access Credential to the Access Controller 106. The Access Controller 106 compares the Access Credential to an Access Control list and grants or denies access based on the comparison, such as by controlling an automatic lock on a door for example.
[0011] The functionality of an Access Controller 106 may be included in the Reader device 102. These Reader devices can be referred to as offline readers or standalone readers. If the unlocking mechanism is included as well, a device is referred to as smart door lock which is more typically used in residential applications. Devices such as smart door locks are often battery powered, and power consumption and battery lifetime can be key parameters for the devices.
[0012] In a PACS, an access sequence consists of four parts: Proof of Presence, Intent Detection, Authentication, and Authorization. The user approaches the door and presents their access credential or credential device. This provides the Proof of Presence and Intent portions of the sequence. The reader device checks the validity of the access credential (the Authentication portion) and sends it to the access controller (e.g., using a local area network or LAN), which grants or denies access (the Authorization portion). As explained above, seamless access is access granted without intrusive actions to show Intent (e.g., presenting a card, entering a password etc.), while maintaining the same level of security as a conventional access system. [0013] Physical access control systems are susceptible to attempts for unauthorized access such as hacking. A relay attack is a type of hacking technique related to man-in-the middle attacks. In a man-in-the-middle attack, communication between the Access Controller 106 (or Reader device 102) and a Credential Device 104 is initiated by the attacking device, and the attacking device merely relays messages between the two legitimate devices. The Credential Device 104 may be remote from the controlled physical portal, but the Access Controller 106 grants access as if the legitimate Credential Device 104 were present. This may allow access to the holder of the attacking device to the controlled portal. [0014] FIG. 2 is a timing diagram representing a command sent by an initiator device and received by a responder device. The initiator device may be an interface terminal of a physical access control system (e.g., a Reader Device of a PACS or another type of verifier device) and the responder device may be a Credential Device. The initiator device and the responder device include protocol layer circuitry and processing circuitry. The protocol layer circuitry can include a medium access control (MAC) layer and a physical (PHY) layer. The initiator device transmits a command 210 to the responder device. The command 210 may be included in an authentication protocol communicated between the initiator device and the responder device.
[0015] FIG. 2 shows a time delay or communication time gap Tc between the time the start of the command 210 is sent by the initiator device until it begins to arrive at the responder device. FIG. 2 also shows a time delay or initiator sending time TA§I between the time the command is signaled to the processing circuitry of the initiator device as being sent and the time the last byte is actually sent by the physical layer circuitry of the initiator device. After the initiator sending time TA§I, the initiator execution time TA of executing the command begins.
[0016] FIG. 2 shows another time delay that is a responder receiving time Tsgi, which is the time between the responder device receiving all of the command and the responder device recognizing the command (e.g., by decoding the command data) and an application of the responder device starting to execute the command over the responder execution time TB. After the responder execution time TB, FIG. 2 shows a time delay that is the responder sending time TB§2, which is the time between the protocol layer of the responder device preparing the response data and the protocol layer beginning to send the response 212 to the command 210. FIG. 2 also shows an initiator sending time TA§2 at the initiator device after the initiator execution time TA. The initiator sending time TA§2 is the time between the initiator device beginning to receive the response data to the time the response 212 is recognized (e.g., by decoding the response data) by the initiator device. There is also a second communication gap Tc between the time that the responder device starts to send the response 212 and the initiator device starts to receive the response data.
[0017] Because of the delays in signaling times and the delay in recognizing the response 212, the time from sending the command to recognizing the response will appear to be an execution time of TA + TA§I + TA§2 to the initiator device. It can be seen in FIG. 2 that an expression for the execution time is
TA + TAgi + TAg2 = TB + TBgi + TBg2 + 2(Tc) . (1)
The relationship in Equation (1) is true if TAgi=TBgi and TAg2=TBg2, or if TA§I, TBgi, TA§2, and TBg2 are small enough to be ignored. Solving for the expected communication time gap Tc yields
Tc= {TA - (TB + TBgi + TBg2 - TAgi - TAg2)} / 2 . (2)
[0018] When there is a relay attack, there will be some non-zero time that the command and response pass through the attacking device or devices. The additional devices will add communication gaps Tc to the transmitting and receiving of the command and response. In a perfect relay attack, the attacking device or devices will be as efficient as possible.
[0019] FIG. 3 is a timing diagram representing a command 310 sent by an initiator device, relayed by two attacking devices (ATTACKER 1, ATTACKER 2) in a relay attack, and then received by a responder device. The attacking devices add a communication gap Tc to the sending of the command 310 by the initiator device and the receiving of the command 310 by the responder device. There is also a communication gap TCA between the attacking devices. The communication gap TCA between the attacking devices may be less than the communication Tc. The communication between the attacking devices can be very efficient because the attacking devices can use any proprietary communication protocol. The communication gap TCA is added to the sending of the command 310 by the initiator device and the receiving of the command 310 by the responder device.
[0020] The attacking devices also add the Tc and TCA communication gaps to the sending of the response 312 by the responder device and the receiving of the response 312 by the initiator device. The total time from when the initiator device starts to send the command to when the initiator device recognizes receiving the response 312 to the command is
TA + TAgi + TAg2 = TB + TBgi + TBg2 + 4(Tc) +2(TCA) . (3) [0021] The difference in time between the normal communication and the relay attack communication is 2(Tc) +2(TCA). If the communication time gaps are different between directions from initiator to responder and responder to initiator, the time difference may be (Tci + Tc?) + (TCAI + TCA2). If all the communication time gaps are all the same, the time difference is 4(Tc). The difference in communication time for the command 210 and response 212 can be used by the initiator device to detect the relay attack. The initiator device may measure a communication time gap. If the measured communication time gap is greater than a predetermined relay attack detection threshold, then there may be a relay attack.
[0022] To check for a relay attack, the initiator device measures the time from sending the command 210 to receiving the response 212. The responder device sends a value of the responder execution time TB to the initiator device. In some examples, the initiator device sends a second command to the responder device and the responder device includes the responder execution time TB in a response to the second command. In some examples, the responder device includes the responder execution time TB in a response to the first command sent by the initiator device. The processing circuitry of the initiator device uses the received value of the responder execution time and the measured time for sending and receiving the command-response pair to detect a relay attack. For instance, the processing circuitry may calculate a communication time gap between the initiator execution time of TA + TAgi + TA§2 and the expected responder response time of TB + TB§I + TB§2 and the expected communication gap of 2(Tc), or
Gap = (TA + TAgi + TAg2) - (TB + TB§I + Tng2 + 2Tc) . (4)
[0023] If the calculated communication time gap (Gap) is longer than an expected time difference the initiator device may interpret the increase in communication time as a relay attack and take some action, such as denying the access requested, sending an alert message or alert signal to another device in the access control system, suspending communication for a predetermined period of time, etc.
[0024] FIG. 4 is a flow diagram of an example of a method 400 of operating an access control system. At block 405, a command is transmitted from an initiator device of the access control system to a responder device. The initiator device may be a verifier device of the access control system (e.g., a reader device 102 in FIG. 1) and the responder device may be a credential device (e.g., credential device 104 in FIG. 1). The command may be transmitted wirelessly to the responder device according to a wireless communication protocol (e.g., the Bluetooth® protocol) using physical layer circuitry of the verifier device. The responder device may be a smart credential device (e.g., a smartphone or smartcard) storing access credential information. In variations, the interface between the initiator device and the responder device may be a wired interface, and the measurement command can be transmitted according to a wired communication protocol.
[0025] The initiator device may be an authorization-only device that compares the credential information to credential information that is allowed access, or the initiator device may be a combination authorization and control device that evaluates credential information and provides access through a physical portal (e.g., a door) when the credential information meets the criteria for access. In certain examples, the initiator device may be the credential device, and the responder device is the verifier device of the access control system.
[0026] At block 410, the initiator device determines a time duration from the end of sending the command 210 to the start of receiving the response 212 to the command from the responder device. The command 210 may be a measurement command sent by the initiator device specifically to measure the communication time between the initiator device and the responder device.
[0027] At block 415, the initiator device sends a second command to the responder device and receives a value of the responder execution time (TB) in the response to the command from the responder device. At block 420, the processing circuitry of the initiator device computes a value of the communication time gap between the devices.
[0028] In some examples, the initiator device stores (e.g., in a memory) an expected value for the normal communication time gap. The expected value may be determined from previous measurements and programmed into the initiator device. The processing circuitry of the initiator device may compare the computed communication time gap to the stored expected time. If attacker devices are relaying the command, the computed communication time gap will be longer than the expected time gap, and the initiator device will detect the relay attack.
[0029] According to some embodiments, the processing circuitry of the initiator device computes the difference between the initiator execution time and the responder execution time, and detects a relay attack when the time difference is longer than a predetermined threshold time difference. In certain examples, the time returned by the responder device includes the actual responder execution time (TB), the responder receiving time (TBgi), and the responder sending time (TB§2). The time measured by the initiator device includes the actual initiator execution time (TB), the initiator sending time (TA§I), and the initiator receiving time (TA§2). The time difference computed by the processing circuitry of the initiator device may be the computed communication time gap (Gap) in Equation (4) described previously herein. If the computed time difference is more than a threshold time (e.g., Gap > (TAgi + TA§2 + threshold)), then the initiator device detects a relay attack.
[0030] At block 425, the processing circuitry of the initiator device generates an indication when the initiator device detects relay attack. The indication may be a signal sent to alarm circuitry of the initiator device or alarm circuitry of a separate device (e.g., an access controller 106 in FIG. 1). In variations, the indication may be a predetermined message transmitted from the verifier device to the separate device. The command 210 may be recurrently transmitted, and the response to the command measured to recurrently check for a relay attack. One or both of the initiator device and the responder device may measure or compute any of the time durations described for the command and use the determined time to detect a relay attack.
[0031] The comparison of the timing measurements is used to decide whether the command 210 is relayed. The timing measurement values may be based on the type of responder device. The behavior of a hardware platform of a responder device may result in using different comparison algorithms. For example, when a command is received on the responder device for some platforms, it is not guaranteed it will be immediately executed. In another example, when a command is executed on the responder device it is not guaranteed that the response will be immediately sent.
[0032] Any communication mechanism that is not restarted or repeated can be used for the command and used in the timing measurements. Conversely, communication mechanism that are restarted or repeated should not be used. This includes error correction (e.g., error correction coding or ECC). If the measurement command includes multiple frames, error correction should be omitted from the first frame of the multi-frame message. Error correction on the first frame may add an additional gap between both timing measurements that can lead to a wrong relay detection. Error correction on the other frames would not cause an incorrect detection using the multi-frame command-response pair.
[0033] The systems, devices, and methods described herein provide a reliable way to detect a relay attack between two devices. Timing measurements for the attack detection are determined and may be shared between the initiator device and the responder device. [0034] FIG. 5 is a block diagram schematic of various example components of a device 500 (e.g., an embedded device) for supporting the device architectures described and illustrated herein. The device 500 of FIG. 5 could be, for example, a verifier or reader device that authenticates credential information of authority, status, rights, and/or entitlement to privileges for the holder of a credential device. At a basic level, a reader device can include an interface (e.g., one or more antennas and Integrated Circuit (IC) chip(s)), which permit the reader device to exchange data with another device, such as a credential device or another verifier device. One example of credential device is an RFID smartcard that has data stored thereon allowing a holder of the credential device to access a secure area or asset protected by the reader device.
[0035] With reference specifically to FIG. 5, additional examples of a device 500 for supporting the device architecture described and illustrated herein may generally include one or more of a memory 502, a processor 504, one or more antennas 506, a communication port or communication module 508, a network interface device 510, a user interface 512, and a power source 514 or power supply.
[0036] Memory 502 can be used in connection with the execution of application programming or instructions by processing circuitry, and for the temporary or long-term storage of program instructions or instruction sets 516 and/or authorization data 518, such as credential data, credential authorization data, or access control data or instructions, as well as any data, data structures, and/or computer-executable instructions needed or desired to support the above-described device architecture. For example, memory 502 can contain executable instructions 516 that are used by a processor 504 of the processing circuitry to run other components of device 500, to make access determinations based on credential or authorization data 518, and/or to perform any of the functions or operations described herein, such as the method of FIG. 4 for example. Memory 502 can comprise a computer readable medium that can be any medium that can contain, store, communicate, or transport data, program code, or instructions for use by or in connection with device 500. The computer readable medium can be, for example but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples of suitable computer readable medium include, but are not limited to, an electrical connection having one or more wires or a tangible storage medium such as a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory
(ROM), an erasable programmable read-only memory (EPROM or Flash memory), Dynamic RAM (DRAM), any solid-state storage device, in general, a compact disc read-only memory (CD-ROM), or other optical or magnetic storage device. Computer-readable media includes, but is not to be confused with, computer-readable storage medium, which is intended to cover all physical, non-transitory, or similar embodiments of computer-readable media.
[0037] Processor 504 can correspond to one or more computer processing devices or resources. For instance, processor 504 can be provided as silicon, as a Field Programmable Gate Array (FPGA), an Application-Specific Integrated Circuit (ASIC), any other type of Integrated Circuit (IC) chip, a collection of IC chips, or the like. As a more specific example, processor 504 can be provided as a microprocessor, Central Processing Unit (CPU), or plurality of microprocessors or CPUs that are configured to execute instructions sets stored in an internal memory 520 and/or memory 502.
[0038] Antenna 506 can correspond to one or multiple antennas and can be configured to provide for wireless communications between device 500 and another device. Antenna(s) 506 can be coupled to one or more physical (PHY) layers 524 to operate using one or more wireless communication protocols and operating frequencies including, but not limited to, the IEEE 802.15.1, Bluetooth, Bluetooth Low Energy (BLE), near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, RF, UWB, and the like. Processor 504 may implement a MAC layer that forms a protocol layer with a physical layer 524. In an example, antenna 506 may include one or more antennas coupled to one or more physical layers 524 to operate using ultra-wide band (UWB) for in band activity/communi cation and Bluetooth (e.g., BLE) for out-of-band (OOB) activity/communi cation. However, any RFID or personal area network (PAN) technologies, such as the IEEE 502.15.1, near field communications (NFC), ZigBee, GSM, CDMA, Wi-Fi, etc., may alternatively or additionally be used for the OOB activity/communi cation described herein.
[0039] Device 500 may additionally include a communication module 508 and/or network interface device 510. Communication module 508 can be configured to communicate according to any suitable communications protocol with one or more different systems or devices either remote or local to device 500. Network interface device 510 includes hardware to facilitate communications with other devices over a communication network utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks can include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, wireless data networks (e.g., IEEE 802.11 family of standards known as Wi-Fi, IEEE 802.16 family of standards known as WiMax), IEEE 802.15.4 family of standards, and peer-to-peer (P2P) networks, among others. In some examples, network interface device 510 can include an Ethernet port or other physical jack, a Wi-Fi card, a Network Interface Card (NIC), a cellular interface (e.g., antenna, filters, and associated circuitry), or the like. In some examples, network interface device 510 can include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. In some example embodiments, one or more of the antennas 506, communication module 508, and/or network interface device 510 or subcomponents thereof, may be integrated as a single module or device, function or operate as if they were a single module or device, or may comprise of elements that are shared between them.
[0040] User interface 512 can include one or more input devices and/or display devices. Examples of suitable user input devices that can be included in user interface 512 include, without limitation, one or more buttons, a keyboard, a mouse, a touch-sensitive surface, a stylus, a camera, a microphone, etc. Examples of suitable user output devices that can be included in user interface 512 include, without limitation, one or more LEDs, an LCD panel, a display screen, a touchscreen, one or more lights, a speaker, etc. It should be appreciated that user interface 512 can also include a combined user input and user output device, such as a touch-sensitive display or the like. The user interface 512 may include a separate alarm circuit 526 to indicate an alarm condition such as a relay attack or other security breach. Alarm circuit 526 may provide an audio signal to a speaker or may activate a light or present an alarm condition using a display device.
[0041] Power source 514 can be any suitable internal power source, such as a battery, capacitive power source or similar type of charge-storage device, etc., and/or can include one or more power conversion circuits suitable to convert external power into suitable power (e.g., conversion of externally-supplied AC power into DC power) for components of the device 500.
[0042] Device 500 can also include one or more interlinks or buses 522 operable to transmit communications between the various hardware components of the device. A system bus 522 can be any of several types of commercially available bus structures or bus architectures. ADDITIONAL DISCLOSURE AND EXAMPLES
[0043] Example 1 includes subject matter (such as an initiator device of an access control system) comprising protocol layer circuitry and processing circuitry operatively coupled to the protocol layer circuitry. The processing circuitry is configured to initiate transmission of a command to a responder device, determine a first time measurement of a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device, receive a response from the responder device that includes a second time measurement of a responder execution time of the command by the responder device, and generate an indication when the first time measurement and second time measurement indicate a relay attack.
[0044] In Example 2, the subject matter of Example 1 optionally includes processing circuitry configured to compute a time difference between the first time measurement and the second time measurement, compare the computed time difference to a specified relay attack detection time gap, and generate the indication when the computed time difference exceeds the relay attack detection time gap.
[0045] In Example 3, the subject matter of one or both of Examples 1 and 2 optionally includes processing circuitry configured to initiate transmission of a second command to the responder device, receive the second time measurement in a response to the second command, compute a time difference between the first time measurement and the second time measurement, and determine whether the time duration indicates a relay attack using the computed time difference.
[0046] In Example 4, the subject matter of one or any combination of Examples 1-3 optionally includes processing circuitry configured to compute a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device, compare the computed communication time gap to a specified relay attack detection time gap, and generate the indication when the computed communication time gap exceeds the specified relay attack detection time gap.
[0047] In Example 5, the subject matter of one or any combination of Examples 1-4 optionally includes processing circuitry configured to compute the first time measurement to include an initiator execution time of the command, an initiator sending time that is a time duration between the protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized; compute a second time duration that includes the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device; compute a time difference between the first time measurement and the second time duration; and generate the indication when the computed time difference indicates a relay attack.
[0048] In Example 6, the subject matter of one or any combination of Examples 1-5 optionally includes processing circuitry configured to initiate transmission of a multi-frame measurement command to the responder device, and determine the time duration as a time from an end of transmitting the multi-frame command to a start of receiving a response to the multi-frame command from the responder device.
[0049] In Example 7, the subject matter of one or any combination of Examples 1-6 optionally includes protocol layer circuitry configured to receive a response to the command from a responder device that is a smart card.
[0050] In Example 8, the subject matter of one or any combination of Examples 1-6 optionally includes protocol layer circuitry configured to receive a response to the command from a responder device that is a smart phone.
[0051] Example 9 include subject matter (such as a method of operating an access control system) or can optionally be combined with one or any combination of Examples 1-8 to include such subject matter; comprising transmitting a command from an initiator device of the access control system to a responder device, determining; using the initiator device, a first time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device; receiving, by the initiator device from the responder device, a responder execution time of a time duration for the responder device to execute the command; generating, using the initiator device, an indication of a relay attack using the first time duration and the responder execution time. [0052] In Example 10, the subject matter of Example 9 optionally includes computing, by the initiator device, a time difference between the first time duration and the responder execution time; comparing the computed time difference to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed time difference exceeds the relay attack detection time gap. [0053] In Example 11, the subject matter of one or both of Examples 9 and 10 optionally includes receiving, by the initiator device from the responder device, the responder execution time in response to a following command sent by the initiator device; and using the computed time difference to determine whether the time duration indicates a relay attack. [0054] In Example 12, the subject matter of Example 11 optionally includes computing, by the initiator device, a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device using the first time duration and the responder execution time; comparing the computed communication time gap to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap.
[0055] In Example 13, the subject matter of one or any combination of Examples 9- 12 optionally includes computing, by the initiator device, the first time duration to include an initiator execution time of the command, an initiator sending time that is a time duration between a protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized, a second time duration including the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device, and a difference between the first time duration and the second time duration. The initiator device uses the computed difference to determine whether the time duration indicates a relay attack.
[0056] In Example 14, the subject matter of one or any combination of Examples 9- 14 optionally includes detecting, by the responder device, that the command is a multi-frame measurement command; omitting, by the responder device, error correction on the first frame of the multi-frame message; and wherein the determining the time duration includes the initiator device determining a time duration from an end of transmitting the multi-frame command by the initiator device to a start of receiving a response to the multi-frame command from the responder device. [0057] In Example 15 the subject matter of one or nay combination of Examples 9-14 optionally includes the initiator device being a reader device and the responder device being a smart card.
[0058] In Example 16, the subject matter of one or nay combination of Examples 9- 14 optionally includes the initiator device being a verifier device and the responder device being a smart phone.
[0059] Example 17 includes subject matter (or can optionally be combined with one or any combination of Examples 1-16 to include such subject matter) comprising a computer- readable storage medium including instructions that, when executed by processing circuitry of an initiator device of an access control system, cause the initiator device to perform acts including transmitting a command to a responder device, determining a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device, receiving a responder execution time of a time duration for the responder device to execute the command, and generating an indication of a relay attack using the time duration and the responder execution time.
[0060] In Example 18, the subject matter of Example 17 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including comparing the computed time difference to a specified relay attack detection time gap, and generating the indication when the computed time difference exceeds the relay attack detection time gap.
[0061] In Example 19, the subject matter of one or both of Example 17 and 18 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including sending a following command to the responder device, receiving the responder execution from the responder service in a response to the following command, computing a time difference between the time duration and the responder execution time, and determining whether the time duration indicates a relay attack using the computed time difference.
[0062] In Example 20, the subject matter of one or any combination of Examples 17- 19 optionally includes the computer-readable storage medium including instructions that cause the initiator device to perform acts including computing a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device, comparing the computed communication time gap to a specified relay attack detection time gap, and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap. [0063] These non-limiting Examples can be combined in any permutation or combination. The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments in which the invention can be practiced. The above description is intended to be illustrative, and not restrictive. For example, the abovedescribed examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments can be used, such as by one of ordinary skill in the art upon reviewing the above description. The Abstract is provided to allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, the subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment, and it is contemplated that such embodiments can be combined with each other in various combinations or permutations. The scope should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

Claims

WHAT IS CLAIMED IS:
1. An initiator device of an access control system, the device comprising: protocol layer circuitry; and processing circuitry operatively coupled to the protocol layer circuitry and configured to: initiate transmission of a command to a responder device; determine a first time measurement of a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device; receive a response from the responder device that includes a second time measurement of a responder execution time of the command by the responder device; and generate an indication when the first time measurement and second time measurement indicate a relay attack.
2. The initiator device of claim 1, wherein processing circuitry is configured to: compute a time difference between the first time measurement and the second time measurement; compare the computed time difference to a specified relay attack detection time gap; and generate the indication when the computed time difference exceeds the relay attack detection time gap.
3. The initiator device of claim 1, wherein processing circuitry is configured to: initiate transmission of a second command to the responder device; receive the second time measurement in a response to the second command; compute a time difference between the first time measurement and the second time measurement; and determine whether the time duration indicates a relay attack using the computed time difference.
4. The initiator device of claim 1, wherein processing circuitry is configured to: compute a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device; compare the computed communication time gap to a specified relay attack detection time gap; and generate the indication when the computed communication time gap exceeds the specified relay attack detection time gap.
5. The initiator device of claim 1, wherein processing circuitry is configured to: compute the first time measurement to include an initiator execution time of the command, an initiator sending time that is a time duration between the protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized; compute a second time duration that includes the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device; compute a time difference between the first time measurement and the second time duration; and generate the indication when the computed time difference indicates a relay attack.
6. The initiator device of claim 1, wherein processing circuitry is configured to: initiate transmission of a multi-frame measurement command to the responder device; and determine the time duration as a time from an end of transmitting the multi-frame command to a start of receiving a response to the multi-frame command from the responder device.
7. The initiator device of any one of claims 1-6, wherein the protocol layer circuitry is configured to receive a response to the command from a responder device that is a smart card.
8. The initiator device of any one of claims 1-6, wherein the protocol layer circuitry is configured to receive a response to the command from a responder device that is a smart phone.
9. A method of operating an access control system, the method comprising: transmitting a command from an initiator device of the access control system to a responder device; determining, using the initiator device, a first time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device; receiving, by the initiator device from the responder device, a responder execution time of a time duration for the responder device to execute the command; and generating, using the initiator device, an indication of a relay attack using the first time duration and the responder execution time.
10. The method of claim 9, including: computing, by the initiator device, a time difference between the first time duration and the responder execution time; comparing the computed time difference to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed time difference exceeds the relay attack detection time gap.
11. The method of claim 9, including: receiving, by the initiator device from the responder device, the responder execution time in response to a following command sent by the initiator device; and using the computed time difference to determine whether the time duration indicates a relay attack.
12. The method of claim 11, including: computing, by the initiator device, a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device using the first time duration and the responder execution time; comparing the computed communication time gap to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap.
13. The method of claim 9, including: computing, by the initiator device: the first time duration to include an initiator execution time of the command, an initiator sending time that is a time duration between a protocol layer of the initiator device signaling that the command is sent and a last byte of the command sent by the protocol layer of the initiator device, and an initiator receiving time that is a time after the initiator execution time that the response to the command is recognized; a second time duration including the responder execution time, a responder receiving time that is a time duration for the responder to recognize the command, and a responder sending time that is a time duration between a protocol layer of the responder device signaling that the response is sent and a last byte of the response sent by the protocol layer of the responder device; and a difference between the first time duration and the second time duration; and using, by the initiator device, the computed difference to determine whether the time duration indicates a relay attack.
14. The method of claim 9, detecting, by the responder device, that the command is a multi-frame measurement command; omitting, by the responder device, error correction on the first frame of the multiframe message; and wherein the determining the time duration includes the initiator device determining a time duration from an end of transmitting the multi-frame command by the initiator device to a start of receiving a response to the multi-frame command from the responder device.
15. The method of any one of claims 9-14, wherein the initiator device is a reader device and the responder device is a smart card.
16. The method of any one of claims 9-14, wherein the initiator device is a verifier device and the responder device is a smart phone.
17. A computer-readable storage medium including instructions that, when executed by processing circuitry of an initiator device of an access control system, cause the initiator device to perform acts comprising: transmitting a command to a responder device; determining a time duration from an end of sending the command to the responder device to a start of receiving a response to the command from the responder device; receiving a responder execution time of a time duration for the responder device to execute the command; and generating an indication of a relay attack using the time duration and the responder execution time.
18. The computer-readable storage medium of claim 17, including instructions that cause the initiator device to perform acts including: computing a time difference between the time duration and the responder execution time; comparing the computed time difference to a specified relay attack detection time gap; and generating the indication when the computed time difference exceeds the relay attack detection time gap.
19. The computer-readable storage medium of claim 17, including instructions that cause the initiator device to perform acts including: sending a following command to the responder device; receiving the responder execution from the responder service in a response to the following command; computing a time difference between the time duration and the responder execution time; and determining whether the time duration indicates a relay attack using the computed time difference.
20. The computer-readable storage medium of any one of claims claim 17-19, including instructions that cause the initiator device to perform acts including: computing a communication time gap between a time the command is sent by the initiator device to a time the command is received by the responder device; comparing the computed communication time gap to a specified relay attack detection time gap; and generating the indication of the relay attack when the computed communication time gap exceeds the specified relay attack detection time gap.
PCT/EP2023/075281 2023-09-14 2023-09-14 Relay attack detection Pending WO2025056162A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2023/075281 WO2025056162A1 (en) 2023-09-14 2023-09-14 Relay attack detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2023/075281 WO2025056162A1 (en) 2023-09-14 2023-09-14 Relay attack detection

Publications (1)

Publication Number Publication Date
WO2025056162A1 true WO2025056162A1 (en) 2025-03-20

Family

ID=88093566

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2023/075281 Pending WO2025056162A1 (en) 2023-09-14 2023-09-14 Relay attack detection

Country Status (1)

Country Link
WO (1) WO2025056162A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11449691B2 (en) * 2020-08-20 2022-09-20 Assa Abloy Ab Relay attack detection for interfaces using command-response pair
US20230224709A1 (en) * 2021-09-24 2023-07-13 Apple Inc. Nfc anti-relay protection

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11449691B2 (en) * 2020-08-20 2022-09-20 Assa Abloy Ab Relay attack detection for interfaces using command-response pair
US20230224709A1 (en) * 2021-09-24 2023-07-13 Apple Inc. Nfc anti-relay protection

Similar Documents

Publication Publication Date Title
JP7743566B2 (en) Systems, methods and apparatus for access control
AU2024204187B2 (en) Upper layer device architecture for ultra-wide band enabled device
US12014242B2 (en) Relay attack detection for interfaces using command-response pair
KR102795047B1 (en) Ultra-wideband radar for tailgating detection in access control systems
AU2020280017B2 (en) Physical access control systems and methods
WO2025056162A1 (en) Relay attack detection
WO2024160362A1 (en) Rf characteristic used to validate genuineness and counter a relay attack
HK40078263A (en) Ultra-wide band radar for tailgating detection in access control systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23772444

Country of ref document: EP

Kind code of ref document: A1