We Were Wrong: Ambient Sensors Do Not Provide Proximity Evidence for NFC Transactions RajaNaeemAkram∗ IakovosGurulian† CarltonShepherd‡ KonstantinosMarkantonakis§ KeithMayes¶ InformationSecurityGroup,RoyalHolloway,UniversityofLondon. 6 Egham,UnitedKingdom. 1 0 2 Abstract 1 Introduction b e F Contactless smart cards are deployed in a multitude of 8 applications, ranging from banking, transport and ac- Near Field Communication (NFC) has enabled mobile 1 cess control [32], and their awareness and acceptance phones to emulate contactless smart cards. Similar to is increasing, particularly in the banking sector [12]. ] contactless smart cards, they are also susceptible to re- Whiletheacceptanceofthecontactlesscardsisgrowing, R layattacks. Tocounterthese,anumberofmethodshave mobile (contactless) payments are also gaining accep- C beenproposedthatrelyprimarilyonambientsensorsas tance,particularly“amongearlyadoptersandyoungage . aproximitydetectionmechanism(alsoknownasananti- s groups”[13].Insuchmobilepayments,NearFieldCom- c relaymechanism). Inthispaper,we,forthefirsttimein munication (NFC) provides the medium through which [ academic literature, empirically evaluate a comprehen- to emulate a contactless smart card; Deliotte projected 2 sive set of ambient sensors for their effectiveness as a inearly2015thatfivepercentof600-650millionNFC- v proximitydetectionmechanism. Weselected15outofa enabledmobilephoneswillbeusedatleastonceamonth 1 totalof17sensorsavailableviatheGoogleAndroidplat- 0 in 20151 to make a contactless payment [9]. We can formforevaluation, withtheothertwosensorsunavail- 1 reasonablyassume,therefore,thatmobilepaymentswill ableonwidely-usedhandsets. Inexistingacademicliter- 7 be a significant payment medium in the future, poten- ature, only 5 sensors have been proposed with positive 0 tially overtaking contactless smart cards. Although the . results as a potential proximity detection mechanism. 1 abovediscussionislimitedtothefinancialindustry,sim- Eachsensor,wherefeasible,wasusedtorecordthemea- 0 ilar trends are being observed in other domains where 6 surementsof1000contactlesstransactionsatfourdiffer- contactlesssmartcardsaredeployed[5]. 1 entphysicallocations. Atotalof252randomusers,ran- : dom sample of the university student population, were Contactless smart cards, however, are susceptible to v relay attacks [24, 25, 29], as are NFC-enabled mobile i involved during the field trails. The analysis of these X phones [22, 21, 31, 35]. A relay attack is a passive transactionsprovidesanempiricalfoundationtocategor- r ically answer whether ambient sensors provide a strong man-in-the-middle attack in which an attacker extends a thedistancebetweenagenuinepaymentterminal(point- proximitydetectionmechanismforsecuritysensitiveap- of-service)andgenuinecontactlesssmartcard(orNFC- plications like banking, transport and high-security ac- enabled mobile device). This attack can enable a mali- cess control. After careful analysis, we conclude that cioususertoaccessservicesforwhichthegenuineuser nosingleevaluatedmobileambientsensorissuitablefor iseligible,suchaspayingforgoodsoraccessingabuild- suchcriticalapplicationsinrealisticdeploymentscenar- ingwithphysicalaccesscontrols. ios. Lastly, we identify a number of potential avenues Quantifyingthenumberoffraudulentactivitieswhere thatmayimprovetheireffectiveness. relay attacks were employed (on both smart card and NFCmobilephones)isachallengingtask. Evidenceex- ists, however, that academic work dealing with attacks ∗[email protected] †[email protected] 1Actual figures for 2015 were not available at the time of ‡[email protected] writing this paper. However, early forecasts for the global mar- §[email protected] ket of mobile payment for 2016 and beyond are available at ¶[email protected] http://www.nfcworld.com/technology/forecast/ on smart cards have been adopted by real-world crimi- accesscontrol. nals [19]. In the domain of contactless smart cards, a Therearethreeprimarycontributionsofthispaper: potentially effective countermeasure has been distance 1. Atest-bedarchitectureandimplementationthatcan bounding protocols [26, 36]. For NFC-enabled phones, beusedtoevaluatevarioussensorsonGoogleAn- anti-relaymechanisms–atleastinacademicliterature– droiddevices. have comprised largely of ambient sensing (Section 2). In this paper, we investigate the ambient sensors avail- 2. A data analysis framework and methodology for ablethroughtheGoogleAndroidplatformandconstruct evaluatingambientsensormeasurements. a test-bed environment (Section 3) to evaluate their ef- fectivenessasproximitydetectionmechanismforNFC- 3. Anempiricalevaluationoftheeffectivenessofam- basedcontactlesstransactions(Section5). Additionally, bient sensors as a proximity detection mechanism. we evaluate each individual sensor in relation to their This evaluation provides a foundation towards de- technicalfeasibility,reportanychallengesthatwereen- cidingwhichsensorstodeployinatargetenviron- counteredduringimplementation(Section4),andinves- ment. tigate issues affecting usability and reliability. The aim Theimplementationofthetest-bed,dataanalysisand ofthisworkistoprovideempiricalevidenceofeacham- collected data sets are being made available online at bientsensor’ssuitabilityasaproximitydetectionmech- http://anonymised. anismandinvestigatingwhetheritcancounterpotential relayattackseffectively(Section6). 2 AmbientSensinginMobilePayments The suitability of a proximity detection mechanism for critical applications, such as banking, transport and In this section, we briefly describe mobile phone-based (high-security) access control – the main focus of this contactless payments, relay attacks and a generic archi- paper–isbasedonitsabilitytouniquelypairmeasure- tecture for deploying ambient sensing as proximity de- mentstakenfromapaymentterminalandapaymentin- tectionmechanismtocounterrelayattacks. strument(ormobilehandsetinthiscase). Thisistopro- videconfidencethatthetwodevicesweretrulyinclose 2.1 Contactless Mobile Devices and Relay proximity(≈3cm)toeachother. Thismeasurementpair should be unique in a manner such that no other mea- Attacks surements can be paired successfully with the terminal Distance bounding protocols in smart cards are closely or payment instrument’s measurements. That is to say, integratedwiththephysicallayer[26].Usually,theover- foraneffectiveproximitydetectionmechanismthatcan allarchitectureandprocessisthesamewithminordiffer- thwartrelayattacks,thedevicemeasurementsgenerated ences,whethertheintendedpurposeofthesmartcardsis during a transaction should be unique to that transac- financialpayments,transportation,accesscontroloran- tion. Given a pair of measurements from two devices, otherdomain.Themajordifferencesresideinthehigher- PT andPI,representingthemeasurementfromthepay- level protocols and algorithms that implement the se- ment terminal and the payment instrument respectively, manticsofeachapplication. Inthissectionweexamine the mechanism (and associated ambient sensor) is con- contactlesstransactionsinrelationtoNFC-basedmobile sidered effective if it can uniquely pair PT with PI. No payments; however, the overall architecture is common other measurement, PT’ or PI’, can have the potential acrossalldeploymentdomains. to be paired successfully with either PT and/or PI, thus providingastrongproofofproximity. Ifthereisahigh likelihoodthatPT’orPI’,takenatdifferenttimeorloca- tion,canbepairedwithPT and/orPI,thenitisdifficult foranentity(athirdpartyorapaymentterminal)toas- certainwhichdevice(s)wereinactualproximitytoeach other. Thisgap,whereatransactioncannotbeidentified to have a unique measurement pair, is what a malicious usermayexploittomountarelayattack. Figure1: OverviewofaRelayAttack In this paper, we continue to refer to contactless mo- bile payments due to the associated financial repercus- When a user brings their NFC-enabled mobile phone sions, and the attention this may attract from malicious closeto acontactless paymentterminal, the NFCinthe actors. However, the discussion in this paper is equally mobilehandsetenterstheradiofrequencyrangearound relevant towards the deployment of contactless mobile- a payment terminal through which it can initiate a dia- based solutions in other domains, such as transport and logue. Duringacontactlesstransaction,physicalcontact 2 Figure2: GenericDeploymentsofAmbientSensorsasProximityDetectionMechanism is not necessary and, in many cases, a second factor of tified)paymentterminals,thenananti-relaymechanism authentication,e.g.biometricsorPersonalIdentification cansucceed. Number (PIN), is not mandatory [10]. As a result, it is A substantial portion of the work surrounding relay- difficult to ascertain that an authorised user brought the attack countermeasures for contactless smart cards re- mobiledeviceneartheterminalviaarelay. Itshouldbe latestodistanceboundingprotocols[17,20]. However, noted, however, that the use of a PIN or biometric may these may not be feasible for NFC-enabled phones – notcounterarelayattackeffectivelyincertainsituations at the current state-of-the-art – due to their requirement (notablytheMafiafraudattack[16]). of high time-delay sensitivity and specialised hardware [15,23]. Inarelayattack,showninFigure1,anattackermust InthedomainofNFC-basedcontactlessmobiletrans- emulateamaliciouspaymentterminaltoagenuineuser actions, severalmethodshavebeenproposedtoprovide andamasqueradingpaymentinstrument(mobilephone) somenotionofproximitydetection,mostofwhichutilise toagenuinepaymentterminal.Thegoalofthemalicious environmental(ambient)sensorspresentonmodernmo- actoristoextendthephysicaldistanceofthecommuni- bile handsets (for related work see Section 2.3). In the cation channel between the victim’s mobile phone and followingsection,wediscusshowambientsensorshave the payment terminal – relaying each messages across beenproposedtocounterrelayattacksinNFC-basedmo- thisextendeddistance. Theattackerhasthepotentialto bilecontactlesstransactions. payforservicesusingthevictim’saccountiftheattacker is able to relay these messages successfully without de- tection. 2.2 Ambient Sensors for Proximity Detec- tion With contactless smart cards, relay attacks are coun- teredusingdistanceboundingprotocols[34]andvariants Anambientsensormeasuresaparticularphysicalprop- ofsuch[24];thisisstillanactiveresearchdomain,with ertyofitsimmediatesurroundings,suchastemperature, newattacksandcountermeasuresemerging[27,16,14]. light and sound. Modern smartphones and tablets, are The aim of distance bounding protocols is to enable a equippedwithoneormoreofthesesensors. Thephysi- payment terminal (verifier) to enforce an upper bound calenvironmentsurroundingasmartphone(orapayment on its physical distance to a smart card (prover). The terminal) can potentially provide a rich set of attributes enforcementofphysicaldistanceisachievedthroughpe- that might be unique to that location – the sound and riodic challenge-response exchange and timing the pro- lighting of a quiet, brightly-lit room, for example – and cess. If the response is received within a predefined suchinformationmightbeusefultoimplementproxim- time (threshold), the verifier establishes that the prover itydetectionbetweentwointeractingdevices. is within a specified physical distance. In a relay at- Inthissection, wediscussagenericapproachforde- tack, provers may be either malicious or genuine; veri- ployingambientsensingasaproximitydetectionmecha- fiers,however,areconsideredhonest. Ifverifiersarema- nismthatcanbeusedinthecontextofmobilepayments. licious and try to participate in a relay attack, then they Figure 2 illustrates the entities involved in this process. are effectively attacking themselves, thus defeating the Variationsofthisapproacharediscussedbelow. purposeoftheattack. Thereisapossibilitythatatermi- nalmightplayaunwittingvictim, butsolongaswedo 1. IndependentReporting. Inthisscenario,depicted not consider them to be physically modifying the (cer- assolidlinesinFigure2, boththesmartphoneand 3 payment terminal collect sensor measurements in- collectedfor2and30secondsdurationforlightandau- dependent of each other and transmit these to a dio respectively – using a range of similarity compari- trustedauthority. Thisauthoritycomparesthesen- son algorithms. Extensive experiments were performed sormeasurements,basedonsomepredefinedcom- in different physical locations, with a high success rate parisonalgorithmwithsetmarginsoferror(thresh- ofdetectingco-locateddevices. old),anddecideswhetherthetwodeviceswereare Varshavskyetal.[38]basedtheirproximitydetection inproximityofeachother. mechanismonthesharedradioenvironmentofdevices– thepresenceofWiFiaccesspointsandassociatedsignal 2. Payment Terminal Dependent Reporting. This strengths – using the application scenario of secure de- setup, depicted as double-dot-dash line in Figure vicepairing. Inthiswork,theyconsideredthisapproach 2, involves the smartphone encrypting the sensor toproducelowerrorrates,recommendingitasaproxim- measurements with a shared key (between smart itydetectionmechanism.Whiletheirpaperdidnotfocus phone and trusted authority) and transmitting the onNFC-basedmobiletransactions,theirtechniquesand encrypted message to the payment terminal. The methodologymaystillbeapplicable. paymentterminalsendsitsownmeasurementsand Urien et al. [37] use ambient temperature with an el- the smartphone’s to the trusted authority for com- lipticcurve-basedRFID/NFCauthenticationprotocolto parison. determine whether two devices are co-located. Using this method, they were successful in establishing a se- 3. Payment Terminal (Localised) Evaluation. The curechannel;theproposalcombinesthetimingchannels smartphone transmits its own measurement to the in RFID, traditionally used in distance bounding proto- payment terminal, which then compares it with its cols, in conjunction with ambient temperature. Their own measurements locally; the payment terminal proposal,however,wasnotimplementedandsothereis thendecideswhetherthesmartphoneisinproxim- noexperimentaldataprovidedtoevaluateitsefficacy. ity. Mehrnezhad et al. [33] proposed the use of an ac- celerometer to provide assurance that the mobile phone Regardlessofhowtheuserinteractswiththepayment iswithinthevicinityofthepaymentterminal. Theirpro- terminal, e.g. touching or tapping it with their device, posalrequirestheusertotapthepaymentterminaltwice the overall deployment architecture falls under one of in succession, after which the sensor streams of the de- the above scenarios. It can be observed that there is a vice and the payment terminal are compared for simi- potential for a fourth scenario to have a mobile phone larity. It is difficult to deduce the total time it took to perform the proximity analysis. However, as we con- complete one transaction in its entirety, but the authors siderthepaymentterminaltobethe(potentially)trusted have provided a sensor recording time range of 0.6–1.5 device,asperthediscussioninSection2.1andthesmart- seconds. phone might be with a malicious entity, this scenario is notdiscussed. Table1: RelatedWorkinSensorsasAnti-RelayMecha- nism 2.3 RelatedWork Sample Contactless Paper Sensor Duration Suitability Asnotedpreviously,distanceboundingprotocolsmight Maetal.[30] GPS 10seconds PossiblyNot notbesuitableformobilebasedcontactlesstransactions. Audio 30seconds PossiblyNot In existing work, therefore, ambient sensors have been Halevietal.[23] Light 2seconds Potentially proposed as a strong proximity detection mechanism to WiFi Varshavskyetal.[38] 1second Potentially counterrelayattacks,whichisdiscussedasbelow. (RadioWaves) Drimer et al. [17] and Ma et al. [30] showed how Urienetal.[37] Temperature N/A - location-related data, namely using GPS (Global Posi- Mehrnezhadetal.[33] Accelerometer 0.6to1.5Seconds Potentially tioningSystem),canbeusedtodeterminetheproximity of two NFC mobile phones. Ma et al. use a ten second We summarise the related work in Table 1, and use window with location information collected every sec- sensorsamplingdurationstodeterminewhetheragiven ond, which was subsequently compared across various approach is suitable for contactless NFC mobile phone devices. Theauthorsreportahighsuccessrateinidenti- transactions,namelyinbankingandtransportation.‘Pos- fyingthedevicesincloseproximitytooneanother. sibly not’ are those proposals whose sample duration is Halevi et al. [23] demonstrated the suitability of us- solargethattheymaynotbeadequateformobile-based ing ambient sound and light for proximity detection. services that substitute contactless cards, whereas those Here, the authors analysed the sensor measurements – whosesamplerangecanbeconsideredreasonableincer- 4 tainapplicationsarelabelledas‘Potentially’intheTable 1. However,evenschemesdenotedas‘Potentially’may {(PT , PI ),(PT , PI ),...,(PT, PI)} (1) 1 1 2 2 i i not be suitable for certain domains, such as banking or For each transaction pair, we calculate the similarity transport applications, where a strict upper-bound is of- betweenPT andPI. WerefertothisasV,andthusour ten present in which to complete the entire transaction. set(Equation1)nowhasthreeentriespertransaction,as In these domains, the goal is to serve people as quickly showninEquation2. aspossibletomaximisecustomerthroughput,sotimeis criticalindeterminingwhetheratransactionissuccessful and,indeed,permitted;anoptimumtransactionduration {(PT1, PI1, V1),(PT2, PI2, V2),...,(PTi, PIi, Vi)} (2) would be in milliseconds, rather than seconds. We will From this set, we compute the Equal Error Rate returntothediscussionabouttransactiondurationlimits (EER)thresholdassociatedwitheachsensorbyplotting laterinSection3.2. the False Positive Rate (FPR) and False Negative Rate Ambientsensingisalsousedinuser-deviceauthenti- (FNR)curves,andlocatingthepointatwhichtheyinter- cation,keygenerationandestablishmentofsecurechan- sect. nels. These applications typically measure the environ- Inthecontextofouranalysis,aFalsePositiveiswhen mentforlongerperiodsoftime(>1second)and,gener- agenuinepair2ofPT andPIisnotconsideredtobemea- allyspeaking,theirprimarygoalisnotproximitydetec- suredbydevicesthatareinproximitytoeachotherunder tion. Assuch,wedonotdiscusstheminthissection. aselectedthreshold(V ). Conversely,aFalseNegativeis Thefieldofambientsensorsforproximitydetectionin x when a PT matches to be in proximity to another PI NFC-based mobile services is expanding, as illustrated i j (wherei(cid:54)= j)underthegenuineandcorrespondingsim- by the number of proposals that currently exist. In this ilarityvalueV (thresholdasthrehold). paperweextendthediscussiontoalargesetofambient i For the FPR curve, we select PT and V and iterate sensors. Weevaluatethesuitabilityofsensorsproposed j j throughnelementsoftheset,suchthatn=1,2,3,..., i currently and investigate a range of sensors not yet ex- exceptwheren= j. Foreachofthenelements,ifV < ploredasananti-relaymechanisminrelatedwork.Table j V then the corresponding transaction (call it T ) would 2showsthatwehaveundertakenacomprehensiveevalu- n n resultinFalsePositive. Rationaleforthisis,asweknow ationofambientsensorsforproximitydetection(fifteen that the T is a genuine transaction, but because to the intotal). Inexistingliterature,onlyfiveofthesesensors n V is smaller than the relatedV , the transaction will be areproposedandevaluatedasproximitydetectionmech- j n declinedifV istheselectedthreshold. anism(Table1). j For the FNR curve we select a value of V , then it- j erate through all the n elements of the set such that 3 Framework for Evaluating Ambient n=1,2,3,...,i except n= j. For each of the nth ele- Sensors ment, we only take PI and compute the similarity,V , n jn between PT and PI . If theV >V then the result is j n j jn In this section, we describe the test-bed that was devel- a False Negative. The rationale behind this is that for a oped to test, analyse and evaluate the effectiveness of set of genuine transaction elements, (PT andV ), there j j using various ambient sensors as a proximity detection exists another PI that can be accepted – other than the mechanism. The results of the evaluation are presented genuinevaluePI . Inthisanalysis,V isconsideredas j jn inSection5. theselectedthreshold. Inthissection,someoftheexplanationsweresimpli- 3.1 EvaluationFramework: Theory fiedforbrevityandtoavoidthenuancesofsensormea- surements and comparison techniques. In subsequent The aim of this work is to evaluate the effectiveness of sections, we expand the discussion on the above points ambientsensorsasaproximitydetectionmechanismfor and provide a more detailed account of how we imple- highsecuritymobilecontactlesstransactions;tothisend, mented the test-bed and evaluated the sensors data for wedevisedanevaluationframeworkdiscussedbelow. eachtransaction. Foraparticularambientsensor,wecollectsensormea- surements on the Payment Terminal (PT) and the Pay- 3.2 Test-bedArchitecture ment Instrument (PI), and these measurements are re- ferredtoasatransactionpaircomprisingPT andPI. We Two applications were implemented and installed on collected a set (Equation 1) of these transaction pairs, pairs of Android devices, one as a payment terminal each containing i transactions in total, by performing a 2Agenuine(value,transactionorpair)isameasurement(s)thatwe fieldtrialatfourdifferentlocationsonauniversitycam- havecollectedduringourtrailsandwehavetheevidencethattheywere pus. takenfromdevicesthatwereincloseproximitytoeachother. 5 andtheotherasthepaymentinstrument(mobilephone). After completing the measurements, the PI validates When the devices touch, an NFC connection is es- the data it received from the terminal (in message one), tablished and both begin recording data using a pre- returningacompletionorrejectionmessageaccordingly. specified sensor. Upon successful completion of the ThisisalongwithwhichsensorwasusedonthePIand measurements, each device stores the recorded data in thetransactionIDreceivedfromthePTinmessageone. alocaldatabase,showninFigure3. Thisvalidationprocessensuresthatthetwodeviceswere recording data from the same sensor. Finally, the PT verifies the data received from the PI, ensuring that the PIwasmeasuringthesametransaction, usingthetrans- action ID and whether the two devices were recording fromthesamesensor. Uponvalidation,thedevicessave the measurements in their local databases. In the event of any inconsistencies during the exchange, i.e. the de- vices recorded data for differing transaction IDs, then themeasurementisrejected. Thedatabaseisdesignedto holdmeasurementsforeachtransaction,whichareused toanalyseandevaluatetheeffectivenessofeachsensor. Figure3: Test-bedArchitecture 3.3 DataCollectionFramework AmoredetailedviewofthisprocessisdepictedinFig- To gauge the sensor variance in physical locations and ure 4. Bringing the two devices together causes the PT how this influences proximity detection, we test each application to send a message to the PI, stating which sensor in four different locations around the university: sensor it uses in the transaction, along with a unique thelab,cafeteria,dininghallandlibrary.Afieldtrailwas transactionID. conducted in each location with 252 participants sup- After this message is received by the PI, both appli- plied a varying number of transactions, with each pro- cationsinitiatetheprocesstorecordameasurement, by vidingaminimumofonetransactionpersensor. storing values returned by a sensor. The recording pro- cesslasts500ms–themaximumpermittedtimeinwhich Table2: SensorAvailability acontactlesspaymenttransactionshouldcompleteinac- cordance with the “EMV Contactless Specifications for Sensors Nexus9(1) Nexus9(2) Nexus5 SGS5mini Payment Systems: Book A” [10] and additional indus- PT-PIPair:Nexus9(1)→Nexus9(2) Accelerometer (cid:51) (cid:51) (cid:51) (cid:51) trial specifications [7, 8, 11]. This time limit will be Bluetooth ∗ ∗ ∗ ∗ reduced gradually to 400ms from 2016 onward. For GRV† (cid:51) (cid:51) ∗ (cid:51) GPS ∗ ∗ ∗ ∗ transport-related transactions, the performance require- Gyroscope (cid:51) (cid:51) (cid:51) (cid:51) mentsarestricter,wheretransactiontimesshouldnotex- MagneticField (cid:51) (cid:51) (cid:51) (cid:51) NetworkLocation (cid:51) (cid:51) (cid:51) (cid:51) ceed300ms[6,18]. Pressure (cid:51) (cid:51) (cid:51) (cid:55) RotationVector ∗ ∗ ∗ ∗ Sound (cid:51) (cid:51) (cid:51) ∗ PT PI WiFi ∗ ∗ ∗ ∗ PT-PIPair:SGS5mini→Nexus5 1)sensor—transactionID Gravity ◦ ◦ (cid:51) (cid:51) Light ∗ ∗ (cid:51) (cid:51) recordSensor() recordSensor() LinearAcceleration ◦ ◦ (cid:51) (cid:51) Proximity (cid:55) (cid:55) (cid:51) (cid:51) Unsupported Humidity (cid:55) (cid:55) (cid:55) (cid:55) validateReceivedData() Temperature (cid:55) (cid:55) (cid:55) (cid:55) (cid:51):Workingproperly.(cid:55):Notpresentondevice.∗:Technicallimitations. ◦:Onlyreturning0s. 2)sensor—transactionID †GeomagneticRotationVector validateReceivedData() saveMeasurement() Four devices were used in the experiments, forming saveMeasurement() twoPT-PIdevicepairs. ThefirstconsistedoftwoNexus 9 tablets, while the second pair comprised two Android smartphones: a Nexus 5, assuming the role of the pay- ment terminal and a Samsung Galaxy S5 mini (SGS5 Figure4: MeasurementRecordingOverview mini), acting as the payment instrument. The availabil- 6 ity of the sensors on each device can be found in Ta- Listing1: SampleXMLRecord ble 2, along with which sensors comprised each of the twopairsdiscussedbefore. 1 <?xml version="1.0" encoding="UTF-8"?> Sensors with technical limitations – Bluetooth, GPS, 2 <measurements> RotationVectorandWiFi–althoughpresentonthede- 3 .... vices,returnednoorveryfewdatapoints(>99%sensor 4 <measurement> failure3)withinthe500mstimeframe. Thespecificlimi- 5 <id>6</id> 6 <timestamp>60</timestamp> tations for each of these sensors are described in more 7 <data0>-0.32935655</data0> detail in Appendix B. Two sensors, the humidity and 8 <data1>6.2396774</data1> thetemperaturesensors,arerelativelyuncommonamong 9 <data2>-7.558329</data2> Androiddevicesandnoneofourtesteddevicescontained 10 </measurement> them,thusweexcludedthemfromthisstudy. 11 .... Aminimumof1000transactions–measurementpairs 12 </measurements> forwhichbothPTandPIhavecorrespondingsensordata –wererecordedforeachsensor. 700measurementsfor each sensor were recorded in the Lab, with 100 in each by the terminal, used to assist in linking the measure- oftheremaininglocations. ments of each device to represent a single transaction. The Android operating system returns data captured Occasionally, the connection is disrupted when the mo- by a sensor in time intervals set by the application. biledevicehasalreadyrepliedtotheterminal(message To prevent unnecessary power consumption, the sen- 2infigure4)whiletheterminalhasnotyetfinishedpro- sor values are returned by the operating system only cessingit. Asaresult,themeasurementisstoredonlyon when the values have altered. The sound sensor (mi- themobiledevice;thisoccurstypicallywhenthetwode- crophone), however, captures data in a continuous, un- vicesaremovedapartbeforetheendofthetransaction. interruptedstream.Inthisinstance,theapplicationscon- Tocounterthis,thetransactionIDisusedinconjunction vert the recorded amplitudes into sound pressure levels with the sequence ID to detect and exclude these mea- (indecibels)beforestoringthevaluesintheirrespective surementsduringtheanalysisphase. databases. WithBluetooth,dataissentfromtheoperat- Aftercompletingtheexperiments,thedatabaseswere ingsystemtotheapplicationeverytimeanewBluetooth extractedfromthedevicesviaUSBandtransferredtothe device is discovered; with WiFi, this is once the device PCrunningtheanalysissoftware. has completed scanning the presence of nearby access points. 3.4 DataAnalysisandEvaluationCriteria On each device (PT and PI), each transaction gener- ated a single database record containing the sensor val- Afterretrievingthedatabasesfromtheterminalandmo- uesmeasuredover500ms.Therecordedsensormeasure- bile,thesetofalltransactions,T,wasproducedusingthe mentsweresubsequentlystoredinthedatabaseinXML sharedIDsgeneratedduringdatacollection. Eachtrans- form. Every time sensor values were returned, a new actionmaybethoughtofasthesetofPTandPIvalues, child element was created containing the sequence ID PT andPI,withthesamesharedID,i.e.T =(PT,PI). i i i i i ofthemeasurement,thetimestamp(initialisedtozeroat Whereas, each of the devices (PT and PI) will measure thestartofthetransaction),alongwiththerecordedsen- an array of data for each sensor at different time inter- sormeasurements. AsampleXMLrecordcanbefound vals. Therefore,PT =PT ,PT ,...,PT . Similarly,PI i i1 i2 in i in Listing 1. The data measurements – whether a sen- isalsoasetofdatavalescollectedbymobileduringthe sor returned one or multiple values per sample – were T. A more detailed discussion on this is in Section 4.3 i saved in a generic format (e.g. data0, data1, etc.) for anddepictedinFigure5. convenience,andlaterassignedtotheiractualunitsdur- A Python application was developed for analysing ing the analysis phase, in accordance with the Android the transaction measurements from the application documentation[3]. Detailsforeachsensorcanbefound databases, employing the SciPy library [28] for numer- inAppendixA. icalcomputation. The sequence ID of each measurement, the date and time the transaction occurred, the location in which it (cid:32)(cid:114) (cid:33) wascaptured,andthetransactionIDwerealsostoredin φ −φ λ −λ 2r4arcsin sin2 2 1 +cosφ cosφ sin2 2 1 thedatabase. 1 2 2 2 ThetransactionIDisarandom7-bytestringgenerated (3) 3DetailedinSection5.2andTable5 4rrepresentstheradiusofEarth:6371km 7 4.1 ImplementationChallenges 1 N MAE(PT,PI)= ∑|PT −PI | (4) i i i,j i,j Anumberofchallengeswereencounteredduringtheim- N j=0 plementationphase, particularlyinrelationtorecording covariance(PT,PI) sufficientsensorvaluesinarelativelyshorttimeperiod. i i corr(PT,PI)= (5) i i σ ·σ The clocks of the two devices involved in a transac- PTi PIi tion cannot be expected to be completely synchronised, (cid:112) particularlyinareal-worlddeployment. Inorderforthe M= x2+y2+z2 (6) measurements on the devices to start as close to each Tocompare(PTi,PIi), wemeasurethesimilaritydis- other as possible, we perform the transaction validity tance between the two, which was measured differently checks after the recordings have finished. The validity accordingtosensortype. Thereasonbehindthisishow checksinvolveverifyingthatbothdevicesaremeasuring individualsensorsaredeployedinAndroidenvironment thesamesensorandthereisauniquetransactionIDfor and number of variables returned in each data element themeasurement. Therecordedmeasurementisrejected duringatransaction. Toexplainthisfurther,duringeach attheendofthetransactionintheeventoftheavalidity transactionTi,aPTandPIcollectdatafromtheselected checkfailure. sensoroveraperiodof500ms. Duringthisinterval,de- To capture the maximum possible amount of data, pending upon a sensor, a varying number of data ele- the applications were designed such that no threads, or mentsiscollected. Eachoftheseelementsmightcontain other process-intense components, were used prior to oneormorevariables,forexample,networklocationhas the initialisation of the measurement recording (other two variables, accelerometer has three and temperature than those started by the Android API automatically). hasonlyonevariableperdataelement. Duetothis, we ThethreadsinitiatedbytheAndroidAPImonitoredany devised three different methods of dealing with this di- changesinthesensorvaluesduringatransaction. versityinthesensordatareporting. The sound sensor’s development was relatively chal- For network location, this was calculated using the lenging. Typically, to avoid any problems, the micro- Haversine formula (Eq. 3), which measures the geo- phoneshouldbeaccessedfromwithinaseparatethread, graphic distance between two latitude and longitude otherwise the NFC communication stops for as long as pairs,{(φ ,λ ),(φ ,λ )}. 1 1 2 2 the microphone is being used. Initiating a thread prior For the remaining sensors, similarity was measured to accessing the microphone had an impact in the per- using the mean absolute error (MAE, Eq. 4) and cor- formance of the application, leading to no data being relationcoefficient (Eq.5), asusedin[33], betweenthe recorded in 500ms. To overcome this issue, we mea- signalsofPT andPI,witheachcontainingN measure- i i sured 500ms chunks of sensor data in the devices, and ments. Over the series of N data values per PT and i not worrying about the loss of NFC connection during PI, we calculate the covariance to understand the over- i thetransaction. all change between the collected data (per transaction). Ensuringthattherecordingofeachsensorwillnotex- Whereas,σ andσ isthemeanofallthedatapoints PTi PIi ceed 500ms was a high priority requirement that faced inPT andPI,respectively. i i a number of challenges. A common way to run a task Certainsensors–theaccelerometer,gyroscope,mag- foraspecificdurationoftimeinJavaisbyusingatimer netic field, rotation vector and GRV sensors – produce insideathread. Sincethetimerisinitiatedafterthecre- avectorofvaluescomprisingx,yandzcomponents. In ation of a thread, which is a process intense procedure, theseinstances,thevectormagnitude(Eq.6)wasusedas there is no guarantee that the measurement will last for a general-purpose method for producing a single, com- no more than 500ms since the initiation of the transac- binedvaluepriortocomputingtheMAEandcorrelation tion. To overcome this issue, we track the system time coefficient. ontheterminalsidewhenitsendsthefirstmessagetothe deviceandonthemobiledeviceside,whenitreceivesthe 4 Challenges firstmessagefromtheterminal.Aloopensuresthatmea- surements after the 500ms timeframe will not be stored Inthissection,wediscussthechallengesencounteredin andtherecordingwillterminate. implementingthetest-bed,duringdatacollectionandin TheHostApduServiceclasswasusedfortheimple- analysingandevaluatingthecollecteddata. Thediscus- mentationofthemobiledeviceapplication,whichisca- sionisofvaluenotonlytotheacademicexperimentation pableofemulatinganNFCcardonanAndroidhandset, purposesbutforactuallytestingarealdeploymentinthe andisthebasisofimplementingaHostCardEmulation field – based on ambient sensors to provide proximity (HCE)service[4]. HCEwasintroducedonAndroid4.4 detection. (APIlevel19),thereforethehandsetthatactsasthePIin 8 11.5 11.5 11.5 11.0 11.0 11.0 10.5 10.5 2msValues ()(cid:1) 1100..05 2msValues ()(cid:1) 190..50 2msValues ()(cid:1) 190..50 9.5 9.0 9.0 9.0 8.50 100 200 300 400 500 8.50 100 T2i0m0e (millisecon3d0s0) 400 500 8.50 100 T2i0m0e (millisecon3d0s0) 400 500 Time (milliseconds) Card (Continuous) Card (Sampled) Card (Continuous) Card (Sampled) Card (Sampled) Reader (Sampled) Reader (Continuous) Reader (Sampled) Reader (Continuous) Reader (Sampled) (a)StepOne (b)StepTwo (c)StepThree Figure5: LinearInterpolationtoMitigatetheEffectofMissingandInconsistentSamplingRate–AnExamplefrom Accelerometer-basedTransactions theexperimentshouldberunningAndroid4.4orlater. surementdata(i.e.atleastonenearbyWiFiaccesspoint Thedatafromthesensorswasretrievedintimeinter- orBluetoothdevice). ForBluetooth,99%ofthetransac- vals of 10ms. Although the SGS5 mini device was ca- tionscontainedlittleornodatapoints. Asaresult,they pable of collectingdata at a higher frequency (lessthan wereexcludedfromtherestofouranalysis. 1ms), the fastest common value across all our devices was10ms. Table3: TimeRequiredforReceivingResultsfromSen- sors 4.2 DataCollectionChallenges Sensor Averagetime Minimumtime Maximumtime Here, we discuss a selection of challenges faced during Bluetooth 962.7ms 354ms 1960ms thedatacollectionprocess. WiFi 3873.5ms 3795ms 3954ms Although the sampling rate for retrieving sensor val- ueswassetto10ms,weencounteredvarianceinthein- A separate application was built to measure the aver- tervalsthatsensorsreturneddata,aswellasinthegran- agetimerequiredfortheWiFiandBluetoothsensorsto ularity of values provided across different devices. As capturesufficientdata. TheGPSsensor’sspeedandac- mentioned previously, only when there is a significant curacyareverydependentontheenvironmentinwhich change in the values recorded by a sensor are they re- itisbeingtested.Theresultsfor50sensormeasurements turnedtotheapplication[2].Asweareusingarelatively fortheWiFiandtheBluetootharepresentedinTable3. smallsamplingrate(10ms),itispossiblethattherewas no change in the values observed by the sensor, so no 4.3 DataAnalysisChallenges data was returned. Another reason relates to other pro- cesses,servicesanddaemonsrunninginthebackground During the data analysis, we faced a number of chal- that may also be causing slight delays to the frequency lenges. Below is a list of some selected challenges that thatanapplicationisnotifiedaboutsensorchanges.Dur- wehadtoovercome. ing our experiments we ensured these delays were lim- AfteracquiringthedatafromthePTandPI,weused itedbyuninstallingprocessintenseapplicationsanddis- linearinterpolationtomitigatetheeffectofmissingand ablinganybackgroundservices. However,suchprecau- inconsistent samples due to the unwanted variation in tionscannotbeenforcedinareal-world, wide-scalede- samplingrates(steps1and2ofFigure5). ployment by a general mobile application. However, Datasamplingrarelyfinishedat500msprecisely:Fig- a well embedded application into the Android platform ure 6 illustrates that the reader’s final sample occurs at withprocesspriorityandisolationmightavoidit. ≈490ms,whilethecardfinishedat≈460ms. Tocounter Various sensors – WiFi, GPS and Bluetooth – were this, interpolation was performed up to the maximum excludedfromthestudy,sincetheywerenotcapableof timeperiodsharedbybothdevices(460ms)andanysam- returning any useful data in the 500ms timeframe. We plesbeyondthispointwerediscarded. performedaninitiallimitedexperimentinwhichweonly Correlation,however,issensitivetothistypeoftrun- took100transactionspersensorpriortothedatacollec- cation: if relatively extreme values are discarded, such tion phase, and found that 100% of these transactions as the reader’s measurements between 0-100ms in Fig- from WiFi and GPS sensors contained little or no mea- ure6,thencorrelationmaydiffersignificantly. Thus,for 9 230 vide a binary value rather than a real value [1]. In our dataset, both devices reported far for all transactions. 220 Thereasoningforthisisbecausetheproximitysensoris locatedonthefrontofthedeviceandNFCbeingonthe 210 back of the devices. To tab two handset for NFC trans- µT)200 action, you have to touch the backsides of the devices Values (190 wseinthsoeraacshthoethyear,rewlhoiccahteddoaetsthneotfrionntetr.aTchtuwsitbhotphrodxeivmicietys reportingthevaluesas“far”. 180 170 5 AmbientSensorEvaluation 1600 100 200 300 400 500 In this section, we describe our methodology in detail Time (milliseconds) to calculate False Positive Rate (FPR), False Negative Card (Sampled) Reader (Sampled) Rate (FNR) and Equal Error Rate (EER). Furthermore, Figure 6: Example Magnetic Field transaction illustrat- wepresenttheresultsofouranalysisforeachindividual ingdifferingfinishingtimesforthePTandPI sensor. 5.1 CalculatingtheFPR,FNRandEER computingcorrelationweavoidtruncation. Only one measurement was collected at maximum – As discussed in Section 3.1 and 3.4, each transaction, ifanywerecollectedatall–whenanalysingnetworklo- Ti, comprises a set of PTi and PIi measurements (Equa- cationforalltransactions. Sincecorrelationisundefined tion 1). From this data, we compute the MAE(PTi,PIi) for a single point, we calculated only the MAE for this and corr(PTi,PIi) for each successful transaction (col- particularmodality. lective we called them Vi in Equation 2). We calcu- For 43% of gyroscope-based transactions (430 of late the FPR, FNR and EER of each sensor by test- 1000),avalueofzerowasmeasuredfortheentiretrans- ing the MAE and corr of the set of genuine transaction action on the PT and/or PI, indicating that the device pairs6, (PTi,PIi), against the MAE and corr of unau- was not perturbed sufficiently to alter the sensor’s rest- thorised pairs (PTi,PIj) using some threshold, t. Ide- ing value. Correlation is undefined for a single point, ally,Vi(PTi,PIj)<t andVij(PTi,PIj)>t forallpossible so these transactions were discarded for the correlation pairs. analysis. Thisalsosuggeststhatgyroscopesensormight The FPR and FNR are calculated using Equation 7, not be a suitable sensor for mobile based contactless whereFP,FN,TPandTNrepresentthetotalnumberof transactions. FalsePositives,FalseNegatives,TruePositivesandTrue Negativesrespectivelyforagiventhreshold. Ononedevice(SGS5mini),thelightsensorreturned valuesfarmorefrequentlythantheother.WiththeNexus FP FN 5, onlyonelightmeasurementwascapturedonaverage FPR= FNR= (7) FP+TN FN+TP during the 500ms timeframe, while the SGS5 mini col- Toelaborateuponthisfurther,thepseudo-codeforcal- lected 48–50 measurements. Rather than truncating a significant number of measurements, we assumed5 that culationoftheFPRisgiveninListing2: alloftheNexus5valueslayonastraightline,withagra- Listing2: CalculatingFalsePositiveRate dient of zero, and calculated the MAE using this. Note thatcorrelationisundefinedinthiscase. 1 /* Pseudocode to calculate FPR data points */ 2 int t = Tested_Threshold; The proximity sensor on both tested devices (Nexus 3 int maxint = Number_of_Transactions; 5 and SGS5 mini – see Table 4) returned only a binary 4 int FPS = 0; // False positives value, representingnear andfar, ratherthantheprecise 5 int TNS = 0; // True negatives proximityofthedevicetoanobjectincentimetres. The 6 for (int i = 1; i <= maxint; i++) { 7 for (int j = 1; j <= maxint; j++) { Android documentation states that “some” devices pro- 8 if (i != j) { 9 calculateMAE(PTi, Mj); 5OurassumptionisbasedontheAndroidsensorAPIimplementa- 10 if (MAE(PTi, PIj) < t) tionandpotentiallythecapabilityofthelightsensoronNexus5. In 11 FPS++; whichifthesensorvaluedonotchange,theAndroidAPIdonotre- 12 else turnanynewvalues.Forthisreason,weassumedthatforthecomplete durationof500ms,thelightsensorvaluedidn’tchangefromthefirst 6Fromtraildatatobepairsfromdevicethatareinproximitytoeach reportedvalue. other 10