Security Threats to Business Information Systems Using NFC Read/Write Mode

Radio Frequency IDentification (RFID) and related technologies such as Near Field Communication (NFC) are becoming essential in industrial contexts thanks to their ability to perform contactless data exchange, either device-to-device or tag-to-device. One of the three main operation modes of NFC, called read/write mode, makes use of the latter type of interaction. It is extensively used in business information systems that make use of NFC tags to provide the end-user with augmented information in one of several available NFC data exchange formats, such as plain text, simple URLs or enriched URLs. Using a wide variety of physical form factors, NFC-compatible tags (wireless transponders) are currently available in many locations with applications going from smart posters, contactless tokens, tap-and-go payments or transport ticketing to automated device configuration, patient identification at hospitals or inventory management within supply chains. Most of these applications handle sensitive processes or data. This paper proposes a complete security threat model for the read/write operation mode of NFC used in Next Generation Industrial IoT (Nx-IIoT) contexts. This model, based on a well-known methodology, STRIDE, allows developers and users to identify NFC applications vulnerabilities or weaknesses, analyze potential threats, propose risk management strategies, and design mitigation mechanisms to mention only some significant examples.