[web-nfc] Security implications of multiple tags in close proximity (#548)

flaki has just created a new issue for https://github.com/w3c/web-nfc:

== Security implications of multiple tags in close proximity ==
The [Mozilla Standards Position discussion on Web NFC](https://github.com/mozilla/standards-positions/issues/238) has raised the possibility of exploits based on multiple NFC tags in close proximity. Browsing the spec's [threats section](https://w3c.github.io/web-nfc/#threats) I couldn't see these scenarios being explored in depth but it might be worthwhile considering doing so.

One such scenario which could exploit close-proximity multiple tags I'd imagine would be when the  attacker created concealed NFC tags (e.g. transparent stickers) applied over legitimate NFC devices, such as smart posters, in a way that would make these "tag-in-the-middle" malicious NFC tags hardly noticeable. Differentiating between the tags in this scenario (or, at a bare minimum, notifying the user of the presence of multiple tags) would be a desirable feature of user agent implementations.

According to my short chat with @zolkis, detecting and differentiating between multiple "concurrent" NFC reads should be generally possible using data exposed by the underlying NFC stack, but implementations need to be aware of this and in certain cases mitigations may need to be deployed.

My understanding is, that since we are talking about physics & radio technology (and due to how the NFC protocol is constructed) there is always some inherent "uncertainty" in such concurrent cases (as they are not truly concurrent, in most hardware implementations, and are exposed as separate sessions in the software stack).

Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/548 using your GitHub account

Received on Monday, 9 March 2020 17:15:12 UTC