Active demonstration of a relay attack using a genuine OMNIKEY 5121 RFID reader and an ISO14443-A tag.
A relay attack is a kind of man-in-the-middle attack in which the attacker only forwards the data. It does not have to trick any of the involved parties; it impersonates the genuine device simply by relaying the communication between the originator and the genuine device. The genuine device is replaced by a device emulator. The emulator gathers instructions and transmits (forwards) them to the genuine device; it then gathers the responses from the genuine device and transmits them back to the originator.
Essentially, a relay attack on wireless protocols is very easy to perform. It only requires some hardware to redirect the transmitted signals over the air, and the attacker does not need to understand any higher-level protocol beyond the modulation itself. Most modulation techniques are publicly known, which often makes a relay attack possible with off-the-shelf hardware. For example, the modulation techniques used by NFC tags are specified by the ISO14443/ISO18092 standards.
A very important difficulty during such an attack is the timing delay that the relay adds to each transmission. To prevent relay attacks it can be useful to enforce strict timing constraints and to use distance-bounding protocols.
This tool requires two compatible NFC devices. One will emulate an ISO14443-A tag, while the second will act as an access-control reader. The genuine tag is placed on the second reader and the emulator on top of the original reader. All communication is now relayed and logged to the screen.
Relaying frames over USB can be time-consuming because of all the overhead created by the operating system, and not all readers tolerate the slow responses from the emulator. Luckily, desktop RFID readers like the "Omnikey 5121" ignore slow timing. It is recommended to use one of these devices to explore this advanced feature.
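The two points above, that a relay adds a per-frame delay and that a reader can defend itself by enforcing a strict round-trip budget while a lenient reader such as the OMNIKEY 5121 does not, can be made concrete with a small deterministic model. The following is an added example written for this page; it is not code from libnfc, from the tool described here or from the reader vendor. It models the REQA/ATQA wake-up from ISO14443-A, a genuine tag that answers directly, an emulator that forwards every frame to the genuine tag over a slow link, and a reader that accepts a response only if it arrives within a frame waiting budget. All latency figures (tag response delay, per-hop relay cost, reader budget) are constructed assumptions, as is the sample ATQA value; only the REQA byte comes from the standard.

```python
"""Deterministic model of reader-side timing enforcement against relayed NFC frames.

Added example for illustration; not libnfc or OMNIKEY code. All microsecond
values below are assumptions chosen to make the effect visible.
"""
from dataclasses import dataclass
from typing import List, Tuple

# ISO14443-A wake-up: the reader sends REQA (0x26) and the tag answers with ATQA.
REQA = bytes([0x26])
SAMPLE_ATQA = bytes([0x04, 0x00])  # constructed sample ATQA, not a real tag's value

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


@dataclass
class Exchange:
    """One command/response pair as seen by the reader."""
    command: bytes
    response: bytes
    round_trip_us: float
    accepted: bool


class GenuineTag:
    """Tag answering over the air; delay is an assumed, roughly FDT-sized value."""
    RESPONSE_DELAY_US = 90.0  # assumption

    def transceive(self, cmd: bytes) -> Tuple[bytes, float]:
        if cmd == REQA:
            return SAMPLE_ATQA, self.RESPONSE_DELAY_US
        return b"", self.RESPONSE_DELAY_US


class RelayedTag:
    """Emulator that forwards each frame to a genuine tag and relays the answer.

    hop_us models the USB/OS overhead the text mentions, paid once per
    direction (constructed figure). The log mirrors what the tool prints.
    """

    def __init__(self, genuine: GenuineTag, hop_us: float = 2500.0):
        self.genuine = genuine
        self.hop_us = hop_us
        self.log: List[Tuple[str, bytes]] = []

    def transceive(self, cmd: bytes) -> Tuple[bytes, float]:
        self.log.append(("reader -> emulator -> genuine tag", cmd))
        resp, delay = self.genuine.transceive(cmd)
        self.log.append(("genuine tag -> emulator -> reader", resp))
        return resp, delay + 2 * self.hop_us


class Reader:
    """Reader enforcing a per-frame round-trip budget.

    A budget of infinity models a reader like the OMNIKEY 5121 that, per the
    text, ignores slow timing; a small budget models a strict reader.
    """

    def __init__(self, budget_us: float):
        self.budget_us = budget_us

    def poll(self, tag) -> Exchange:
        resp, rtt = tag.transceive(REQA)
        return Exchange(REQA, resp, rtt, accepted=rtt <= self.budget_us)


def distance_bound_m(budget_us: float) -> float:
    """Maximum one-way distance a pure round-trip timing budget can bound.

    Signals travel at most at light speed, so a budget of t microseconds
    bounds the distance to c * t / 2 (the frame goes out and the reply
    comes back). This shows why sub-millisecond budgets catch processing
    delay (USB, OS) but not physical distance; distance bounding needs
    nanosecond resolution.
    """
    return SPEED_OF_LIGHT_M_PER_S * budget_us * 1e-6 / 2.0


def run_scenarios() -> dict:
    """Poll a genuine and a relayed tag with a strict and a lenient reader."""
    genuine = GenuineTag()
    relayed = RelayedTag(genuine)
    strict = Reader(budget_us=500.0)          # assumption: tight frame waiting time
    lenient = Reader(budget_us=float("inf"))  # models a reader that ignores timing
    return {
        "strict_direct": strict.poll(genuine),
        "strict_relayed": strict.poll(relayed),
        "lenient_relayed": lenient.poll(relayed),
    }


if __name__ == "__main__":
    for name, ex in run_scenarios().items():
        verdict = "accepted" if ex.accepted else "rejected"
        print(f"{name:16s} ATQA={ex.response.hex()} rtt={ex.round_trip_us:.0f} us {verdict}")
    print(f"500 us budget bounds distance to about {distance_bound_m(500.0)/1000:.0f} km")
```

Running the script shows the same ATQA bytes arriving in all three cases: the relayed content is indistinguishable from the genuine one, and only the strict reader's timing check separates them. The distance figure makes the caveat in the text explicit: a microsecond-scale budget rejects the overhead of a USB relay but still admits a relay over kilometres of fast link, which is why the text recommends distance-bounding protocols in addition to timing constraints.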