Beware of Pickpockets: A Practical Attack against Blocking Cards

Today, we rely on contactless smart cards to perform several critical operations (e.g., payments and accessing buildings). Attacking smart cards can have severe consequences, such as losing money or leaking sensitive information. Although the security protections embedded in smart cards have evolved over the years, those with weak security properties are still commonly used. Among the different solutions, blocking cards are affordable devices to protect smart cards. These devices are placed close to the smart cards, generating a noisy jamming signal or shielding them. Whereas vendors claim the reliability of their blocking cards, no previous study has ever focused on evaluating their effectiveness. In this paper, we shed light on the security threats on smart cards even in the presence of blocking cards, showing the possibility of being bypassed by an attacker. We analyze blocking cards by inspecting their emitted signal and assessing a vulnerability in their internal design. We propose a novel attack that bypasses the jamming signal emitted by a blocking card and reads the content of the smart card. We evaluate the effectiveness of 14 blocking cards when protecting a MIFARE Ultralight smart card and a MIFARE Classic card. We demonstrate that the protection of the 8 blocking cards among the 14 we evaluate can be successfully bypassed to dump the content of the smart card. Based on this observation, we propose a countermeasure that may lead to the design of effective blocking cards. To assist further security improvement, the tool that we developed to inspect the spectrum emitted by blocking cards and set up our attack is made available in open source.