By applying stricter delay times in all of its card readers, Nedap significantly reduces chances of possible relay attacks

NFC-enabled credit cards have received much attention because of their vulnerability to relay attacks. Widely used NXP DESFire EV1 cards use the same technology and are also vulnerable to relay attacks, which has raised concern in the access control market. A relay attack fraudulently extends the distance between smart card and card reader, enabling, for example, unauthorised access to buildings. Research carried out by the Dutch knowledge institute TNO has proved that Nedap’s security platform AEOS maximises resistance to relay attacks.

Applied stricter delay times

It has been known for some time that so-called proximity communication - as described in the ISO/IEC 14443 protocol - is vulnerable to relay attacks. It only requires two smartphones with built-in NFC technology to extend the distance between card and reader without restrictions. Extending this communication distance, however, creates a delay. By applying much stricter delay times in all of its card readers than is prescribed by the ISO/IEC 14443 protocol, Nedap significantly reduces the chances of possible relay attacks.

As in 2009, when Nedap was the first manufacturer to respond to the possible security risks of the Mifare Classic chip, Nedap has moved quickly to give its clients the best protection. In response to the TNO research, Nedap has reduced the delay times of its card readers even further, without having to make concessions to user-friendliness. Because AEOS can provide card readers with new firmware remotely, clients can now get better protection against relay attacks at the press of a button.

Proximity check

To reduce the chance of relay attacks, NXP applies a check between card and reader in its Mifare Plus X technology to determine whether the card is actually in the proximity of the reader. The successor to the much-used DESFire EV1 chip, the DESFire EV2 chip, is also expected to have this built-in proximity check. Until this card is launched, however, it is the responsibility of users to map out the security risks together with their suppliers. Manufacturers therefore face the task of developing solutions to minimise the risks.
