Eavesdropping on smartphone 13.56MHz NFC polling during screen wake-up/unlock
54 comments
April 6, 2025 · niemandhier
0xbadcafebee
Oh, right. Ukraine is still at war. We don't hear about it on the news over here in the civilized democratized developed modern advanced West anymore, so I just figured it was over. But turns out it's still going on, and has been for 11 years, 1 month, 1 week, and 5 days. The actual invasion of Ukraine has been ongoing for 3 years, 1 month and 2 weeks.
If you want to help:
- I want to donate to the Ukrainian people in the most effective way but there are so many options. What is needed most and where? [1]
- 5 ways you can support Ukraine — even if your government doesn't want to [2]
- United Help Ukraine [3]
- Ukraine - Fact Sheet: How You Can Help [4] (Yes, even the god damn CIA cough I mean state department wants you to help)
- How You Can Help Ukraine [5]
- How you can help the people of Ukraine [6]
- Support Ukraine [7]
- How can I help Ukraine? [8]
- No child should face the war experience alone [9]
- Nova Ukraine [10]
- One in five children in Ukraine has lost a relative or friend since the escalation of war three years ago [11]
- UKRAINE HUMANITARIAN CRISIS: Help with critical aid — Give now [12]
- International Medical Corps Ukraine [13]
- Chefs for Ukraine [14]
- Doctors without Borders [15]
- International Rescue Committee [16]
- Greater Good Charities [17]
- Catholic Relief Services [18]
[1] https://www.reddit.com/r/ukraine/comments/1eqnmbf/i_want_to_...
[2] https://kyivindependent.com/5-ways-you-can-support-ukraine-e...
[3] https://unitedhelpukraine.org/
[4] https://travel.state.gov/content/travel/en/News/Intercountry...
[5] https://www.huri.harvard.edu/how-you-can-help-ukraine
[6] https://www.obama.org/stories/help-ukraine/
[7] https://war.ukraine.ua/support-ukraine/
[8] https://www.rescue.org/article/how-can-i-help-ukraine
[9] https://voices.org.ua/en
[10] https://novaukraine.org/
[11] https://www.unicef.org.uk/press-releases/one-in-five-childre...
[12] https://my.care.org/site/Donation2;jsessionid=00000000.app30...
[13] https://internationalmedicalcorps.org.uk/country/ukraine/
[14] https://wck.org/relief/activation-chefs-for-ukraine
[15] https://donate.doctorswithoutborders.org/secure/monthly-an?m...
[16] https://help.rescue.org/donate/ukraine-acq?ms=gs_ppc_fy25_uk...
[17] https://greatergood.org/crisis-in-ukraine-send-aid-now?utm_s...
[18] https://support.crs.org/donate/donate-ukraine?ms=agigoo0922u...
agubelu
> We don't hear about it on the news over here in the civilized democratized developed modern advanced West anymore, so I just figured it was over.
Maybe not in the US. But the invasion of Ukraine is still very much present in most of Europe and it's a driving factor of recent public policies.
Cthulhu_
At the moment a lot of Ukraine coverage is drowned out by Trump's daily bullshit onslaught though, just like 2016-2020.
rolandog
Great idea! Also, we can vote with our Euros and kill two birds with one stone [0], [1].
[0]: https://www.goeuropean.org/product-details/unixhost-web-host...
yapyap
what the hell are you talking about? I hear plenty of it in my civilized western country, you might just be tuning into the wrong news channels
spongebobstoes
This is surprising and cool. What's the explanation for why there are NFC transmissions on unlock or wake?
roboror
To look for NFC stuff like payment or tickets etc.
lxgr
iOS is constantly scanning for NFC tags containing URLs etc., which requires emitting enough field power to allow the tag to indicate its presence.
Apple Pay itself uses card emulation mode, and as such the phone only needs to (passively) listen for a payment terminal's field; that should itself not be detectable without emitting such a field.
bestham
Is it really true that the phone must be passively listening? The field of the payment terminal will induce current in the NFC-coil and that should be able to wake the phone as necessary.
lxgr
That's a common way of doing it, but Apple devices actively amplify the signal in card emulation mode as well, which gives them longer range than physical cards or "purely passive" devices.
But it also means they can't do the neat trick of paying with a completely dead (i.e. not even reserve battery power) phone that some early Android and Windows Phone devices could do.
boznz
Bluetooth already broadcasts and has a UID; I have used this a few times in books as a plot outline to identify an antagonist, and I now wonder if NFC has a similar UID. It would be interesting to decode the data and see.
capitainenemo
Article notes this impacts soldiers (or I suppose others trying to be stealthy) who would have turned off bluetooth and wifi.
pajko
If the transmission contains some identifying information and can be used for coarse triangulation to decide if a specific phone is in a specific building - well, that's pretty bad.
Can be harmful even without identifying information in situations where it's enough to decide if some building is occupied or not.
ghostly_s
They mention Android for this risk factor specifically. Does Android not have an "airplane mode" equivalent? I would assume it disables NFC also on iOS, but I guess I don't know; there is no mention of NFC on Apple's support page.
c10ned
I’m the author. Let me clarify, as that was indeed worded rather vaguely in my post—I forgot to mention why exactly Android is at risk.
On the Pixel 7, Airplane mode absolutely did not disable those frequency spikes upon screen unlock. Only disabling NFC through the dedicated setting in the phone’s parameters did (Settings > Connected devices > Connection Preferences > NFC). This theoretically puts Android users at greater risk, since on iOS, Airplane mode does disable those polling signals.
It’s easy to see how an average user might assume they’ve gone completely dark by enabling Airplane mode on an Android device—when in fact, they haven’t.
I’ll update the original post with this information, and thank you for pointing it out.
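The author's finding above (Airplane mode leaving NFC polling on, the dedicated NFC setting turning it off) is something you can verify on your own device with an SDR tuned to 13.56 MHz and a simple power-over-time trace. The following is an added example, not code from the original post or from any tool the thread mentions: a small burst detector that takes (time, power) samples, estimates the noise floor, and groups above-threshold samples into bursts, so a capture taken with Airplane mode on can be compared with one taken with NFC disabled. The trace format, the 10 dB margin, the 5 ms gap, and all sample data are assumptions constructed for the example.

```python
"""Added example (not from the thread): burst detection on a 13.56 MHz
power-vs-time trace, to audit your own device's NFC polling under
different settings. All sample data below is constructed."""
from statistics import median
from typing import List, Optional, Tuple

Sample = Tuple[float, float]          # (time_s, power_dB)
Burst = Tuple[float, float, float]    # (start_s, end_s, peak_dB)


def detect_bursts(samples: List[Sample], margin_db: float = 10.0,
                  min_gap_s: float = 0.005) -> List[Burst]:
    """Group samples above (noise floor + margin) into bursts.

    The noise floor is the median power, which is robust to short bursts.
    Above-threshold samples closer together than min_gap_s (an assumed
    value) are merged into a single burst.
    """
    if not samples:
        return []
    floor = median(p for _, p in samples)
    thresh = floor + margin_db
    bursts: List[Burst] = []
    cur: Optional[List[float]] = None  # [start, end, peak] of the open burst
    for t, p in samples:
        if p < thresh:
            continue
        if cur is not None and t - cur[1] <= min_gap_s:
            cur[1] = t
            cur[2] = max(cur[2], p)
        else:
            if cur is not None:
                bursts.append((cur[0], cur[1], cur[2]))
            cur = [t, t, p]
    if cur is not None:
        bursts.append((cur[0], cur[1], cur[2]))
    return bursts


def make_trace(burst_starts_ms: List[int], duration_ms: int = 2000,
               floor_db: float = -80.0, burst_db: float = -40.0,
               burst_len_ms: int = 3) -> List[Sample]:
    """Constructed 1 kHz trace: flat noise floor plus short bursts.

    Stands in for what a real SDR capture would give after squaring the
    samples in a narrow band around 13.56 MHz.
    """
    trace: List[Sample] = []
    for i in range(duration_ms):
        p = floor_db
        for start in burst_starts_ms:
            if start <= i < start + burst_len_ms:
                p = burst_db
        trace.append((i / 1000.0, p))
    return trace


def summarize(trace: List[Sample]) -> dict:
    """Count bursts and report the mean spacing between burst starts."""
    bursts = detect_bursts(trace)
    gaps = [bursts[i + 1][0] - bursts[i][0] for i in range(len(bursts) - 1)]
    return {
        "bursts": len(bursts),
        "polling": len(bursts) > 0,
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    # Constructed captures: one where the device still polls (three
    # pings 100 ms apart after an unlock), one where nothing is emitted.
    airplane_mode = make_trace([500, 600, 700])
    nfc_disabled = make_trace([])
    print("airplane mode :", summarize(airplane_mode))
    print("NFC disabled  :", summarize(nfc_disabled))
```

To use it on a real capture, replace `make_trace` with samples read from your SDR software's power-over-time export for the 13.56 MHz channel; the detector itself does not care where the trace came from. Repeat the unlock a few times per setting so that a single missed burst does not decide the result.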
schaum
Android has an airplane mode. Once airplane mode is enabled you can enable Bluetooth again and airplane mode stays on, so just no mobile data. The same is true for WiFi.
NFC however isn't touched by the airplane mode
...At least it was like that on the android phones I owned
lxgr
"Classic" Bluetooth does not broadcast a detectable ID except if the device is explicitly in "pairing mode". It can be inferred when observing a connection establishment between two paired devices, or probed for if known (i.e. you can confirm that one of a few candidate devices is nearby, if you know their addresses), but not passively sniffed, as far as I know.
Bluetooth LE does explicitly broadcast its MAC address in some modes, but offers various forms of private or random address modes to mitigate the problem.
autoexec
there are passive ways to track cell phones using bluetooth:
https://www.theregister.com/2021/10/22/bluetooth_tracking_de...
https://cec.gmu.edu/news/2025-02/find-my-hacker-how-apples-n...
lxgr
The second attack you linked is yet another completely different threat model. It requires running malicious software on the device to be tracked. From the paper:
> The Trojan code runs on the computer to be tracked. It retrieves the advertising address, acquires the matching public key from our server, and then advertises lost messages
That's about as active as it gets! The first one describes radio fingerprinting, which is relatively new, concerning, and might be tricky to address.
jsheard
Don't they randomize their broadcast ID? I know both Android and iOS scramble the WiFi MAC address by default, it would be odd if they didn't take the same precaution with Bluetooth.
csdvrx
The randomization doesn't matter: you can very easily link the addresses if you have a few datapoints, even if it's just the time you observed the addresses: the basic method is discussed in https://inria.hal.science/hal-03045555/document
See https://inria.hal.science/hal-02394629v1 for the theoretical bases then hop to https://samteplov.com/uploads/shmoocon20/slides.pdf for an example applying to Apple devices
Those who said the randomization and other techniques were sufficient were wrong: https://petsymposium.org/popets/2020/popets-2020-0003.pdf will show you how they changed their mind :)
It's not just apple: google nearby has also been reversed: https://publications.cispa.saarland/2748/ and https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd... talks about attacks, but there's no need for that: just find identifiers that let you link the addresses
Even if you don't have any identifiers, the Bluetooth address randomization happens only about every 15 minutes: the manufacturer specific data in the public advertisement (or even the frequency and the length of these advertisements) during these 15 minutes periods can be used for linking the randomized addresses
lxgr
That attack requires continuously monitoring a given device or area though, right?
In other words, you could possibly track a given device through an area with enough sensors, e.g. a store, but not across visits.
AStonesThrow
Google has lately been far overstepping their utility with “security measures” which I definitely don’t need and often make everything more annoying and difficult.
Ex: blocking 3rd party cookies always now. Breaks countless websites which I need to work reliably. “Manage unused website/app’s permissions” even after I specifically granted them! Randomized virtual credit card numbers in Wallet: for no good reason, you thoroughly fucked up a refund attempt for me, >$500! And randomized MAC addresses by default for EVERY. SINGLE. SSID. It’s unhinged. It’s fake protection.
As a matter of fact, I do not enjoy my devices lying to my ISP, or to my college campus, my medical clinic, or to my employers. Device, please identify yourself without wearing a fuckin’ Groucho mask on top, and put on your big boy pants.
HeatrayEnjoyer
Never thought I'd hear someone complain Google takes privacy too seriously.
boznz
Sci-Fi books and it was a sentient AI, I can do anything I want in that situation :-)
jillyboel
NFC uid is also randomized
dzhiurgis
Does it do it in Lockdown Mode too?
c10ned
Yes. I've just tested that. Lockdown mode doesn't disable NFC polling.
nubinetwork
Last time I checked, NFC has a range of 3 centimeters...
Edit: can't reproduce this with my android phone, sitting 6ft away from my SDR.
c10ned
Check your software SDR gain, use higher sampling rates and make sure NFC is enabled.
Otherwise, there might be some other nuances I'm not yet aware of, such as some phones not polling on unlock. I did test iPhone 15 Pro and Pixel 7 for the initial POC. Others tested modern Samsungs/Xiaomis; worked like a charm.
babuloseo
Can we use this to find people stuck in Earthquake rubble?
ghostly_s
Are they checking their phones?
areyourllySorry
The N in NFC stands for near. Won't help under layers of concrete.
voidUpdate
TFA talks about detecting phones through load-bearing walls over 15-20 meters, and how the lower frequency penetrates surprisingly well. You can't necessarily pull the actual data off it, but you can see that there is a signal
drag0s
one of the things I miss in iOS coming from Android is to be able to easily disable NFC or location :/
byry
From article: "Then, when the screen turns off again (either manually or via timeout), another signal is sent, just 1 ping this time."
Nice.
yapyap
Very interesting!
sparker72678
> tracking occupancy patterns, correlating signal presence with known devices, identifying sleep cycles
Wait til you find out about Wifi and GSM!
capitainenemo
From the article. "A great part of discussion in comments on the original thread I've made was about soldiers on the battlefield and a heavy usage of devices close to the line of contact. Android users might turn off Wi-Fi and Bluetooth and even remove their SIM card, thinking they’ve minimized their radio footprint. But NFC often remains active by default — and since most people assume it only matters within arm’s reach, they don’t bother disabling it."
1659447091
> soldiers on the battlefield and a heavy usage of devices close to the line of contact. Android users might turn off Wi-Fi and Bluetooth and even remove their SIM card
I would think a faraday bag would be far more efficient for this - should take care of the NFC issue too
reginald78
I'm assuming they're still using the phone in some capacity in (what they thought) was offline mode. What they really need are phones with hardware switches for all radios, which of course almost don't even exist as a product. If a faraday bag worked for them they'd probably be better off just removing the battery altogether when they don't need the phone (removable batteries also aren't that common anymore).
It speaks to how terribly fit for purpose mobile devices are for soldiers in an active modern battlefield. Not only do they require discipline and technology training to prevent leaking positions, but most of them actually lack the capability to prevent leaking altogether no matter how trained you are.
xyst
Time to start lining the walls with lead to block signal leak. New building code, when?
babuloseo
You know, it's interesting to know that the people that are in ICE are not smart/competent enough to make use of these things to detect people, and I don't think anything is going to change in the next 3-4 years. It's actually bizarre.
reaperman
TSA (more accurately, CBP; more generally, DHS) contract out the hard engineering to Cellebrite and NSO Group. Those companies develop a dumb-proof box. The CBP agents at the border take the phones, plug them into the box, press a few buttons, and that’s it.
No one in the TSA/CBP/ICE/DHS needs to be smart for this, that’s the job of private engineering firms/contractors.
That man is doing NFC spectrum analysis during an air raid.
I hope to someday acquire this amount of focus and dedication.