
Page 112                                            Calderoni et al. J Surveill Secur Saf 2020;1:106-18  I  http://dx.doi.org/10.20517/jsss.2019.01






















               Figure 3. The complete communication trace concerning the GetVersion command. UID: unique tag identifier; DF: dedicated file


















               Figure 4. The complete communication trace concerning the commands performed against the capability container file. EF: elementary
               file; SDM: secure dynamic messaging

studied. The complete communication trace is provided in Figure 3. According to the returned data, the tag was produced during the 39th week of 2018 by NXP. The most important information included in the answer is the tag ID: because the tag studied is not configured with the random ID setting, the third response includes the real 7-byte UID. This condition may lead to a privacy breach and will be further discussed in the “Discussion” section.

The next step is the selection of the CC file. The application checks the file settings through the GetFileSettings command and then reads the full file content using the standard ISOReadBinary command. The communication trace involved is provided in Figure 4. The information returned by the GetFileSettings command shows that SDM is not enabled for this file. The CC file has a size of 20:00:00, which means it is composed of 32 bytes, as the value is encoded least significant byte first. Concerning the access rights to the file, the response shows that the E103 file is subject to the 00:E0 access policy. According to NXP specifications, this means that the file is free to read (E), while other operations (write and change file permissions) need to be preceded by authentication with key number 0x00 (the App Master Key). ISOReadBinary asks the tag for 32 bytes from the aforementioned file. The answer states that the CC actually occupies only 23 bytes (00:17). Here, we may see that the file system comprises two more files, named E104 and E105. The first one occupies 256 bytes and may be read and written without any authentication (00:00). Note that this access notation differs from the one returned by the GetFileSettings command, as it is intended to conform to the NFC Forum specifications. The latter file occupies 128 bytes. The access conditions for this file are set to 82:83. These values fall in the proprietary range of the NFC Forum access policies. Specifically, this means that read operations need to be preceded by authentication with application key number 0x02. The same applies to write operations, with key number 0x03.
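
The capability container layout walked through above can be decoded mechanically, which is useful when auditing which files a tag exposes without authentication. The following Python sketch is an added example, not code from the paper: it parses a constructed 32-byte CC built from the values reported in the text (the mapping version, MLe and MLc bytes are assumed), and `parse_cc`, `describe_access` and `open_files` are hypothetical names.

```python
import struct

# Constructed sample: the 32 bytes ISOReadBinary would return, built to match
# the values reported above (CCLEN 00:17, files E104 and E105). The mapping
# version, MLe and MLc bytes are assumed; the tail is zero padding.
CC_SAMPLE = bytes.fromhex(
    "0017" "20" "0100" "00ff"            # CCLEN, version, MLe, MLc
    "0406" "e104" "0100" "00" "00"       # NDEF file control TLV
    "0506" "e105" "0080" "82" "83"       # proprietary file control TLV
) + bytes(9)
TLV_KINDS = {0x04: "NDEF", 0x05: "proprietary"}


def describe_access(value):
    """Map an NFC Forum access condition byte to a readable policy."""
    if value == 0x00:
        return "free"
    if 0x80 <= value <= 0xFE:
        # Proprietary range; low nibble taken as the key number, as in the text.
        return f"auth key 0x{value & 0x0F:02X}"
    return f"other 0x{value:02X}"


def parse_cc(raw):
    """Parse a capability container into its header fields and file entries."""
    if len(raw) < 7:
        raise ValueError("CC header needs 7 bytes")
    # CC fields are big-endian, unlike the LSB-first GetFileSettings values.
    cclen, version, mle, mlc = struct.unpack_from(">HBHH", raw, 0)
    if not 7 <= cclen <= len(raw):
        raise ValueError(f"CCLEN {cclen} does not fit the {len(raw)} bytes read")
    files, pos = [], 7
    while pos < cclen:
        if pos + 2 > cclen or pos + 2 + raw[pos + 1] > cclen:
            raise ValueError("file control TLV runs past CCLEN")
        tag, length = raw[pos], raw[pos + 1]
        if tag in TLV_KINDS and length == 6:
            fid, size, rd, wr = struct.unpack_from(">HHBB", raw, pos + 2)
            files.append({"id": f"{fid:04X}", "kind": TLV_KINDS[tag], "size": size,
                          "read": describe_access(rd), "write": describe_access(wr)})
        pos += 2 + length
    return {"cclen": cclen, "version": version, "mle": mle, "mlc": mlc, "files": files}


def open_files(cc):
    """IDs of files that can be read or written without authentication."""
    return [f["id"] for f in cc["files"] if "free" in (f["read"], f["write"])]
```

On the sample, only E104 is reported as open, matching the 00:00 access conditions described above, while E105 requires keys 0x02 and 0x03.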