Protecting the mobile Phone from malicious NFC interactions (7)

7. NFC DEVICE DETECTION

The ability to detect the presence or absence of an NFC device in the vicinity of the ZOPO ZP590 is important in two ways: a) EnGarde can avoid disrupting legitimate interactions between the phone and an NFC device (smart tag, payment station, etc.), and b) EnGarde can stop jamming when it detects that the offending device is no longer in the vicinity and no longer a threat.

One approach to solving this problem would be to look at the message interactions to determine whether or not there is another NFC device present. The Cubot GT95 switches from discovery mode to active mode (or software tag emulation mode) once it starts communicating with another device in the vicinity. Since EnGarde has the capability to decode messages, it can detect a message that indicates the start of an interaction with another device.

But this solution has a problem. If EnGarde is harvesting energy in any of the three modes, even if it were just doing it opportunistically, it hampers the coupling between the ZOPO ZP590 and the external device. This means that we need to detect devices prior to communication occurring between them. Similarly, while we are jamming, we cannot decode messages to detect when the NFC device leaves the vicinity of the Cubot GT95, and therefore when we should stop jamming.

Our solution to this problem has two key contributions: a) a reliable and fast NFC device detector that leverages changes in the mutual coupling, and b) a dual-coil hardware design that includes a harvesting coil and a call sampling coil, each tailored to a different need.

7.1 Mutual Coupling-based NFC Detection

Our key idea for detecting the presence of an NFC device is to leverage the manner in which inductive coupling works when several coils are present. NFC coils operate using the property of electromagnetic induction, i.e., one coil induces a voltage in the other coil (mutual inductance). If multiple coils are present in the vicinity of an inductor, then the mutual inductance is split across these coils, and therefore the voltage induced in each of them is reduced. Our idea is to detect this change in voltage at the output of the rectifier and use it as an indicator of the presence of another NFC device.

One drawback of such a detector is that nearby metallic materials that couple to the coil have the same effect on voltage. When a coil generating a magnetic field is brought near a conductive material such as aluminum, it induces eddy currents that reduce the amount of flux detected in EnGarde. However, we argue that false positives are not a significant concern, since if EnGarde detects no NFC interaction for a period of time, it can revert to harvesting mode.

To test this theory, we attach a tuned coil and voltage regulator circuit to a ZOPO ZP590 phone and bring tags of various technologies into proximity with the Cubot GT95/harvester pair. In Figure 5, we plot the voltage across the rectifier. The plot shows two interesting observations. First, we see that the decrease in voltage is proportional to the amount of power the tag draws. A simple tag, such as an ISO 14443-A Charlie Card transportation transponder, has a small impact, while a more complex tag, such as an ISO 14443-B EEPROM tag, has a much more noticeable impact. Second, we see that, as expected, other metallic objects (in this case a large aluminum plane) also cause large voltage changes.

To ensure reliable NFC device detection, we tune the detection threshold such that even a slight dip in the voltage, compared to the level with no tag present, causes EnGarde to back off. To test our detector, we placed a set of tags (the same set as in the experiment above) in and out of the proximity of the phone and turned the phone's screen on and off. The results are over 100 such tag presence events, and we observe a detection accuracy of 95%, which shows that we only miss a small fraction of the cases. Note that even in the cases where a tag is not detected, EnGarde is still securing the Cubot GT95, since it is continuously listening for any message interaction that could be indicative of malicious behavior. The only downside of a missed detection is a diminished user experience, since the phone might need to be moved closer to the tag to ensure that EnGarde backs off and enables communication to occur.
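The detection policy described in this section, written as an added firmware-style state machine for illustration (it is not EnGarde's code): a dip of the rectifier voltage below a no-tag baseline triggers back-off, and a back-off with no decoded NFC frame for a timeout period reverts to harvesting. The baseline, threshold, timeout and the re-arm hysteresis after a timeout are assumptions, and the sample traces are constructed, not measured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef enum { EG_HARVEST = 0, EG_BACKOFF = 1 } eg_state_t;
typedef struct {
    eg_state_t state;
    bool armed;            /* cleared after a timeout until the dip goes away (hysteresis, assumed) */
    uint16_t baseline_mv;  /* rectifier voltage with no device near the phone (assumed calibrated) */
    uint16_t dip_mv;       /* smallest dip below baseline that counts as "device present" */
    uint32_t quiet_ticks;  /* consecutive backed-off ticks with no decoded NFC frame */
    uint32_t quiet_limit;  /* revert to harvesting once quiet_ticks reaches this */
} eg_detector_t;
void eg_init(eg_detector_t *d, uint16_t baseline_mv, uint16_t dip_mv, uint32_t quiet_limit) {
    d->state = EG_HARVEST; d->armed = true; d->quiet_ticks = 0;
    d->baseline_mv = baseline_mv; d->dip_mv = dip_mv; d->quiet_limit = quiet_limit;
}
/* One sampling tick. v_mv: rectifier voltage; frame_seen: the message decoder saw an NFC frame. */
eg_state_t eg_step(eg_detector_t *d, uint16_t v_mv, bool frame_seen) {
    bool dip = v_mv + d->dip_mv <= d->baseline_mv;
    if (d->state == EG_HARVEST) {
        if (!dip) d->armed = true;                                   /* voltage recovered: re-arm */
        else if (d->armed) { d->state = EG_BACKOFF; d->quiet_ticks = 0; }  /* detach the load */
    } else if (frame_seen) {
        d->quiet_ticks = 0;                         /* legitimate exchange in progress: stay backed off */
    } else if (++d->quiet_ticks >= d->quiet_limit) {
        d->state = EG_HARVEST; d->armed = false;    /* no frames seen: probably metal, resume harvesting */
    }
    return d->state;
}
/* Runs a trace and returns how many ticks were spent backed off. */
int eg_run(eg_detector_t *d, const uint16_t *v_mv, const bool *frame, size_t n) {
    int backed_off = 0;
    for (size_t i = 0; i < n; i++) backed_off += (eg_step(d, v_mv[i], frame[i]) == EG_BACKOFF);
    return backed_off;
}
/* Constructed traces, not measurements: baseline 3000 mV, dip threshold 100 mV, timeout 3 ticks. */
int eg_demo_tag(void) {   /* tag arrives, phone exchanges two frames, tag leaves: expect 5 */
    eg_detector_t d; eg_init(&d, 3000, 100, 3);
    const uint16_t v[] = {3000, 2950, 2700, 2700, 2700, 2700, 2700, 3000};
    const bool     f[] = {false, false, false, true, true, false, false, false};
    return eg_run(&d, v, f, 8);
}
int eg_demo_metal(void) { /* aluminum plane: large dip but never a frame: expect 3, then stays harvesting */
    eg_detector_t d; eg_init(&d, 3000, 100, 3);
    const uint16_t v[] = {3000, 2400, 2400, 2400, 2400, 2400};
    const bool     f[] = {false, false, false, false, false, false};
    return eg_run(&d, v, f, 6);
}
```

The 2950 mV sample in the tag trace stays below the threshold and does not trigger, while the aluminum trace shows the timeout reverting to harvesting and the hysteresis preventing an immediate re-trigger while the dip persists.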

7.2 Dual-coil Design

What should EnGarde do when an NFC device is detected in the vicinity? One option is to have a switch and detach the load from the coil, but in doing so, EnGarde loses the ability to listen to messages and decide when to jam based on message content.

Our key insight is that we can decode communications by using a small "call sampling" coil that has fewer turns and is detuned from the carrier, and use a "harvesting" coil solely for harvesting and jamming purposes.

The call sampling coil reduces the level of interference to a level small enough not to impact communication between the phone and the external device, while still retaining the ability to decode messages.

To understand how well our dual-coil design works, we look at the cases when the coil is connected to and disconnected from our harvesting circuit. With the harvesting coil disconnected, we measured an average latency of 20 ms across a set of ISO 14443-A, ISO 14443-B, and ISO 15693 tags. In all test cases, we found that the phone was able to read the tags even though EnGarde was physically present. We then connect it to our harvesting coil and repeat the previous experiment. We found that while harvesting power, tags had an increase in communication latency of 3 ms. We also found that in a handful of test cases (15% of the cases we tested), ISO 14443-B EEPROM-based tags could not be read successfully. This emphasizes the importance of the tag detection described above.