Publications and pre-prints I have historically kept on my website and have since been linked to by others. If you are looking for a list of publications refer to my Google Scholar and CityU Scholars Profile links at the top of the page.
Introduction to Industrial Control Networks
B. Galloway and G.P. Hancke. IEEE Communications Surveys and Tutorials, June 2012.
An overview of industrial control/SCADA networks. Preprint
Practical Eavesdropping and Skimming Attacks on High-Frequency RFID Tokens
G.P. Hancke. Journal of Computer Security. Vol 19, Issue 2, pp. 259-288, March 2011.
Some practical results and discussion of related industrial and academic work on eavesdropping and skimming attacks. Preprint
Design of a Secure Distance-Bounding Channel for RFID
G.P. Hancke. Elsevier Journal of Network and Computer Applications. Accepted to be published 2010.
Proof-of-concept implementation of a communication channel suitable for distance-bounding in HF RFID environments. Preprint
Security Challenges for User-Oriented RFID Applications within the 'Internet of Things'
G.P. Hancke, K.Markantonakis and K.E. Mayes. Journal of Internet Technology. Accepted to be published 2010.
Discussion of the role played by RFID in enabling user-oriented applications and the related security issues. Preprint
Confidence in Smart Token Proximity: Relay Attacks Revisited
G.P. Hancke, K.E. Mayes and K.Markantonakis. Elsevier Computers & Security, Vol. 28, Issue 7, pp 615-627. October 2009.
An overview of relay attacks in the smart token environment that discusses attack implementations, implications and possible countermeasures. Preprint
Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones
L. Francis, G.P. Hancke, K.E. Mayes, K. Markantonakis. RFIDSec Asia, November 2012.
Practical NFC Peer-to-Peer Relay Attack using Mobile Phones
L. Francis, G.P. Hancke, K.E. Mayes and K. Markantonakis
Proceedings of RFIDSec 2010, June 2010.
Relay attack on mobile phone handsets using P2P NFC communication. Preprint
Eavesdropping Attacks on High-Frequency RFID Tokens
G.P. Hancke. Presented the 4th Workshop on RFID Security (RFIDSec), July 2008.
An overview/explanatory paper describing practical eavesdropping experiments by myself and other researchers on ISO 14443 and ISO 15693 contactless tokens. Download
Attacks on time-of-flight distance-bounding channels
G.P. Hancke and M.G. Kuhn. Presented at the ACM Conference on Wireless Network Security (WISEC'08), pp 194-202, March 2008.
Practical demonstration of late-commit and clocking attacks at the physical communication layer, which allows an attacker to circumvent distance-bounding measures. Download
Talk given at ACM Wisec 2008 on 2 April 2008 can be found here here
Noisy Carrier Modulation for HF RFID
G.P. Hancke. Proceedings of First International EURASIP Workshop on RFID Technology, pp 63-66, September 2007.
This paper describes how to make the backward communication of HF RFID tokens resistant to eavesdropping. The reader transmits a ''noisy'' carrier onto which the token modulates its reply. It also shows that an attacker can easily distinguish between a token's response and a bit-blocking sequence transmitted by another device. Download
Talk given at RFID 2007 on 25 September 2007 can be found here here
So Near and yet So Far: Distance-Bounding Attacks in Wireless Networks
J. Clulow, G.P. Hancke, M.G. Kuhn and T. Moore, European Workshop on Security and Privacy in Ad-Hoc and Sensor Networks (ESAS), Springer-Verlag LNCS 4357, pp 83-97, July 2006.
A brief review of some secure location protocols, possible attacks on these and the subsequent requirements for implementing distance bounding protocols securely. Download
Practical Attacks on Proximity Identification Systems (Short Paper)
G.P. Hancke, Proceedings of IEEE Symposium on Security and Privacy, pp 328-333, May 2006.
This short paper describes some initial findings on practical attacks that we implemented against "proximity" (ISO 14443 A) type RFID tokens. Focusing mainly on the RF communication interface we discuss the results and implementation of eavesdropping, unauthorized scanning and relay attacks. Described attacks are simple and mostly "proof-of-concept", more work is being done to improve attack methods and extend attacks to other RFID standards. Download
Talk given at IEEE S&P on 24 May 2006 can be found here here
An RFID distance bounding protocol
G.P. Hancke and Markus G. Kuhn. Proceedings of IEEE/CreateNet SecureComm, pp 67-73, September 2005.
Radio-frequency identification tokens, such as contactless smartcards, are vulnerable to relay attacks if they are used for proximity authentication. Cryptographic distance bounding protocols provide a possible countermeasure but schemes require fast time-base and signal acquisition hardware at both ends. We propose a new distance-bounding protocol that is more suited for use in systems with passive low-cost tokens. Download
Talk given at Securecomm on 6 September 2005 can be found here here
A Practical Relay Attack on ISO 14443 Proximity Cards
G.P. Hancke, February 2005.
Authentication protocols in payment or access control systems based on contactless smartcards (or other NFC device) can be circumvented by simply relaying messages between the reader and smartcard. A proxy device is placed within range of the reader and communicates with another device held close to a valid card.The attack is based on the "grand master chess problem" and it is known that identification of physical entities are vulnerable to such real-time attacks. It should therefore be noted that this paper does not introduce a new attack, neither does it claim to be a high-tech, optimal realization. The paper describes a very simple working system, using off-the-shelf modules and standard components available from most electronic stores (Maplin etc). Download