Sound-Based System Promises Chipless Phone Payment
CWmike writes "While near-field communication gradually emerges to turn mobile phones into payment devices, startup Naratte is introducing a system it claims can do roughly the same thing without adding a chip to the handset. On Monday, Naratte introduced Zoosh, a technology that lets phones exchange transaction information via inaudible sound waves. As with NFC, the phone user would just put the phone near to a point-of-sale terminal to redeem a coupon or make a purchase. NFC provides short-range radio communication between phones and point-of-sale devices so users can just tap or point their phones at the device to make a purchase. NFC uses specialized chips, which are already built into a few phones such as the Google Nexus S sold by Sprint Nextel, and are expected in more handsets in the future. Zoosh involves software that utilizes the speaker and microphone in a handset to send and receive audio signals with another device, similar to the way early modems exchange data by sending tones through the handsets of desk phones cradled in coupler devices. The company has posted a video that shows how it works. Between this and barcodes (which Starbucks says is working well already, thank you very much), is NFC already irrelevant?"
Doesn't mean replaying it would get you anything, if it's cryptographically sound.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
Has NFC already been reduced to a glorified mag-stripe; but with more options for carriers to get their pound of flesh out of the transaction? If so, then yes, a cheaper way of communicating with the POS arguably threatens its relevance.
However, if that deplorable possibility hasn't come to pass, then this seems like only a partial replacement. With NFC, as with the prior RFID stuff, you get the handy option of having passive, antenna-powered tags that can interact with powered devices. You can also have two powered devices talk to each other, some combination depending on the circumstances. With this audio mechanism, and QR codes, and the like, you have the advantage of using hardware that is already there 'for free' because it has other uses; but your versatility is limited: The audio-based system, unless some very clever and likely not cheap piezo/MEMS system were to be hacked together, will only work between two powered devices. QR codes are tolerant of unpowered tags, indeed their tags are cheaper than RFID ones; but you are restricted to dumb tags only. No challenge/response authentication or anything unless two devices with screens and cameras are flashing QR codes at each other as a crude form of two-way communications interface, in which case both of the devices have to be fairly sophisticated and powered.
But I bet a microphone could still pick it up..
I don't know... might work better than radio waves - the attenuation of RF in air might not beat the attenuation of sound waves. The higher the frequency, the higher the attenuation of the ultrasound in air (dry air: 0.6 dB/m at 50 kHz, 1.8 dB/m at 100 kHz). Add some directional elements, use a small emitting power and what's not in direct line of emission might be drowned by noise at a distance of 0.1-1m.
And, on a side note, this is oddly reminiscent of Phreaking
Hmmm... yes, but I think in this case the danger will come from rogue bats flying around that pay terminal (hold your fire, it's just a lame joke).
Questions raise, answers kill. Raise questions to stay alive.
No. Sound is not so linear as that. You cannot take a chart that says sound is attenuated by 1800dB at 1km and simply divide by 1000 to get the attenuation at 1m.
Remember inverse-square law: Check it out. (And more here.)
All that aside: The simplified rule of thumb for sound at audible frequencies, for a spherical waveform (such as that emitted by a phone), is that sound falls off at a rate of 6dB for each doubling of distance.
So, if you're making noise that measures 80dB@10cm, you get the following results at these increasing distances:
74dB@20cm
68dB@40cm
62dB@80cm
etc.
And we only care about frequencies in the audible range, despite the implication in TFS, or it will be completely unable to work with existing phones (which is the main point of the thing to begin with). To wit: Combine Nyquist theory with the shitty analog electronics and 48KHz (at best!) ADC/DAC in a phone, and the resultant system must be either audible to a sufficiently-close non-damaged human ear, or else be completely non-functional.
So, there's no point in even discussing how well the thing might behave at 50 or 100KHz, because that's never going to work with existing phones.
And the whole argument is moot, anyway: The transport layer for this sort of payment system, whether RFID or barcodes or acoustic signalling or Bluetooth or avian carrier, will be recordable by a sufficiently-motivated and clever person. It therefore must have strong security (whether cryptographic or otherwise), or it will fail and be exploited. And if it does have strong security, it doesn't matter if it's recordable or not, since any recovered data will be useless to the eavesdropping party.
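An added example, not part of the thread and not Zoosh's actual protocol: a minimal challenge-response exchange showing why a recorded transmission is useless to an eavesdropper when each response is bound to a fresh, single-use terminal nonce. The shared symmetric key, the class names and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, nonce: bytes, amount_cents: int) -> bytes:
    # The MAC covers both the terminal's nonce and the amount being paid.
    msg = nonce + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Terminal:
    """Hypothetical point-of-sale side: issues nonces, verifies responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, amount_cents: int, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False                 # unknown or already-used nonce
        self._pending.discard(nonce)     # single use, even on failure
        expected = _tag(self._key, nonce, amount_cents)
        return hmac.compare_digest(expected, tag)


class Phone:
    """Hypothetical handset side: answers a challenge with a MAC."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, amount_cents: int) -> bytes:
        return _tag(self._key, nonce, amount_cents)


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed sample key
    terminal, phone = Terminal(key), Phone(key)
    n1 = terminal.challenge()
    recorded = (n1, 499, phone.respond(n1, 499))  # what a microphone captures
    results = {"legit": terminal.verify(*recorded)}
    results["replay_same_nonce"] = terminal.verify(*recorded)
    n2 = terminal.challenge()
    results["replay_fresh_nonce"] = terminal.verify(n2, 499, recorded[2])
    n3 = terminal.challenge()
    results["tampered_amount"] = terminal.verify(n3, 1, phone.respond(n3, 499))
    return results
```

Only the first verification succeeds; the recording fails both against its own spent nonce and against a new one, which is the property the transport (sound, RF or barcode) cannot provide on its own.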