Your SlideShare is downloading. ×
0
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
How to Build a Low-Cost, Extended-Range RFID Skimmer
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

How to Build a Low-Cost, Extended-Range RFID Skimmer

1,155

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,155
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium,2006 Kishore Padma Raju
  • 2. OVERVIEW
  • 3. BACKGROUND <ul><li>RFID uses ISO-14443 standard </li></ul><ul><ul><li>Increased security </li></ul></ul><ul><ul><li>Very short range (5-10cm) </li></ul></ul><ul><li>Goals </li></ul><ul><ul><li>Build extended-range RFID skimmer </li></ul></ul><ul><ul><li>Collects mass info from RFID devices </li></ul></ul>
  • 4. OUTLINE <ul><li>RFID </li></ul><ul><li>System design </li></ul><ul><ul><li>Building </li></ul></ul><ul><ul><li>Tuning methods </li></ul></ul><ul><li>Results </li></ul><ul><li>Conclusions </li></ul>
  • 5. RFID Technology <ul><li>Many applications </li></ul><ul><ul><li>Contactless credit-cards </li></ul></ul><ul><ul><li>National ID cards </li></ul></ul><ul><ul><li>E-passports </li></ul></ul><ul><ul><li>Other access cards </li></ul></ul><ul><li>Very short range </li></ul><ul><li>Security vulnerabilities </li></ul>
  • 6. Attacks on RFID <ul><li>Relay attack </li></ul>
  • 7. Attacks on RFID <ul><li>Relay attack </li></ul>
  • 8. Attacks on RFID <ul><li>German Hacker </li></ul><ul><ul><li>PDA and RFID read/write device </li></ul></ul><ul><ul><li>Changed shampoo prices from $7 to $3 </li></ul></ul><ul><li>Johns Hopkins Univ. </li></ul><ul><ul><li>Sniffs info from RFID-based car keys </li></ul></ul><ul><ul><li>Purchased gasoline for free </li></ul></ul>
  • 9. ISO-14443 <ul><li>Proximity card used for identification </li></ul><ul><ul><li>Very short range (5-10 cm) </li></ul></ul><ul><ul><li>Embedded microcontroller </li></ul></ul><ul><ul><li>Magnetic loop antenna (13.56 MHz) </li></ul></ul><ul><li>Security </li></ul><ul><ul><li>Cryptographically-signed file format </li></ul></ul>
  • 10. RFID Skimmer <ul><li>Collect info from RFID tags </li></ul><ul><ul><li>Signal/query RFID tags </li></ul></ul><ul><ul><li>Record responses </li></ul></ul><ul><li>Some uses: </li></ul><ul><ul><li>Retrieve info from remote car keys </li></ul></ul><ul><ul><li>Obtain credit card numbers </li></ul></ul>
  • 11. System Design Goals <ul><li>Low power </li></ul><ul><li>Low noise </li></ul><ul><li>Large read range </li></ul><ul><li>Simple design </li></ul><ul><li>Cheap </li></ul>
  • 12. System Design
  • 13. Part #1 - RFID Reader <ul><li>TI S4100 Multi-Function </li></ul><ul><li>reader </li></ul><ul><ul><li>Cost: $60 </li></ul></ul><ul><ul><li>Built in RF power amplifier </li></ul></ul><ul><ul><li>Sends approx. 200mW into small antenna </li></ul></ul>
  • 14. Part #2 - RFID Antenna <ul><li>Antenna range ≈ length </li></ul><ul><li>39 cm copper tube loop </li></ul><ul><li>Antenna inductance ≈ 1 μ H </li></ul>
  • 15. Part #3 - Power amplifier <ul><li>Amplifier interfaced directly to module’s output stage </li></ul><ul><li>Powered by FET voltage </li></ul><ul><ul><li>Field-effect transistor </li></ul></ul><ul><li>Did not match impedances between amp and output </li></ul>
  • 16. Part #4 - Receiver Buffer <ul><li>Load Modulation Receive Buffer </li></ul><ul><ul><li>HF reader system </li></ul></ul><ul><ul><li>Receiver input directly connected to reader’s antenna </li></ul></ul><ul><li>Attenuate signals before feeding them back to the TI module </li></ul><ul><ul><li>Avoid potential reader damage </li></ul></ul><ul><ul><li>Still deliver input signals to receiver </li></ul></ul>
  • 17. Part #4 - Receiver Buffer
  • 18. Part #5 -Power supply <ul><li>Powers the large loop antenna </li></ul><ul><li>Maintain “smooth” DC supply </li></ul><ul><ul><li>Clean power supply </li></ul></ul><ul><ul><li>Low ripples (power variance) </li></ul></ul><ul><ul><li>Improves detection range </li></ul></ul>
  • 19. SYSTEM BUILDING <ul><li>Copper Tube Loop Antenna </li></ul><ul><ul><li>Ideal: 40x40 cm </li></ul></ul><ul><ul><li>Copper-tube </li></ul></ul><ul><li>Constructed their own </li></ul><ul><ul><li>Cheaper copper tube, used for cooking gas </li></ul></ul><ul><ul><li>Pre-made in circular coils </li></ul></ul>
  • 20. SYSTEM BUILDING <ul><li>Copper-tube loop and PCB antennas </li></ul>
  • 21. SYSTEM BUILDING <ul><li>RFID Base Board </li></ul><ul><ul><li>Decon DALO 33 Blue PC Etch pen </li></ul></ul><ul><ul><li>Protected ink used to draw leads on tablet </li></ul></ul>
  • 22. SYSTEM BUILDING <ul><li>RFID Base Board and power amp </li></ul>
  • 23. SYSTEM BUILDING <ul><li>Power Amplifier </li></ul><ul><ul><li>Based on Melexis application note </li></ul></ul><ul><ul><li>Input driven from reader output </li></ul></ul><ul><ul><li>Ideal: high voltage rating capacitors </li></ul></ul><ul><ul><li>Used cheaper, but low voltage </li></ul></ul>
  • 24. SYSTEM BUILDING <ul><li>Load Modulation Receive Path Buffer </li></ul><ul><ul><li>Signals are looped back </li></ul></ul><ul><ul><li>Buffer needed to hold correct signals </li></ul></ul>
  • 25. SYSTEM TUNING <ul><li>RF Network Analyzer </li></ul><ul><ul><li>Measure magnitude and phase of input </li></ul></ul><ul><li>Measure Voltage Standing Wave Radio </li></ul><ul><ul><li>Adjust antenna’s impedance to match amplifier output </li></ul></ul><ul><li>RF power meter </li></ul><ul><ul><li>Measures power reception </li></ul></ul><ul><ul><li>Ideal: measure actual amplification </li></ul></ul>
  • 26. RESULTS
  • 27. RESULTS <ul><li>Close to theoretical predictions </li></ul>
  • 28. CONTRIBUTIONS <ul><li>Built RFID skimmer  validated basic concept of an RFID “Leech” </li></ul><ul><li>RFID tags can be read from greater distances (25 cm) </li></ul><ul><li>Halfway towards full implementation of a relay-attack </li></ul>
  • 29. Strengths <ul><li>Created a portable, RFID skimmer </li></ul><ul><li>Step-by-step instructions </li></ul><ul><li>Low system cost ($110) </li></ul>
  • 30. Weaknesses <ul><li>Not developed for large scale production </li></ul><ul><li>Cheap design = less efficient results </li></ul><ul><li>Expensive system tuning methods </li></ul>
  • 31. Improvements <ul><li>Better equipment </li></ul><ul><li>High rating components </li></ul><ul><ul><li>More powerful RF test equipment </li></ul></ul>

×