How to Build a Low-Cost, Extended-Range RFID Skimmer


  1. How to Build a Low-Cost, Extended-Range RFID Skimmer
      Ilan Kirschenbaum & Avishai Wool
      15th USENIX Security Symposium, 2006
      Kishore Padma Raju
  2. OVERVIEW
  3. BACKGROUND
      • RFID uses ISO-14443 standard
          • Increased security
          • Very short range (5-10 cm)
      • Goals
          • Build extended-range RFID skimmer
          • Collects mass info from RFID devices
  4. OUTLINE
      • RFID
      • System design
          • Building
          • Tuning methods
      • Results
      • Conclusions
  5. RFID Technology
      • Many applications
          • Contactless credit-cards
          • National ID cards
          • E-passports
          • Other access cards
      • Very short range
      • Security vulnerabilities
  6. Attacks on RFID
      • Relay attack
  7. Attacks on RFID
      • Relay attack
  8. Attacks on RFID
      • German Hacker
          • PDA and RFID read/write device
          • Changed shampoo prices from $7 to $3
      • Johns Hopkins Univ.
          • Sniffs info from RFID-based car keys
          • Purchased gasoline for free
  9. ISO-14443
      • Proximity card used for identification
          • Very short range (5-10 cm)
          • Embedded microcontroller
          • Magnetic loop antenna (13.56 MHz)
      • Security
          • Cryptographically-signed file format
  10. RFID Skimmer
      • Collect info from RFID tags
          • Signal/query RFID tags
          • Record responses
      • Some uses:
          • Retrieve info from remote car keys
          • Obtain credit card numbers
  11. System Design Goals
      • Low power
      • Low noise
      • Large read range
      • Simple design
      • Cheap
  12. System Design
  13. Part #1 - RFID Reader
      • TI S4100 Multi-Function reader
          • Cost: $60
          • Built in RF power amplifier
          • Sends approx. 200 mW into small antenna
  14. Part #2 - RFID Antenna
      • Antenna range ≈ length
      • 39 cm copper tube loop
      • Antenna inductance ≈ 1 μH
  15. Part #3 - Power amplifier
      • Amplifier interfaced directly to module’s output stage
      • Powered by FET voltage
          • Field-effect transistor
      • Did not match impedances between amp and output
  16. Part #4 - Receiver Buffer
      • Load Modulation Receive Buffer
          • HF reader system
          • Receiver input directly connected to reader’s antenna
      • Attenuate signals before feeding them back to the TI module
          • Avoid potential reader damage
          • Still deliver input signals to receiver
  17. Part #4 - Receiver Buffer
  18. Part #5 - Power supply
      • Powers the large loop antenna
      • Maintain “smooth” DC supply
          • Clean power supply
          • Low ripples (power variance)
          • Improves detection range
  19. SYSTEM BUILDING
      • Copper Tube Loop Antenna
          • Ideal: 40x40 cm
          • Copper-tube
      • Constructed their own
          • Cheaper copper tube, used for cooking gas
          • Pre-made in circular coils
  20. SYSTEM BUILDING
      • Copper-tube loop and PCB antennas
  21. SYSTEM BUILDING
      • RFID Base Board
          • Decon DALO 33 Blue PC Etch pen
          • Protected ink used to draw leads on tablet
  22. SYSTEM BUILDING
      • RFID Base Board and power amp
  23. SYSTEM BUILDING
      • Power Amplifier
          • Based on Melexis application note
          • Input driven from reader output
          • Ideal: high voltage rating capacitors
          • Used cheaper, but low voltage
  24. SYSTEM BUILDING
      • Load Modulation Receive Path Buffer
          • Signals are looped back
          • Buffer needed to hold correct signals
  25. SYSTEM TUNING
      • RF Network Analyzer
          • Measure magnitude and phase of input
      • Measure Voltage Standing Wave Ratio
          • Adjust antenna’s impedance to match amplifier output
      • RF power meter
          • Measures power reception
          • Ideal: measure actual amplification
  26. RESULTS
  27. RESULTS
      • Close to theoretical predictions
  28. CONTRIBUTIONS
      • Built RFID skimmer → validated basic concept of an RFID “Leech”
      • RFID tags can be read from greater distances (25 cm)
      • Halfway towards full implementation of a relay-attack
  29. Strengths
      • Created a portable RFID skimmer
      • Step-by-step instructions
      • Low system cost ($110)
  30. Weaknesses
      • Not developed for large scale production
      • Cheap design = less efficient results
      • Expensive system tuning methods
  31. Improvements
      • Better equipment
      • High rating components
          • More powerful RF test equipment
