How to Build a Low-Cost, Extended-Range RFID Skimmer
Presentation Transcript

  • How to Build a Low-Cost, Extended-Range RFID Skimmer; Ilan Kirschenbaum & Avishai Wool; 15th USENIX Security Symposium, 2006; Kishore Padma Raju
  • OVERVIEW
  • BACKGROUND
    • RFID uses ISO-14443 standard
      • Increased security
      • Very short range (5-10cm)
    • Goals
      • Build extended-range RFID skimmer
      • Collects mass info from RFID devices
  • OUTLINE
    • RFID
    • System design
      • Building
      • Tuning methods
    • Results
    • Conclusions
  • RFID Technology
    • Many applications
      • Contactless credit-cards
      • National ID cards
      • E-passports
      • Other access cards
    • Very short range
    • Security vulnerabilities
  • Attacks on RFID
    • Relay attack
  • Attacks on RFID
    • German Hacker
      • PDA and RFID read/write device
      • Changed shampoo prices from $7 to $3
    • Johns Hopkins Univ.
      • Sniffs info from RFID-based car keys
      • Purchased gasoline for free
  • ISO-14443
    • Proximity card used for identification
      • Very short range (5-10 cm)
      • Embedded microcontroller
      • Magnetic loop antenna (13.56 MHz)
    • Security
      • Cryptographically-signed file format
  • RFID Skimmer
    • Collect info from RFID tags
      • Signal/query RFID tags
      • Record responses
    • Some uses:
      • Retrieve info from remote car keys
      • Obtain credit card numbers
  • System Design Goals
    • Low power
    • Low noise
    • Large read range
    • Simple design
    • Cheap
  • System Design
  • Part #1 - RFID Reader
    • TI S4100 Multi-Function reader
      • Cost: $60
      • Built in RF power amplifier
      • Sends approx. 200mW into small antenna
  • Part #2 - RFID Antenna
    • Antenna range ≈ length
    • 39 cm copper tube loop
    • Antenna inductance ≈ 1 μH
  • Part #3 - Power amplifier
    • Amplifier interfaced directly to module’s output stage
    • Powered by FET voltage
      • Field-effect transistor
    • Did not match impedances between amp and output
  • Part #4 - Receiver Buffer
    • Load Modulation Receive Buffer
      • HF reader system
      • Receiver input directly connected to reader’s antenna
    • Attenuate signals before feeding them back to the TI module
      • Avoid potential reader damage
      • Still deliver input signals to receiver
  • Part #5 - Power supply
    • Powers the large loop antenna
    • Maintain “smooth” DC supply
      • Clean power supply
      • Low ripples (power variance)
      • Improves detection range
  • SYSTEM BUILDING
    • Copper Tube Loop Antenna
      • Ideal: 40x40 cm
      • Copper-tube
    • Constructed their own
      • Cheaper copper tube, used for cooking gas
      • Pre-made in circular coils
  • SYSTEM BUILDING
    • Copper-tube loop and PCB antennas
  • SYSTEM BUILDING
    • RFID Base Board
      • Decon DALO 33 Blue PC Etch pen
      • Protected ink used to draw leads on tablet
  • SYSTEM BUILDING
    • RFID Base Board and power amp
  • SYSTEM BUILDING
    • Power Amplifier
      • Based on Melexis application note
      • Input driven from reader output
      • Ideal: high voltage rating capacitors
      • Used cheaper, but low voltage
  • SYSTEM BUILDING
    • Load Modulation Receive Path Buffer
      • Signals are looped back
      • Buffer needed to hold correct signals
  • SYSTEM TUNING
    • RF Network Analyzer
      • Measure magnitude and phase of input
    • Measure Voltage Standing Wave Ratio
      • Adjust antenna’s impedance to match amplifier output
    • RF power meter
      • Measures power reception
      • Ideal: measure actual amplification
  • RESULTS
    • Close to theoretical predictions
  • CONTRIBUTIONS
    • Built RFID skimmer → validated basic concept of an RFID “Leech”
    • RFID tags can be read from greater distances (25 cm)
    • Halfway towards full implementation of a relay-attack
  • Strengths
    • Created a portable, RFID skimmer
    • Step-by-step instructions
    • Low system cost ($110)
  • Weaknesses
    • Not developed for large scale production
    • Cheap design = less efficient results
    • Expensive system tuning methods
  • Improvements
    • Better equipment
    • High rating components
      • More powerful RF test equipment