TRANSCRIPT
How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool, 15th USENIX Security Symposium, 2006
* Presented by Justin Miller on 4/5/07
Overview
Background
* RFID uses the ISO-14443 standard
* Increased security
* Very short range (5-10 cm)
Goals
* Build an extended-range RFID skimmer
* Collect mass info from RFID devices
Outline
* RFID
* System design
* Building
* Tuning methods
* Results
* Conclusions
RFID Technology
* Many applications: contactless credit cards, national ID cards, e-passports, other access cards
* Very short range
* Security vulnerabilities
Attacks on RFID
Relay Attack
Attacks on RFID
* German hacker: PDA and RFID read/write device; changed shampoo prices from $7 to $3
* Johns Hopkins Univ.: sniffed info from RFID-based car keys; purchased gasoline for free
ISO-14443
* Proximity card used for identification
* Very short range (5-10 cm)
* Embedded microcontroller
* Magnetic loop antenna (13.56 MHz)
* Security: cryptographically-signed file format
RFID Skimmer
* Collect info from RFID tags: signal/query RFID tags close by, record responses
* Some uses: retrieve info from remote car keys, obtain credit card numbers
System Design Goals
* Low power
* Low noise
* Large read range
* Simple design
* Cheap
System Design
Part #1 - RFID Reader
* TI S4100 Multi-Function reader
* Cost: $60
* Built-in RF power amplifier
* Sends approx. 200 mW into a small antenna
Part #2 - RFID Antenna
* Antenna range ≈ length
* 39 cm copper tube loop
* Antenna inductance ≈ 1 μH
Part #3 - Power amplifier
* Amplifier interfaced directly to the module's output stage
* Powered by FET (field-effect transistor) voltage
* Did not match impedances between amp and output
Part #4 - Receiver Buffer
* Load modulation receive buffer
* HF reader system: receiver input directly connected to the reader's antenna
* Attenuate signals before feeding them back to the TI module
* Avoid potential reader damage
* Still deliver input signals to the receiver
Part #5 - Power Supply
* Powers the large loop antenna
* Maintain a "smooth" DC supply
* Clean power supply: low ripple (power variance) improves detection range
System Building
Copper Tube Loop Antenna
* Ideal: 40x40 cm copper tube
* Constructed their own: cheaper copper tube, used for cooking gas; pre-made in circular coils
System Building
Copper-tube loop and PCB antennas
System Building
RFID Base Board
* Decon DALO 33 Blue PC Etch pen
* Protected ink used to draw leads on tablet
System Building
RFID Base Board and power amp
System Building
Power Amplifier
* Based on a Melexis application note
* Input driven from reader output
* Ideal: high-voltage-rating capacitors; used cheaper, but low-voltage, ones
System Building
Load Modulation Receive Path Buffer
* Signals are looped back
* Buffer needed to hold correct signals
System Tuning
* RF network analyzer: measure magnitude and phase of input
* Measure voltage standing wave ratio: adjust the antenna's impedance to match the amplifier output
* RF power meter: measures power reception; ideal: measure actual amplification
Experiment Notes
* Power supply affects skimmer mobility
* Clean supply increases RFID detection range
* System tuning finds maximal power transfer between circuits
Results
Increased RFID Scan Ranges
* 12-V battery: 16.9 cm (PCB), 23.2 cm (copper tube)
* With power amp: 17.3 cm (PCB), 25.2 cm (copper tube)
Results
Close to theoretical predictions
Contributions
* Built an RFID skimmer; validated the basic concept of an RFID "leech"
* RFID tags can be read from greater distances (25 cm)
* Halfway towards a full implementation of a relay attack
Strengths
* Created a portable RFID skimmer
* Step-by-step instructions
* Low system cost ($60)
Weaknesses
* Not developed for large-scale production
* Cheap design = less efficient results
* Expensive system tuning methods
Improvements
* Better equipment: use the copper-tube loop antenna; power amp with higher-voltage-rating capacitors
* RF tuning: measure actual amplification instead of power
* High-rating components
* More powerful RF test equipment
Questions?
Ask me!