How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th Usenix Security Symposium, 2006
* Presented by Justin Miller on 4/5/07
Overview
Background

RFID uses ISO-14443 standard
Increased security
 Very short range (5-10cm)


Goals
Build extended-range RFID skimmer
 Collects mass info from RFID devices

Outline
RFID
 System design

Building
 Tuning methods

Results
 Conclusions

RFID Technology

Many applications
Contactless credit-cards
 National ID cards
 E-passports
 Other access cards

Very short range
 Security vulnerabilities

Attacks on RFID

Relay Attack
Attacks on RFID

German Hacker
PDA and RFID read/write device
 Changed shampoo prices from $7 to $3


Johns Hopkins Univ.
Sniffs info from RFID-based car keys
 Purchased gasoline for free

ISO-14443

Proximity card used for identification
Very short range (5-10 cm)
 Embedded microcontroller
 Magnetic loop antenna (13.56 MHz)


Security

Cryptographically-signed file format
RFID Skimmer

Collect info from RFID tags
Signal/query RFID tags close by
 Record responses


Some uses:
Retrieve info from remote car keys
 Obtain credit card numbers

System Design Goals
Low power
 Low noise
 Large read range
 Simple design
 Cheap

System Design
Part #1 - RFID Reader

TI S4100 MultiFunction reader
Cost: $60
Built-in RF power amplifier
Sends approx. 200 mW into small antenna
Part #2 - RFID Antenna
Antenna range ≈ length
 39 cm copper tube loop
 Antenna inductance ≈ 1 μH

Part #3 - Power amplifier

Amplifier interfaced directly to module’s output stage
Powered by FET voltage
Field-effect transistor
Did not match impedances between amp and output
Part #4 - Receiver Buffer

Load Modulation Receive Buffer
HF reader system
 Receiver input directly connected to reader’s antenna
Attenuate signals before feeding them back to the TI module
Avoid potential reader damage
 Still deliver input signals to receiver

Part #5 - Power Supply
Powers the large loop antenna
 Maintain “smooth” DC supply

Clean power supply
 Low ripples (power variance)
 Improves detection range

System Building

Copper Tube Loop Antenna



Ideal: 40x40 cm
Copper-tube
Constructed their own


Cheaper copper tube, used for cooking gas
Pre-made in circular coils
System Building

Copper-tube loop and PCB antennas
System Building

RFID Base Board
Decon DALO 33 Blue PC Etch pen
 Protected ink used to draw leads on tablet

System Building

RFID Base Board and power amp
System Building

Power Amplifier
Based on Melexis application note
 Input driven from reader output
 Ideal: high voltage rating capacitors
 Used cheaper, but low voltage

System Building

Load Modulation Receive Path Buffer
Signals are looped back
 Buffer needed to hold correct signals

System Tuning

RF Network Analyzer
Measure Voltage Standing Wave Ratio
Measure magnitude and phase of input
Adjust antenna’s impedance to match amplifier output
RF power meter
Measures power reception
 Ideal: measure actual amplification

Experiment Notes

Power supply affects skimmer mobility
Clean supply increases RFID detection range
System tuning finds maximal power transfer between circuits
Results

Increased RFID Scan Ranges
12-V battery: 16.9 cm (PCB), 23.2 cm (copper tube)
With power amp: 17.3 cm (PCB), 25.2 cm (copper tube)
Results

Close to theoretical predictions
Contributions

Built RFID skimmer, validated basic concept of an RFID “Leech”

RFID tags can be read from greater distances (25 cm)

Halfway towards full implementation of a relay-attack
Strengths

Created a portable, RFID skimmer

Step-by-step instructions

Low system cost ($60)
Weaknesses

Not developed for large scale production

Cheap design = less efficient results

Expensive system tuning methods
Improvements

Better equipment
Use copper-tube loop antenna
 Power amp with higher voltage rating capacitors
 RF Tuning: measure actual amplification instead of power
High rating components
More powerful RF test equipment
Questions?

Ask me!