Download ppt

How to Build a Low-Cost,
Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th Usenix Security Symposium, 2006
* Presented by Justin Miller on 4/5/07
Overview
Background

RFID uses ISO-14443 standard
Increased security
 Very short range (5-10cm)


Goals
Build extended-range RFID skimmer
 Collects mass info from RFID devices

Outline
RFID
 System design

Building
 Tuning methods

Results
 Conclusions

RFID Technology

Many applications
Contactless credit-cards
 National ID cards
 E-passports
 Other access cards

Very short range
 Security vulnerabilities

Attacks on RFID

Relay Attack
Attacks on RFID

Relay Attack
Attacks on RFID

German Hacker
PDA and RFID read/write device
 Changed shampoo prices from $7 to $3


Johns Hopkins Univ.
Sniffs info from RFID-based car keys
 Purchased gasoline for free

ISO-14443

Proximity card used for identification
Very short range (5-10 cm)
 Embedded microcontroller
 Magnetic loop antenna (13.56 MHz)


Security

Cryptographically-signed file format
RFID Skimmer

Collect info from RFID tags
Signal/query RFID tags close by
 Record responses


Some uses:
Retrieve info from remote car keys
 Obtain credit card numbers

System Design Goals
Low power
 Low noise
 Large read range
 Simple design
 Cheap

System Design
Part #1 - RFID Reader

TI S4100 MultiFunction reader



Cost: $60
Built in RF power
amplifier
Sends approx.
200mW into small
antenna
Part #2 - RFID Antenna
Antenna range ≈ length
 39 cm copper tube loop
 Antenna inductance ≈ 1 μH

Part #3 - Power amplifier

Amplifier interfaced directly
to module’s output stage

Powered by FET voltag


Field-effect transistor
Did not match impedances
between amp and output
Part #4 - Receiver Buffer

Load Modulation Receive Buffer
HF reader system
 Receiver input directly connected to
reader’s antenna


Attenuate signals before feeding them
back to the TI module
Avoid potential reader damage
 Still deliver input signals to receiver

Part #5 - Power Supply
Powers the large loop antenna
 Maintain “smooth” DC supply

Clean power supply
 Low ripples (power variance)
 Improves detection range

System Building

Copper Tube Loop Antenna



Ideal: 40x40 cm
Copper-tube
Constructed their own


Cheaper copper tube, used
for cooking gas
Pre-made in circular coils
System Building

Copper-tube loop and PCB antennas
System Building

RFID Base Board
Decon DALO 33
Blue PC Etch pen
 Protected ink used
to draw leads on
tablet

System Building

RFID Base Board and power amp
System Building

Power Amplifier
Based on Melexis
application note
 Input driven from reader
output
 Ideal: high voltage rating
capacitors
 Used cheaper, but low
voltage

System Building

Load Modulation Receive Path Buffer
Signals are looped back
 Buffer needed to hold correct signals

System Tuning

RF Network Analyzer


Measure Voltage Standing Wave Radio


Measure magnitude and phase of input
Adjust antenna’s impedance to match
amplifier output
RF power meter
Measures power reception
 Ideal: measure actual amplification

Experiment Notes

Power supply affects skimmer mobility


Clean increases RFID detection range
System tuning finds maximal power
transfer between circuits
Results

Increased RFID Scan Ranges

12-V battery


16.9 cm (PCB), 23.2 cm (copper tube)
With power amp

17.3 cm (PCB), 25.2 cm (copper tube)
Results
Results

Close to theoretical predictions
Contributions

Built RFID skimmer  validated basic
concept of an RFID “Leech”

RFID tags can be read from greater
distances (25 cm)

Halfway towards full implementation of a
relay-attack
Strengths

Created a portable, RFID skimmer

Step-by-step instructions

Low system cost ($60)
Weaknesses

Not developed for large scale production

Cheap design = less efficient results

Expensive system tuning methods
Improvements

Better equipment
Use copper-tube loop antenna
 Power amp with higher voltage rating
capacitors
 RF Tuning: measure actual amplification
instead of power


High rating components

More powerful RF test equipment
Questions?

Ask me!