How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15th Usenix Security Symposium, 2006 * Presented by Justin Miller on 4/5/07
Background • RFID uses ISO-14443 standard • Increased security • Very short range (5-10cm) • Goals • Build extended-range RFID skimmer • Collects mass info from RFID devices
Outline • RFID • System design • Building • Tuning methods • Results • Conclusions
RFID Technology • Many applications • Contactless credit-cards • National ID cards • E-passports • Other access cards • Very short range • Security vulnerabilities
Attacks on RFID • Relay Attack
Attacks on RFID • German Hacker • PDA and RFID read/write device • Changed shampoo prices from $7 to $3 • Johns Hopkins Univ. • Sniffs info from RFID-based car keys • Purchased gasoline for free
ISO-14443 • Proximity card used for identification • Very short range (5-10 cm) • Embedded microcontroller • Magnetic loop antenna (13.56 MHz) • Security • Cryptographically-signed file format
RFID Skimmer • Collect info from RFID tags • Signal/query RFID tags close by • Record responses • Some uses: • Retrieve info from remote car keys • Obtain credit card numbers
System Design Goals • Low power • Low noise • Large read range • Simple design • Cheap
Part #1 - RFID Reader • TI S4100 Multi-Function reader • Cost: $60 • Built-in RF power amplifier • Sends approx. 200 mW into small antenna
Part #2 - RFID Antenna • Antenna range ≈ length • 39 cm copper tube loop • Antenna inductance ≈ 1 μH
Part #3 - Power amplifier • Amplifier interfaced directly to module's output stage • Powered by FET voltage • Field-effect transistor • Did not match impedances between amp and output
Part #4 - Receiver Buffer • Load Modulation Receive Buffer • HF reader system • Receiver input directly connected to reader’s antenna • Attenuate signals before feeding them back to the TI module • Avoid potential reader damage • Still deliver input signals to receiver
Part #5 - Power Supply • Powers the large loop antenna • Maintain “smooth” DC supply • Clean power supply • Low ripples (power variance) • Improves detection range
System Building • Copper Tube Loop Antenna • Ideal: 40x40 cm • Copper-tube • Constructed their own • Cheaper copper tube, used for cooking gas • Pre-made in circular coils
System Building • Copper-tube loop and PCB antennas
System Building • RFID Base Board • Decon DALO 33 Blue PC Etch pen • Protected ink used to draw leads on tablet
System Building • RFID Base Board and power amp
System Building • Power Amplifier • Based on Melexis application note • Input driven from reader output • Ideal: high voltage rating capacitors • Used cheaper, but low voltage
System Building • Load Modulation Receive Path Buffer • Signals are looped back • Buffer needed to hold correct signals
System Tuning • RF Network Analyzer • Measure magnitude and phase of input • Measure Voltage Standing Wave Ratio (VSWR) • Adjust antenna's impedance to match amplifier output • RF power meter • Measures power reception • Ideal: measure actual amplification
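The two numbers behind the antenna and tuning slides are the resonant capacitor for a 1 μH loop at the 13.56 MHz ISO-14443 carrier, and the VSWR the network analyzer reports when the antenna's impedance is not matched to the amplifier output. The following Python is an added worked example, not code from the paper or the presentation: it assumes a 50 Ω reference impedance, a simple series R + jωL lumped model of the loop, and a constructed list of candidate capacitor values; the function names are mine.

```python
import math

F_CARRIER_HZ = 13.56e6   # ISO-14443 carrier frequency (from the slides)
Z0_OHMS = 50.0           # assumed reference impedance of the amplifier/analyzer port


def resonant_capacitance(inductance_h: float, freq_hz: float = F_CARRIER_HZ) -> float:
    """Capacitor that resonates with the loop at freq_hz.

    Resonance condition 2*pi*f = 1/sqrt(L*C)  =>  C = 1 / ((2*pi*f)^2 * L).
    """
    omega = 2 * math.pi * freq_hz
    return 1.0 / (omega ** 2 * inductance_h)


def reflection_coefficient(z_load: complex, z0: float = Z0_OHMS) -> complex:
    """Gamma = (Z_L - Z0) / (Z_L + Z0); |Gamma| = 0 means a perfect match."""
    return (z_load - z0) / (z_load + z0)


def vswr(z_load: complex, z0: float = Z0_OHMS) -> float:
    """Voltage Standing Wave Ratio, the figure the network analyzer reports."""
    gamma = abs(reflection_coefficient(z_load, z0))
    if gamma >= 1.0:          # open or short: all power reflected
        return math.inf
    return (1 + gamma) / (1 - gamma)


def delivered_power_fraction(z_load: complex, z0: float = Z0_OHMS) -> float:
    """Share of forward power that reaches the antenna instead of reflecting back."""
    return 1.0 - abs(reflection_coefficient(z_load, z0)) ** 2


def tune_series_capacitor(inductance_h: float, r_ohms: float, freq_hz: float,
                          candidates_pf: list[float]) -> tuple[float, float]:
    """Sweep candidate series capacitors and return (C_pF, VSWR) with the best match.

    Antenna modelled as R + j*omega*L in series with the tuning capacitor
    (a simple lumped model; an assumption of this example, not the paper's).
    """
    omega = 2 * math.pi * freq_hz
    best = None
    for c_pf in candidates_pf:
        c = c_pf * 1e-12
        z = complex(r_ohms, omega * inductance_h - 1.0 / (omega * c))
        s = vswr(z)
        if best is None or s < best[1]:
            best = (c_pf, s)
    return best


if __name__ == "__main__":
    c_res = resonant_capacitance(1e-6)   # 1 uH loop from the antenna slide
    print(f"resonant C for 1 uH at 13.56 MHz: {c_res * 1e12:.1f} pF")
    for z in (50 + 0j, 100 + 0j, 25 - 30j):
        print(f"Z_L={z}: VSWR={vswr(z):.2f}, "
              f"power delivered={delivered_power_fraction(z):.1%}")
    # constructed candidate values, as a bench sweep of standard parts might look
    print("best series C:", tune_series_capacitor(1e-6, 50.0, F_CARRIER_HZ,
                                                  [100, 120, 130, 137.8, 150, 180]))
```

The sweep shows why the slides call tuning "finding maximal power transfer": a few picofarads off resonance leaves reactance in the antenna, the VSWR rises above 1, and the reflected fraction of the amplifier's output never reaches the loop.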
Experiment Notes • Power supply affects skimmer mobility • Clean increases RFID detection range • System tuning finds maximal power transfer between circuits
Results • Increased RFID Scan Ranges • 12-V battery • 16.9 cm (PCB), 23.2 cm (copper tube) • With power amp • 17.3 cm (PCB), 25.2 cm (copper tube)
Results • Close to theoretical predictions
Contributions • Built RFID skimmer; validated basic concept of an RFID "Leech" • RFID tags can be read from greater distances (25 cm) • Halfway towards full implementation of a relay attack
Strengths • Created a portable RFID skimmer • Step-by-step instructions • Low system cost ($60)
Weaknesses • Not developed for large scale production • Cheap design = less efficient results • Expensive system tuning methods
Improvements • Better equipment • Use copper-tube loop antenna • Power amp with higher voltage rating capacitors • RF Tuning: measure actual amplification instead of power • High rating components • More powerful RF test equipment
Questions? • Ask me!