How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool, 15th USENIX Security Symposium, 2006
Kishore Padma Raju
OVERVIEW
BACKGROUND
• RFID uses the ISO-14443 standard
– Increased security
– Very short range (5-10 cm)
• Goals
– Build an extended-range RFID skimmer
– Collect mass info from RFID devices
OUTLINE
• RFID
• System design
– Building
– Tuning methods
• Results
• Conclusions
RFID Technology
• Many applications
– Contactless credit cards
– National ID cards
– E-passports
– Other access cards
• Very short range
• Security vulnerabilities
Attacks on RFID
• Relay attack
Attacks on RFID
• German hacker
– PDA and RFID read/write device
– Changed shampoo prices from $7 to $3
• Johns Hopkins Univ.
– Sniffed info from RFID-based car keys
– Purchased gasoline for free
ISO-14443
• Proximity card used for identification
– Very short range (5-10 cm)
– Embedded microcontroller
– Magnetic loop antenna (13.56 MHz)
• Security
– Cryptographically signed file format
RFID Skimmer
• Collect info from RFID tags
– Signal/query RFID tags
– Record responses
• Some uses:
– Retrieve info from remote car keys
– Obtain credit card numbers
System Design Goals
• Low power
• Low noise
• Large read range
• Simple design
• Cheap
System Design
Part #1 - RFID Reader
• TI S4100 Multi-Function reader
– Cost: $60
– Built-in RF power amplifier
– Sends approx. 200 mW into a small antenna
Part #2 - RFID Antenna
• Read range ≈ antenna length
• 39 cm copper-tube loop
• Antenna inductance ≈ 1 μH
Part #3 - Power amplifier
• Amplifier interfaced directly to the module's output stage
• Powered by the FET voltage
• Uses a field-effect transistor (FET)
• Impedances between the amplifier and the output stage were not matched
Part #4 - Receiver Buffer
• Load-modulation receive buffer
– HF reader system
– Receiver input directly connected to the reader's antenna
• Attenuate signals before feeding them back to the TI module
– Avoid potential reader damage
– Still deliver input signals to the receiver
Part #5 - Power supply
• Powers the large loop antenna
• Maintain a "smooth" DC supply
– Clean power supply
– Low ripple (power variance)
– Improves detection range
SYSTEM BUILDING
• Copper-tube loop antenna
– Ideal: 40x40 cm
– Copper tube
• Constructed their own
– Cheaper copper tube, the kind used for cooking gas
– Pre-made in circular coils
SYSTEM BUILDING
• Copper-tube loop and PCB antennas
SYSTEM BUILDING
• RFID base board
– Decon DALO 33 Blue PC Etch pen
– Protective (etch-resist) ink used to draw the leads on the board
SYSTEM BUILDING
• RFID base board and power amplifier
SYSTEM BUILDING
• Power amplifier
– Based on a Melexis application note
– Input driven from the reader output
– Ideal: capacitors with a high voltage rating
– Used cheaper, low-voltage capacitors instead
SYSTEM BUILDING
• Load-modulation receive-path buffer
– Signals are looped back
– Buffer needed to hold the correct signals
SYSTEM TUNING
• RF network analyzer
– Measures magnitude and phase of the input
• Measure the voltage standing wave ratio (VSWR)
– Adjust the antenna's impedance to match the amplifier output
• RF power meter
– Measures received power
– Ideal: measure the actual amplification
RESULTS
• Close to theoretical predictions
CONTRIBUTIONS
• Built an RFID skimmer that validated the basic concept of an RFID "leech"
• RFID tags can be read from greater distances (25 cm)
• Halfway towards a full implementation of a relay attack
Strengths
• Created a portable RFID skimmer
• Step-by-step instructions
• Low system cost ($110)
Weaknesses
• Not developed for large-scale production
• Cheap design = less efficient results
• Expensive system-tuning methods
Improvements
• Better equipment
• Higher-rated components
– More powerful RF test equipment