How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th USENIX Security Symposium, 2006
Kishore Padma Raju
OVERVIEW
BACKGROUND
• RFID uses the ISO-14443 standard
  – Increased security
  – Very short range (5-10 cm)
• Goals
  – Build an extended-range RFID skimmer
  – Collect mass info from RFID devices

OUTLINE
• RFID
• System design
  – Building
  – Tuning methods
• Results
• Conclusions

RFID Technology
• Many applications
  – Contactless credit cards
  – National ID cards
  – E-passports
  – Other access cards
• Very short range
• Security vulnerabilities

Attacks on RFID
• Relay attack
Attacks on RFID
• German hacker
  – PDA and RFID read/write device
  – Changed shampoo prices from $7 to $3
• Johns Hopkins Univ.
  – Sniffs info from RFID-based car keys
  – Purchased gasoline for free

ISO-14443
• Proximity card used for identification
  – Very short range (5-10 cm)
  – Embedded microcontroller
  – Magnetic loop antenna (13.56 MHz)
• Security
  – Cryptographically signed file format

RFID Skimmer
• Collect info from RFID tags
  – Signal/query RFID tags
  – Record responses
• Some uses:
  – Retrieve info from remote car keys
  – Obtain credit card numbers

System Design Goals
• Low power
• Low noise
• Large read range
• Simple design
• Cheap
System Design
Part #1 - RFID Reader
• TI S4100 Multi-Function Reader
  – Cost: $60
  – Built-in RF power amplifier
  – Sends approx. 200 mW into a small antenna

Part #2 - RFID Antenna
• Antenna range ≈ length
• 39 cm copper-tube loop
• Antenna inductance ≈ 1 μH

Part #3 - Power Amplifier
• Amplifier interfaced directly to the module’s output stage
• Field-effect transistor
• Powered by FET voltage
• Did not match impedances between amp and output

Part #4 - Receiver Buffer
• Load-modulation receive buffer
  – HF reader system
  – Receiver input directly connected to the reader’s antenna
• Attenuate signals before feeding them back to the TI module
  – Avoid potential reader damage
  – Still deliver input signals to the receiver
Part #5 - Power Supply
• Powers the large loop antenna
• Maintain a “smooth” DC supply
  – Clean power supply
  – Low ripple (power variance)
  – Improves detection range

SYSTEM BUILDING
• Copper-tube loop antenna
  – Ideal: 40 x 40 cm
  – Copper tube
• Constructed their own
  – Cheaper copper tube, used for cooking gas
  – Pre-made in circular coils

SYSTEM BUILDING
• Copper-tube loop and PCB antennas
SYSTEM BUILDING
• RFID base board
  – Decon DALO 33 Blue PC Etch pen
  – Protective ink used to draw the leads on the board
SYSTEM BUILDING
• RFID base board and power amp

SYSTEM BUILDING
• Power amplifier
  – Based on a Melexis application note
  – Input driven from the reader output
  – Ideal: high-voltage-rating capacitors
  – Used cheaper, lower-voltage ones

SYSTEM BUILDING
• Load-modulation receive-path buffer
  – Signals are looped back
  – Buffer needed to hold correct signals
SYSTEM TUNING
• RF network analyzer
  – Measures magnitude and phase of the input
• Measure the voltage standing wave ratio (VSWR)
  – Adjust the antenna’s impedance to match the amplifier output
• RF power meter
  – Measures power reception
  – Ideal: measure actual amplification
RESULTS
• Close to theoretical predictions
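The theoretical prediction the slide refers to can be sketched from the near field of a loop antenna. The following is an added worked example, not code from the paper or the presentation: it computes the axial magnetic field of a circular loop and the distance at which it drops below the 1.5 A/m minimum that ISO 14443-2 requires a proximity card to operate with, which is what bounds the read range of any ISO-14443 reader, stock or extended. It assumes the 40 x 40 cm square loop behaves like a circular loop of 20 cm radius, a 3 cm radius for a stock reader antenna, and constructed antenna currents.

```python
import math

# Minimum operating field strength for an ISO 14443 proximity card (ISO 14443-2).
H_MIN_A_PER_M = 1.5


def loop_field(current_a, radius_m, distance_m, turns=1):
    """Magnetic field H (A/m) on the axis of a circular loop of N turns.

    Biot-Savart near-field result; valid at 13.56 MHz because the wavelength
    (about 22 m) is far larger than any loop considered here.
    """
    r2 = radius_m ** 2
    return turns * current_a * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def max_range(current_a, radius_m, turns=1, h_min=H_MIN_A_PER_M, step=0.001):
    """Largest axial distance (m) at which H still reaches h_min (0.0 if never).

    H falls monotonically with distance, so a simple forward scan is enough.
    """
    if loop_field(current_a, radius_m, 0.0, turns) < h_min:
        return 0.0
    d = 0.0
    while loop_field(current_a, radius_m, d + step, turns) >= h_min:
        d += step
    return d


def optimal_radius(distance_m):
    """Loop radius giving the strongest field at a chosen distance: a = d * sqrt(2).

    Follows from dH/da = 0; it is why a larger loop, not just more power,
    is what extends read range.
    """
    return distance_m * math.sqrt(2)


if __name__ == "__main__":
    # Constructed scenarios (assumed values, not measurements from the paper):
    # a stock reader loop of 3 cm radius vs. the ~20 cm radius of a 40 x 40 cm loop.
    for label, amps, radius in [("stock 3 cm loop", 1.0, 0.03),
                                ("40 cm loop, same current", 1.0, 0.20),
                                ("40 cm loop, amplified", 2.5, 0.20)]:
        print(f"{label:26s} I={amps:.1f} A  range={100 * max_range(amps, radius):.1f} cm")
    print(f"best radius for 25 cm range: {100 * optimal_radius(0.25):.1f} cm")
```

At the same current the larger loop only roughly doubles the range (about 6 cm versus 13 cm here); reaching 25 cm needs the extra antenna current from the power amplifier, which is why the design needs both parts.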
CONTRIBUTIONS
• Built an RFID skimmer that validated the basic concept of an RFID “leech”
• RFID tags can be read from greater distances (25 cm)
• Halfway towards a full implementation of a relay attack

Strengths
• Created a portable RFID skimmer
• Step-by-step instructions
• Low system cost ($110)

Weaknesses
• Not developed for large-scale production
• Cheap design = less efficient results
• Expensive system tuning methods

Improvements
• Better equipment
• Higher-rated components
  – More powerful RF test equipment