How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th USENIX Security Symposium, 2006
Kishore Padma Raju
OVERVIEW
BACKGROUND
• The contactless cards of interest follow the ISO 14443 standard
– Their very short nominal range (5-10 cm) is relied on as a security property
• Goals
– Build an extended-range RFID skimmer
– Harvest information from many RFID devices at once
OUTLINE
• RFID
• System design
– Building
– Tuning methods
• Results
• Conclusions
RFID Technology
• Many applications
– Contactless credit-cards
– National ID cards
– E-passports
– Other access cards
• Very short range
• Security vulnerabilities
Attacks on RFID
• Relay attack
Attacks on RFID
• German hacker
– PDA with an RFID read/write device
– Changed shampoo prices from $7 to $3
• Johns Hopkins University
– Sniffed information from RFID-based car keys
– Purchased gasoline for free
ISO-14443
• Proximity card used for identification
– Very short range (5-10 cm)
– Embedded microcontroller
– Magnetic loop antenna, inductively coupled at 13.56 MHz
• Security
– Card data may be stored in a cryptographically signed file format, which prevents forgery but not copying
RFID Skimmer
• Collect info from RFID tags
– Signal/query RFID tags
– Record responses
• Some uses:
– Retrieve info from remote car keys
– Obtain credit card numbers
System Design Goals
• Low power
• Low noise
• Large read range
• Simple design
• Cheap
System Design
Part #1 - RFID Reader
• TI S4100 Multi-Function Reader
– Cost: $60
– Built-in RF power amplifier
– Delivers approx. 200 mW into its small antenna
Part #2 - RFID Antenna
• Read range scales with antenna size (range ≈ loop dimension)
• 39 cm copper-tube loop
• Antenna inductance ≈ 1 μH
Part #3 - Power amplifier
• Amplifier interfaced directly to the reader module's output stage
• Built around a field-effect transistor (FET)
• Impedances between the amplifier and the reader output were not matched
Part #4 - Receiver Buffer
• Load-modulation receive buffer
– In an HF reader system the receiver input is connected directly to the reader's antenna
• Attenuate signals before feeding them back to the TI module
– Avoid potential damage to the reader
– Still deliver usable input signals to the receiver
Part #5 -Power supply
• Powers the large loop antenna
• Maintain “smooth” DC supply
– Clean power supply
– Low ripple (little variation in the supply voltage)
– Improves detection range
SYSTEM BUILDING
• Copper-tube loop antenna
– Ideal: 40 x 40 cm square loop of copper tube
– Constructed their own
– Used cheaper copper tube sold for cooking-gas lines
– Comes pre-wound in circular coils
SYSTEM BUILDING
• Copper-tube loop and PCB antennas
SYSTEM BUILDING
• RFID Base Board
– Decon DALO 33 Blue PC etch pen
– Etch-resist ink used to draw the leads on the board
SYSTEM BUILDING
• RFID Base Board and power amp
SYSTEM BUILDING
• Power Amplifier
– Based on a Melexis application note
– Input driven from the reader output
– Ideal: high-voltage-rating capacitors
– Used cheaper, lower-voltage parts instead
SYSTEM BUILDING
• Load Modulation Receive Path Buffer
– Antenna signals are looped back into the reader's receive input
– Buffer needed to attenuate them to levels the receiver expects
SYSTEM TUNING
• RF network analyzer
– Measures magnitude and phase of the antenna input impedance
• Measure Voltage Standing Wave Ratio (VSWR)
– Adjust the antenna's impedance to match the amplifier output
• RF power meter
– Measures delivered power
– Ideal: measure the actual amplification (gain)
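As an added worked example (not from the paper or these slides), the Python below puts numbers to the antenna and tuning slides above: it estimates the inductance of the 39 cm copper loop with a standard square-loop formula (the 8 mm tube diameter is an assumption the slides do not state), computes the capacitor that resonates it at 13.56 MHz, derives the Q limit imposed by the ISO 14443 847.5 kHz load-modulation subcarrier and the series resistance that enforces it, converts a load impedance into the VSWR and reflected-power figure a network analyzer would report, and finds the loop radius that maximises the on-axis field at a target read distance. The Q rule of thumb and the field formula are textbook loop-antenna relations, not results the paper claims.

```python
"""Worked numbers for a 13.56 MHz loop antenna and its tuning (added example)."""
import math

MU0 = 4 * math.pi * 1e-7        # permeability of free space, H/m
F_CARRIER = 13.56e6             # ISO 14443 carrier frequency, Hz
F_SUBCARRIER = F_CARRIER / 16   # 847.5 kHz load-modulation subcarrier (ISO 14443)

# Assumed values: the slides give a 39 cm loop and ~1 uH; the tube size is a guess.
LOOP_SIDE_M = 0.39
TUBE_RADIUS_M = 0.004           # 8 mm copper tube (assumption)


def square_loop_inductance(side_m, wire_radius_m):
    """Self-inductance of a single-turn square loop (Grover's approximation):
    L = (2*mu0*a/pi) * (ln(a/r) - 0.774), a = side length, r = conductor radius."""
    return (2 * MU0 * side_m / math.pi) * (math.log(side_m / wire_radius_m) - 0.774)


def resonant_capacitance(inductance_h, freq_hz=F_CARRIER):
    """Tuning capacitor that resonates L at freq: C = 1 / ((2*pi*f)^2 * L)."""
    w = 2 * math.pi * freq_hz
    return 1.0 / (w * w * inductance_h)


def max_q_for_iso14443(fc=F_CARRIER, fs=F_SUBCARRIER):
    """Highest loaded Q that still passes both load-modulation sidebands fc +/- fs.
    Bandwidth f/Q must cover 2*fs, so Q <= fc / (2*fs)."""
    return fc / (2 * fs)


def damping_resistance(inductance_h, q, freq_hz=F_CARRIER):
    """Series resistance that limits a resonant loop to Q = wL/R  ->  R = wL/Q."""
    return 2 * math.pi * freq_hz * inductance_h / q


def reflection_coefficient(load_ohms, source_ohms=50.0):
    """|Gamma| for a (real) load driven from a source/line impedance."""
    return abs((load_ohms - source_ohms) / (load_ohms + source_ohms))


def vswr(load_ohms, source_ohms=50.0):
    """Voltage standing wave ratio: (1 + |Gamma|) / (1 - |Gamma|); 1.0 is a perfect match."""
    g = reflection_coefficient(load_ohms, source_ohms)
    return (1 + g) / (1 - g)


def reflected_power_fraction(load_ohms, source_ohms=50.0):
    """Fraction of forward power bounced back into the amplifier: |Gamma|^2."""
    g = reflection_coefficient(load_ohms, source_ohms)
    return g * g


def on_axis_field(radius_m, distance_m, current_a=1.0, turns=1):
    """Flux density on the axis of a circular loop (Biot-Savart):
    B = mu0*N*I*a^2 / (2*(a^2 + x^2)^1.5)."""
    a, x = radius_m, distance_m
    return MU0 * turns * current_a * a * a / (2 * (a * a + x * x) ** 1.5)


def optimal_loop_radius(distance_m):
    """Loop radius maximising on-axis field at distance x (d/da of B = 0): a = x*sqrt(2)."""
    return distance_m * math.sqrt(2)


if __name__ == "__main__":
    L = square_loop_inductance(LOOP_SIDE_M, TUBE_RADIUS_M)
    print(f"estimated loop inductance: {L * 1e6:.2f} uH (slides: ~1 uH)")
    print(f"resonating capacitor for 1 uH: {resonant_capacitance(1e-6) * 1e12:.1f} pF")
    q = max_q_for_iso14443()
    print(f"max Q for ISO 14443 sidebands: {q:.1f}, "
          f"series R for 1 uH: {damping_resistance(1e-6, q):.1f} ohm")
    for z in (50.0, 100.0, 12.5):
        print(f"load {z:6.1f} ohm -> VSWR {vswr(z):.2f}, "
              f"reflected {100 * reflected_power_fraction(z):.0f}% of power")
    a_opt = optimal_loop_radius(0.25)
    print(f"best loop radius for a 25 cm read distance: {a_opt * 100:.1f} cm")
```

The reflected-power line is the practical reason the slides call for a VSWR measurement: a 4:1 mismatch (12.5 or 200 ohm on a 50 ohm amplifier) wastes about a third of the amplifier's output and heats the low-voltage-rated parts the build used. The Q bound is why a skimmer cannot simply sharpen the antenna for more field strength; above Q ≈ 8 the tag's 847.5 kHz sidebands are filtered out and the receive path goes deaf even though the carrier is strong.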
RESULTS
• Close to theoretical predictions
CONTRIBUTIONS
• Built an RFID skimmer that validates the basic concept of an RFID "leech"
• RFID tags can be read from greater distances (about 25 cm, versus the nominal 5-10 cm)
• Halfway towards a full implementation of a relay attack (the leech is one of its two halves)
Strengths
• Created a portable RFID skimmer
• Step-by-step build instructions
• Low system cost ($110)
Weaknesses
• Not designed for large-scale production
• Cheap components limit performance
• Tuning requires expensive RF test equipment
Improvements
• Better equipment
• Higher-rated components
– More powerful RF test equipment for tuning