Range Extension Attacks on Contactless Smartcards
Yossef Oren, Dvir Schirman, and Avishai Wool, Tel Aviv University. ESORICS 2013.
Presentation Transcript
Agenda
  • Introduction
    • Contactless smartcards
    • Attack motivation
  • System design
  • Experimental results
  • Attack scenarios
  • Conclusions
Contactless smartcards – ISO 14443
  • Passive tags
  • Communication based on inductive coupling
  • Transmit back data using load modulation
  • Nominal operation range – 5-10 cm
Attack Motivation
  • Contactless smartcards are used in a variety of security-oriented applications:
    • Access control
    • Payment
    • E-voting
    • Smart ID card
    • Passports
  • All of them assume the tag is in close proximity to the reader
Motivation
  • If communication between the reader and the tag could be established from a longer range, the proximity assumption would be broken
  • Our goal – build a device (a.k.a. “Ghost”) which allows a standard tag to communicate with a standard reader from a distance of more than 1 m
Range extension attacks
  • Diagram slide (labels only): Leech, Extended range, Relay, Ghost
Related work
  • Relay attack – extending the nominal communication range between a reader and a tag using a relay channel between two custom-made devices (“Ghost” & “Leech”) [KW05, Han05, FHMM11, SC13]
  • Extended range Leech – a device that allows a standard tag to be read from a distance of 30 cm [KW06]
Ghost system design
  • Design principles:
    • Two separate antennas:
      • A large loop antenna for downlink
      • A mobile monopole HF antenna for uplink
    • Active load modulation for uplink transmission
    • PC based relay
OpenPCD2
  • An open source & open hardware evaluation board for ISO 14443
  • Can emulate a tag or a reader
  • Based on NXP PN532
  • www.openpcd.org
Ghost system design – Relay & Leech
  • The relay and the Leech were not part of this research, but are necessary for the complete system
  • The relay channel between two OpenPCD2 boards was implemented inside a single PC
    • Using libnfc’s nfc-relay-picc, designed to overcome relay timing limitations
  • The Leech was based on an unmodified OpenPCD2
Ghost system design – Downlink
  • Receiving antenna: a 39 cm loop antenna designed for prior Leech project
  • Matching circuit: Based on NXP’s app note
  • LNA: Mini-Circuits’ ZFL-500LN
Ghost system design – Uplink
  • Active load modulation:
    • Reproducing the spectral image that load modulation creates, by means of a standard AM modulator
Ghost system design – Uplink
  • Ghost OpenPCD2 modification:
    • The LOADMOD pin was enabled – it outputs the modulated subcarrier (847.5 kHz)
  • This signal was connected to a detector in order to extract the coded bitstream
  • The bitstream was pulse modulated on a 14.4075 MHz carrier signal
  • The HF signal was pre-amplified (Mini-Circuits’ ZHL-32A) & power amplified (RM-Italy KL400)
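The slides say the uplink "reproduces the spectral image created by load modulation" on a 14.4075 MHz carrier. The simulation below is an added example (not the authors' code) that shows why that frequency is the right one: a tag switching its load at the 847.5 kHz subcarrier (13.56 MHz / 16) puts sidebands at 13.56 MHz ± 847.5 kHz, so a bare tone at 13.56 + 0.8475 = 14.4075 MHz, pulse-modulated by the same bitstream, lands on the tag's upper sideband. Assumed for the simulation: 8 samples per carrier cycle, a 10% modulation depth, and a simplified ISO 14443A Manchester coding without start/end-of-frame bits.

```python
import numpy as np

FC = 13.56e6             # ISO 14443 reader carrier (Hz)
FS = FC / 16             # 847.5 kHz load-modulation subcarrier
BIT_RATE = FC / 128      # 106 kbit/s, ISO 14443A tag-to-reader
FSAMP = 8 * FC           # simulation sample rate (assumed: 8 samples per carrier cycle)
SPB = int(round(FSAMP / BIT_RATE))   # samples per bit (1024)
SPS = int(round(FSAMP / FS))         # samples per subcarrier cycle (128)


def upper_sideband():
    """Frequency of the upper spectral image produced by load modulation."""
    return FC + FS       # 14.4075 MHz, the carrier the Ghost uplink transmits on


def manchester_gate(bits):
    """Simplified ISO 14443A tag->reader coding: a '1' turns the subcarrier on
    during the first half of the bit period, a '0' during the second half."""
    half = SPB // 2
    on, off = np.ones(half), np.zeros(half)
    return np.concatenate([np.concatenate([on, off] if b else [off, on]) for b in bits])


def passive_load_modulation(bits, depth=0.1):
    """What a real tag does: the reader's carrier dips by `depth` (assumed value)
    each time the tag switches its load in, at the subcarrier rate, gated by the data."""
    gate = manchester_gate(bits)
    n = np.arange(gate.size)
    subcarrier = ((n // (SPS // 2)) % 2 == 0).astype(float)   # 0/1 square wave at FS
    return np.cos(2 * np.pi * FC * n / FSAMP) * (1 - depth * subcarrier * gate)


def active_load_modulation(bits):
    """What the Ghost uplink does instead: no carrier at all, only a tone at
    FC+FS pulse-modulated (100% AM) by the same bitstream."""
    gate = manchester_gate(bits)
    n = np.arange(gate.size)
    return np.cos(2 * np.pi * upper_sideband() * n / FSAMP) * gate


def strongest_frequency(signal, exclude_hz=None, guard_hz=200e3):
    """Frequency of the strongest spectral line, optionally masking a band
    (used to look past the reader carrier at the tag's sidebands)."""
    spectrum = np.abs(np.fft.rfft(signal))
    freqs = np.fft.rfftfreq(signal.size, d=1 / FSAMP)
    if exclude_hz is not None:
        spectrum[np.abs(freqs - exclude_hz) < guard_hz] = 0
    return float(freqs[np.argmax(spectrum)])


if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed sample byte
    passive = passive_load_modulation(bits)
    offset = abs(strongest_frequency(passive, exclude_hz=FC) - FC)
    print("tag sideband at 13.56 MHz +/- %.4f MHz" % (offset / 1e6))
    print("Ghost tone at %.4f MHz" % (strongest_frequency(active_load_modulation(bits)) / 1e6))
```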
Ghost system design – Uplink
  • Transmitting antenna:
    • Broadband helically wound monopole antenna
    • We use the magnetic near field emitted from the antenna
Preliminary experiments
  • Downlink experiment:
    • The maximal downlink range was tested with a homemade diode detector: ~1.5 m
    • Using a spectrum analyzer as the detector, a range of ~3.5 m was measured
Preliminary experiments
  • Jamming
    • By transmitting a continuous signal on 14.4075 MHz, the reader can be jammed
    • Since we could not measure the uplink range independently of the downlink system, the maximal jamming range was measured in order to evaluate the performance of the uplink system
    • By transmitting a 29 dBm signal, a jamming range of 2 m was achieved
Range extension experiment – Results
  • The measured range was highly sensitive to the surrounding environment
Attack Scenarios
  • E-voting
    • Using a range-extended Ghost and a relay attack, an adversary can mount several attacks on Israel’s proposed e-voting system
    • Allows the attacker complete control over previously cast votes
  • Access control
    • By using a range-extended Ghost and a relay setup, the attacker can open a secured door without being detected by a guard / security camera
Conclusions
  • We offer a car-mounted range extension setup for ISO 14443 RFID systems
  • We successfully built a prototype working from 1.15 m (more than 10 times the nominal range)
Conclusions
  • Extending the nominal communication range of contactless smartcards forms a severe threat to the system’s security
  • Combined with a relay attack, the presented device can allow an adversary to mount an attack without being detected