
How to Build a Low-Cost, Extended-Range RFID Skimmer


Presentation Transcript


  1. How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15th Usenix Security Symposium, 2006 * Presented by Justin Miller on 4/5/07

  2. Overview

  3. Background • RFID uses the ISO-14443 standard • Its increased security is attributed to its very short range (5-10 cm) • Goals • Build an extended-range RFID skimmer • Collect information from many RFID devices in bulk

  4. Outline • RFID • System design • Building • Tuning methods • Results • Conclusions

  5. RFID Technology • Many applications • Contactless credit-cards • National ID cards • E-passports • Other access cards • Very short range • Security vulnerabilities

  6. Attacks on RFID • Relay Attack: a "leech" device placed near the victim's card and a "ghost" device placed near the legitimate reader relay the ISO-14443 exchange between them, so the reader believes the card is within its normal range

  7. Attacks on RFID • Relay Attack

  8. Attacks on RFID • German hacker • PDA and RFID read/write device • Changed shampoo prices from $7 to $3 • Johns Hopkins Univ. • Sniffed info from RFID-based car keys • Purchased gasoline for free

  9. ISO-14443 • Proximity card used for identification • Very short range (5-10 cm) • Embedded microcontroller • Magnetic loop antenna (13.56 MHz) • Security • Cryptographically-signed file format

  10. RFID Skimmer • Collect info from RFID tags • Signal/query RFID tags close by • Record responses • Some uses: • Retrieve info from remote car keys • Obtain credit card numbers

  11. System Design Goals • Low power • Low noise • Large read range • Simple design • Cheap

  12. System Design

  13. Part #1 - RFID Reader • TI S4100 Multi-Function reader • Cost: $60 • Built in RF power amplifier • Sends approx. 200mW into small antenna

  14. Part #2 - RFID Antenna • Read range ≈ antenna size (loop dimension) • 39 cm copper tube loop • Antenna inductance ≈ 1 μH
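The "range ≈ antenna size" rule of slide 14 and the 1 μH loop figure can be worked through numerically. The Python below is an added example, not code from the paper or the talk: it computes the capacitor that resonates a 1 μH loop at the 13.56 MHz carrier, models the loop's on-axis magnetic field with the standard thin-loop (Biot-Savart) formula, and predicts the distance at which the field drops below the 1.5 A/m minimum that ISO/IEC 14443-2 requires at the card. The circular-loop approximation (radius 0.2 m for the 40 cm loop), the loop currents and the set of candidate radii are assumptions made for the illustration; the slides give only the 13.56 MHz carrier, the 39-40 cm loop and the 1 μH inductance.

```python
import math

# Constants (the slides give only "13.56 MHz" and "~1 uH"; the 1.5 A/m figure is
# the ISO/IEC 14443-2 minimum operating field at the card, not a number from the talk).
F_CARRIER_HZ = 13.56e6      # ISO 14443 carrier frequency
H_MIN_A_PER_M = 1.5         # minimum field (rms) a proximity card needs to power up


def resonant_capacitance(l_henry, f_hz=F_CARRIER_HZ):
    """Tuning capacitor that resonates inductance L at f: C = 1 / ((2*pi*f)^2 * L)."""
    return 1.0 / ((2.0 * math.pi * f_hz) ** 2 * l_henry)


def on_axis_field(i_amp, radius_m, x_m, turns=1):
    """Magnetic field H (A/m) on the axis of a circular loop, distance x from its centre.

    Biot-Savart result for a thin circular loop: H = N*I*r^2 / (2*(r^2 + x^2)^(3/2)).
    """
    return turns * i_amp * radius_m ** 2 / (2.0 * (radius_m ** 2 + x_m ** 2) ** 1.5)


def optimal_radius(x_m):
    """Loop radius that maximises H at a target distance x.

    Setting dH/dr = 0 for the expression above gives r = x * sqrt(2): the best loop is
    about 1.4x the intended read distance, which is the "range ~ antenna size" rule.
    """
    return x_m * math.sqrt(2.0)


def max_read_range(i_amp, radius_m, turns=1, h_min=H_MIN_A_PER_M, x_max_m=5.0):
    """Largest on-axis distance (m) at which the field still reaches h_min.

    H falls monotonically with x, so bisection on [0, x_max] is sufficient.
    Returns 0.0 if the field is below h_min even at the loop centre.
    """
    if on_axis_field(i_amp, radius_m, 0.0, turns) < h_min:
        return 0.0
    lo, hi = 0.0, x_max_m
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if on_axis_field(i_amp, radius_m, mid, turns) >= h_min:
            lo = mid
        else:
            hi = mid
    return lo


def range_vs_radius(i_amp, radii_m, turns=1):
    """Predicted range for each candidate radius at the same loop current (constructed sweep)."""
    return [(r, max_read_range(i_amp, r, turns)) for r in radii_m]


if __name__ == "__main__":
    # 1 uH loop from the slides: the capacitor needed to resonate it at 13.56 MHz.
    c_tune = resonant_capacitance(1e-6)
    print(f"tuning capacitor for 1 uH at 13.56 MHz: {c_tune * 1e12:.1f} pF")

    # The 40 cm loop modelled as a circular loop of radius 0.2 m (assumption), carrying
    # 2.0 A of circulating current (assumed; in a resonant loop this is Q times the drive current).
    r_loop, i_loop = 0.20, 2.0
    print(f"range of a {2 * r_loop:.2f} m loop at {i_loop} A: {100 * max_read_range(i_loop, r_loop):.1f} cm")

    # For a fixed current, range grows with loop size only up to a point: a very large loop
    # spreads the same ampere-turns over a weaker field even at its centre.
    for r, d in range_vs_radius(i_loop, [0.05, 0.10, 0.20, 0.35, 0.50, 1.00]):
        print(f"  radius {r:.2f} m -> range {100 * d:.1f} cm")
    print(f"best radius for a 25 cm read distance: {100 * optimal_radius(0.25):.1f} cm")
```

The sweep shows why the authors did not simply build a bigger loop: past roughly r = x·√2 the field at the target distance falls again, so extending range further has to come from more current (the power amplifier and clean supply of the later slides) rather than from antenna size alone.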

  15. Part #3 - Power amplifier • Amplifier interfaced directly to the module's output stage • Output stage built around a FET (field-effect transistor) run from the supply voltage • Impedances between the amplifier and the module output were not matched

  16. Part #4 - Receiver Buffer • Load Modulation Receive Buffer • HF reader system • Receiver input directly connected to reader’s antenna • Attenuate signals before feeding them back to the TI module • Avoid potential reader damage • Still deliver input signals to receiver

  17. Part #5 - Power Supply • Powers the large loop antenna • Maintain a "smooth" DC supply • Clean power supply • Low ripple (supply variation) • Improves detection range

  18. System Building • Copper Tube Loop Antenna • Ideal: 40x40 cm • Copper-tube • Constructed their own • Cheaper copper tube, used for cooking gas • Pre-made in circular coils

  19. System Building • Copper-tube loop and PCB antennas

  20. System Building • RFID Base Board • Decon DALO 33 Blue PC Etch pen • Etch-resist ink used to draw the leads on the board

  21. System Building • RFID Base Board and power amp

  22. System Building • Power Amplifier • Based on a Melexis application note • Input driven from the reader output • Ideal: high-voltage-rating capacitors • Used cheaper, lower-voltage capacitors instead

  23. System Building • Load Modulation Receive Path Buffer • Signals are looped back • Buffer needed to hold correct signals

  24. System Tuning • RF network analyzer • Measure magnitude and phase of the input impedance • Measure Voltage Standing Wave Ratio (VSWR) • Adjust the antenna's impedance to match the amplifier output • RF power meter • Measures received power • Ideal: measure actual amplification
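Slide 24 describes tuning by measuring VSWR on a network analyzer and adjusting the antenna impedance to match the amplifier output. The Python below is an added example, not code from the paper or the talk, that works those figures: it models the tuned loop as a series R-L-C circuit, reports reflection coefficient, VSWR and the fraction of forward power actually delivered against an assumed source impedance, and computes a textbook L-network that steps the loop's small loss resistance up to that source impedance. The 50 Ω source impedance, the 1.2 Ω loop loss resistance and the 137.8 pF tuning capacitor are assumptions for the illustration; the slides give only the 1 μH inductance and the 13.56 MHz carrier.

```python
import math

Z0_OHM = 50.0            # assumed amplifier/source impedance; the slides do not state it
F_CARRIER_HZ = 13.56e6   # ISO 14443 carrier


def reflection_coefficient(z_load, z0=Z0_OHM):
    """Gamma = (Z_L - Z0) / (Z_L + Z0); |Gamma| = 0 is a perfect match."""
    return (z_load - z0) / (z_load + z0)


def vswr(z_load, z0=Z0_OHM):
    """Voltage Standing Wave Ratio, the figure a network analyzer reports (inf when |Gamma| = 1)."""
    g = abs(reflection_coefficient(z_load, z0))
    return math.inf if g >= 1.0 else (1.0 + g) / (1.0 - g)


def delivered_power_fraction(z_load, z0=Z0_OHM):
    """Fraction of forward power absorbed by the load; the remainder reflects back to the amplifier."""
    return 1.0 - abs(reflection_coefficient(z_load, z0)) ** 2


def series_rlc_impedance(r_ohm, l_henry, c_farad, f_hz=F_CARRIER_HZ):
    """Impedance of the tuned loop modelled as series R-L-C: R + j(wL - 1/(wC))."""
    w = 2.0 * math.pi * f_hz
    return complex(r_ohm, w * l_henry - 1.0 / (w * c_farad))


def l_match(r_load_ohm, z0=Z0_OHM):
    """Reactances of an L-network that steps a resistive load R < Z0 up to Z0.

    Standard result: Q = sqrt(Z0/R - 1); series X_s = Q*R (inductive, in series with the
    load); shunt X_p = -Z0/Q (capacitive, across the source side).
    """
    if not 0.0 < r_load_ohm < z0:
        raise ValueError("this L-network form needs 0 < R_load < Z0")
    q = math.sqrt(z0 / r_load_ohm - 1.0)
    return q * r_load_ohm, -z0 / q


def matched_input_impedance(r_load_ohm, z0=Z0_OHM):
    """Impedance the source sees after the L-network: (R + jX_s) in parallel with jX_p."""
    x_s, x_p = l_match(r_load_ohm, z0)
    z_series = complex(r_load_ohm, x_s)
    z_shunt = complex(0.0, x_p)
    return z_series * z_shunt / (z_series + z_shunt)


if __name__ == "__main__":
    # Constructed loop: ~1 uH (slide 14), 1.2 ohm loss resistance (assumed), 137.8 pF tuning cap.
    z_loop = series_rlc_impedance(1.2, 1e-6, 137.8e-12)
    print(f"loop at resonance: {z_loop:.2f} ohm, VSWR {vswr(z_loop):.1f}, "
          f"{100 * delivered_power_fraction(z_loop):.1f}% of forward power delivered")

    # 10% off-tune: the reactance dominates and nearly all the power reflects.
    z_off = series_rlc_impedance(1.2, 1e-6, 137.8e-12 * 1.1)
    print(f"10% off-tune: {z_off:.1f} ohm, VSWR {vswr(z_off):.1f}, "
          f"{100 * delivered_power_fraction(z_off):.1f}% delivered")

    # After an L-network the amplifier sees Z0 and maximum power reaches the loop.
    x_s, x_p = l_match(1.2)
    z_in = matched_input_impedance(1.2)
    print(f"L-match: series +j{x_s:.2f} ohm, shunt {x_p:.2f} ohm -> "
          f"Z_in {z_in:.2f} ohm, VSWR {vswr(z_in):.3f}")
```

Resonance alone is not enough: a loop that is purely resistive at 13.56 MHz but only a few ohms still reflects most of a 50 Ω amplifier's output, which is the mismatch the slide's VSWR measurement exposes and the matching step removes.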

  25. Experiment Notes • Power supply affects skimmer mobility • A clean supply increases RFID detection range • System tuning finds maximal power transfer between circuits

  26. Results • Increased RFID scan ranges • 12-V battery: 16.9 cm (PCB), 23.2 cm (copper tube) • With power amp: 17.3 cm (PCB), 25.2 cm (copper tube)

  27. Results

  28. Results • Close to theoretical predictions

  29. Contributions • Built RFID skimmer → validated the basic concept of an RFID "Leech" • RFID tags can be read from greater distances (25 cm) • Halfway towards a full implementation of a relay attack

  30. Strengths • Created a portable, RFID skimmer • Step-by-step instructions • Low system cost ($60)

  31. Weaknesses • Not developed for large scale production • Cheap design = less efficient results • Expensive system tuning methods

  32. Improvements • Better equipment • Use copper-tube loop antenna • Power amp with higher voltage rating capacitors • RF Tuning: measure actual amplification instead of power • High rating components • More powerful RF test equipment

  33. Questions? • Ask me!
