How to Build a Low-Cost,
Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th Usenix Security Symposium, 2006
* Presented by Justin Miller on 4/5/07
Overview
Background
RFID uses ISO-14443 standard
Increased security
Very short range (5-10 cm)
Goals
Build extended-range RFID skimmer
Collects mass info from RFID devices
Outline
RFID
System design
Building
Tuning methods
Results
Conclusions
RFID Technology
Many applications
Contactless credit-cards
National ID cards
E-passports
Other access cards
Very short range
Security vulnerabilities
Attacks on RFID
Relay Attack
Attacks on RFID
German Hacker
PDA and RFID read/write device
Changed shampoo prices from $7 to $3
Johns Hopkins Univ.
Sniffs info from RFID-based car keys
Purchased gasoline for free
ISO-14443
Proximity card used for identification
Very short range (5-10 cm)
Embedded microcontroller
Magnetic loop antenna (13.56 MHz)
Security
Cryptographically-signed file format
RFID Skimmer
Collect info from RFID tags
Signal/query RFID tags close by
Record responses
Some uses:
Retrieve info from remote car keys
Obtain credit card numbers
System Design Goals
Low power
Low noise
Large read range
Simple design
Cheap
System Design
Part #1 - RFID Reader
TI S4100 MultiFunction reader
Cost: $60
Built-in RF power amplifier
Sends approx. 200 mW into small antenna
Part #2 - RFID Antenna
Antenna range ≈ length
39 cm copper tube loop
Antenna inductance ≈ 1 μH
Part #3 - Power amplifier
Amplifier interfaced directly to module's output stage
Powered by FET (field-effect transistor) voltage
Did not match impedances between amp and output
Part #4 - Receiver Buffer
Load Modulation Receive Buffer
HF reader system
Receiver input directly connected to reader's antenna
Attenuate signals before feeding them back to the TI module
Avoid potential reader damage
Still deliver input signals to receiver
Part #5 - Power Supply
Powers the large loop antenna
Maintain “smooth” DC supply
Clean power supply
Low ripples (power variance)
Improves detection range
System Building
Copper Tube Loop Antenna
Ideal: 40x40 cm copper tube
Constructed their own
Cheaper copper tube, used for cooking gas
Pre-made in circular coils
System Building
Copper-tube loop and PCB antennas
System Building
RFID Base Board
Decon DALO 33 Blue PC Etch pen
Protected ink used to draw leads on tablet
System Building
RFID Base Board and power amp
System Building
Power Amplifier
Based on Melexis application note
Input driven from reader output
Ideal: high voltage rating capacitors
Used cheaper, but low voltage
System Building
Load Modulation Receive Path Buffer
Signals are looped back
Buffer needed to hold correct signals
System Tuning
RF Network Analyzer
Measure Voltage Standing Wave Ratio (VSWR)
Measure magnitude and phase of input
Adjust antenna's impedance to match amplifier output
RF power meter
Measures power reception
Ideal: measure actual amplification
Experiment Notes
Power supply affects skimmer mobility
Clean supply increases RFID detection range
System tuning finds maximal power transfer between circuits
Results
Increased RFID Scan Ranges
12-V battery
16.9 cm (PCB), 23.2 cm (copper tube)
With power amp
17.3 cm (PCB), 25.2 cm (copper tube)
Results
Close to theoretical predictions
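The slides claim that read range is on the order of the antenna size and that the measured 25 cm is close to theory. The following is an added example, not code from the paper or from this talk: it models the near field of a loop antenna at 13.56 MHz from the Biot-Savart law and asks how far a loop can deliver the minimum field a proximity card needs (1.5 A/m rms per ISO/IEC 14443-2). A defender can use the same model to estimate exposure for a card of a given design. All geometry and current values are constructed assumptions (a single-turn circular loop of radius 0.20 m standing in for the 40x40 cm copper-tube loop, 0.03 m for the reader module's PCB antenna); they are not measurements from the paper.

```python
"""Near-field model of a loop antenna at 13.56 MHz (added example, not code
from the paper or the talk). Estimates how far a loop can deliver the field a
proximity card needs, to check the claim that read range is on the order of
the antenna size and to show how poorly range grows with power.

Assumptions (constructed for this example, not measurements from the paper):
  - single-turn circular loop; the 40x40 cm copper-tube loop is approximated
    by a circle of radius 0.20 m, the reader module's PCB antenna by 0.03 m
  - the card sits on the loop axis, which is the best case for the reader
  - H_MIN is the minimum operating field ISO/IEC 14443-2 requires a
    proximity card to work in (1.5 A/m rms)
"""
import math

H_MIN = 1.5  # A/m rms, ISO/IEC 14443-2 minimum operating field


def on_axis_field(current_a, radius_m, distance_m, turns=1):
    """H (A/m) on the axis of a circular loop, from the Biot-Savart law.
    The quasi-static (near-field) form is valid here because the loop is
    far smaller than the 22 m free-space wavelength at 13.56 MHz."""
    r2 = radius_m ** 2
    return turns * current_a * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def read_range(current_a, radius_m, turns=1):
    """Largest on-axis distance (m) at which H still reaches H_MIN.
    Solves on_axis_field(...) == H_MIN for the distance in closed form."""
    r2 = radius_m ** 2
    k = (turns * current_a * r2 / (2.0 * H_MIN)) ** (2.0 / 3.0)
    return math.sqrt(k - r2) if k > r2 else 0.0


def current_for_range(radius_m, distance_m, turns=1):
    """Loop current (A) needed to deliver H_MIN at the given distance."""
    r2 = radius_m ** 2
    return 2.0 * H_MIN * (r2 + distance_m ** 2) ** 1.5 / (turns * r2)


def optimal_radius(distance_m):
    """Radius that maximises H at a fixed distance: the derivative of the
    on-axis field with respect to r is zero at r = distance * sqrt(2), so a
    loop reads best at roughly its own radius, which is the
    'range ~ antenna size' rule on the slides."""
    return distance_m * math.sqrt(2.0)


if __name__ == "__main__":
    for name, r in (("PCB antenna", 0.03), ("copper-tube loop", 0.20)):
        print(f"{name:17s} r={r:.2f} m: range at 1 A = "
              f"{read_range(1.0, r) * 100:5.1f} cm, "
              f"current for 25 cm = {current_for_range(r, 0.25):6.2f} A")
    # Far from the loop H falls as 1/d^3, so doubling the distance needs
    # about eight times the current: range does not scale with power.
    ratio = current_for_range(0.03, 0.40) / current_for_range(0.03, 0.20)
    print("20 -> 40 cm with the PCB antenna needs", round(ratio, 1), "x current")
```

With the assumed geometry the small PCB antenna reaches about 6 cm at 1 A, in line with the 5-10 cm nominal range on the earlier slide, while the large loop reaches about 13 cm at the same current and needs roughly 2.5 A on axis for 25 cm. The cube-law fall-off is the practical limit the slides allude to: every doubling of distance beyond the loop size costs about eight times the current, which is why a larger antenna, rather than more power, is what moves the range.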
Contributions
Built RFID skimmer validated basic concept of an RFID "Leech"
RFID tags can be read from greater distances (25 cm)
Halfway towards full implementation of a relay-attack
Strengths
Created a portable RFID skimmer
Step-by-step instructions
Low system cost ($60)
Weaknesses
Not developed for large scale production
Cheap design = less efficient results
Expensive system tuning methods
Improvements
Better equipment
Use copper-tube loop antenna
Power amp with higher voltage rating capacitors
RF Tuning: measure actual amplification instead of power
High rating components
More powerful RF test equipment
Questions?
Ask me!