How to Build a Low-Cost, Extended-Range RFID Skimmer

Ilan Kirschenbaum & Avishai Wool15th Usenix Security Symposium, 2006

* Presented by Justin Miller on 4/5/07

Overview

Background

RFID uses ISO-14443 standard Increased securityVery short range (5-10cm)

GoalsBuild extended-range RFID skimmerCollects mass info from RFID devices

Outline

RFIDSystem design

BuildingTuning methods

ResultsConclusions

RFID Technology

Many applicationsContactless credit-cardsNational ID cardsE-passportsOther access cards

Very short rangeSecurity vulnerabilities

Attacks on RFID

Relay Attack

Attacks on RFID

Relay Attack

Attacks on RFID

German HackerPDA and RFID read/write deviceChanged shampoo prices from $7 to $3

Johns Hopkins Univ.Sniffs info from RFID-based car keysPurchased gasoline for free

ISO-14443

Proximity card used for identificationVery short range (5-10 cm)Embedded microcontrollerMagnetic loop antenna (13.56 MHz)

SecurityCryptographically-signed file format

RFID Skimmer

Collect info from RFID tagsSignal/query RFID tags close byRecord responses

Some uses:Retrieve info from remote car keysObtain credit card numbers

System Design Goals

Low powerLow noiseLarge read rangeSimple designCheap

System Design

Part #1 - RFID Reader

TI S4100 Multi-Function reader Cost: $60 Built in RF power

amplifier Sends approx.

200mW into small antenna

Part #2 - RFID Antenna

Antenna range ≈ length 39 cm copper tube loop Antenna inductance ≈ 1 μH

Part #3 - Power amplifier

Amplifier interfaced directly to module’s output stage

Powered by FET voltag Field-effect transistor

Did not match impedances between amp and output

Part #4 - Receiver Buffer

Load Modulation Receive BufferHF reader systemReceiver input directly connected to

reader’s antenna

Attenuate signals before feeding them back to the TI moduleAvoid potential reader damageStill deliver input signals to receiver

Part #5 - Power Supply

Powers the large loop antennaMaintain “smooth” DC supply

Clean power supplyLow ripples (power variance) Improves detection range

System Building

Copper Tube Loop Antenna Ideal: 40x40 cm Copper-tube

Constructed their own Cheaper copper tube, used

for cooking gas Pre-made in circular coils

System Building

Copper-tube loop and PCB antennas

System Building

RFID Base BoardDecon DALO 33

Blue PC Etch penProtected ink used

to draw leads on tablet

System Building

RFID Base Board and power amp

System Building

Power AmplifierBased on Melexis

application note Input driven from reader

output Ideal: high voltage rating

capacitorsUsed cheaper, but low

voltage

System Building

Load Modulation Receive Path BufferSignals are looped backBuffer needed to hold correct signals

System Tuning

RF Network AnalyzerMeasure magnitude and phase of input

Measure Voltage Standing Wave RadioAdjust antenna’s impedance to match

amplifier outputRF power meter

Measures power reception Ideal: measure actual amplification

Experiment Notes

Power supply affects skimmer mobilityClean increases RFID detection range

System tuning finds maximal power transfer between circuits

Results

Increased RFID Scan Ranges

12-V battery16.9 cm (PCB), 23.2 cm (copper tube)

With power amp17.3 cm (PCB), 25.2 cm (copper tube)

Results

Results

Close to theoretical predictions

Contributions

Built RFID skimmer validated basic concept of an RFID “Leech”

RFID tags can be read from greater distances (25 cm)

Halfway towards full implementation of a relay-attack

Strengths

Created a portable, RFID skimmer

Step-by-step instructions

Low system cost ($60)

Weaknesses

Not developed for large scale production

Cheap design = less efficient results

Expensive system tuning methods

Improvements

Better equipmentUse copper-tube loop antennaPower amp with higher voltage rating

capacitorsRF Tuning: measure actual amplification

instead of power

High rating componentsMore powerful RF test equipment

Questions?

Ask me!