Yossef Oren, Dvir Schirman, and Avishai Wool (Tel Aviv University), ESORICS 2013.

- Introduction
- Contactless smartcards
- Attack motivation
- System design
- Experimental results
- Attack scenarios
- Conclusions

- Passive tags
- Communication based on inductive coupling
- Transmit back data using load modulation
- Nominal operation range: 5-10 cm

- Contactless smartcards are being used in a variety of security oriented applications:
  - Access control
  - Payment
  - E-voting
  - Smart ID card
  - Passports
- All of them assume the tag is in proximity of the reader

- If communication between the reader and the tag could be established from a longer range, the proximity assumption would be broken
- Our goal: build a device (a.k.a. "Ghost") which allows a standard tag to communicate with a standard reader from a distance of more than 1 m

[Figure: relay setup with Leech, Relay and Ghost; extended range Leech; extended range Ghost]

- Relay attack: extending the nominal communication range between a reader and a tag using a relay channel between two custom made devices ("Ghost" & "Leech") [KW05, Han05, FHMM11, SC13]
- Extended range Leech: a device that allows reading a standard tag from a distance of 30 cm [KW06]

- Design principles:
  - Two separate antennas:
    - A large loop antenna for downlink
    - A mobile monopole HF antenna for uplink
  - Active load modulation for uplink transmission
  - PC based relay

- An open source & open hardware evaluation board for ISO14443 (OpenPCD2)
- Can emulate a tag or a reader
- Based on NXP PN532

- A relay & a Leech were not part of this research, but are necessary for the whole system
- The relay channel between two OpenPCD2 boards was implemented inside a single PC
- Using libnfc's nfc-relay-picc, designed to overcome relay timing limitations
- The Leech was based on an unmodified OpenPCD2

- ISO14443 part 3 (anticollision protocol): strict timing constraint
  - Each of the two devices implements part 3 independently, with no relay
- ISO14443 part 4 (transmission protocol): more permissive timing constraint
  - The tag can ask for more time by sending a WTX request
  - WTXs are sent repeatedly by the Ghost to extend the time window allowed by the reader
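The WTX mechanism the Ghost relies on above can be bounded on the reader side. The following is an added example (not code from the slides or from the authors' system): it decodes ISO14443-4 S(WTX) requests, computes the granted timeout from the FWI, and enforces a per-exchange extension budget as a simple relay indicator; the frame layout and FWT formula are from ISO/IEC 14443-4, while the budget limits and sample frames are assumptions constructed for the example.

```python
# Added example: reader-side bounding of ISO14443-4 S(WTX) requests.
# Frame layout and FWT formula follow ISO/IEC 14443-4; the budget limits and
# the sample frames used in tests are constructed for this example (assumptions).
FC_HZ = 13.56e6                 # ISO14443 carrier frequency
WTX_PCB_NO_CID = 0xF2           # S-block PCB: WTX, no CID byte follows
WTX_PCB_WITH_CID = 0xFA         # S-block PCB: WTX, CID byte follows

def fwt_seconds(fwi: int) -> float:
    """Frame Waiting Time for FWI 0..14: FWT = (256 * 16 / fc) * 2^FWI."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI out of range")
    return (256 * 16 / FC_HZ) * (2 ** fwi)

def parse_wtx_request(frame: bytes):
    """Return the WTXM multiplier (1..59) of a PICC S(WTX) request, else None."""
    if len(frame) == 2 and frame[0] == WTX_PCB_NO_CID:
        inf = frame[1]
    elif len(frame) == 3 and frame[0] == WTX_PCB_WITH_CID:
        inf = frame[2]
    else:
        return None                 # not an S(WTX) block (e.g. S(DESELECT) 0xC2)
    wtxm = inf & 0x3F               # b6..b1 hold WTXM; b8..b7 are the power indicator
    if not 1 <= wtxm <= 59:         # 0 and 60..63 are reserved
        return None
    return wtxm

class WtxBudget:
    """Per-exchange limit on WTX extensions, a simple relay indicator: a genuine
    card asks for a few WTXs while it computes, while a Ghost that keeps sending
    WTXs to cover relay latency runs through the budget (limits are assumptions)."""
    def __init__(self, fwi: int, max_requests: int = 3, max_total_s: float = 1.0):
        self.fwt = fwt_seconds(fwi)
        self.max_requests = max_requests
        self.max_total_s = max_total_s
        self.requests = 0
        self.total_s = 0.0

    def on_wtx(self, frame: bytes):
        """Return (allowed, granted_timeout_s) for one incoming S(WTX) frame."""
        wtxm = parse_wtx_request(frame)
        if wtxm is None:
            return False, 0.0       # malformed or reserved value: drop, do not extend
        self.requests += 1
        self.total_s += self.fwt * wtxm
        if self.requests > self.max_requests or self.total_s > self.max_total_s:
            return False, 0.0       # budget exhausted: flag as possible relay
        return True, self.fwt * wtxm
```

A reader that rejects the fourth WTX in a row forces the relayed exchange to time out, so the budget values trade tolerance for slow genuine cards against how much relay latency is allowed to hide.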

- Receiving antenna: a 39 cm loop antenna designed for the prior Leech project
- Matching circuit: based on NXP's app note
- LNA: Mini-Circuits' ZFL-500LN

- Active load modulation:
  - Producing the spectral image created by load modulation by means of a standard AM modulator

- Ghost OpenPCD2 modification:
  - LOADMOD pin was enabled; it outputs the modulated subcarrier (847.5 kHz)
  - The above signal was connected to a detector, in order to extract the coded bitstream
  - The bitstream was pulse modulated onto a 13.56 MHz carrier signal
  - The HF signal was pre-amplified (Mini-Circuits' ZHL-32A) & power amplified (RM-Italy KL400)

- Transmitting antenna:
  - Broadband helically wound monopole antenna
  - We use the magnetic near field emitted from the antenna

- Downlink experiment:
  - Maximal downlink range was tested with a homemade diode detector: ~1.5 m
  - Using a spectrum analyzer as a detector, a range of ~3.5 m was measured

- Jamming:
  - By transmitting a continuous signal on 13.56 MHz the reader can be jammed
  - Since we couldn't measure the uplink range independently of the downlink system, the maximal jamming range was measured in order to evaluate the performance of the uplink system
  - By transmitting a 29 dBm signal, a jamming range of 2 m was achieved

- The measured range was highly sensitive to the surrounding environment

- E-voting:
  - Using a range extended Ghost and a relay attack, an adversary can mount several attacks on Israel's proposed e-voting system
  - Allows the attacker complete control over previously cast votes
- Access control:
  - By using a range extended Ghost and a relay setup, the attacker can open a secured door without being detected by a guard / security camera

- We present a car mounted range extension setup for ISO14443 RFID systems
- We successfully built a prototype working from 1.15 m (more than 10 times the nominal range)

- Extending the nominal communication range of contactless smartcards forms a severe threat to the system's security
- Combined with a relay attack, the presented device can allow an adversary to mount an attack without being detected

- I would like to thank the following people for their contributions to this work:
  - Mr. Ilan Kirschenbaum, for the loop antenna and other equipment built for his Leech project
  - Mr. Milosch Meriac, for his help with OpenPCD
  - Mr. Klaus Finkenzeller, for his help with understanding ISO14443