How to Build a Low-Cost, Extended-Range RFID Skimmer. Ilan Kirschenbaum & Avishai Wool, 15th USENIX Security Symposium, 2006. Presented by Justin Miller on 4/5/07.
Overview
Background: RFID readers and cards follow an ISO standard (ISO 14443 proximity cards); the standard's very short nominal range (5-10 cm) is often treated as a security feature. Goals: build an extended-range RFID skimmer that can collect information from many RFID devices at once.
Outline: RFID; system design; building; tuning methods; results; conclusions.
RFID Technology: many applications (contactless credit cards, national ID cards, e-passports, other access cards); very short range; security vulnerabilities.
Attacks on RFID: relay attack (diagram).
Attacks on RFID: a German hacker with a PDA and an RFID read/write device changed shampoo prices from $7 to $3; Johns Hopkins University researchers sniffed the information from RFID-based car keys and purchased gasoline for free.
ISO (14443) proximity card: used for identification; very short range (5-10 cm); embedded microcontroller; magnetic loop antenna operating at 13.56 MHz; security: cryptographically signed file format.
RFID Skimmer: collects information from RFID tags by signalling/querying nearby tags and recording their responses. Some uses: retrieve information from remote car keys; obtain credit-card numbers.
System Design Goals: low power; low noise; large read range; simple design; cheap.
System Design
Part #1 - RFID Reader: TI S4100 Multi-Function reader; cost $60; built-in RF power amplifier that sends approximately 200 mW into a small antenna.
Part #2 - RFID Antenna: read range is roughly the size of the antenna loop (rule of thumb); 39 cm copper-tube loop; antenna inductance ≈ 1 μH.
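The antenna slide's two numbers (loop size sets the read range; inductance ≈ 1 μH at a 13.56 MHz carrier) are enough to do the back-of-the-envelope design. The following Python is an added example, not code from the paper or the slides: it computes the capacitor that resonates a 1 μH loop at 13.56 MHz, the on-axis magnetic field of a circular loop (Biot-Savart), the loop radius that maximises the field at a target distance (the source of the "range ≈ loop size" rule), and the current or range that follows from a tag threshold. The 1.5 A/m threshold is the ISO 14443 minimum operating field; the 20 cm and 5 cm loop radii are assumptions standing in for the 40x40 cm copper-tube loop and a small PCB loop (the slides give no PCB dimensions).

```python
import math

F_CARRIER = 13.56e6        # ISO 14443 carrier frequency, Hz (from the slides)
H_MIN = 1.5                # ISO 14443 minimum operating field, A/m (assumed tag threshold)


def resonant_capacitance(inductance_h, freq_hz=F_CARRIER):
    """Capacitor that resonates the loop at freq_hz: C = 1 / ((2*pi*f)^2 * L)."""
    omega = 2 * math.pi * freq_hz
    return 1.0 / (omega ** 2 * inductance_h)


def on_axis_field(radius_m, distance_m, current_a=1.0, turns=1):
    """Magnetic field strength H (A/m) on the axis of a circular loop, from
    Biot-Savart: H = N * I * r^2 / (2 * (r^2 + x^2)^(3/2)).
    A square loop of side s is approximated here as a circle of radius s/2."""
    r2 = radius_m ** 2
    return turns * current_a * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def optimal_radius(distance_m):
    """Loop radius that maximises H at a given distance: dH/dr = 0 gives r = x*sqrt(2).
    This is the 'range is roughly the loop size' rule of thumb on the slide."""
    return distance_m * math.sqrt(2)


def current_for_range(radius_m, distance_m, h_min=H_MIN, turns=1):
    """Loop current (A) needed so a tag at distance_m sees at least h_min."""
    return h_min / on_axis_field(radius_m, distance_m, 1.0, turns)


def read_range(radius_m, current_a, h_min=H_MIN, turns=1):
    """Largest on-axis distance (m) at which the field still reaches h_min.
    Solves (r^2 + x^2)^(3/2) = N*I*r^2 / (2*h_min) for x; 0.0 if never reached."""
    k = turns * current_a * radius_m ** 2 / (2.0 * h_min)
    inner = k ** (2.0 / 3.0) - radius_m ** 2
    return math.sqrt(inner) if inner > 0 else 0.0


if __name__ == "__main__":
    L = 1e-6  # loop inductance from the slide
    print(f"tuning capacitor for {L*1e6:.0f} uH at 13.56 MHz: "
          f"{resonant_capacitance(L)*1e12:.1f} pF")
    # Assumed geometries: 40x40 cm copper-tube loop (~20 cm radius) versus a
    # small PCB loop (~5 cm radius; the slides give no PCB dimensions).
    for name, r in (("copper-tube loop", 0.20), ("PCB loop", 0.05)):
        print(f"{name}: {current_for_range(r, 0.25):.1f} A needed for 25 cm, "
              f"range at 1 A = {read_range(r, 1.0)*100:.1f} cm")
    print(f"best loop radius for 25 cm: {optimal_radius(0.25)*100:.1f} cm")
```

Run as a script it shows why the deck's big copper loop wins: at 25 cm the 20 cm-radius loop needs roughly 2.5 A of loop current to reach 1.5 A/m, while the 5 cm-radius loop needs about 20 A, and the best radius for a 25 cm target is about 35 cm. Real tags also need the field to be present off-axis and the loop to be matched to the amplifier, which the tuning slide covers.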
Part #3 - Power Amplifier: interfaced directly to the module's output stage; built around a field-effect transistor (FET); the impedances of the amplifier and the module's output stage were not matched.
Part #4 - Receiver Buffer (load-modulation receive buffer): in the HF reader system the receiver input is connected directly to the reader's antenna; the buffer attenuates the signals before feeding them back to the TI module, avoiding potential damage to the reader while still delivering the input signals to the receiver.
Part #5 - Power Supply: powers the large loop antenna; must maintain a "smooth" DC supply; a clean supply with low ripple (voltage variation) improves detection range.
System Building - Copper-Tube Loop Antenna: ideal is a 40x40 cm copper-tube loop; the authors constructed their own from cheaper copper tube sold for cooking gas, which comes pre-made in circular coils.
System Building: copper-tube loop and PCB antennas (photo).
System Building - RFID Base Board: the traces were drawn on the board with a Decon DALO 33 Blue PC etch pen, whose etch-resist ink protects the copper underneath during etching.
System Building: RFID base board and power amp (photo).
System Building - Power Amplifier: based on a Melexis application note; input driven from the reader output; ideally uses high-voltage-rating capacitors, but cheaper low-voltage ones were used.
System Building - Load Modulation Receive Path Buffer: the signals are looped back to the reader; the buffer is needed to deliver the correct signal levels.
System Tuning: an RF network analyzer measures the magnitude and phase of the input impedance and the voltage standing wave ratio (VSWR); the antenna's impedance is adjusted to match the amplifier output. An RF power meter measures received power; ideally one would measure the actual amplification.
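The network-analyzer step on this slide reduces to measuring the reflection coefficient looking into the antenna and adjusting it until the VSWR is as close to 1 as possible. The following Python is an added example, not from the paper or the slides: it models the loop as a series R-L-C (loop inductance and loss resistance with the tuning capacitor in series, a simplifying assumption), computes Γ, VSWR, return loss and the fraction of forward power the antenna absorbs against an assumed 50 Ω amplifier output, and sweeps the tuning capacitor to find the minimum-VSWR value. The 1 μH inductance is the figure from the antenna slide; the 50 Ω and 1 Ω loss resistances are assumptions chosen to show two different outcomes.

```python
import math

F_CARRIER = 13.56e6   # ISO 14443 carrier, Hz


def series_loop_impedance(inductance_h, resistance_ohm, capacitance_f, freq_hz=F_CARRIER):
    """Impedance of the antenna modelled as a series R-L-C: loop inductance and
    loss resistance with the tuning capacitor in series (assumed model).
    capacitance_f=1.0 makes the capacitor a short, i.e. an untuned loop."""
    omega = 2 * math.pi * freq_hz
    reactance = omega * inductance_h - 1.0 / (omega * capacitance_f)
    return complex(resistance_ohm, reactance)


def reflection_coefficient(z_load, z0=50.0):
    """Gamma = (ZL - Z0) / (ZL + Z0): what the network analyzer reports
    (magnitude and phase) looking into the antenna."""
    return (z_load - z0) / (z_load + z0)


def vswr(z_load, z0=50.0):
    """Voltage standing wave ratio (1 + |Gamma|) / (1 - |Gamma|); 1.0 is a perfect match."""
    g = abs(reflection_coefficient(z_load, z0))
    return math.inf if g >= 1.0 else (1.0 + g) / (1.0 - g)


def return_loss_db(z_load, z0=50.0):
    """Return loss -20*log10|Gamma| in dB; larger is better."""
    g = abs(reflection_coefficient(z_load, z0))
    return math.inf if g == 0.0 else -20.0 * math.log10(g)


def delivered_fraction(z_load, z0=50.0):
    """Share of the amplifier's forward power absorbed by the antenna: 1 - |Gamma|^2."""
    return 1.0 - abs(reflection_coefficient(z_load, z0)) ** 2


def tune_capacitor(inductance_h, resistance_ohm, z0=50.0, freq_hz=F_CARRIER,
                   c_min=50e-12, c_max=300e-12, steps=2500):
    """Sweep the tuning capacitor (0.1 pF steps by default) and return (C, VSWR)
    at the lowest VSWR, which is what the manual 'adjust the antenna impedance'
    step on the slide does with the analyzer."""
    best_c, best_v = c_min, math.inf
    for i in range(steps + 1):
        c = c_min + (c_max - c_min) * i / steps
        v = vswr(series_loop_impedance(inductance_h, resistance_ohm, c, freq_hz), z0)
        if v < best_v:
            best_c, best_v = c, v
    return best_c, best_v


if __name__ == "__main__":
    L = 1e-6  # loop inductance from the antenna slide
    for r_loss in (50.0, 1.0):  # assumed loop loss resistances, ohms
        untuned = series_loop_impedance(L, r_loss, 1.0)
        c, v = tune_capacitor(L, r_loss)
        tuned = series_loop_impedance(L, r_loss, c)
        print(f"R={r_loss:5.1f} ohm untuned: VSWR={vswr(untuned):.2f}, "
              f"delivered={delivered_fraction(untuned):.0%}")
        print(f"R={r_loss:5.1f} ohm tuned C={c*1e12:.1f} pF: VSWR={v:.2f}, "
              f"return loss={return_loss_db(tuned):.1f} dB, "
              f"delivered={delivered_fraction(tuned):.0%}")
```

The two cases show the two things the tuning step has to fix. With the loop's reactance uncancelled, even a 50 Ω loop reflects about 40% of the forward power (VSWR ≈ 4.7); resonating it with ≈138 pF brings the VSWR to ≈1. With a realistic 1 Ω loss resistance, resonance alone still leaves a VSWR of about 50, so the impedance must also be transformed to the amplifier's output impedance, which is why the deck lists "adjust the antenna's impedance to match the amplifier output" as a separate tuning action.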
Experiment Notes: the power supply affects the skimmer's mobility; a clean supply increases RFID detection range; system tuning finds the point of maximal power transfer between the circuits.
Results - Increased RFID Scan Ranges: with a 12-V battery, 16.9 cm (PCB antenna) and 23.2 cm (copper-tube antenna); with the power amp, 17.3 cm (PCB) and 25.2 cm (copper tube).
Results: close to theoretical predictions (plot).
Contributions: built an RFID skimmer that validates the basic concept of an RFID "leech"; RFID tags can be read from greater distances (25 cm); this is halfway towards a full implementation of a relay attack.
Strengths: created a portable RFID skimmer; step-by-step instructions; low system cost ($60).
Weaknesses: not developed for large-scale production; the cheap design yields less efficient results; expensive system-tuning methods.
Improvements: better equipment; use the copper-tube loop antenna; power amp with higher-voltage-rating capacitors; RF tuning that measures actual amplification instead of power; higher-rated components; more powerful RF test equipment.
Questions? Ask me!