Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

Published byEgbert Bridges Modified over 9 years ago

Similar presentations

Presentation on theme: "Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013."— Presentation transcript:

1 Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013

2  Introduction  Contactless smartcards  Attack motivation  System design  Experimental results  Attack scenarios  Conclusions

3

4  Passive tags  Communication based on inductive coupling  Transmit back data using load modulation  Nominal operation range – 5-10 cm

5  Contactless smartcards are being used in a variety of security oriented applications:  Access control  Payment  E-voting  Smart ID card  Passports  All of them assume the tag is in proximity of the reader

6  If a communication between the reader and the tag could be established from a longer range – the proximity assumption would be broken  Our goal – build a device (a.k.a “Ghost”) which allow a standard tag to communicate with a standard reader from a distance of more than 1m

7 Leech Ghost Relay Extended range Leech Extended range Ghost

8  Relay attack – extending the nominal communication range between a reader and a tag using a relay channel between two custom made devices (“Ghost” & “Leech”) [KW05, Han05, FHMM11, SC13]  Extended range Leech – a device that allows to read a standard tag from a distance of 30 cm [KW06]

9  Design principles:  Two separate antennas: ▪ A large loop antenna for downlink ▪ A mobile monopole HF antenna for uplink  Active load modulation for uplink transmission  PC based relay

10  An open source & open hardware evaluation board for ISO14443  Can emulate a tag or a reader  Based on NXP PN532  www.openpcd.org www.openpcd.org

11

12  A relay & a Leech were not part of this research, but necessary for the whole system  Relay channel between two OpenPCD2 boards was implemented inside a single PC  Using libnfc’s nfc-relay-picc – designed to overcome relay timing limitations overcome relay timing limitations  Leech was based on an unmodified OpenPCD2

13  Part 3 (anticollision protocol) – strict timing constraint  Each of the two devices implement part 3 independently, with no relay  Part 4 (transmission protocol) – more permissive timing constraint  The tag can ask for more time by sending WTX request  WTXs are sent repeatedly by the Ghost to extend the time window allowed by the reader

14  Receiving antenna: a 39 cm loop antenna designed for prior Leech project  Matching circuit: Based on NXP’s app note  LNA: Mini-Circuits’ ZFL-500LN

15  Active load modulation:  Producing the spectral image created by load modulation by means of a standard AM modulator

16  Ghost OpenPCD2 modification:  LOADMOD pin was enabled – outputs modulated subcarrier (847.5 kHz)  The above signal was connected to a detector, in order to extract coded bitstream  The bitstream was pulse modulated on a 14.4075 MHz carrier signal  The HF signal was pre-amplified (Mini- Circuits’ ZHL-32A) & power amplified (RM- Italy KL400)

17  Transmitting antenna:  Broadband helically wound monopole antenna  We use the magnetic near field emitted from the antenna

18

19  Downlink experiment:  Maximal downlink range was tested with a homemade diode detector ~ 1.5m  Using a spectrum analyzer as a detector a range of ~3.5m was measured

20  Jamming  By transmitting a continuous signal on 14.4075 MHz the reader can be jammed  Since we couldn’t measure uplink range independently from downlink system, maximal Jamming range was measured in order to evaluate the performance of the uplink system  By transmitting a 29 dBm signal, a jamming range of 2 m was achieved

21

22  The measured range was highly sensitive to the surrounding environment

23  E-voting  Using a range extended Ghost and a relay attack, an adversary can mount several attacks on Israel’s proposed e-voting system  Allows the attacker complete control over previously cast votes  Access control  By using a range extended Ghost and a relay setup the attacker can open a secured door without being detected by a guard / security camera

24  We offer a car mounted range extension setup for ISO 14443 RFID systems  We successfully built a prototype working from 1.15 m (more than 10 times the nominal range)

25  Extending the nominal communication range of contactless smartcards form a severe threat on the system’s security  Combining with a relay attack the presented device can allow adversary to mount his attack without being detected

26  I would like to thank the following people for their contributions to this work:  Mr. Ilan Kirschenbaum – For the loop antenna and other equipment built for his Leech project  Mr. Milosch Meriac – For his help with OpenPCD  Mr. Klaus Finkenzeller – For his help with understanding ISO14443

27

Download ppt "Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013."

Similar presentations

PROF. MAULIK PATEL CED, GPERI Mobile Computing Gujarat Power Engineering and Research Institute 1 Prepared By: Prof. Maulik Patel Mobile Technologies.

PROF. MAULIK PATEL CED, GPERI Mobile Computing Gujarat Power Engineering and Research Institute 1 Prepared By: Prof. Maulik Patel Mobile Technologies.
RFID: OPPORTUNITIES and CHALLENGES Yize Chen. History In 1969, Mario Cardullo presented a RFID business plan to investors. The application areas include:

RFID: OPPORTUNITIES and CHALLENGES Yize Chen. History In 1969, Mario Cardullo presented a RFID business plan to investors. The application areas include:
VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.

VSMC MIMO: A Spectral Efficient Scheme for Cooperative Relay in Cognitive Radio Networks 1.
NFC Forum Measurements

NFC Forum Measurements
NFC Security What is NFC? NFC Possible Security Attacks. NFC Security Attacks Countermeasures. Conclusion. References.

NFC Security What is NFC? NFC Possible Security Attacks. NFC Security Attacks Countermeasures. Conclusion. References.
NFC Devices: Security and Privacy

NFC Devices: Security and Privacy
Overview of new technologies Jørgen Bach Andersen, Aalborg University, Denmark Sven Kuhn, Rasmus Krigslund, Troels B. Sørensen.

Overview of new technologies Jørgen Bach Andersen, Aalborg University, Denmark Sven Kuhn, Rasmus Krigslund, Troels B. Sørensen.
SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.

SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.
1 FCC RFID Workshop RFID Discussions September 7, 2004 Kevin Powell, Symbol Technologies.

1 FCC RFID Workshop RFID Discussions September 7, 2004 Kevin Powell, Symbol Technologies.
Timo Kasper Crete, Greece May 10, 2007 An Embedded System for Practical Security Analysis of Contactless Smartcards Timo Kasper, Dario Carluccio and Christof.

Timo Kasper Crete, Greece May 10, 2007 An Embedded System for Practical Security Analysis of Contactless Smartcards Timo Kasper, Dario Carluccio and Christof.
Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.

Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.
1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.

1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.
How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium,2006 Kishore Padma Raju.

How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium,2006 Kishore Padma Raju.
Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1.

Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1.
How to efficiently use the electrical distribution underground cables for Power Line Communications and to achieve the Smart grid’s goals. Energy Smart.

How to efficiently use the electrical distribution underground cables for Power Line Communications and to achieve the Smart grid’s goals. Energy Smart.
Radio Frequency Identification (RFID) Features and Functionality of RFID Including application specific ISO specifications Presented by: Chris Lavin Sarah.

Radio Frequency Identification (RFID) Features and Functionality of RFID Including application specific ISO specifications Presented by: Chris Lavin Sarah.
Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.

Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.
 Defining the RF jamming system and showing the importance and need of using it in many places.  Giving a complete RF jamming system design based on.

 Defining the RF jamming system and showing the importance and need of using it in many places.  Giving a complete RF jamming system design based on.
(LF Transmitter Module, High Power) Development Prototype

(LF Transmitter Module, High Power) Development Prototype
SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.

SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.

Similar presentations

Ads by Google