Published by Hilary Thomas. Modified over 9 years ago.
1
How to Build a Low-Cost, Extended-Range RFID Skimmer. Ilan Kirschenbaum & Avishai Wool, 15th USENIX Security Symposium, 2006. Kishore Padma Raju
2
OVERVIEW
3
BACKGROUND RFID uses ISO-14443 standard – Increased security – Very short range (5-10cm) Goals – Build extended-range RFID skimmer – Collects mass info from RFID devices
4
OUTLINE RFID System design – Building – Tuning methods Results Conclusions
5
RFID Technology Many applications – Contactless credit-cards – National ID cards – E-passports – Other access cards Very short range Security vulnerabilities
6
Attacks on RFID Relay attack
7
Attacks on RFID Relay attack
8
Attacks on RFID German Hacker – PDA and RFID read/write device – Changed shampoo prices from $7 to $3 Johns Hopkins Univ. – Sniffs info from RFID-based car keys – Purchased gasoline for free
9
ISO-14443 Proximity card used for identification – Very short range (5-10 cm) – Embedded microcontroller – Magnetic loop antenna (13.56 MHz) Security – Cryptographically-signed file format
10
RFID Skimmer Collect info from RFID tags – Signal/query RFID tags – Record responses Some uses: – Retrieve info from remote car keys – Obtain credit card numbers
11
System Design Goals Low power Low noise Large read range Simple design Cheap
12
System Design
13
Part #1 - RFID Reader TI S4100 Multi-Function reader – Cost: $60 – Built in RF power amplifier – Sends approx. 200mW into small antenna
14
Part #2 - RFID Antenna Antenna range ≈ length 39 cm copper tube loop Antenna inductance ≈ 1 μH
15
Part #3 - Power amplifier Amplifier interfaced directly to module’s output stage Powered by FET voltage Field-effect transistor Did not match impedances between amp and output
16
Part #4 - Receiver Buffer Load Modulation Receive Buffer – HF reader system – Receiver input directly connected to reader’s antenna Attenuate signals before feeding them back to the TI module – Avoid potential reader damage – Still deliver input signals to receiver
17
Part #4 - Receiver Buffer
18
Part #5 - Power supply Powers the large loop antenna Maintain “smooth” DC supply – Clean power supply – Low ripples (power variance) – Improves detection range
19
SYSTEM BUILDING Copper Tube Loop Antenna – Ideal: 40x40 cm – Copper-tube Constructed their own – Cheaper copper tube, used for cooking gas – Pre-made in circular coils
20
SYSTEM BUILDING Copper-tube loop and PCB antennas
21
SYSTEM BUILDING RFID Base Board – Decon DALO 33 Blue PC Etch pen – Protected ink used to draw leads on tablet
22
SYSTEM BUILDING RFID Base Board and power amp
23
SYSTEM BUILDING Power Amplifier – Based on Melexis application note – Input driven from reader output – Ideal: high voltage rating capacitors – Used cheaper, but low voltage
24
SYSTEM BUILDING Load Modulation Receive Path Buffer – Signals are looped back – Buffer needed to hold correct signals
25
SYSTEM TUNING RF Network Analyzer – Measure magnitude and phase of input Measure Voltage Standing Wave Ratio – Adjust antenna’s impedance to match amplifier output RF power meter – Measures power reception – Ideal: measure actual amplification
26
RESULTS
27
Close to theoretical predictions
28
CONTRIBUTIONS Built RFID skimmer validated basic concept of an RFID “Leech” RFID tags can be read from greater distances (25 cm) Halfway towards full implementation of a relay-attack
29
Strengths Created a portable RFID skimmer Step-by-step instructions Low system cost ($110)
30
Weaknesses Not developed for large scale production Cheap design = less efficient results Expensive system tuning methods
31
Improvements Better equipment High rating components – More powerful RF test equipment