Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Attacks on a Proximity Card Jonathan Westhues June 18 2005.

Published byShon Scott Modified over 9 years ago

Similar presentations

Presentation on theme: "Practical Attacks on a Proximity Card Jonathan Westhues June 18 2005."— Presentation transcript:

1 Practical Attacks on a Proximity Card Jonathan Westhues jwesthues@cq.cx June 18 2005

2 Introduction How do RFID tags work? Signals sent over the air A naïve attack works perfectly Better-than-naïve attacks work even better Security is possible if you are willing to pay for it

3 How the tags work The reader transmits a powerful carrier (a signal that carries no information) –Reader “excites” or “illuminates” tag This carrier powers the circuitry on the tag –So the tag does not need an internal power source (battery)

4 Information over the air Tag returns an information-bearing signal to the reader –Same frequency, same antenna Bi-directional communication also possible –e.g. to write information to a tag instead of just reading

5 Example: TI tag antenna coil capacitor(s) (microchip on other side)

6 Example: 13.56 MHz tag antenna coil microchip capacitor

7 reader: powerful, no information Signals over the air tag: weak, carries information + 1 0 1 1 0

8 Result: the signals add (signal seen at the reader) 1 0 1 1 0

9 Motorola/Indala Flexpass Card transmits its ID code to the reader Reader checks ID against its list to see if it should open the door That’s it; no attempt at security

10 Basic replay attack

11 Read a legitimate card to get its ID code Store the ID in memory Replay the ID to a legitimate reader

12 Basic replay attack Hardware design: nothing fast, no need for anything custom Easy Other people have done this

13 What kind of read range? Depends on the power of the carrier that the reader transmits Practical limits: –TX power Legalities (FCC, Industry Canada) Input power Technical limits (heat etc.) –Antenna size

14 Practical read range “A few feet”

15 Even better attacks The read range goes up when the card is already powered –Thus, even more vulnerable if the eavesdropper sets up near a legitimate reader The signal goes through sheetrock walls

16 DSP refinements FlexPass cards: repeat their ID over and over as long as they are powered Opportunity to use DSP techniques to “average together” multiple copies and improve sensitivity

17 Solution But surely we can do better… http://members.core.com/~jeffp/

18 FlexPass FlexSecur Encrypt ID before programming it onto card Replay attack: –Doesn’t help, eavesdropper unlikely to notice that is present Not useless though

19 Challenge/Response Fixes everything, and cards are available that use it Drawbacks: –Complexity: crypto circuitry on the card –Bi-directional communication with reader is now required

20 Alternative: Rolling codes Also fixes everything Used e.g. in auto keyless entry Advantage: –No bi-directional communication required Disadvantage: –Needs non-volatile storage

21 Conclusion ID-only cards are not in any mathematical sense secure Secure alternatives exist Depending on the application, they might not be better It would be nice if the vendors would tell you what you’re getting

22 Thank you

Download ppt "Practical Attacks on a Proximity Card Jonathan Westhues June 18 2005."

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
TPS – UNIQUE HARDWARE (WWW.HOWSTUFFWORKS.COM) Option 1: Transaction Processing Systems.

TPS – UNIQUE HARDWARE ( Option 1: Transaction Processing Systems.
Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.

Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.
Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.
Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.

Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.
RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.

RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.
Security in RFID Presented By… NetSecurity-Spring07

Security in RFID Presented By… NetSecurity-Spring07
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Asmt. 10: ID chips in product Pro RFID chips in product Group 3. Team A Ivan Augustino Andres Crucitti.

Asmt. 10: ID chips in product Pro RFID chips in product Group 3. Team A Ivan Augustino Andres Crucitti.
#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.

#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.
RADIO FREQUENCY IDENTIFICATION By Basia Korel. Automatic Identification Technology for identifying items Three step process 1) Identify people/objects.

RADIO FREQUENCY IDENTIFICATION By Basia Korel. Automatic Identification Technology for identifying items Three step process 1) Identify people/objects.
RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.

RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.
Real World Applications of RFID Mr. Mike Rogers Bryan Senior High School Omaha, NE.

Real World Applications of RFID Mr. Mike Rogers Bryan Senior High School Omaha, NE.
RFID passports How does is work? Step by step By: Einav Mimram.

RFID passports How does is work? Step by step By: Einav Mimram.
Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1.

Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1.
RFID Inventory System Shaun Duncan, Thomas Keaten, Auroop Roy.

RFID Inventory System Shaun Duncan, Thomas Keaten, Auroop Roy.
 The Global Positioning System (GPS) is a navigational system involving satellites and computers that can determine the latitude and longitude of a receiver.

 The Global Positioning System (GPS) is a navigational system involving satellites and computers that can determine the latitude and longitude of a receiver.

Similar presentations

Ads by Google