Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium, 2006 * Presented by Justin Miller.

Published byJune Gilmore Modified over 9 years ago

Similar presentations

Presentation on theme: "How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium, 2006 * Presented by Justin Miller."— Presentation transcript:

1 How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium, 2006 * Presented by Justin Miller on 4/5/07

2 Overview

3 Background RFID uses ISO-14443 standard Increased security Very short range (5-10cm) Goals Build extended-range RFID skimmer Collects mass info from RFID devices

4 Outline RFID System design Building Tuning methods Results Conclusions

5 RFID Technology Many applications Contactless credit-cards National ID cards E-passports Other access cards Very short range Security vulnerabilities

6 Attacks on RFID Relay Attack

7 Attacks on RFID Relay Attack

8 Attacks on RFID German Hacker PDA and RFID read/write device Changed shampoo prices from $7 to $3 Johns Hopkins Univ. Sniffs info from RFID-based car keys Purchased gasoline for free

9 ISO-14443 Proximity card used for identification Very short range (5-10 cm) Embedded microcontroller Magnetic loop antenna (13.56 MHz) Security Cryptographically-signed file format

10 RFID Skimmer Collect info from RFID tags Signal/query RFID tags close by Record responses Some uses: Retrieve info from remote car keys Obtain credit card numbers

11 System Design Goals Low power Low noise Large read range Simple design Cheap

12 System Design

13 Part #1 - RFID Reader TI S4100 Multi- Function reader Cost: $60 Built in RF power amplifier Sends approx. 200mW into small antenna

14 Part #2 - RFID Antenna Antenna range ≈ length 39 cm copper tube loop Antenna inductance ≈ 1 μH

15 Part #3 - Power amplifier Amplifier interfaced directly to module’s output stage Powered by FET voltag Field-effect transistor Did not match impedances between amp and output

16 Part #4 - Receiver Buffer Load Modulation Receive Buffer HF reader system Receiver input directly connected to reader’s antenna Attenuate signals before feeding them back to the TI module Avoid potential reader damage Still deliver input signals to receiver

17 Part #5 - Power Supply Powers the large loop antenna Maintain “smooth” DC supply Clean power supply Low ripples (power variance) Improves detection range

18 System Building Copper Tube Loop Antenna Ideal: 40x40 cm Copper-tube Constructed their own Cheaper copper tube, used for cooking gas Pre-made in circular coils

19 System Building Copper-tube loop and PCB antennas

20 System Building RFID Base Board Decon DALO 33 Blue PC Etch pen Protected ink used to draw leads on tablet

21 System Building RFID Base Board and power amp

22 System Building Power Amplifier Based on Melexis application note Input driven from reader output Ideal: high voltage rating capacitors Used cheaper, but low voltage

23 System Building Load Modulation Receive Path Buffer Signals are looped back Buffer needed to hold correct signals

24 System Tuning RF Network Analyzer Measure magnitude and phase of input Measure Voltage Standing Wave Radio Adjust antenna’s impedance to match amplifier output RF power meter Measures power reception Ideal: measure actual amplification

25 Experiment Notes Power supply affects skimmer mobility Clean increases RFID detection range System tuning finds maximal power transfer between circuits

26 Results Increased RFID Scan Ranges 12-V battery 16.9 cm (PCB), 23.2 cm (copper tube) With power amp 17.3 cm (PCB), 25.2 cm (copper tube)

27 Results

28 Close to theoretical predictions

29 Contributions Built RFID skimmer  validated basic concept of an RFID “Leech” RFID tags can be read from greater distances (25 cm) Halfway towards full implementation of a relay-attack

30 Strengths Created a portable, RFID skimmer Step-by-step instructions Low system cost ($60)

31 Weaknesses Not developed for large scale production Cheap design = less efficient results Expensive system tuning methods

32 Improvements Better equipment Use copper-tube loop antenna Power amp with higher voltage rating capacitors RF Tuning: measure actual amplification instead of power High rating components More powerful RF test equipment

33 Questions? Ask me!

Download ppt "How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium, 2006 * Presented by Justin Miller."

Similar presentations

1 Foundation Course Transmitters & Receivers EKRS Karl Davies.

1 Foundation Course Transmitters & Receivers EKRS Karl Davies.
The L-Network L-networks are used to match the output impedance of one circuit to the input of another. Rsource < Rload, 1< Q < 5 Rsource > Rload, 1

The L-Network L-networks are used to match the output impedance of one circuit to the input of another. Rsource < Rload, 1< Q < 5 Rsource > Rload, 1
Kit Building Class Lesson 4Page 1 R and X in Series Inductors and capacitors resist the flow of AC. This property is called reactance. Resistance also.

Kit Building Class Lesson 4Page 1 R and X in Series Inductors and capacitors resist the flow of AC. This property is called reactance. Resistance also.
Chapter 7 Operational-Amplifier and its Applications

Chapter 7 Operational-Amplifier and its Applications
SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.

SIMS: Smart Inventory Management System Group 37 Masaki Negishi & Anthony Fai ECE 445 Senior Design April 27, 2005.
RF Circuit Design Chris Fuller 952-607-8506 11/7/2012.

RF Circuit Design Chris Fuller /7/2012.
Timo Kasper Crete, Greece May 10, 2007 An Embedded System for Practical Security Analysis of Contactless Smartcards Timo Kasper, Dario Carluccio and Christof.

Timo Kasper Crete, Greece May 10, 2007 An Embedded System for Practical Security Analysis of Contactless Smartcards Timo Kasper, Dario Carluccio and Christof.
Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.
Antennas Lecture 9.

Antennas Lecture 9.
Flatiron Mobile Device Security Monitor Thomas Horacek Lucas Greve.

Flatiron Mobile Device Security Monitor Thomas Horacek Lucas Greve.
The Enforcer Laura Celentano Glenn Ramsey Michael Szalkowski.

The Enforcer Laura Celentano Glenn Ramsey Michael Szalkowski.
Technician License Course Chapter 3 Electricity, Components and Circuits Lesson Plan Module 6.

Technician License Course Chapter 3 Electricity, Components and Circuits Lesson Plan Module 6.
RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.

RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.
How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium,2006 Kishore Padma Raju.

How to Build a Low-Cost, Extended-Range RFID Skimmer Ilan Kirschenbaum & Avishai Wool 15 th Usenix Security Symposium,2006 Kishore Padma Raju.
Overview of RFID System Characteristics Operating Frequency Method of Coupling Transmission Range Data Storage Capacity Power Supply (Active, Passive)

Overview of RFID System Characteristics Operating Frequency Method of Coupling Transmission Range Data Storage Capacity Power Supply (Active, Passive)
Radio Frequency Identification (RFID) Features and Functionality of RFID Including application specific ISO specifications Presented by: Chris Lavin Sarah.

Radio Frequency Identification (RFID) Features and Functionality of RFID Including application specific ISO specifications Presented by: Chris Lavin Sarah.
Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.

Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.
Diodes Analog Electronics UNIT III. Diodes UNIT I Objective The student will use diodes, capacitors, regulators and LEDs through a rectifying system in.

Diodes Analog Electronics UNIT III. Diodes UNIT I Objective The student will use diodes, capacitors, regulators and LEDs through a rectifying system in.
(LF Transmitter Module, High Power) Development Prototype

(LF Transmitter Module, High Power) Development Prototype
RFID – An Introduction Murari Raghavan UNC-Charlotte.

RFID – An Introduction Murari Raghavan UNC-Charlotte.

Similar presentations

Ads by Google