How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th USENIX Security Symposium, 2006
Kishore Padma Raju
OVERVIEW
BACKGROUND
• RFID uses ISO-14443 standard
  – Increased security
  – Very short range (5-10 cm)
• Goals
  – Build extended-range RFID skimmer
  – Collects mass info from RFID devices
OUTLINE
• RFID
• System design
  – Building
  – Tuning methods
• Results
• Conclusions
RFID Technology
• Many applications
  – Contactless credit-cards
  – National ID cards
  – E-passports
  – Other access cards
• Very short range
• Security vulnerabilities
Attacks on RFID
• Relay attack
Attacks on RFID
• German Hacker
  – PDA and RFID read/write device
  – Changed shampoo prices from $7 to $3
• Johns Hopkins Univ.
  – Sniffs info from RFID-based car keys
  – Purchased gasoline for free
ISO-14443
• Proximity card used for identification
  – Very short range (5-10 cm)
  – Embedded microcontroller
  – Magnetic loop antenna (13.56 MHz)
• Security
  – Cryptographically-signed file format
RFID Skimmer
• Collect info from RFID tags
  – Signal/query RFID tags
  – Record responses
• Some uses:
  – Retrieve info from remote car keys
  – Obtain credit card numbers
System Design Goals
• Low power
• Low noise
• Large read range
• Simple design
• Cheap
System Design
Part #1 - RFID Reader
• TI S4100 Multi-Function reader
  – Cost: $60
  – Built-in RF power amplifier
  – Sends approx. 200 mW into small antenna
Part #2 - RFID Antenna
• Antenna range ≈ length
• 39 cm copper tube loop
• Antenna inductance ≈ 1 μH
Part #3 - Power amplifier
• Amplifier interfaced directly to module’s output stage
• Powered by FET voltage
• Field-effect transistor
• Did not match impedances between amp and output
Part #4 - Receiver Buffer
• Load Modulation Receive Buffer
  – HF reader system
  – Receiver input directly connected to reader’s antenna
• Attenuate signals before feeding them back to the TI module
  – Avoid potential reader damage
  – Still deliver input signals to receiver
Part #5 - Power supply
• Powers the large loop antenna
• Maintain “smooth” DC supply
  – Clean power supply
  – Low ripples (power variance)
  – Improves detection range
SYSTEM BUILDING
• Copper Tube Loop Antenna
  – Ideal: 40x40 cm
  – Copper-tube
• Constructed their own
  – Cheaper copper tube, used for cooking gas
  – Pre-made in circular coils
SYSTEM BUILDING
• Copper-tube loop and PCB antennas
SYSTEM BUILDING
• RFID Base Board
  – Decon DALO 33 Blue PC Etch pen
  – Protected ink used to draw leads on tablet
SYSTEM BUILDING
• RFID Base Board and power amp
SYSTEM BUILDING
• Power Amplifier
  – Based on Melexis application note
  – Input driven from reader output
  – Ideal: high voltage rating capacitors
  – Used cheaper, but low voltage
SYSTEM BUILDING
• Load Modulation Receive Path Buffer
  – Signals are looped back
  – Buffer needed to hold correct signals
SYSTEM TUNING
• RF Network Analyzer
  – Measure magnitude and phase of input
• Measure Voltage Standing Wave Ratio
  – Adjust antenna’s impedance to match amplifier output
• RF power meter
  – Measures power reception
  – Ideal: measure actual amplification
RESULTS
• Close to theoretical predictions
CONTRIBUTIONS
• Built RFID skimmer validated basic concept of an RFID “Leech”
• RFID tags can be read from greater distances (25 cm)
• Halfway towards full implementation of a relay-attack
Strengths
• Created a portable RFID skimmer
• Step-by-step instructions
• Low system cost ($110)
Weaknesses
• Not developed for large scale production
• Cheap design = less efficient results
• Expensive system tuning methods
Improvements
• Better equipment
• High rating components
  – More powerful RF test equipment