How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum & Avishai Wool
15th USENIX Security Symposium, 2006
Presented by Kishore Padma Raju

OVERVIEW

BACKGROUND
• Contactless RFID cards use the ISO 14443 standard
  – Designed with security in mind
  – Very short nominal range (5-10 cm)
• Goals
  – Build an extended-range RFID skimmer
  – Collect information from many RFID devices at once

OUTLINE
• RFID
• System design
  – Building
  – Tuning methods
• Results
• Conclusions

RFID Technology
• Many applications
  – Contactless credit cards
  – National ID cards
  – E-passports
  – Other access cards
• Very short range
• Security vulnerabilities

Attacks on RFID
• Relay attack
  – An attacker forwards the exchange between a legitimate reader and a victim's card over a longer distance: a "leech" device talks to the card, a "ghost" device talks to the reader
• German hacker
  – PDA plus an RFID read/write device
  – Changed shampoo prices from $7 to $3
• Johns Hopkins University
  – Sniffed information from RFID-based car keys
  – Purchased gasoline for free

ISO 14443
• Proximity card used for identification
  – Very short range (5-10 cm)
  – Embedded microcontroller
  – Magnetic loop antenna (13.56 MHz carrier)
• Security
  – Cryptographically signed file format (as used, for example, in e-passports)

RFID Skimmer
• Collects information from RFID tags
  – Signals/queries the tags
  – Records their responses
• Some uses:
  – Retrieve information from remote car keys
  – Obtain credit card numbers

System Design Goals
• Low power
• Low noise
• Large read range
• Simple design
• Cheap

System Design
Part #1 - RFID Reader
• TI S4100 Multi-Function Reader
  – Cost: $60
  – Built-in RF power amplifier
  – Delivers approx. 200 mW into a small antenna

Part #2 - RFID Antenna
• Read range grows with antenna size (on the order of the loop radius)
• 39 cm copper-tube loop
• Antenna inductance ≈ 1 μH

Part #3 - Power Amplifier
• Interfaced directly to the reader module's output stage
• Built around a field-effect transistor (FET)
• Impedances between the amplifier and the reader output were not matched

Part #4 - Receiver Buffer
• Load-modulation receive buffer
  – In an HF reader system the receiver input is connected directly to the reader's antenna
  – The returned signal must be attenuated before it is fed back into the TI module
    · Avoids damaging the reader
    · Still delivers the input signal to the receiver

Part #5 - Power Supply
• Powers the large loop antenna
• Must maintain a "smooth" DC supply
  – Clean power supply
  – Low ripple (supply variance)
  – Improves detection range

SYSTEM BUILDING
• Copper-tube loop antenna
  – Ideal: 40 x 40 cm
  – Copper tube
• Constructed their own
  – Cheap copper tube of the kind used for cooking-gas lines
  – Sold pre-wound in circular coils
• Copper-tube loop and PCB antennas (figure)
• RFID base board
  – Decon DALO 33 Blue PC Etch pen
  – Etch-resist ink used to draw the traces on the board
• RFID base board and power amp (figure)
• Power amplifier
  – Based on a Melexis application note
  – Input driven from the reader output
  – Ideal: high-voltage-rated capacitors
  – Used cheaper, low-voltage ones instead
• Load-modulation receive-path buffer
  – Signals are looped back from the antenna
  – Buffer needed to pass the correct signal to the receiver without overloading it

SYSTEM TUNING
• RF network analyzer
  – Measures magnitude and phase of the antenna's input impedance
• Voltage Standing Wave Ratio (VSWR) measurement
  – Adjust the antenna's impedance to match the amplifier output
• RF power meter
  – Measures delivered power
  – Ideal: measure the actual amplification

RESULTS
• Close to theoretical predictions

CONTRIBUTIONS
• Built an RFID skimmer that validated the basic concept of an RFID "leech"
• RFID tags can be read from greater distances (25 cm)
• Halfway towards a full implementation of a relay attack

Strengths
• Created a portable RFID skimmer
• Step-by-step instructions
• Low system cost ($110)

Weaknesses
• Not developed for large-scale production
• Cheap design = less efficient results
• Expensive system tuning methods

Improvements
• Better equipment
• Higher-rated components
  – More powerful RF test equipment
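The antenna and tuning slides rest on a few standard RF formulas that the deck states only as rules of thumb. The following Python block is an added worked example, not code from the paper or from the presenter: it computes the on-axis field of a circular loop, the loop radius that maximizes that field at a target read distance (which is why read range tracks antenna size), an estimate of a copper-tube loop's inductance, the capacitance needed to resonate it at the 13.56 MHz carrier, and the VSWR that the network-analyzer step is trying to drive toward 1. The 39 cm loop is treated here as a circular loop of 39 cm diameter made from 6 mm tube, and the source is taken as 50 Ω; the tube size and the reference impedance are assumptions, not values from the paper.

```python
"""Loop-antenna design helpers for a 13.56 MHz (ISO 14443) reader.

Added example for the skimmer deck; formulas are textbook loop-antenna
and transmission-line results, not the paper's own code.
"""
import math

MU0 = 4e-7 * math.pi      # permeability of free space, H/m
F_CARRIER = 13.56e6       # ISO 14443 carrier frequency, Hz


def on_axis_field(radius_m, distance_m, current_a=1.0, turns=1):
    """Flux density (tesla) on the axis of a circular loop at distance_m."""
    r2 = radius_m ** 2
    return MU0 * turns * current_a * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def optimal_radius(read_range_m):
    """Loop radius that maximizes on-axis field at read_range_m.

    Setting d/dr of on_axis_field to zero gives r = sqrt(2) * x, so the
    best loop is a bit larger than the range you want: range ~ radius.
    """
    return math.sqrt(2.0) * read_range_m


def loop_inductance(radius_m, conductor_radius_m, turns=1):
    """Approximate inductance (henry) of a circular loop of round conductor.

    L = mu0 * R * (ln(8R/a) - 2), valid for a << R; multiplied by N^2 for a
    tightly wound multi-turn coil.
    """
    return (MU0 * radius_m
            * (math.log(8.0 * radius_m / conductor_radius_m) - 2.0)
            * turns ** 2)


def resonating_capacitance(inductance_h, freq_hz=F_CARRIER):
    """Capacitance (farad) that resonates inductance_h at freq_hz."""
    w = 2.0 * math.pi * freq_hz
    return 1.0 / (w * w * inductance_h)


def reflection_coefficient(load_z, z0=50.0):
    """Magnitude of the voltage reflection coefficient of load_z against z0."""
    return abs((load_z - z0) / (load_z + z0))


def vswr(load_z, z0=50.0):
    """Voltage Standing Wave Ratio; 1.0 means a perfect match."""
    gamma = reflection_coefficient(load_z, z0)
    if gamma >= 1.0:
        return math.inf
    return (1.0 + gamma) / (1.0 - gamma)


def reflected_power_fraction(load_z, z0=50.0):
    """Fraction of forward power bounced back from a mismatched antenna."""
    return reflection_coefficient(load_z, z0) ** 2


def skimmer_antenna_report(target_range_m=0.25,
                           loop_radius_m=0.195,      # 39 cm diameter (assumed circular)
                           tube_radius_m=0.003):     # 6 mm copper tube (assumption)
    """Summarize the design numbers for the deck's 39 cm loop and 25 cm goal."""
    inductance = loop_inductance(loop_radius_m, tube_radius_m)
    return {
        "optimal_radius_m": optimal_radius(target_range_m),
        "inductance_h": inductance,
        "tuning_capacitance_f": resonating_capacitance(inductance),
        "relative_field_at_target": on_axis_field(loop_radius_m, target_range_m)
                                    / on_axis_field(loop_radius_m, 0.0),
    }


if __name__ == "__main__":
    report = skimmer_antenna_report()
    print("optimal radius for 25 cm: %.1f cm" % (100 * report["optimal_radius_m"]))
    print("loop inductance:           %.2f uH" % (1e6 * report["inductance_h"]))
    print("tuning capacitance:        %.0f pF" % (1e12 * report["tuning_capacitance_f"]))
    print("field at 25 cm / field at loop centre: %.3f" % report["relative_field_at_target"])
    for z in (50.0, 100.0, complex(50, 50)):
        print("load %s: VSWR %.2f, %.0f%% power reflected"
              % (z, vswr(z), 100 * reflected_power_fraction(z)))
```

With those assumptions the inductance estimate comes out at about 1.04 μH, consistent with the deck's 1 μH figure, and the tuning capacitor near 130 pF. The VSWR helper makes the tuning step concrete: a 2:1 mismatch already reflects about 11% of the amplifier's forward power, one reason the deck's unmatched amplifier stage gives "less efficient results" than the theoretical range.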