How to Build a Low-Cost, Extended-Range RFID Skimmer - PowerPoint PPT Presentation

Slides: 32
Provided by: Kish6
Transcript and Presenter's Notes


1
How to Build a Low-Cost, Extended-Range RFID Skimmer
  • Ilan Kirschenbaum, Avishai Wool
  • 15th USENIX Security Symposium, 2006
  • Kishore Padma Raju

2
OVERVIEW
3
BACKGROUND
  • RFID uses ISO-14443 standard
  • Increased security
  • Very short range (5-10cm)
  • Goals
  • Build extended-range RFID skimmer
  • Collects mass info from RFID devices

4
OUTLINE
  • RFID
  • System design
  • Building
  • Tuning methods
  • Results
  • Conclusions

5
RFID Technology
  • Many applications
  • Contactless credit-cards
  • National ID cards
  • E-passports
  • Other access cards
  • Very short range
  • Security vulnerabilities

6
Attacks on RFID
  • Relay attack

7
Attacks on RFID
  • Relay attack

8
Attacks on RFID
  • German Hacker
  • PDA and RFID read/write device
  • Changed shampoo prices from 7 to 3
  • Johns Hopkins Univ.
  • Sniffs info from RFID-based car keys
  • Purchased gasoline for free

9
ISO-14443
  • Proximity card used for identification
  • Very short range (5-10 cm)
  • Embedded microcontroller
  • Magnetic loop antenna (13.56 MHz)
  • Security
  • Cryptographically-signed file format

10
RFID Skimmer
  • Collect info from RFID tags
  • Signal/query RFID tags
  • Record responses
  • Some uses
  • Retrieve info from remote car keys
  • Obtain credit card numbers

11
System Design Goals
  • Low power
  • Low noise
  • Large read range
  • Simple design
  • Cheap

12
System Design
13
Part 1 - RFID Reader
  • TI S4100 Multi-Function reader
  • Cost 60
  • Built in RF power amplifier
  • Sends approx. 200mW into small antenna

14
Part 2 - RFID Antenna
  • Antenna range length
  • 39 cm copper tube loop
  • Antenna inductance 1 µH

15
Part 3 - Power amplifier
  • Amplifier interfaced directly to module's output
    stage
  • Powered by FET voltage
  • Field-effect transistor
  • Did not match impedances between amp and output

16
Part 4 - Receiver Buffer
  • Load Modulation Receive Buffer
  • HF reader system
  • Receiver input directly connected to reader's
    antenna
  • Attenuate signals before feeding them back to the
    TI module
  • Avoid potential reader damage
  • Still deliver input signals to receiver

17
Part 4 - Receiver Buffer
18
Part 5 - Power supply
  • Powers the large loop antenna
  • Maintain smooth DC supply
  • Clean power supply
  • Low ripples (power variance)
  • Improves detection range

19
SYSTEM BUILDING
  • Copper Tube Loop Antenna
  • Ideal 40x40 cm
  • Copper-tube
  • Constructed their own
  • Cheaper copper tube, used for cooking gas
  • Pre-made in circular coils

20
SYSTEM BUILDING
  • Copper-tube loop and PCB antennas

21
SYSTEM BUILDING
  • RFID Base Board
  • Decon DALO 33 Blue PC Etch pen
  • Protected ink used to draw leads on tablet

22
SYSTEM BUILDING
  • RFID Base Board and power amp

23
SYSTEM BUILDING
  • Power Amplifier
  • Based on Melexis application note
  • Input driven from reader output
  • Ideal high voltage rating capacitors
  • Used cheaper, but low voltage

24
SYSTEM BUILDING
  • Load Modulation Receive Path Buffer
  • Signals are looped back
  • Buffer needed to hold correct signals

25
SYSTEM TUNING
  • RF Network Analyzer
  • Measure magnitude and phase of input
  • Measure Voltage Standing Wave Ratio
  • Adjust antenna's impedance to match amplifier
    output
  • RF power meter
  • Measures power reception
  • Ideal measure actual amplification

26
RESULTS
27
RESULTS
  • Close to theoretical predictions

28
CONTRIBUTIONS
  • Built RFID skimmer, validated basic concept of
    an RFID 'Leech'
  • RFID tags can be read from greater distances (25
    cm)
  • Halfway towards full implementation of a
    relay-attack

29
Strengths
  • Created a portable, RFID skimmer
  • Step-by-step instructions
  • Low system cost (110)

30
Weaknesses
  • Not developed for large scale production
  • Cheap design, less efficient results
  • Expensive system tuning methods

31
Improvements
  • Better equipment
  • High rating components
  • More powerful RF test equipment