How to Build a Low-Cost, Extended-Range RFID Skimmer

Ilan Kirschenbaum & Avishai Wool15th Usenix Security Symposium,2006

Kishore Padma Raju

OVERVIEW

BACKGROUND

• RFID uses ISO-14443 standard– Increased security– Very short range (5-10cm)

• Goals– Build extended-range RFID skimmer– Collects mass info from RFID devices

OUTLINE

• RFID• System design– Building– Tuning methods

• Results• Conclusions

RFID Technology

• Many applications– Contactless credit-cards– National ID cards– E-passports– Other access cards

• Very short range• Security vulnerabilities

Attacks on RFID

• Relay attack

Attacks on RFID

• Relay attack

Attacks on RFID

• German Hacker– PDA and RFID read/write device– Changed shampoo prices from $7 to $3

• Johns Hopkins Univ.– Sniffs info from RFID-based car keys– Purchased gasoline for free

ISO-14443

• Proximity card used for identification– Very short range (5-10 cm)– Embedded microcontroller– Magnetic loop antenna (13.56 MHz)

• Security– Cryptographically-signed file format

RFID Skimmer

• Collect info from RFID tags– Signal/query RFID tags – Record responses

• Some uses:– Retrieve info from remote car keys– Obtain credit card numbers

System Design Goals

• Low power• Low noise• Large read range• Simple design• Cheap

System Design

Part #1 - RFID Reader

• TI S4100 Multi-Function

reader– Cost: $60– Built in RF

power amplifier– Sends approx.

200mW into small antenna

Part #2 - RFID Antenna

• Antenna range ≈ length• 39 cm copper tube loop• Antenna inductance ≈ 1 μH

Part #3 - Power amplifier

• Amplifier interfaced directly to module’s output stage

• Powered by FET voltage• Field-effect transistor

• Did not match impedances between amp and output

Part #4 - Receiver Buffer

• Load Modulation Receive Buffer– HF reader system– Receiver input directly connected to reader’s

antenna

• Attenuate signals before feeding them back to the TI module– Avoid potential reader damage– Still deliver input signals to receiver

Part #4 - Receiver Buffer

Part #5 -Power supply

• Powers the large loop antenna• Maintain “smooth” DC supply– Clean power supply– Low ripples (power variance)– Improves detection range

SYSTEM BUILDING

• Copper Tube Loop Antenna– Ideal: 40x40 cm– Copper-tube

• Constructed their own– Cheaper copper tube,

used for cooking gas– Pre-made in circular coils

SYSTEM BUILDING

• Copper-tube loop and PCB antennas

SYSTEM BUILDING

• RFID Base Board– Decon DALO 33 Blue PC Etch pen– Protected ink used to draw leads on tablet

SYSTEM BUILDING

• RFID Base Board and power amp

SYSTEM BUILDING

• Power Amplifier– Based on Melexis

application note– Input driven from

reader output– Ideal: high voltage

rating capacitors– Used cheaper, but

low voltage

SYSTEM BUILDING

• Load Modulation Receive Path Buffer– Signals are looped back– Buffer needed to hold correct signals

SYSTEM TUNING

• RF Network Analyzer– Measure magnitude and phase of input

• Measure Voltage Standing Wave Radio– Adjust antenna’s impedance to match amplifier

output

• RF power meter– Measures power reception– Ideal: measure actual amplification

RESULTS

RESULTS

• Close to theoretical predictions

CONTRIBUTIONS

• Built RFID skimmer validated basic concept of an RFID “Leech”

• RFID tags can be read from greater distances (25 cm)

• Halfway towards full implementation of a relay-attack

Strengths

• Created a portable, RFID skimmer

• Step-by-step instructions

• Low system cost ($110)

Weaknesses

• Not developed for large scale production

• Cheap design = less efficient results

• Expensive system tuning methods

Improvements

• Better equipment• High rating components– More powerful RF test equipment