Academic Open Internet Journal

ISSN 1311-4360

www.acadjournal.com

Volume 19, 2006

Reverse Engineering RFID
Zulkharnain
Researcher
Department of ECE
JNTU
Hyderabad INDIA.
zulkharnain@gmail.com
Phone +919866652501
Abstract: RFID smart cards are widely used for better management of products in almost all developed countries. The technology most of them use is not up to the mark and needs revision. The purpose of this paper is to highlight some of those important discrepancies, so as to enable manufacturers to update their technology. The paper is presented in the form of ethical hacking of RFID tags; the inspiration for this small project came from the references given at the end. Details are avoided, so as to prevent hackers from practising the detailed experiments if they were discussed. It is a well-known fact that RFID smart cards operate within a 10 cm radius. Within this zone they are also prone to relay attack. By using a trick, an attacker can fool a reader that is within 50 m by simulating an environment that makes it sense the card as if it were within 10 cm. This is an economical pick-pocket system, about which users of the card as well as the manufacturers need to be educated. That is the purpose of this paper.
Key words: RFID, Security, Ghost, Leech, POS, APDU, ISO, NFCIP-1/ECMA 340, NFC, NEDAP, SNR, AMDSB
1. Introduction
A smart card is a passive device, i.e., it does not have a power source of its own. An industry standard, ISO 14443, is usually used here and keeps the reader and card within 10 cm at most. In this paper we consider a POS application. Here the reader is connected to the merchant's cash register. When the customer waves the card near the reader, it gets powered up and executes the authentication protocol. Following is the system setup for this:
[Figure (not reproduced): RFID tag, RF antenna, reader, computer, database, host security]
When the protocol succeeds, the customer's electronic wallet, i.e. the smart card, is charged the purchase cost. In this paper I propose the possibility of an attacker building a device that can illegally charge a victim's card for his own purchase, thereby defeating the security of the system. Such attack devices are classified as Ghost and Leech, and can be activated even from 30 feet away from the victim's card. The antenna converts the electrical signal from the reader into a transmitted magnetic signal. The design of such an antenna system is given on the Texas Instruments web site. POS smart cards operate at 13.56 MHz with a bit rate of 106 kbps. The ISO/IEC 7816-4 standard defines inter-industry commands for interchange and secure messaging on the structure of APDU messages. Cell phones, PDAs and laptops use the parallel RFID standard NFCIP-1/ECMA 340. For example, some Nokia phones are equipped with NFC technology.
2. Basic Relay Attack
Following is an overview of a relay attack on the RFID tag of a smart card:
[Figure (not reproduced): Reader <-> Ghost <-(fast digital communication)-> Leech <-> RFID tag]
The GHOST is a device which illegally simulates a card to the reader. The LEECH is a device which mimics a reader. The whole system thus mimics the bi-directional communication channel between the genuine reader and the victim's card, so the range achieved by such a system can be even more advantageous to the attacker than the actual one. First the reader sends its message to the Ghost. The Ghost forwards the message to the Leech with the least delay possible and without any manipulation of the data. The Leech now acts as the real reader and transmits the message to the real card. The response travels back along the same path in reverse. The Leech is placed very close to the victim's smart card (e.g. slipped into the victim's handbag), and the Ghost is presented to the reader at payment time.
Another method is hacking into the victim's NFCIP device (PDA or mobile phone) and programming it to act as a Leech, provided it is near the contactless smart card. This can be done in various ways, such as giving the victim an attractive, fictitious advertising brochure with a Leech built in; similarly, the victim's mobile SIM card can be replaced with a Leech, with his knowledge or without it, by inducing him with free talk time and so on. The attack on such a system can take place in spite of strong authentication and an encrypted algorithm in the victim's actual system. Here it is necessary only that the Leech be within 10 cm of the card and the Ghost within 10 cm of the reader.
3. Increasing distance between Reader and Ghost and vice versa
Attackers can build an active Ghost to increase the distance limit between the card and their tools. To calculate the activation range, the NEDAP model, implemented in C, can be used. This model takes the parameters of the tag, reader and antenna and combines the effects of external noise and interference sources to simulate the various reading ranges. Here ISO 14443 parameters are used. Both man-made interference and interference from other RFID systems can be considered in this setup. For the former the activation range can be about 5 m, and for the latter the reader can be about 3 times closer to the Ghost than to the interfering device. AMDSB radio modulation is used here; the Ghost should synchronize its DSB transmission with the reader's carrier.
4. Constraints on Tool design
The hacker needs apparatus costing less than 100 dollars to keep his tools at an appreciable distance, hidden from the victim. The apparatus can be wires, copper tubes of the kind used for cooking gas, and a few hardware components. Following is the setup:
[Figure (not reproduced): Reader <-> NFC device with bi-directional power gain and filters <-> Leech]
This system is connected to a large antenna through amplifier components. Wire is wrapped around the NFC device to create full magnetic coupling with its internal antenna. This wire loop is connected to a filter, which eliminates the carrier frequency, followed by an amplifier and the copper-tube antenna.
4. Increasing Leech to Tag distance
The Leech can be 40 to 50 cm away from the smart card, i.e. a five-fold increase. Here too the NEDAP software can be used to experiment, with inputs to the model based on ISO 14443 parameters. To calculate the external noise, a second external RFID system is assumed, transmitting at the maximum regulatory limit from a distance of 100 m. The external noise can then be found from the relation:
$$\text{Ext-noise} = H_{max} + 51.5 - 10\log_{10}\left(\frac{\text{Distance}}{10\,\text{m}}\right)^{2} - 10\log_{10}(\text{Bandwidth})$$
where $H_{max}$ = 42 dBµA/m/Hz at 10 m, Distance = 100 m and BW = 106,000 Hz. The constant 51.5 accounts for the impedance of air and brings the external noise to about 24 dBµV/m/Hz.
The card-to-reader distance presents the most difficult challenge in any passive RFID system. The limitations are:
1) If the Leech can ignore regulatory limits, a strong magnetic field can be created, which can activate the card from far off.
2) The Leech's receiver sensitivity places a limit on range. The signal strength drops by a factor of 1000 whenever the distance grows by a factor of 10. Thus increasing the sensitivity increases the Leech-to-card distance.
3) Noise directly affects the SNR at the Leech, so the distance is limited by Shannon's limit.
Before communication, the Leech must supply enough energy to power up the card. The boundary between near field and far field is $c / (2\pi f)$. With $f$ = 13.56 MHz, the upper-bound distance is 3.52 m. To generate a strong magnetic field, a strong current must be passed through the Leech antenna, or a larger antenna used, or both. Transmission power is directly proportional to internal noise, and the size of the antenna is directly proportional to external noise. Thus one can limit the antenna current to 4 A for battery power, operating in bursts.
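The following Python is an added example (not the paper's NEDAP model or the TI antenna design) that collects the paper's three numerical relations into checkable functions: the near-field boundary c/(2πf), the external-noise relation, and the 60 dB per decade near-field fall-off behind the "factor of 1000" statement, which tells a defender how much link budget each range multiplier costs. Taking the distance term relative to the 10 m reference at which Hmax is given is an assumption of this example.

```python
import math

C_LIGHT_M_S = 299_792_458.0    # speed of light in vacuum
Z0_DB = 51.5                   # paper's air-impedance constant, i.e. 20*log10(377 ohm): dBuA/m -> dBuV/m
NEAR_FIELD_DB_PER_DECADE = 60  # 1/d^3 inductive coupling: "factor of 1000" in field strength per 10x distance


def near_field_boundary_m(freq_hz: float) -> float:
    """Near-field / far-field boundary c / (2*pi*f)."""
    return C_LIGHT_M_S / (2 * math.pi * freq_hz)


def external_noise_dbuv_m_hz(hmax_dbua_m_hz: float, distance_m: float,
                             bandwidth_hz: float, ref_distance_m: float = 10.0) -> float:
    """Ext-noise = Hmax + 51.5 - 10 log10 (Distance / ref)^2 - 10 log10 Bandwidth.

    Assumption of this example: the distance term is taken relative to the 10 m
    reference at which Hmax is specified (far-field 1/d, i.e. 20 dB per decade).
    """
    return (hmax_dbua_m_hz + Z0_DB
            - 10 * math.log10((distance_m / ref_distance_m) ** 2)
            - 10 * math.log10(bandwidth_hz))


def link_gain_db_for_range_factor(range_factor: float) -> float:
    """Extra link budget (dB) needed to multiply the Leech-to-card distance by range_factor."""
    return NEAR_FIELD_DB_PER_DECADE * math.log10(range_factor)


def range_factor_for_link_gain_db(gain_db: float) -> float:
    """Inverse: range multiplier bought by gain_db of extra transmit power or receiver sensitivity."""
    return 10 ** (gain_db / NEAR_FIELD_DB_PER_DECADE)


if __name__ == "__main__":
    print(f"near/far boundary at 13.56 MHz: {near_field_boundary_m(13.56e6):.2f} m")
    print(f"external noise (100 m, 106 kHz): {external_noise_dbuv_m_hz(42, 100, 106_000):.1f} dBuV/m/Hz")
    print(f"budget for 10 cm -> 50 cm: {link_gain_db_for_range_factor(5):.1f} dB")
    print(f"budget for the graph's x3.5: {link_gain_db_for_range_factor(3.5):.1f} dB")
```

The five-fold Leech range quoted above therefore corresponds to roughly 42 dB of extra budget, which is the margin a card designer has to assume an attacker can find.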
Following is a rough graph of the Leech-to-card distance as a function of antenna current:
[Graph (not reproduced): active range (m), 0 to 0.5, versus antenna current (A), 0 to 5]
From the graph we can conclude that, using a large antenna and a stronger current, the Leech can increase the reading range by a factor of 3.5 over the nominal range. By transmitting a more powerful signal, the card's signal received above the noise also increases. The Leech can be designed, in software, to cause the card to retransmit every message multiple times. This effectively reduces the bandwidth and amplifies the signal. Here it is important that the Leech hardware lock on to the card signal at a lower SNR than is needed for error-free data reception; manufacturers of RFID smart cards should take note of this. The Leech hardware passes the frame to the driver software even if the frame has errors and fails the checksum test. If these two conditions are satisfied, the Leech can compensate for reception errors. To implement this method, the attacker needs good programming knowledge and access to the receiver driver of the NFC device.
Another retransmission method is based on signal processing at the Leech. This works if the attacker has considerably more knowledge. The Leech causes the card to retransmit each frame K times, and its signal processing interleaves the repeated frames into a jumbo frame as follows:
[Figure (not reproduced): K repeated frames interleaved into one jumbo frame]
This jumbo frame can now be filtered, resulting in a lower bandwidth and an improved SNR. Building a Leech is as complicated as building a Ghost; such a scheme is just the reverse of building a Ghost.
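To quantify the margin a card or reader designer must plan for, here is an added Python simulation (not the paper's design) of the K-times retransmission combining described in this section and the previous paragraph: K constructed noisy receptions of one frame are averaged, which yields about 10·log10(K) dB of SNR gain, so a frame that fails its checksum on every single reception decodes cleanly after combining. The antipodal channel model, noise level and frame contents are assumptions of the example.

```python
import math
import random


def noisy_copies(frame_bits, k, noise_sigma, rng):
    """K constructed receptions of one frame. Each bit is sent as +1/-1 plus Gaussian
    noise (a simple antipodal channel model, an assumption of this example)."""
    symbols = [1.0 if b else -1.0 for b in frame_bits]
    return [[s + rng.gauss(0.0, noise_sigma) for s in symbols] for _ in range(k)]


def combine_copies(copies):
    """Average the K copies sample by sample: the interleaved jumbo frame after
    low-pass filtering to 1/K of the bandwidth. Noise power falls by K, signal stays."""
    k = len(copies)
    return [sum(col) / k for col in zip(*copies)]


def bit_errors(samples, frame_bits):
    """Hard decision on the sign of each sample; count mismatches (what a checksum would catch)."""
    return sum((s > 0) != bool(b) for s, b in zip(samples, frame_bits))


def snr_db(samples, frame_bits):
    """Empirical SNR: unit signal power over the measured noise power."""
    noise = sum((s - (1.0 if b else -1.0)) ** 2 for s, b in zip(samples, frame_bits))
    return 10 * math.log10(len(samples) / noise)


def repetition_gain(frame_bits, k, noise_sigma, seed=7):
    """Compare one reception with the K-way combined reception."""
    rng = random.Random(seed)
    copies = noisy_copies(frame_bits, k, noise_sigma, rng)
    combined = combine_copies(copies)
    return {
        "single_snr_db": snr_db(copies[0], frame_bits),
        "combined_snr_db": snr_db(combined, frame_bits),
        "single_errors": bit_errors(copies[0], frame_bits),
        "combined_errors": bit_errors(combined, frame_bits),
        "theory_gain_db": 10 * math.log10(k),
    }


# Constructed 2000-bit frame, received at 0 dB SNR (noise sigma 1.0), repeated K = 16 times.
FRAME = [(i * 7 + 3) % 5 < 2 for i in range(2000)]

if __name__ == "__main__":
    r = repetition_gain(FRAME, 16, 1.0)
    print(f"single copy: {r['single_snr_db']:.1f} dB, {r['single_errors']} bit errors")
    print(f"16 combined: {r['combined_snr_db']:.1f} dB, {r['combined_errors']} bit errors "
          f"(theory +{r['theory_gain_db']:.1f} dB)")
```

A protocol that lets a card be polled for the same frame without limit is therefore handing out roughly 12 dB for K = 16, which is why a rate limit or a single-response rule is a meaningful countermeasure on the card side.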
5. Counter Measures
Even if strong protocols like challenge-response authentication and data encryption are used, contactless smart cards remain vulnerable to the worst attacks. This lets the attacker modify, copy, or do whatever he likes with the card, without any notification to the card holder. In a replay attack, the attacker uses sniffer techniques to record the traffic between reader and card and then replays the data when needed.
Counter Measure Protections
Protecting the Card:
- e.g., use a Faraday cage: wrapping the card in aluminium foil, or mCloak
- actuation by switching only
- biometric switch
Protecting the System:
- e.g., use of a PIN
6. Conclusion
In this paper, a real threat to contactless smart card systems has been discussed, along with a few protection techniques. Extending the activation range lets the hacker go unnoticed in his crime. Thus one can conclude that unless the smart card is protected, such cards are a real temptation and a sure jackpot for hackers.
7. References
1) Security Technology: Where's the smart money? The Economist, pp. 69-70, Feb. 02.
2) Smart Card Alliance NIST Report 2004-2005, smartcardalliance.org/alliance-activities/rfid.faq.cfm, item 17.
3) http://www.ti-rfid.com, accessed 2006-06-20.
4) http://www.csrc.nist.gov/cc, accessed 2006-06-20.
5) http://www.autoid.org, accessed 2006-06-20.
6) http://www.eurosmart.com, accessed 2006-06-20.
 


Technical College - Bourgas,

All rights reserved, © March, 2000