Range Extension Attacks on Contactless Smartcards Yossef Oren, Dvir Schirman , and Avishai Wool: Tel Aviv University ESORICS 2013

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

Dec 17, 2015

Page 1: Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University ESORICS 2013.

Range Extension Attacks on Contactless Smartcards

Yossef Oren, Dvir Schirman, and Avishai Wool:

Tel Aviv University

ESORICS 2013

Page 2:

Agenda

Introduction
  Contactless smartcards
  Attack motivation
System design
Experimental results
Attack scenarios
Conclusions

Page 3:

Contactless smartcards

Page 4:

Contactless smartcards – ISO 14443 (13.56 MHz proximity cards)

Passive tags

Communication based on inductive coupling

Transmit back data using load modulation

Nominal operation range – 5-10 cm

Page 5:

Attack Motivation

Contactless smartcards are being used in a variety of security oriented applications:
  Access control
  Payment
  E-voting
  Smart ID card
  Passports

All of them assume the tag is in proximity of the reader

Page 6:

Motivation

If communication between the reader and the tag could be established from a longer range, the proximity assumption would be broken

Our goal – build a device (a.k.a. “Ghost”) which allows a standard tag to communicate with a standard reader from a distance of more than 1 m

Page 7:

Range extension attacks

[Figure: nominal link – HF RFID reader to HF RFID tag at 5 cm; relay attack – reader to Ghost, relay channel, Leech to tag; extended range Leech; extended range Ghost (this work)]

Page 8:

Related work

Relay attack – extending the nominal communication range between a reader and a tag using a relay channel between two custom made devices (“Ghost” & “Leech”) [KW05, Han05, FHMM11, SC13]

Extended range Leech – a device that reads a standard tag from a distance of 30 cm [KW06]

Page 9:

Ghost system design

Design principles:
Two separate antennas:
  ▪ A large loop antenna for downlink (reader to Ghost)
  ▪ A mobile monopole HF antenna for uplink (Ghost to reader)

Active load modulation for uplink transmission

PC based relay

Page 10:

OpenPCD2

An open source & open hardware evaluation board for ISO14443

Can emulate a tag or a reader

Based on NXP PN532

www.openpcd.org

Page 11:

Ghost system design

Page 12:

Ghost system design – Relay & Leech

A relay and a Leech were not part of this research, but are necessary for the whole system

Relay channel between two OpenPCD2 boards was implemented inside a single PC using libnfc’s nfc-relay-picc, designed to overcome relay timing limitations

Leech was based on an unmodified OpenPCD2

Page 13:

Ghost system design – Downlink

Receiving antenna: a 39 cm loop antenna designed for a prior Leech project

Matching circuit: Based on NXP’s app note

LNA: Mini-Circuits’ ZFL-500LN

Page 14:

Ghost system design – Uplink

Active load modulation: producing the spectral image created by load modulation by means of a standard AM modulator

Page 15:

Ghost system design – Uplink

Ghost OpenPCD2 modification:

LOADMOD pin was enabled – outputs the modulated subcarrier (847.5 kHz)

The above signal was connected to a detector in order to extract the coded bitstream

The bitstream was pulse modulated onto a 14.4075 MHz carrier (13.56 MHz + 847.5 kHz, the upper load-modulation sideband)

The HF signal was pre-amplified (Mini-Circuits ZHL-32A) and power amplified (RM-Italy KL400)

Page 16:

Ghost system design – Uplink

Transmitting antenna:

Broadband helically wound monopole antenna

We use the magnetic near field emitted from the antenna

Page 17:

Ghost system design

Page 18:

Preliminary experiments

Downlink experiment:

Maximal downlink range was tested with a homemade diode detector: ~1.5 m

Using a spectrum analyzer as the detector, a range of ~3.5 m was measured

Page 19:

Preliminary experiments

Jamming:

By transmitting a continuous signal on 14.4075 MHz the reader can be jammed

Since we couldn’t measure uplink range independently from the downlink system, the maximal jamming range was measured in order to evaluate the performance of the uplink system

By transmitting a 29 dBm signal, a jamming range of 2 m was achieved

Page 20:

Range extension experiment – Setup

Page 21:

Range extension experiment – Results

The measured range was highly sensitive to the surrounding environment

Page 22:

Attack Scenarios

E-voting:

Using a range extended Ghost and a relay attack, an adversary can mount several attacks on Israel’s proposed e-voting system

Allows the attacker complete control over previously cast votes

Access control:

By using a range extended Ghost and a relay setup, the attacker can open a secured door without being detected by a guard or security camera

Page 23:

Conclusions

We present a car-mounted range extension setup for ISO 14443 RFID systems

We successfully built a prototype working at 1.15 m (more than 10 times the nominal range)

Page 24:

Conclusions

Extending the nominal communication range of contactless smartcards forms a severe threat to the system’s security

Combined with a relay attack, the presented device allows an adversary to mount the attack without being detected

Page 25:

Thank you