Range Extension Attacks on Contactless Smart Cards

Yossef Oren, Dvir Schirman, and Avishai Wool
Cryptography and Network Security Lab, School of Electrical Engineering, Tel-Aviv University, Ramat Aviv 69978, Israel
{yos@eng,dvirschi@post}.tau.ac.il, yash@acm.org

Abstract. The security of many near-field RFID systems such as credit cards, access control, e-passports, and e-voting, relies on the assumption that the tag holder is in close proximity to the reader. This assumption should be reasonable due to the fact that the nominal operation range of the RFID tag is only a few centimeters. In this work we demonstrate a range extension setup which breaks this proximity assumption. Our system allows full communications with a near-field RFID reader from a range of 115 cm – two orders of magnitude greater than the nominal range – and uses power that can be supplied by a car battery. The added flexibility offered to an attacker by this range extension significantly improves the effectiveness and practicality of relay attacks on real-world systems.

Keywords: RFID, Contactless smart card, ISO/IEC 14443, Relay attack.
1 Introduction

1.1 Background

Over the last few years, radio frequency identification (RFID) and near field communication (NFC) technologies have become increasingly popular. They are used in applications which benefit from the ease of use, the increased data rate, and computational abilities offered by RFID technologies compared to traditional technologies like magnetic stripe or bar-code. There are in general two categories of passively-powered RFID tags: (a) UHF tags compliant with ISO/IEC 18000 which operate at a range of a few meters and are mainly used for marking products or components, and (b) HF tags compliant with ISO/IEC 14443 which operate at a range of a few centimeters and are used in a variety of security-sensitive applications such as payment cards, access control, e-passports, national ID-cards, and e-voting. In both categories tags are generally low cost devices which communicate with a more powerful reader over a wireless medium. This work focuses on physical layer security issues of ISO/IEC 14443 HF tags, which are also commonly referred to as contactless smart cards.

J. Crampton, S. Jajodia, and K. Mayes (Eds.): ESORICS 2013, LNCS 8134, pp. 646–663, 2013. © Springer-Verlag Berlin Heidelberg 2013

Fig. 1. An RFID channel under a relay attack. Device L is the leech, while device G is the ghost.

All of the applications mentioned above require security controls, whether to defend the user's privacy, to prevent unauthorized access, or to keep the user's money safe. Most RFID applications deal with security issues through secure protocols and cryptography, but they also rely on the assumption of proximity between the tag and the reader as a security feature. In older technologies, like magnetic stripe credit cards or contact-based smart cards, the assumption of proximity was guaranteed due to the contact-based interface between the card and the reader. Near field RFID standards like ISO/IEC 14443 are also perceived to guarantee proximity since the nominal operation range for communication between a tag and a reader is only a few centimeters. Therefore, most contactless smart card secure protocols inherently assume that the tag holder stands right in front of the reader.
1.2 Related Work

In [3] Desmedt et al. presented a generic way to defeat protocols with an assumption of proximity called the mafia fraud attack, or the relay attack. Previous works have already noted the relevance of relay attacks to the contactless smart card scenario [15] and have demonstrated that relays can be practically built and used to attack such systems [7,6,30,14,28]. As illustrated in Figure 1, a relay is established by placing two special communication devices (called the "ghost" and the "leech") between the victim reader and the victim tag. The ghost and the leech communicate via a long-range channel such as a wireless connection. The leech transmits any packets sent by the victim reader to the victim tag, receives the victim tag's responses, and sends them back to the ghost, which finally forwards them to the victim reader. Since the ghost and the leech are built and controlled by the attacker, they do not have to comply with any standard. This allows the communication ranges between leech and tag and between ghost and reader to be increased beyond the nominal standards, improving the effectiveness of the relay attack. The work of [16] showed how to build a low-cost, extended-range RFID leech device. In [8] extended range eavesdropping and skimming attacks are described.

Despite the fact that relay attacks have been a known threat for several years, and that building a relay system is well within the budget of even a moderately-funded attacker, there is a surprising lack of reports on relay attacks occurring on real-world contactless smart card systems [2]. One possible explanation is the high risk incurred by the attacker: while the victim tag can be accessed with relatively low risk (for example, by following the victim and placing a skimmer near his back pocket), the victim reader is generally located in a high-security location such as a store counter or a border crossing, and is protected by additional security measures such as security cameras or guards.
1.3 Contributions

In this work we present a design for a modified ghost device which dramatically increases the range of the ghost-reader communication channel. The main novelty of our design is the use of two different antennas and RF front ends: one for the reader-to-ghost receive path, and one for the ghost-to-reader transmit path. Since our modifications are completely in the analog domain, they are not expected to increase the processing delay of the relay or otherwise interfere with the RFID protocol.

We experimentally verify the effectiveness of our modified ghost device in a series of experiments. In our experiments we show an effective reader-to-ghost range of 140 cm, an effective ghost-to-reader range of 115 cm, and therefore, a full bi-directional range of 115 cm. These ranges are two orders of magnitude greater than the nominal tag-to-reader range. Most significantly, our device can be built with a moderate-to-low budget and uses power that can be supplied by a car battery.

We also study the implications of the improved ghost device on the security of several contactless RFID scenarios. Specifically, the extended range can increase the severity of relay attacks by allowing the attacker to move away from the victim reader, possibly even to the next room or to a nearby car. Beyond posing a significant threat to the security of contactless smart card applications, we also show how the range extension setup can be used for legitimate purposes – e.g., to allow handicapped persons to use their RFID tag from a distance.

Document Structure. This paper is organized as follows. The next section gives a brief background of contactless smart card standards and describes relay attacks. Section 3 presents the design of our range extension system. Section 4 presents the experimental results. Section 5 discusses possible attack scenarios and legitimate uses for our setup. Finally, Section 5.3 summarizes the implications of our work.
2 The ISO/IEC 14443 Standard

Most close range RFID applications are based on the ISO/IEC 14443 standard. This standard specifies the operation method and parameters for proximity-coupling smart cards. The nominal operation range for this standard is 5–10 cm. The standard calls the RFID reader a Proximity Coupling Device (PCD), so we will use the terms reader and PCD interchangeably. The tag is called a Proximity Integrated Circuit Card (PICC), so we will use the terms tag and PICC interchangeably.

Fig. 2. Example communication signals for ISO/IEC 14443-2 type A. Top: Downlink modulation, Bottom: Uplink modulation (horizontal axis: t [sec]).

The standard consists of 4 parts: part 1 covers the physical characteristics of the PICC [10]; part 2 specifies the characteristics of the fields to be provided for power and bi-directional communication between the PCD and the PICC [12]; part 3 defines the routines for the initialization of the PICC as well as an anti-collision routine for multiple PICCs [13]; part 4 specifies a half-duplex block transmission protocol featuring the special needs of a contactless environment and defines the activation and deactivation sequence of the protocol [11]. Note that the higher parts of the standard are intended to be used in conjunction with the lower parts.

The standard defines two types of tags, type A and type B. The two types differ in modulation techniques, initialization protocols, and transmission protocols. Our work focuses on type A, hence the following sections will describe only type A properties. The parts of the standard that are relevant to the design of our range extension setup are parts 2, 3, and 4; we highlight their relevant features here.
2.1 ISO/IEC 14443 Part 2: Radio Frequency Power and Signal Interface

This part defines the physical layer interface between the PCD and the PICC. The PICC (tag) is passive – it has no source of power, and draws all its energy from the reader's transmission signal. The communication is based on inductive coupling between an active reader and a passive tag. We will refer to the channel from the reader to the tag as the downlink channel, and the channel from the tag to the reader as the uplink channel. According to the standard the carrier frequency of the reader is fc = 13.56 MHz. The operating magnetic field produced by the reader should lie within the range of 1.5 A/m (rms) to 7.5 A/m (rms). And, the bit rate during the initialization part is defined as fc/128 ≈ 106 kbit/s.

Downlink Modulation: The communication from the reader to the tag uses Amplitude Shift Keying (ASK) with a modulation depth of 100%. The transmitted bits are coded with modified Miller coding as shown in Figure 2 (top). In order to guarantee a continuous power supply to the passive tag, the length of the blanking intervals is only 2–3 μs.

Uplink Modulation: Since the tag has no independent power source, it transmits its signal by means of load modulation of a sub-carrier at fsc = fc/16 ≈ 847 kHz. This modulation is physically carried out by switching a load inside the PICC on and off. The transmitted bits are Manchester coded and modulated by on/off keying of the sub-carrier (i.e., the sub-carrier is ASK 100% modulated by the Manchester coded bits) – see Figure 2 (bottom).
2.2 ISO/IEC 14443 Timing Parameters

The ISO/IEC 14443 standard defines two critical timing parameters called the Frame Delay Time (FDT), which defines the maximal time delay during the initialization protocol [13], and the Frame Waiting Time (FWT), which defines the maximal time delay during the transmission protocol [11]. Both of these parameters define the time delay allowed from the end of a PCD's frame transmission to the start of the PICC's response reception. These parameters are set to about 90 μs during initialization of the protocol (FDT), and to about 300 μs – 5 s (FWT). After the initialization protocol is completed, if a PICC requires a longer calculation time, it can ask for additional time by sending a WTX request [11], which can extend the FWT up to its maximal value of about 5 seconds. The WTX request can be sent multiple times in order to achieve longer calculation times.

One of the practical limitations that relay attacks face is the issue of timing. Without careful attention, the relay can introduce delays into the communication channel, which may break the protocols: as mentioned above, the initialization protocol has strict delay constraints, while during the transmission protocol longer delays can be established, but not without actively interfering in the activation protocol.
3 Ghost System Design

Our goal in this work is to demonstrate an extended-range ghost device – i.e., a device that can pretend to be a tag to a legitimate reader. Unlike a real tag our ghost device is an active device that has a power source.

Fig. 3. Block diagram of full range extension system. Downlink setup: loop antenna, matching circuit, LNA, OpenPCD2 (target). Uplink setup: LOAD_MOD output, diode detector, comparator, signal generator (mod in, RF out 14.408 MHz), pre-amp, power amp, HF monopole antenna. Relay setup: PC, OpenPCD2 (initiator), ISO/IEC 14443 tag. The ISO/IEC 14443 reader faces the downlink and uplink antennas.

We made the following design decisions when creating our ghost device: (1) We use two separate antennas, one for the downlink, and one for the uplink. The downlink reception antenna is a large loop antenna which allows greater sensitivity and therefore can receive the signal from a greater range. For the uplink transmission we use the close range magnetic field emitted from an HF monopole antenna. (2) We use active load modulation for the uplink, to overcome the nominal range limitations of the magnetic coupling. (3) We perform a relay of protocol level 4, while implementing protocol level 3 independently in front of the reader and the tag, to overcome the strict timing requirements of the initialization protocol at level 3.

The system can be divided into three independent building blocks: downlink, uplink, and relay. In the following sections these three building blocks are described. The system is designed to be mounted on a car, and to get its power from a standard car battery. A block diagram of our design can be seen in Figure 3. We tested our ghost using a relay infrastructure. We used standard unmodified hardware for the leech device, while making all the required changes for range extension only on the ghost device.
3.1 Downlink Channel Design

The relay setup is based on two OpenPCD2 [17] boards. OpenPCD2 is an RFID/NFC open source development board based on NXP's PN532 chip [22]. Thus, the control logic for the ghost device is based on one of the OpenPCD2 devices (see Figure 3). Our extended range downlink is based on connecting a large loop antenna to the antenna ports of the PN532 (on the OpenPCD2 board). We used a 39 cm copper tube loop antenna built for a previous leech project in our lab [16].

Fig. 4. Downlink antenna matching circuit. The fixed component values are roughly tuned for our antenna; the variable components are used for fine tuning.

The antenna is connected via a matching circuit through a low noise amplifier (ZFL-500LN [18]) to the Rx port of the PN532.

Matching the Antenna: In order to transfer maximum power from the antenna to the PN532's input an impedance matching circuit is needed. The circuit was designed according to NXP's application note [21]: first measuring the antenna impedance, then calculating appropriate values for the tuning capacitors and resistors. The Q resistor (R1) value was chosen to achieve a quality factor of 25 as recommended by NXP. Since we use the antenna only for reception, the Tx1 and Tx2 ports of the PN532 chip were not connected to the matching circuit, and instead 50 Ω resistors (R01, R02) were added. The matching circuit scheme can be seen in Figure 4.

The matching circuit was first tuned by transmitting a 13.56 MHz carrier wave signal from a signal generator through another loop antenna, and measuring the amplitude at the Rx output with a scope, while the circuit is connected to the OpenPCD2 board. The variable capacitors were tuned for the maximum amplitude value. Finally, the matching was verified using a network analyzer by measuring the S11 value of the matching circuit and the antenna (i.e., the input return loss of the antenna).
3.2 Uplink Channel Design

A key idea behind the uplink is to replace the load modulation technique with an active modulation technique and transmit the signal through a power amplifier and a mobile monopole HF antenna.

Fig. 5. Spectral image of ISO/IEC 14443 communication: carrier at 13.56 MHz, sub-carrier sidebands at 12.7125 and 14.4075 MHz (horizontal axis: f [MHz]).

Active Load Modulation is a technique introduced by Finkenzeller et al. in [4,5]. This technique uses active circuitry which produces the same spectral image as ISO/IEC 14443 type A load modulation, causing the reader to observe the transmitted signal as if it was a standard load modulated signal. Active load modulation operates in the following way: As described in Section 2.1 the uplink transmission channel of ISO/IEC 14443-2 is based on an ASK modulation of a sub-carrier. When looking at the spectral image of this modulation the result is two sidebands centered at f1,2 = fc ± fsc, and each band functions as a carrier for the Manchester coded bits (see Figure 5). According to [5] a typical ISO/IEC 14443 compliant reader evaluates only the upper sideband, hence the relevant part of the spectral image is the upper sideband centered at fUSB = fc + fsc = 13.56 + 13.56/16 = 14.4075 MHz. Therefore, in order to emulate the load modulation signal we can directly modulate the Manchester coded bit stream using an ASK 100% modulation of a 14.4075 MHz carrier signal. Doing so, with an active powered transmitter, allows us to bypass the need for near-field magnetic coupling, and achieve transmission ranges that are 2 orders of magnitude greater than the nominal range.

The Transmitting Antenna: Nominal RFID communication is based on magnetic coupling between two loop antennas. As explained in [5] an effort to increase the range of an active transmitting signal requires either to dramatically increase the current injected to the antenna, or to increase the area of the loop (which also introduces more noise). An alternative approach is to use the field generated by an HF monopole antenna. Monopole antennas are designed for electric field (plane wave) transmission rather than magnetic coupling. However, the antenna still produces a magnetic field in the near field region. Moreover, there may be a coupling between the electric field produced by the monopole antenna and the reader's circuit, which also contributes to the range extension.

There are several advantages of using a monopole antenna for this setup. First, since it usually looks like a simple pole it is easier to hide, which helps in disguising an attack setup. Second, there is a variety of commercial antennas in the ham radio market which are designed for the desired frequency range. And third, we hypothesize that the uplink range will be longer, and the power consumption will be reduced in comparison to our 39 cm loop antenna. In order to choose the appropriate antenna we conducted a preliminary jamming experiment (see Section 4.2). We got the best jamming range with a military broadband helically wound antenna, NVIS-HF1-BC. The considerations for choosing the uplink antenna are further described in [23].

Implementation: In order to produce an active load modulation signal from the PN532 chip we made use of a little-used output pin named LOAD_MOD. This pin is meant to be connected to an external load, and therefore carries the modulated sub-carrier signal. The OpenPCD2 board does not make use of the LOAD_MOD pin, and the regular libnfc code does not instruct the PN532 to activate the pin. Thus, we needed to solder a connector directly onto the pin and modify the libnfc code to activate it. For our setup we needed to work with the digital Manchester coded bit stream rather than the modulated sub-carrier signal. Therefore, we built a simple detector circuit consisting of a diode detector and a comparator which extracts the bit stream from the modulated sub-carrier signal. We used the extracted bit stream to modulate a 14.4075 MHz carrier. Note that for our experiments we produced the modulated signal by entering the bit stream into a signal generator (Agilent N9310A). The signal generator can be easily replaced by a simple circuit containing an oscillator and a mixer.

Since our signal generator's output power reaches only up to 15 dBm, we needed to amplify the signal. We used a Mini-Circuits ZHL-32A [19] amplifier which serves as a pre-amplifier, and an RM-Italy KL400 [26] (a ham radio amplifier) which serves as a power amplifier. The amplifier output is connected to our uplink antenna described above. The KL400 amplifier is a mobile amplifier intended to be used in a car mounted setup. It requires a 12 V DC power supply, and when working at full power it uses up to 24 A, which can be supplied from a standard car battery.
3.3 Relay Setup

Since our focus was the construction of the ghost system and not the relay itself, we implemented the relay part of the attack inside a single PC. For the leech device we used an unmodified OpenPCD2 board. The ghost antennas are connected to a second OpenPCD2 board. The OpenPCD2 boards run a libnfc compatible firmware and are both connected to a PC running Linux Fedora 17 with libnfc [1]. We make use of one of the programs in libnfc, called nfc-relay-picc, which is a relay application built for boards using the PN532 chip. nfc-relay-picc was designed to overcome the timing issues discussed in Section 2.2, which limit the effectiveness of relay attacks. The program operates in the following way:

– One device is selected as initiator (a leech in our terminology), and the other device is selected as target (a ghost in our terminology).
– The leech is placed in front of a victim tag, emulating a reader. It performs the initialization and activation protocols defined in the standard towards the tag (further description of these protocols can be found in [13,11]).
– The tag credentials are acquired by the leech and relayed to the ghost device.
– The ghost emulates a tag with the data acquired from the original tag and waits for a reader to activate it.
– When the ghost is activated by the victim reader, it performs the initialization and activation protocols directly with the reader, using the victim tag's credentials acquired earlier, thus overcoming the very strict delay constraints of the anticollision level 3 protocol.
– While a transmission protocol is established between the ghost and the reader, a parallel transmission is established between the leech and the tag.
– After both transmission protocols are established, each APDU (level 4) frame from the reader is relayed through the ghost→PC→leech relay to the tag, and vice versa.
– In order to overcome timing issues during the transmission itself, the ghost sends WTX requests each time the FWT period is about to expire.

Note that in itself the nfc-relay-picc program and the OpenPCD2 boards are designed to operate within the nominal range of 5–10 cm. To use this program with our uplink setup we had to slightly change the libnfc source, in order to enable an output of the modulated sub-carrier signal out of the LOAD_MOD pin of the PN532 chip.
4 Experiments and Results

In this section we describe the experiments done to test our setup, including preliminary experiments to validate our assumptions, and measurements of the final setup. All of the experiments described below were done with a TI MFS4100 Reader [9] acting as the victim reader, and an ISO/IEC 14443 type A sample tag which was provided inside the OpenPCD2 package as the victim tag. The MF reader was selected since it generates read requests at a high rate (more than 10 times per second). In addition, the TI reader's controller software emits a loud beep when it receives an answer from the tag.
4.1 Reader-to-Ghost (Downlink) Range Estimation

Our first experiment was to measure the reception range of our downlink copper tube loop antenna in isolation. For this purpose we connected the antenna and the matching circuit to a simple detector circuit consisting of a diode detector and a comparator, connected the detector's output to a scope, and measured the received pulses. In order to estimate the reception performance we used the following metric:

– A reference measurement was taken at a close range, measuring the reception of a few repeated REQA frames.
– For each measurement the number of positive pulses was counted.
– For each measurement, we define an error rate metric as the normalized difference between the number of pulses in this measurement and in the reference measurement.

Fig. 6. Downlink performance as a function of the distance from the reader (horizontal axis: range from reader [m], vertical axis: success rate [%]).

Figure 6 presents the results of the experiment. We observed good downlink reception up to a range of 140 cm, followed by a dramatic drop in quality within less than 20 cm. A similar experiment was done using a spectrum analyzer with an analog output as the detector, and we observed a reception range of about 350 cm. However, we believe that our detector's 140 cm range predicts the expected results more accurately, since the ghost's PN532 chip needs to receive the messages error-free in order to decode them. Based on [25] we believe that a greater downlink range may well be possible. However, we must note that the ghost range is bounded by both the uplink and the downlink ranges.
4.2 Ghost-to-Reader (Uplink) Range Estimation

An isolated estimation of the uplink performance was a more challenging task, since transmission from the tag to the reader occurs only after a successful reception of a reader's frame by the tag (i.e., a working downlink channel is required). Hence, in order to test the performance of the RF part of the uplink channel (signal generator, amplifier, and antenna) we conducted a jamming experiment. The basic principle of the jamming setup is to use the same setup as the uplink channel, only without modulation, in order to transmit a continuous wave signal at the upper sideband frequency (14.4075 MHz, recall Figure 5). By transmitting a powerful signal towards the reader at the same frequency as the tag's transmission, we block the tag's response and jam the communication between the reader and the tag.

Table 1. Jamming experiment results

Antenna          Full jamming range [cm]   Partial jamming range [cm]
39 cm loop       95                        125
Hustler          110                       165
Helically wound  200                       230

We assume that since in the jamming case the signal should only interfere with a legitimate signal, and not transmit any information, jamming should be an easier task than uplink transmission. Therefore, by measuring the jamming range we obtain an upper bound on the achievable uplink range. Another objective of the jamming experiment was to determine which antenna is the best for the uplink channel. We tested the following three antennas:

a. 39 cm copper tube loop antenna (the one used for the downlink setup)
b. New-Tronics Hustler: MO-4 (mast) + RM-20-S (resonator), which is designed for the 14–14.35 MHz ham radio band [20] (see [29, §6-29])
c. Broadband vertical helically wound antenna: NVIS-HF1-BC (see [29, §6-37])

Note that in the jamming experiment the KL400 power amplifier was not used, and the signal was amplified only with the Mini-Circuits pre-amplifier. Furthermore, since no information was transmitted, we did not need to worry about distortion, and the amplifier was operated with 15 dBm input power, above its 1 dB compression point.

The results of the jamming experiments are summarized in Table 1. Jamming was identified using an ISO 14443A compliant tag placed next to the reader. Using TI's demo software the computer beeps every time a tag is recognized. We distinguish between two jamming types: full jamming is defined when no beep is heard from the reader for more than 10 seconds, while partial jamming is defined when 1–2 beeps per second are heard, but still significantly fewer beeps than with no jamming signal at all (5–10 beeps per second). We notice that the helically wound antenna gives the best jamming range, and therefore it was chosen for use in the uplink channel. The jamming experiment is described in further detail in [23].
4.3 Full Range Extension Experiment

After estimating the achievable ranges of the different building blocks in isolation, we constructed a full range extension device (ghost). All the range extension experiments were done with the helically wound antenna chosen during the jamming experiments as the uplink antenna, and the 39 cm copper tube loop antenna as the downlink antenna.

A successful downlink can be observed by watching the PN532 response to a reader's frame, which is manifested in a signal on the LOAD_MOD pin. As a diagnostic tool, a scope was used to monitor the LOAD_MOD output, in order to identify a successful downlink. The measured downlink range is 120 cm – two orders of magnitude greater than the nominal range, and enough in many cases for an attacker to move far enough from the victim reader to avoid capture.

On the other hand, uplink measurements were more complex, since the uplink channel was found to be very sensitive to the surrounding environment and cable orientation. A successful uplink was identified by hearing the TI reader's demo software beep for a successful read of a tag. So, a successful uplink also meant a successful range extended relay. Our first attempts at measuring uplink ranges produced suspiciously high ranges. We discovered that the high range was due to an unwanted coupling effect as noticed by [30]. In our initial setup a coaxial cable was passing between the uplink setup and the reader (not connected to any of them), serving as a waveguide for the uplink signal. We then decided to move our setup outside of the building in order to work in a clear and robust environment.

The first measurements were held with only the Mini-Circuits 25 dB pre-amplifier which has an output 1 dB compression point of 29 dBm (~800 mW). In practice, we noticed that at output levels of above 25 dBm (~300 mW) the performance of the uplink channel was severely degraded. We believe that this is the result of noise created by operating the amplifier close to its compression point. Therefore, all the measurements were done using a 0 dBm power at the output of the signal generator.

At first, the experiment was held with the monopole antenna alone, and we achieved only a 35 cm uplink range. We believe that this is due to the fact that monopole antennas need to be placed over a proper ground plane for optimal performance. Since the wavelength of our uplink signal is ~20 m a true ground plane is impractical. Instead, we assumed a car mounted setup, in which the car itself can serve as a ground plane. To emulate a private car's dimensions we used a 1 m² tin plate as a ground plane. With the antenna bolted onto the tin plate and using only the pre-amplifier we managed to get an uplink range of 85 cm. We noticed that this setup is very sensitive to the orientation of the antenna cable with respect to the tin plate – with different cable orientations the maximal uplink range varied between 45 cm and 85 cm. We further noticed that the best uplink ranges were achieved when the antenna was facing the side of the victim reader and not its front. A possible explanation is that when the uplink antenna was placed in front of the reader, it was jamming the downlink antenna from receiving the reader's signal, and therefore preventing a full relay.

At last, after establishing a good setup for the uplink antenna, we added the power amplifier into the transmission chain. Since our pre-amplifier can only produce up to 300 mW without distorting the signal, yet the RM-Italy KL400 amplifier's input power must be at least 1 W, we had to bypass an internal relay inside the amplifier's circuit in order to let the amplifier open for transmission with lower input power. During our experiments we set the KL400 only up to its 2nd power level (out of 6 possible levels) due to radiation hazard concerns (both for the equipment, and for our safety). Later we measured the output power of the modified KL400 amplifier set to its 2nd level and found out the output power of our system was about 7 W.

Table 2. Range extension results

Antenna setup        Amplifier                                       Full bidirectional range [cm]
no ground plane      pre-amplifier (Pout = 300 mW)                   35
1 m² ground plane    pre-amplifier (Pout = 300 mW)                   85
1 m² ground plane    pre-amplifier + power amplifier (Pout = 7 W)    115

After all modifications, the measured uplink range including the power amplifier was 115 cm, which is almost the same as our measured downlink range, and again enough for an adversary to mount his attack from the next room. The results of the different uplink setups are summarized in Table 2. The final setup including the tin plate and the power amplifier can be seen in Figure 7.

Fig. 7. The full range extension setup outside our building. The victim reader is located on the lab stool in the middle of the picture. The uplink antenna on its ground plane is on the left. The downlink loop antenna is behind the reader. The victim tag is on the table in the back, next to the laptop running the relay software.
5DiscussionandConclusionsTherangeextensionsetupdescribedinthisworkhassignicantimplicationsonthesecurityofcloserangeRFIDsystems.
Thesamesetupcanalsobeusedforlegitimatepurposes,inordertoenhanceRFIDcapabilities.
Inthissectionwebrieyintroducetwoattackscenariosandsomelegitimateuseexamplesforthissetup.
660Y.
Oren,D.
Schirman,andA.
Wool5.
1AttackScenariosE-voting.
Theworkof[24]presentsasetofphysicalattacksonIsrael'sproposede-votingsystemwhichusesISO/IEC14443tagsasvotingballots.
Usingarelaysetupanattackercanmountaballotsningattack(whichallowshimtolearnatanytimewhichvoteswerealreadycastintotheballotbox),asingledissidentattack(whichcanundetectablysuppressthevotesforanyamountofvoters),andnallyaballotstungattack(whichgivestheadversarycompletecontroloverpreviouslycastvotes).
Usinganominal-rangerelaytheattacksmentionedin[24]arelimitedsincetheadversarymustbeinarangeof5-10cmfromthetargetballots,whichplaceshiminsidetheballotstation'sroom,andinfrontoftheelectioncommitteemembers.
However,iftherelaysetupisenhancedwitharangeextensionsetuptheattackscanbemountedfromadistance,possiblyevenfromoutsidetheroom,whichallowstheattackertomounttheattackwithoutbeingdetected.
AccessControl.
OneofthemostcommonapplicationofcloserangeRFIDisforaccesscontrolintorestrictedareas.
UsingpersonalRFIDtagsonlyauthorizedpersonnelcanenterarestrictedarea.
Usingarelaysetupanadversarycanuseavictimworker'sidentitywhileheisawayfromtherestricteddoor,andthetagliesinhispocket,toopenthedoor.
However,usinganominalrelaysetup,thisattackscenarioislimited,sincewhentheattackerapproachesthedoorholdinghisghostdeviceinsteadofaregulartaghecanbeeasilyspottedbytheotherworkerswhowalkby.
Alternatively,iftheattackermountsarangeextensionsetupinadistancefromthedoor(possiblyevenbehindawall),hecancausethedoortoopenwhileanaccomplicewalkstowardsthedoorandwavesadecoyblanktaginfrontofthereader.
Sincetheaccomplicedoesnotcarryanyspecialhardwareotherthanadecoytag,theriskincurredbytheattackerisdrasticallylowered.
AninterestingtwistonthisattackwouldbecombinationofanRFIDzapper[27]andanextended-rangeghost.
AnRFIDzapperisalow-costdevicewhichcancompletelydisableavictimtagbyapplyingahigh-energyelectromagneticpulsetoitsRFinput.
Ifanattackerrstzapsavictim'stag,thenappliesanextended-rangeghostattacktothereaderjustasthevictimattemptstousehis(nowdisabled)tag,itwillgiveanyhumanobserverstheimpressionthatonetagisused,whileeectivelyactivatingadierenttag.
Thisforcesaninnocentusertobeanaccomplicetotherelayattackdescribedabove.
5.
2LegitimateUsesforRangeExtensionBesidesbreakingthecloserangeassumption,andviolatingthesystem'ssecurity,therangeextensionsetupcanbeusedforlegitimatepurposes.
Forexample,ahandicappedpersonsittinginawheelchairmightndithardtouseRFIDtags,sincemostofthereadersareplacedoutofhisreach.
Bymountingarangeextensionsetupontothewheelchair,theuserwillnowndRangeExtensionAttacksonContactlessSmartCards661itpossibletoenterthroughdoorswithRFIDaccesscontrol,orpayforpublictransportationwithoutaskingforhelp.
Asanotherexample,nowadaysmanyparkinglotshaveRFIDtagsforsub-scribers.
ManydriversndithardtoreachtheRFIDreaderthroughthecar'swindow.
Bymountingarangeextensionsetupontohiscar,thedrivercanenterintotheparkinglotwithouttheeortofreachingthereaderattheentranceoftheparkinglot.
5.3 Conclusions

In this work we presented a range extension setup for contactless smart cards. The setup can be mounted on any car and powered by a regular car battery. The entire setup costs about $2,000; the uplink antenna constitutes most of that sum and can be replaced by a cheaper model to reduce the cost. Using this setup, the close range assumption of ISO/IEC 14443 applications is broken: the tag does not have to be placed 5-10 cm from the reader, but can be at a distance of over 1 m.

Moreover, the more severe implication of this attack is its combination with the known relay attack. One of the drawbacks of a regular relay attack is that the attacker can be seen operating a device right next to the reader or the tag. Using our range-extended ghost together with the range-extended leech presented in [16], the attacker can conceal his devices, and in the case of the range-extended ghost might even place his device in the next room.

The attacks mentioned above operate at the physical layer of the standard, and are therefore difficult to defend against with a protocol-based solution. Designers of close range RFID applications such as credit cards, e-passports, access control, and e-voting should take into consideration the threats introduced by extending the nominal operation range of ISO/IEC 14443 tags.
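To see concretely why the relay part of the threat is hard to catch at the protocol layer, it helps to model the ghost/leech exchange against the timing budget ISO/IEC 14443-4 actually gives a reader. The reader waits for a response for at most the Frame Waiting Time, FWT = (256 · 16 / fc) · 2^FWI with fc = 13.56 MHz and FWI in 0..14, and for Type A the FWI value is announced by the PICC itself in its ATS. In a relay the ghost plays the PICC, so the attacker chooses the timeout that would have to expose him. The following Python model is an added example written for this page, not the authors' setup or code; the victim card, the APDUs and the per-hop link delays are constructed, and the delays are accumulated rather than slept so that runs are deterministic.

```python
"""Toy model of a ghost/leech relay against an ISO/IEC 14443-4 card.

Added example for this page (not the authors' setup). The card, the APDUs
and the link delays are constructed; the FWT formula is the one from
ISO/IEC 14443-4, where the Type A PICC announces its FWI in the ATS.
"""

FC_HZ = 13.56e6  # ISO/IEC 14443-2 carrier frequency
MAX_FWI = 14     # largest FWI value a PICC may announce


def frame_waiting_time(fwi: int) -> float:
    """Reader-side timeout (seconds) for a PICC response: (256*16/fc) * 2**FWI."""
    if not 0 <= fwi <= MAX_FWI:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi)


class VictimCard:
    """Constructed stand-in for the victim's tag, sitting next to the leech."""

    def __init__(self, real_fwi: int = 4):
        self.real_fwi = real_fwi  # what the genuine card would announce in its own ATS

    def transceive(self, capdu: bytes) -> bytes:
        if capdu.startswith(b"\x00\xa4\x04\x00"):   # SELECT by AID
            return b"\x90\x00"
        if capdu.startswith(b"\x00\xca"):           # GET DATA
            return b"\x01\x02\x03\x04\x90\x00"
        return b"\x6d\x00"                          # INS not supported


class RelayLink:
    """Channel between ghost and leech; each send() adds one hop of simulated delay."""

    def __init__(self, hop_delay_s: float):
        self.hop_delay_s = hop_delay_s
        self.elapsed_s = 0.0

    def send(self, data: bytes) -> bytes:
        self.elapsed_s += self.hop_delay_s
        return data


class Leech:
    """Reader emulator at the victim's tag: forwards whatever the ghost sends."""

    def __init__(self, card: VictimCard):
        self.card = card

    def handle(self, capdu: bytes) -> bytes:
        return self.card.transceive(capdu)


class Ghost:
    """Tag emulator at the real reader; it, not the genuine card, picks the FWI in the ATS."""

    def __init__(self, link: RelayLink, leech: Leech, announced_fwi: int):
        self.link, self.leech = link, leech
        self.announced_fwi = announced_fwi

    def transceive(self, capdu: bytes) -> tuple:
        """Relay one C-APDU and return (R-APDU, round-trip delay in seconds)."""
        start = self.link.elapsed_s
        rapdu = self.link.send(self.leech.handle(self.link.send(capdu)))
        return rapdu, self.link.elapsed_s - start


def relay_session(announced_fwi: int, hop_delay_s: float, commands: list) -> dict:
    """Run every command through the relay and report whether the slowest one stayed inside FWT."""
    card = VictimCard()
    ghost = Ghost(RelayLink(hop_delay_s), Leech(card), announced_fwi)
    fwt = frame_waiting_time(announced_fwi)
    responses, worst = [], 0.0
    for capdu in commands:
        rapdu, rtt = ghost.transceive(capdu)
        responses.append(rapdu)
        worst = max(worst, rtt)
    return {
        "fwt_s": fwt,                                   # timeout the reader actually applies
        "genuine_fwt_s": frame_waiting_time(card.real_fwi),  # what the real card would have allowed
        "worst_rtt_s": worst,
        "within_fwt": worst <= fwt,                     # False means the reader would have timed out
        "responses": responses,
    }


if __name__ == "__main__":
    cmds = [b"\x00\xa4\x04\x00\x07\xa0\x00\x00\x00\x04\x10\x10", b"\x00\xca\x00\x00\x00"]
    # A slow link (500 ms per hop) still fits when the ghost announces FWI=14 (about 4.9 s).
    print(relay_session(14, 0.5, cmds))
    # The same traffic held to the genuine card's FWI=4 (about 4.8 ms) would be cut off.
    print(relay_session(4, 0.01, cmds))
```

The model covers only the 14443-4 timing budget, not the physical-layer range extension built in this work; its point is that the reader's only timing check is parameterised by the device it is talking to, and in a relay that device is the attacker's ghost.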
References

1. libnfc website (2013), http://nfc-tools.org/index.php?title=Main_Page
2. APACS: APACS response to BBC Watchdog and chip and PIN. Press release (February 2007), http://www.chipandpin.co.uk/media/documents/APACSresponsetoWatchdogandchipandPIN-06.02.07.pdf
3. Desmedt, Y., Goutier, C., Bengio, S.: Special uses and abuses of the Fiat-Shamir passport protocol. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 21–39. Springer, Heidelberg (1988)
4. Finkenzeller, K.: Battery powered tags for ISO/IEC 14443, actively emulating load modulation. In: 7th European Workshop on Smart Objects: Systems, Technologies and Applications (RFID SysTech) (May 2011)
5. Finkenzeller, K., Pfeiffer, F., Biebl, E.: Range Extension of an ISO/IEC 14443 type A RFID System with Actively Emulating Load Modulation. In: 7th European Workshop on Smart Objects: Systems, Technologies and Applications (RFID SysTech) (May 2011)
6. Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical NFC peer-to-peer relay attack using mobile phones. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 35–49. Springer, Heidelberg (2010)
7. Hancke, G.P.: Practical attacks on proximity identification systems (short paper). In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 328–333. IEEE Computer Society (2006)
8. Hancke, G.P.: Practical eavesdropping and skimming attacks on high-frequency RFID tokens. Journal of Computer Security 19(2), 259–288 (2011)
9. Texas Instruments: Multifunction reader series 4000 (March 2005), http://www.ti.com/rfid/docs/manuals/pdfSpecs/RF-MFR-RNLK-00.pdf
10. International Organization for Standardization, Geneva: ISO/IEC 14443-1 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 1: Physical characteristics (2008)
11. International Organization for Standardization, Geneva: ISO/IEC 14443-4 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 4: Transmission protocol (2008)
12. International Organization for Standardization, Geneva: ISO/IEC 14443-2 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 2: Radio frequency power and signal interface (2010)
13. International Organization for Standardization, Geneva: ISO/IEC 14443-3 Identification cards – Contactless integrated circuit cards – Proximity cards – Part 3: Initialization and anticollision (2011)
14. Issovits, W., Hutter, M.: Weaknesses of the ISO/IEC 14443 protocol regarding relay attacks. In: 2011 IEEE International Conference on RFID-Technologies and Applications (RFID-TA), pp. 335–342. IEEE (2011)
15. Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcards. In: International Conference on Security and Privacy for Emerging Areas in Communications Networks, Los Alamitos, CA, USA, pp. 47–58. IEEE Computer Society (2005)
16. Kirschenbaum, I., Wool, A.: How to build a low-cost, extended-range RFID skimmer. In: Proceedings of the 15th USENIX Security Symposium, Vancouver, B.C., Canada. USENIX Association (2006)
17. BitManufaktur: OpenPCD 2 (2012), http://www.openpcd.org/OpenPCD_2_RFID_Reader_for_13.56MHz
18. Mini-Circuits: ZFL-500LN low noise amplifier, http://www.minicircuits.com/pdfs/ZFL-500LN.pdf
19. Mini-Circuits: ZHL-32A coaxial amplifier (August 2009), http://www.minicircuits.com/pdfs/ZHL-32A.pdf
20. New-Tronics: Mobile HF Hustler antenna (October 2008), http://www.new-tronics.com/main/html/mobile__hf.html
21. NXP: AN1425 - RF Amplifier for NXP Contactless NFC Reader ICs (August 2011), http://www.nxp.com/download/grouping/10529/application_note
22. NXP: PN532 - Near Field Communication (NFC) controller (September 2012), http://www.nxp.com/documents/short_data_sheet/PN532_C1_SDS.pdf
23. Oren, Y., Schirman, D., Wool, A.: RFID jamming and attacks on Israeli e-voting. In: ITG-Fachbericht - Smart SysTech 2012 (2012)
24. Oren, Y., Wool, A.: RFID-based electronic voting: What could possibly go wrong? In: International IEEE Conference on RFID, Orlando, USA, pp. 118–125 (2010)
25. Pfeiffer, F., Finkenzeller, K., Biebl, E.: Theoretical limits of ISO/IEC 14443 type A RFID eavesdropping attacks. In: ITG-Fachbericht - Smart SysTech 2010 (2012)
26. RM-Italy: KL400 Linear Amplifier (2005), http://www.rmitaly.com/scheda.asp?IDGr=1&cat=0&tipo=96
27. Runge, T.: Schriftliche Arbeit Jugend forscht: Der RFID-Zapper (February 2007) (in German), http://rfidzapper.dyndns.org/RFID-ZAPPER.pdf
28. Sportiello, L., Ciardulli, A.: Long distance relay attack. RFIDSec (July 2013)
29. Straw, R.D.: The ARRL Antenna Book: The Ultimate Reference for Amateur Radio Antennas. American Radio Relay League (2003)
30. Thevenon, P.-H., Savry, O., Tedjini, S., Malherbi-Martins, R.: Attacks on the HF physical layer of contactless and RFID systems. In: Current Trends and Challenges in RFID (2011)