Presentation Transcript

Slide1

Range Extension Attacks on Contactless Smartcards

Yossef Oren, Dvir Schirman, and Avishai Wool: Tel Aviv University

ESORICS 2013

Slide2

Agenda

Introduction
Contactless smartcards
Attack motivation
System design
Experimental results
Attack scenarios
Conclusions

Slide3

Contactless smartcards

Slide4

Contactless smartcards – ISO 14443

Passive tags
Communication based on inductive coupling
Data is transmitted back using load modulation
Nominal operation range: 5-10 cm

Slide5

Attack Motivation

Contactless smartcards are being used in a variety of security-oriented applications:
Access control
Payment
E-voting
Smart ID cards
Passports
All of them assume the tag is in proximity of the reader

Slide6

Motivation

If communication between the reader and the tag could be established from a longer range, the proximity assumption would be broken
Our goal: build a device (a.k.a. the “Ghost”) which allows a standard tag to communicate with a standard reader from a distance of more than 1 m

Slide7

Range extension attacks

[Figure: diagram of the range extension attack variants; labels: Leech, Ghost, Relay, Extended range Leech, Extended range Ghost]

Slide8

Related work

Relay attack: extending the nominal communication range between a reader and a tag using a relay channel between two custom-made devices (“Ghost” & “Leech”) [KW05, Han05, FHMM11, SC13]
Extended range Leech: a device that allows a standard tag to be read from a distance of 30 cm [KW06]

Slide9

Ghost system design

Design principles:
Two separate antennas:
A large loop antenna for downlink
A mobile monopole HF antenna for uplink
Active load modulation for uplink transmission
PC-based relay

Slide10

OpenPCD2

An open source & open hardware evaluation board for ISO14443
Can emulate a tag or a reader
Based on NXP PN532
www.openpcd.org

Slide11

Ghost system design

Slide12

Ghost system design – Relay & Leech

A relay & a Leech were not part of this research, but are necessary for the whole system
The relay channel between two OpenPCD2 boards was implemented inside a single PC using libnfc’s nfc-relay-picc, designed to overcome relay timing limitations
The Leech was based on an unmodified OpenPCD2

Slide13

Overcoming relay timing limitations

Part 3 (anticollision protocol): strict timing constraint
Each of the two devices implements part 3 independently, with no relay
Part 4 (transmission protocol): more permissive timing constraint
The tag can ask for more time by sending a WTX request
WTXs are sent repeatedly by the Ghost to extend the time window allowed by the reader
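The repeated WTX requests described on this slide are the part-4 hook that makes relaying feasible, and they are also the point where a reader can push back without new hardware. The following is an added example, not code from the paper, from OpenPCD or from libnfc: it parses ISO/IEC 14443-4 S(WTX) blocks and applies a reader-side policy that caps both the number of WTX requests and the accumulated waiting time per command. The constants (PCB values 0xF2/0xFA for S(WTX), WTXM in the low six bits of INF, FWT = (256·16/fc)·2^FWI) are written from memory of the standard and should be treated as assumptions; the caps themselves and the sample block sequences are constructed for the example.

```python
"""Reader-side policy for ISO/IEC 14443-4 Waiting Time Extension (WTX) requests.

Added example (not from the paper, OpenPCD or libnfc).  Assumed protocol facts:
  * Frame waiting time  FWT = (256 * 16 / fc) * 2**FWI,  fc = 13.56 MHz, FWI 0..14.
  * A card may answer a command with an S(WTX) block (PCB 0xF2, or 0xFA when a
    CID byte follows the PCB) whose INF byte carries WTXM (1..59) in b6..b1,
    asking the reader to wait WTXM * FWT before timing out.
A relay that keeps sending S(WTX) can stretch one exchange almost indefinitely;
this policy bounds that.
"""
from dataclasses import dataclass

FC_HZ = 13.56e6
S_WTX_PCB = 0xF2        # S-block, WTX, no CID
S_WTX_PCB_CID = 0xFA    # S-block, WTX, CID byte follows


def fwt_seconds(fwi: int) -> float:
    """Frame waiting time for a given FWI (an ATS parameter)."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi)


def parse_wtx(block: bytes):
    """Return WTXM if `block` is an S(WTX) request, else None."""
    if not block:
        return None
    pcb = block[0]
    if pcb == S_WTX_PCB and len(block) >= 2:
        inf = block[1]
    elif pcb == S_WTX_PCB_CID and len(block) >= 3:
        inf = block[2]          # CID byte sits between PCB and INF
    else:
        return None             # I-block, R-block, DESELECT, ...
    wtxm = inf & 0x3F           # b8b7 carry the power-level indication
    if not 1 <= wtxm <= 59:
        raise ValueError(f"WTXM {wtxm} outside 1..59")
    return wtxm


@dataclass
class WtxPolicy:
    fwi: int
    max_wtx_per_command: int = 2     # assumption: tune per application
    max_total_wait: float = 0.1      # seconds; assumption: tune per application
    wtx_count: int = 0
    total_wait: float = 0.0

    def start_command(self) -> None:
        self.wtx_count = 0
        self.total_wait = fwt_seconds(self.fwi)   # base wait for the first reply

    def on_block(self, block: bytes) -> str:
        """Classify one card-side block: 'wtx', 'response' or 'abort'."""
        wtxm = parse_wtx(block)
        if wtxm is None:
            return "response"
        self.wtx_count += 1
        self.total_wait += wtxm * fwt_seconds(self.fwi)
        if (self.wtx_count > self.max_wtx_per_command
                or self.total_wait > self.max_total_wait):
            return "abort"
        return "wtx"


def run_exchange(fwi: int, blocks):
    """Feed the card-side blocks of one command through the policy.

    Returns (verdict, wtx_count, total_wait_seconds)."""
    policy = WtxPolicy(fwi=fwi)
    policy.start_command()
    for block in blocks:
        verdict = policy.on_block(block)
        if verdict != "wtx":
            return verdict, policy.wtx_count, policy.total_wait
    return "timeout", policy.wtx_count, policy.total_wait


if __name__ == "__main__":
    # Constructed sample exchanges, FWI = 4 (FWT ~ 4.83 ms).
    honest = [bytes([0xF2, 0x02]), bytes([0x02, 0x90, 0x00])]   # one WTX, then an I-block
    chatty = [bytes([0xF2, 0x01])] * 4                          # WTX over and over
    greedy = [bytes([0xF2, 0x3B]), bytes([0x02, 0x90, 0x00])]   # one WTX with WTXM = 59
    for name, seq in (("honest", honest), ("chatty", chatty), ("greedy", greedy)):
        print(name, run_exchange(4, seq))
```

The trade-off is that genuine cards with slow on-card cryptography do legitimately request WTX, so the caps have to be chosen per application from measured behaviour of the real card population; the point of the check is that a relay's need for extra time shows up as a countable, measurable anomaly at the reader.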

Slide14

Ghost system design – Downlink

Receiving antenna: a 39 cm loop antenna designed for the prior Leech project
Matching circuit: based on NXP’s application note
LNA: Mini-Circuits’ ZFL-500LN

Slide15

Ghost system design – Uplink

Active load modulation: producing the spectral image created by load modulation by means of a standard AM modulator

Slide16

Ghost system design – Uplink

Ghost OpenPCD2 modification:
The LOADMOD pin was enabled; it outputs the modulated subcarrier (847.5 kHz)
This signal was connected to a detector in order to extract the coded bitstream
The bitstream was pulse modulated onto a 14.4075 MHz carrier signal
The HF signal was pre-amplified (Mini-Circuits’ ZHL-32A) & power amplified (RM-Italy KL400)
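The two uplink slides above (active load modulation as a "spectral image", and the 14.4075 MHz carrier) rest on one spectral fact: a passive tag's 847.5 kHz (= fc/16) subcarrier load modulation puts its energy at 13.56 MHz ± 847.5 kHz, and 14.4075 MHz is exactly the upper sideband. The added example below (pure Python, not code from the paper) works a small DFT over constructed samples of both signals and shows that the upper-sideband bin the reader's demodulator listens to is identical in the two cases. It simplifies in two ways that are labelled in the code: a sinusoidal rather than square-wave subcarrier, and a single bit interval with no data keying. The defensive reading is that the physical-layer signal carries no evidence of proximity, which is why a reader that needs proximity assurance has to rely on timing checks rather than on receiving a well-formed reply.

```python
"""DFT view of passive load modulation versus a direct upper-sideband tone.

Added example, not from the paper.  Simplifications (assumptions): the
subcarrier is a pure sinusoid rather than the real square wave, and only one
bit interval is modelled, so no data keying of the subcarrier is shown.
"""
import math

FC = 13.56e6        # reader carrier
FSUB = FC / 16      # 847.5 kHz load-modulation subcarrier
FS = 4 * FC         # sample rate: carrier -> bin N/4, subcarrier -> bin N/64
N = 256             # all tones of interest land on integer DFT bins


def dft_mag(samples, k):
    """Magnitude of DFT bin k, computed directly (O(N) per bin, no numpy)."""
    n_total = len(samples)
    re = sum(x * math.cos(2 * math.pi * k * n / n_total) for n, x in enumerate(samples))
    im = sum(x * math.sin(2 * math.pi * k * n / n_total) for n, x in enumerate(samples))
    return math.hypot(re, im)


def load_modulated(m=0.2):
    """Reader carrier as seen with a passive tag load-modulating it at depth m.

    cos(wc n)(1 + m cos(ws n)) = cos(wc n) + (m/2)[cos((wc+ws)n) + cos((wc-ws)n)]
    """
    return [math.cos(2 * math.pi * FC * n / FS)
            * (1 + m * math.cos(2 * math.pi * FSUB * n / FS)) for n in range(N)]


def active_upper_sideband(m=0.2):
    """Ghost-style uplink: a tone at fc + fsub with the same sideband amplitude m/2.

    The reader's own carrier is omitted here to isolate what the transmitter adds.
    """
    return [(m / 2) * math.cos(2 * math.pi * (FC + FSUB) * n / FS) for n in range(N)]


def bin_of(freq_hz):
    """DFT bin index of a frequency at the chosen N and FS."""
    return round(freq_hz * N / FS)


def sideband_report(samples):
    """Magnitudes at the lower sideband, carrier and upper sideband bins."""
    return {name: dft_mag(samples, bin_of(f))
            for name, f in (("lower", FC - FSUB), ("carrier", FC), ("upper", FC + FSUB))}


def indistinguishable_upper_sideband(m=0.2, tol=1e-6):
    """True when both signals present the same energy in the upper-sideband bin."""
    return abs(sideband_report(load_modulated(m))["upper"]
               - sideband_report(active_upper_sideband(m))["upper"]) < tol


if __name__ == "__main__":
    print("upper sideband frequency: %.4f MHz" % ((FC + FSUB) / 1e6))   # 14.4075
    print("passive load modulation:", sideband_report(load_modulated()))
    print("active upper-sideband tone:", sideband_report(active_upper_sideband()))
    print("same upper sideband:", indistinguishable_upper_sideband())
```

With the constructed modulation depth m = 0.2 the passive case shows the carrier at magnitude 128 (N/2) with both sidebands at 12.8, while the active tone produces only the upper sideband at the same 12.8; a demodulator filtering around fc + fsub sees no difference.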

Slide17

Ghost system design – Uplink

Transmitting antenna:
Broadband helically wound monopole antenna
We use the magnetic near field emitted from the antenna

Slide18

Ghost system design

Slide19

Preliminary experiments

Downlink experiment:
Maximal downlink range was tested with a homemade diode detector: ~1.5 m
Using a spectrum analyzer as a detector, a range of ~3.5 m was measured

Slide20

Preliminary experiments

Jamming
By transmitting a continuous signal on 14.4075 MHz the reader can be jammed
Since we couldn’t measure uplink range independently from the downlink system, the maximal jamming range was measured in order to evaluate the performance of the uplink system
By transmitting a 29 dBm signal, a jamming range of 2 m was achieved

Slide21

Range extension experiment – Setup

Slide22

Range extension experiment – Results

The measured range was highly sensitive to the surrounding environment

Slide23

Attack Scenarios

E-voting
Using a range-extended Ghost and a relay attack, an adversary can mount several attacks on Israel’s proposed e-voting system
Allows the attacker complete control over previously cast votes
Access control
By using a range-extended Ghost and a relay setup the attacker can open a secured door without being detected by a guard / security camera

Slide24

Conclusions

We offer a car-mounted range extension setup for ISO 14443 RFID systems
We successfully built a prototype working from 1.15 m (more than 10 times the nominal range)

Slide25

Conclusions

Extending the nominal communication range of contactless smartcards forms a severe threat to the system’s security
Combined with a relay attack, the presented device can allow an adversary to mount his attack without being detected

Slide26

Acknowledgements

I would like to thank the following people for their contributions to this work:
Mr. Ilan Kirschenbaum – for the loop antenna and other equipment built for his Leech project
Mr. Milosch Meriac – for his help with OpenPCD
Mr. Klaus Finkenzeller – for his help with understanding ISO14443

Slide27

Thank you