1 / 25

Range Extension Attacks on Contactless Smartcards

Yossef Oren, Dvir Schirman , and Avishai Wool: Tel Aviv University. Range Extension Attacks on Contactless Smartcards. ESORICS 2013. Agenda. Introduction Contactless smartcards Attack motivation System design Experimental results Attack scenarios Conclusions. Contactless smartcards.

chin
Télécharger la présentation

Range Extension Attacks on Contactless Smartcards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Yossef Oren, DvirSchirman, and Avishai Wool: Tel Aviv University Range Extension Attacks on Contactless Smartcards ESORICS 2013

  2. Agenda • Introduction • Contactless smartcards • Attack motivation • System design • Experimental results • Attack scenarios • Conclusions

  3. Contactless smartcards

  4. Contactless smartcards – ISO 14443 • Passive tags • Communication based on inductive coupling • Transmit back data using load modulation • Nominal operation range – 5-10 cm

  5. Attack Motivation • Contactless smartcards are being used in a variety of security oriented applications: • Access control • Payment • E-voting • Smart ID card • Passports • All of them assume the tag is in proximity of the reader

  6. Motivation • If a communication between the reader and the tag could be established from a longer range – the proximity assumption would be broken • Our goal – build a device (a.k.a “Ghost”) which allow a standard tag to communicate with a standard reader from a distance of more than 1m

  7. Range extension attacks Leech Leech Extended range Extended range Relay Ghost Ghost

  8. Related work • Relay attack – extending the nominal communication range between a reader and a tag using a relay channel between two custom made devices (“Ghost” & “Leech”)[KW05, Han05, FHMM11, SC13] • Extended range Leech – a device that allows to read a standard tag from a distance of 30 cm[KW06]

  9. Ghost system design • Design principles: • Two separate antennas: • A large loop antenna for downlink • A mobile monopole HF antenna for uplink • Active load modulation for uplink transmission • PC based relay

  10. OpenPCD2 • An open source & open hardware evaluation board for ISO14443 • Can emulate a tag or a reader • Based on NXP PN532 • www.openpcd.org

  11. Ghost system design

  12. Ghost system design – Relay & Leech • A relay & a Leech were not part of this research, but necessary for the whole system • Relay channel between two OpenPCD2 boards was implemented inside a single PC • Using libnfc’snfc-relay-picc– designed to overcome relay timing limitations • Leech was based on an unmodified OpenPCD2

  13. Ghost system design – Downlink • Receiving antenna: a 39 cm loop antenna designed for prior Leech project • Matching circuit: Based on NXP’s app note • LNA: Mini-Circuits’ ZFL-500LN

  14. Ghost system design – Uplink • Active load modulation: • Producing the spectral image created by load modulation by means of a standard AM modulator

  15. Ghost system design – Uplink • Ghost OpenPCD2 modification: • LOADMOD pin was enabled – outputs modulated subcarrier (847.5 kHz) • The above signal was connected to a detector, in order to extract coded bitstream • The bitstream was pulse modulated on a 14.4075 MHz carrier signal • The HF signal was pre-amplified (Mini-Circuits’ ZHL-32A) & power amplified (RM-Italy KL400)

  16. Ghost system design – Uplink • Transmitting antenna: • Broadband helically wound monopole antenna • We use the magnetic near field emitted from the antenna

  17. Ghost system design

  18. Preliminary experiments • Downlink experiment: • Maximal downlink range was tested with a homemade diode detector ~ 1.5m • Using a spectrum analyzer as a detectora range of ~3.5m was measured

  19. Preliminary experiments • Jamming • By transmitting a continuous signal on 14.4075 MHz the reader can be jammed • Since we couldn’t measure uplink range independently from downlink system, maximal Jamming range was measured in order to evaluate the performance of the uplink system • By transmitting a 29 dBm signal, a jamming range of 2 m was achieved

  20. Range extension experiment – Setup

  21. Range extension experiment – Results • The measured range was highly sensitive to the surrounding environment

  22. Attack Scenarios • E-voting • Using a range extended Ghost and a relay attack, an adversary can mount several attacks on Israel’s proposed e-voting system • Allows the attacker complete control over previously cast votes • Access control • By using a range extended Ghost and a relay setup the attacker can open a secured door without being detected by a guard / security camera

  23. Conclusions • We offer a car mounted range extension setup for ISO 14443 RFID systems • We successfully built a prototype working from 1.15 m (more than 10 times the nominal range)

  24. Conclusions • Extending the nominal communication range of contactless smartcards form a severe threat on the system’s security • Combining with a relay attack the presented device can allow adversary to mount his attack without being detected

  25. Thank you

More Related