May 10, 2007
Timo Kasper
Crete, Greece
An Embedded System for Practical Security Analysis of Contactless Smartcards
Timo Kasper, Dario Carluccio and Christof Paar
Communication Security Group
Ruhr University Bochum, Germany
http://www.crypto.rub.de
Timo Kasper May 10, 2007 2
Outline
1. Background
2. RFID Basics (ISO 14443)
3. Security Weaknesses
4. Design and Development of an Embedded System
5. Selected Applications and Results
6. Conclusion
Timo Kasper May 10, 2007 3
Background
Many standards for RFID coexist, differing in
- Frequency: kHz … GHz,
- Data rate: 2400 bit/s … 1 Mbit/s,
- Range: < 1 centimetre … several metres,
- Coupling method: backscattering, inductive, …
RFID = Radio Frequency IDentification
Timo Kasper May 10, 2007 4
Background
ISO 14443 is widely deployed in security sensitive applications:
- RFID augmented credit cards (Visa Wave, MasterCard PayPass),
- Ticketing (Philips Mifare, Smart Labels),
- Electronic passport, student identity cards, mobile phones (NFC) , …
Many standards for RFID coexist, differing in
- Frequency: kHz … GHz,
- Data rate: 2400 bit/s … 1 Mbit/s,
- Range: < 1 centimetre … several metres,
- Coupling method: backscattering, inductive, …
RFID = Radio Frequency IDentification
Timo Kasper May 10, 2007 5
RFID Basics (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
Timo Kasper May 10, 2007 6
RFID Basics (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by creating short pauses in the field
Timo Kasper May 10, 2007 7
RFID Basics (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by creating short pauses in the field
• tag answers employing load modulation
Timo Kasper May 10, 2007 8
RFID Basics (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by creating short pauses in the field
• tag answers employing load modulation
• operating range: 8…15 cm, data rate 106…847 kBit/s
Timo Kasper May 10, 2007 9
RFID Basics (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by creating short pauses in the field
• tag answers employing load modulation
• operating range: 8…15 cm, data rate 106…847 kBit/s
Timo Kasper May 10, 2007 10
Security Weaknesses
• contactless interface (e.g. ISO 14443) brings new opportunities for attackers
- read out a tag actively (range: up to 25 cm), maybe unnoticed
- replay attack,
- relay („man in the middle“) attack,
- eavesdropping of the communication from a distance of several meters
Timo Kasper May 10, 2007 11
Security Weaknesses
• contactless interface (e.g. ISO 14443) brings new opportunities for attackers
- read out a tag actively (range: up to 25 cm), maybe unnoticed
- replay attack,
- relay („man in the middle“) attack,
- eavesdropping of the communication from a distance of several metres
• maximum energy consumption of a contactless smartcard is limited,
• reduce manufacturing costs small chip area,
measures for security / privacy may be not implemented or very lightweight !
Timo Kasper May 10, 2007 12
Our Contribution
Idea: Design a cost-effective embedded system which makes it possible to
• communicate with a contactless smartcard on the physical layer,
• emulate any ISO 14443(A) compliant RFID tag / smartcard.
perform replay-, man in the middle-, and other attacks,
analyse protocols, i.e., logging of the communication data,
implement and test new protocols and countermeasures,
assist side-channel attacks (DEMA, …),
test different antennas / power amplifiers.
Timo Kasper May 10, 2007 13
Embedded System – The Reader
• RF interface: transparently operating EM4094 transceiver
• Atmel ATMega32 microcontroller clocked at 13.56 MHz
• specially designed circuits for signal conditioning / processing
Timo Kasper May 10, 2007 14
Embedded System – The Fake Tag
• appears like an authentic ISO 14443(A) compliant transponder
• perform load modulation with subcarrier, as specified
• acquire data from the field and reduce bandwidth
• designed to cooperate with the bit level reader
Timo Kasper May 10, 2007 15
Embedded System – Realization
(Bit-Level) Reader Fake Tag
Timo Kasper May 10, 2007 16
Embedded System - Overview
• RFID tool: provide ISO 14443 compliant interface and emulation of a tag
• oscilloscope: measure / acquire information (e.g. electromagnetic emanation)
• PC: control process sequence and evaluate / analyse the data
• stand-alone operation modes implemented
Timo Kasper May 10, 2007 17
Application: Relay Attack
Timo Kasper May 10, 2007 18
Application: Relay Attack
Timo Kasper May 10, 2007 19
Application: Relay Attack
Timo Kasper May 10, 2007 20
Application: Relay Attack
Timo Kasper May 10, 2007 21
Application: Relay Attack
Timo Kasper May 10, 2007 22
Application: Relay Attack
Timo Kasper May 10, 2007 23
Application: Relay Attack
Timo Kasper May 10, 2007 24
Application: Relay Attack
Timo Kasper May 10, 2007 25
Application: Relay Attack
Timo Kasper May 10, 2007 26
Application: Relay Attack
• DEMA = Differential ElectroMagnetic Analysis
Timo Kasper May 10, 2007 27
Application: Relay Attack
Relay attacks have been carried out successfully with
• electronic passport (issued in Germany)
• student identity card (used at the Ruhr University in Bochum)
• Philips „Classic Mifare“ & „DESFire“ cryptographically enabled smartcards
• Atmel AT88SC153 smartcard
• tickets for the football world championship 2006
Timo Kasper May 10, 2007 28
Applications and Results
Ticket for FIFA World Cup 2006 in Germany
• successful relay attack (all data read out remotely via the Fake Tag)
• embedded Mifare Ultralight chip 64 Byte data, providing NO encryption
with developed hardware: (simple) Replay Attack feasible!
Timo Kasper May 10, 2007 29
Applications and Results
Timing Analysis of an „ACG Dual 2.1 Passport Reader Module“
• reaction of the ACG reader to purposedly delayed answer of a transponder
• compliance with the „Frame Delay Time“, exactly defined in the ISO 14443, could not be observed facilitates relay attack
Timo Kasper May 10, 2007 30
Applications and Results
Investigations with regard to tuning and range
• antennas made out of thin copper wire
• antennas on PCBs
Timo Kasper May 10, 2007 31
Future Works
• improved „Man in the Middle“ attack:
modify the relayed information in real time
• increase reader operating range to 25 cm
• implement and test new protocols / countermeasures
• assist / perform other attacks:
• remote power analysis
• fault analysis
• improve Differential Electro-Magnetic Analysis
Timo Kasper May 10, 2007 32
Conclusion
• cost-effective design of a freely programmable RFID reader and
• Fake Tag emulation of any ISO 14443A complaint tag
• Replay-attack (play-back of previously recorded data)
• Relay-attack (real-time relaying of the data in both directions)
• Timing Analysis of a commercial RFID reader
• Different types of antennas were built and tested
• promising applications & extensions:- Remote Power Analysis- DEMA- Fault Analysis
• Recommendation: Shield RFID tags / contactless smartcards
to protect your privacy (e.g., one layer of aluminum foil) !