Abstract
The security of many near-field RFID systems, such as credit cards, access control, e-passports, and e-voting, relies on the assumption that the tag holder is in close proximity to the reader. This assumption should be reasonable because the nominal operation range of the RFID tag is only a few centimeters. In this work we demonstrate a range extension setup which breaks this proximity assumption. Our system allows full communications with a near-field RFID reader from a range of 115 cm – two orders of magnitude greater than nominal range – and uses power that can be supplied by a car battery. The added flexibility offered to an attacker by this range extension significantly improves the effectiveness and practicality of relay attacks on real-world systems.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Oren, Y., Schirman, D., Wool, A. (2013). Range Extension Attacks on Contactless Smart Cards. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_36
DOI: https://doi.org/10.1007/978-3-642-40203-6_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science, Computer Science (R0)