Contactless snooping: Assessing the real threats


Thomas P. Diakos (1), Johann A. Briffa (1), Tim W. C. Brown (2), Stephan Wesemeyer (1)
(1) Department of Computing, Guildford
(2) Centre for Communication Systems Research, Guildford
Tomorrow's Transactions forum, London, March 19, 2014

Outline
Near Field Communication
Eavesdropping Antennas
Experimental Work
Quantitative Analysis
Conclusions and Future Work

Near Field Contactless Transactions: RFID Technology / Near Field Communication
(Diagram labels: coupling element, reader chip, reader's magnetic field, contactless card)
HF 13.56 MHz radio
Short range of operation (< 10 cm): near-field region
Contactless cards or NFC devices

Near Field Contactless Transactions
Marketed as ideal for quick, convenient transactions
23 million cards in the UK alone
13.32% of smartphones with access to the WWW
What's the catch? "Because the transmission range is so short, NFC-enabled transactions are inherently secure." (http://nfc-forum.org/what-is-nfc/nfc-in-action/)

Research Motivation: Eavesdropping, Our Attack Vector
(Diagram: eavesdropping system; PoS; customer pays with contactless tag; electromagnetic field generated during transaction)
Inherently secure?
Difficult to defend against
Contact-world heritage

Motivation: Eavesdropping, Past Work
Expensive, cumbersome equipment
No control over transmit power
Traces on a scope
Our contribution
Relatively inexpensive, inconspicuous equipment
Varying magnetic field strength measurements
Quantitative analysis

Eavesdropping Antennas: Design Factors
The ideal eavesdropping antenna
Maximise signal-to-noise ratio
Resonance
Suitable Q factor
H-antenna conclusions: low inductance, high load resistance

Eavesdropping Antennas: Large Metallic Structures, the Shopping Trolley
(Diagram connection points: Far End, Middle End, Leg End, Ground Point, Near End)
Scenario     Inductance (µH)   Resistance (Ω)
Near End     0.42              1.31
Middle End   1.42              18.48
Leg End      3.73              70.66
Far End      2.59              7.67

Eavesdropping Antennas: Shopping Trolley Antenna
Pros
Short connection points
Ease of execution
High load resistance

Eavesdropping Antennas: Shopping Trolley Antenna
Cons
Trolley resistance
Noise susceptibility
Not an ideal H-antenna

Eavesdropping Antennas: Eavesdropping Antenna Benchmarks
Eavesdropping H-fields
H-loop antenna used as a transmitter
Signal generator and power amplifier
Three types of eavesdropping antennas
Path loss & background noise measurements

Eavesdropping Antennas: NFC Antenna Design Principles
H-loop antenna matched to 50 Ω with a resistor (10 Ω) in series

Eavesdropping Antennas: Quarter Wavelength Antenna
Worn over body
Water content of body reduces efficiency

Eavesdropping Antennas: Path Loss Measurements, Trolley
(Plot: trolley path loss, power level (dBm) versus distance (m) from 0.2 to 2.0 m; curves for 4.5 A/m front, 4.5 A/m side, 1.5 A/m front, 0.5 A/m front, and the theoretical curve)

Eavesdropping Antennas: Path Loss Measurements Summary
H-loop and trolley are most efficient
Antenna orientation
H-field strength
Quantitative analysis

Experimental Work: ISO 14443 Type A Communication
PHY layer based on the ISO 14443 standard
Manchester encoded baseband
847 kHz subcarrier modulation (OOK)

Experimental Work: Computing Frame Error Rates
A known (randomly generated) long sequence
Transmitter / receiver
Processing and computation

Experimental Work: Transmitter Arrangement
(Block diagram: signal generator, PC data card, pad attenuator, IQ modulator, coil antenna, RF amp, step attenuator)
Synthetic data, 60 bytes per frame
Subcarrier generated in software
External trigger signal at 1.7 MHz

Experimental Work: Sequence of 5 bits
(Plots: the binary sequence, the Manchester encoded sequence, and the OOK modulated 847 kHz subcarrier; voltage / V versus samples, 0 to 80 samples for the 5 bits)

Experimental Work: Receiver Arrangement
(Block diagram: covert antenna, LNA, RF amp, BPF, 13.56 MHz notch filter, PC data card, peak detector)
LNA maximises SNR
Band pass filter 12.7 to 14.4 MHz
Logarithmic peak detector

Experimental Work: Receiver Arrangement (figure)

Experimental Work: Noise Corruption
(Plot: eavesdropped samples, voltage / V versus number of samples, 0 to 200)
Frame synchronisation becomes challenging
Variance computing sliding window
Threshold crossing

Experimental Work: Variance Sliding Window
Binary sequence 1 0 0 1 1 0
(Plots: the binary sequence and the modulated subcarrier, amplitude / V versus samples 0 to 112, and the variance value for window size = 16 and window size = 32)

Experimental Work: Variance Smoothing and Threshold Crossing
Gaussian smoothing
(Plot: eavesdropped samples, voltage / V, and the variance value for σ = 0, σ = 10 and σ = 40 versus samples 0 to 192; impact of σ and ρ on the variance curve, with the ρ = 60% crossing marking the data start)

Experimental Work: Robust Frame Synchronisation
Frame length: rough estimate based on ρ crossing (EOF SOF 32) ± Y, multiple of 144
Cross correlation for bit decoding
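As an added simulation (not the authors' code) of the physical layer and frame-synchronisation steps above: it builds a Type A card-to-reader frame (Manchester bits carried by the 847 kHz OOK subcarrier), adds constructed noise, and locates the frame start with the variance sliding window, Gaussian smoothing and ρ threshold crossing. It assumes the 1.7 MHz trigger gives 16 samples per bit (2 per subcarrier cycle); the bit sequence, lead-in silence and noise level are constructed.

```python
"""Constructed simulation (not the authors' code) of the card-to-reader signal
and of the variance sliding window / threshold crossing used to find the start
of an eavesdropped frame.  Assumes 16 samples per bit (1.7 MHz trigger)."""
import math
import random

SAMPLES_PER_BIT = 16  # 2 samples per 847 kHz subcarrier cycle, 8 cycles per bit

def manchester_ook(bits):
    """ISO 14443 Type A card->reader coding: logic 1 = subcarrier in the first
    half of the bit, logic 0 = in the second half (8 samples alternating 1, 0)."""
    half = SAMPLES_PER_BIT // 2
    burst = [1.0 if i % 2 == 0 else 0.0 for i in range(half)]
    silence = [0.0] * half
    out = []
    for b in bits:
        out += burst + silence if b else silence + burst
    return out

def sliding_variance(samples, window):
    """Population variance of every run of `window` consecutive samples."""
    out = []
    for i in range(len(samples) - window + 1):
        w = samples[i:i + window]
        mean = sum(w) / window
        out.append(sum((x - mean) ** 2 for x in w) / window)
    return out

def gaussian_smooth(values, sigma):
    """Gaussian smoothing, kernel radius 3*sigma, edges clamped; sigma=0 is a no-op."""
    if sigma == 0:
        return list(values)
    ks = range(-3 * sigma, 3 * sigma + 1)
    kernel = [math.exp(-k * k / (2.0 * sigma * sigma)) for k in ks]
    n = len(values)
    return [sum(w * values[min(max(i + k, 0), n - 1)] for k, w in zip(ks, kernel))
            / sum(kernel) for i in range(n)]

def frame_start(samples, window=16, sigma=10, rho=60):
    """Rough frame start: first window index whose smoothed variance reaches
    rho % of the curve's peak (the estimate the talk refines by cross-correlation)."""
    var = gaussian_smooth(sliding_variance(samples, window), sigma)
    threshold = rho / 100.0 * max(var)
    return next(i for i, v in enumerate(var) if v >= threshold)

def noisy_capture(bits, lead_in=64, noise_sd=0.05, seed=1):
    """Constructed capture: silence, one frame, silence, plus Gaussian noise."""
    rng = random.Random(seed)
    clean = [0.0] * lead_in + manchester_ook(bits) + [0.0] * lead_in
    return [x + rng.gauss(0.0, noise_sd) for x in clean]
```

The unsmoothed variance drops to zero wherever a 1 bit is followed by a 0 bit (two silent half-bits in a row), which is why the talk smooths the curve before thresholding.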

Results: Experimental Set-up
(Block diagram, labelled outside chamber / inside chamber: PC data card, IQ modulator, 13.56 MHz carrier, pre amp, step attenuator, RF amp, Tx antenna, Rx antenna, receiver & peak detector)

Results: Receiver Circuit and Antenna (figure)

Results: Preliminary Testing
Anechoic chamber
500 frame tests
Establish σ and ρ values

Results: σ and ρ Selection at 7.45 A/m
(Heat maps at 80 cm, 85 cm and 90 cm: ρ from 50 to 65 versus σ from 0 to 40, colour scale 0.06 to 1.00, with the point σ = 10, ρ = 57 marked)

Results: Experimental Procedure
5000 frames (20 minutes per run)
20 to 170 cm in increments of 5 cm (2 to 30 cm for trolley)
1.5, 3.45, 7.45 A/m
Experiments ran over 2 days

Results: H-Loop Antenna Frame Error Rates
(Plot: FER with confidence intervals, log scale from 10^0 to 10^-4, versus distance / cm from 20 to 140, for runs 7.45 (a), 7.45 (b), 3.45 (a), 3.45 (b), 3.45 (c), 1.45 (a), 1.45 (b) A/m)
Normal approximation, 95% confidence interval levels

Results: Shopping Trolley Eavesdropping Arrangement (figure)

Results: Shopping Trolley FER (σ = 10, ρ = 50)
(Plot: shopping trolley FER, error rate from 0.0 to 1.0 versus distance / cm from 0 to 30, for 7.45 A/m, 3.45 A/m and 1.45 A/m)
Trolley generates its own noise, lossy antenna

Conclusions and Future Work
Conclusions
Eavesdropping distance 45-90 cm
No interference from other HF sources
Relatively inexpensive equipment, inconspicuous antennas
Reliable data recovery
Future work
Commercial devices
Improve portability
Remote interrogation
Security and privacy implications

Thank you for listening. Please forward any questions.