Eavesdropping Near Field Contactless Payments: A Quantitative Analysis


Thomas P. Diakos (1), Johann A. Briffa (1), Tim W. C. Brown (2), Stephan Wesemeyer (1)
(1) Department of Computing, University of Surrey, Guildford
(2) Centre for Communication Systems Research, University of Surrey, Guildford
Presented at the Computer Laboratory, University of Cambridge, January 21, 2014

Outline
- Introduction: Near Field Communications
- Eavesdropping antennas
- Experimental work
- Results
- Conclusions and future work

Introduction: Near Field Communications
Near field:
- Distance much smaller than the wavelength (λ ≈ 22 m at 13.56 MHz)
- HF, 13.56 MHz radio; inductive coupling, so the link is carried by the magnetic field (H-field)
- Reader and (passive) tag
- Short range of operation: from a touch to a few cm
NFC devices:
- Reader and tag on the same device
- Power on-board


Near Field Contactless Payments
- Marketed as ideal for quick, convenient transactions
- Contactless cards and NFC devices
- 23 million cards in the UK alone
- 13.32% of smartphones equipped with NFC
What's the catch? The NFC Forum's own claim: "Because the transmission range is so short, NFC-enabled transactions are inherently secure." (http://nfc-forum.org/what-is-nfc/nfc-in-action/)


Motivation: eavesdropping as the chosen attack
Why eavesdropping?
- Is NFC really "inherently secure"?
- Difficult to defend against: a purely passive listener gives the victim nothing to detect
- Heritage of the contact smartcard world: the application protocols were carried over from contact cards, where the interface could not be overheard


Motivation: eavesdropping in past work
- Expensive, cumbersome equipment
- No control over the transmit power (and so over the field strength at the tag)
- Results reported as traces on an oscilloscope rather than as error rates
Our contribution:
- Relatively inexpensive, inconspicuous equipment
- Varying magnetic field strength
- Quantitative analysis (frame error rate against distance and field strength)

Eavesdropping antennas: design factors
The ideal eavesdropping antenna:
- Maximises SNR
- Resonant at the carrier frequency
- Suitable Q factor
- Impedance matched

NFC antenna design principles: the ideal H-antenna
- H-field (magnetic loop) antenna
- L constant over the band of interest
- R (DC coil resistance) negligible
[Circuit: antenna coil L(f0) loaded by the load resistance R_L]

NFC antenna design principles: the H-antenna in receiver mode
- In RX mode (coil inductance $L$, tuning capacitance $C$, load resistance $R_L$):
$$\frac{V_L}{V_{in}} = \frac{1}{1 + j\omega L(\omega)/R_L - \omega^2 L C} \quad (1)$$
- At resonance ($\omega_0^2 L C = 1$):
$$\frac{V_L}{V_{in}} = \frac{R_L}{j\omega_0 L(\omega_0)} = -j\,R_L\sqrt{C/L} \quad (2)$$
H-antenna conclusions:
- Low inductance, high load resistance
- The magnitude of (2) is equal to the Q factor, $Q = R_L/(\omega_0 L)$
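The following is an added worked example, not code from the slides. It evaluates equations (1) and (2) numerically in pure Python to show how coil inductance and load resistance set the gain at resonance (the Q factor) and the 3 dB bandwidth, and it extends the slide's lossless model with the coil's series resistance R_s, which the trolley measurements later in the deck show is not negligible. The loss extension is my derivation, not the slide's; L = 0.42 µH and R_s = 1.31 Ω are the trolley "Near End" figures from the deck's table, while R_L and the comparison values are assumed.

```python
import cmath
import math

F0 = 13.56e6          # NFC carrier frequency
FSUB = F0 / 16        # ISO 14443 subcarrier, 847.5 kHz (fc/16)


def tuning_capacitance(L, f0=F0):
    """C that resonates with coil inductance L at f0 (omega0^2 L C = 1)."""
    return 1.0 / ((2 * math.pi * f0) ** 2 * L)


def transfer(f, L, C, R_L, R_s=0.0):
    """V_L/V_in of the tuned, loaded loop.  With R_s = 0 this is equation (1) of the
    slides.  R_s (coil series loss, assumed negligible on the slide) is my extension:
    V_L/V_in = 1 / (1 + R_s/R_L + j w (L/R_L + C R_s) - w^2 L C)."""
    w = 2 * math.pi * f
    return 1.0 / (1.0 + R_s / R_L + 1j * w * (L / R_L + C * R_s) - w * w * L * C)


def q_factor(L, R_L, f0=F0):
    """|V_L/V_in| at resonance for a lossless coil, equation (2): R_L/(w0 L)."""
    return R_L / (2 * math.pi * f0 * L)


def loaded_gain(L, R_L, R_s, f0=F0):
    """Closed form of |transfer(f0)| with coil loss: the coil Q (w0 L / R_s) and the
    load Q (R_L / w0 L) combine like parallel resistances, so loss caps the gain
    no matter how high R_L is made."""
    w0L = 2 * math.pi * f0 * L
    q_coil, q_load = w0L / R_s, R_L / w0L
    return 1.0 / math.sqrt((R_s / R_L) ** 2 + (1 / q_coil + 1 / q_load) ** 2)


def passes_sidebands(L, R_L, f0=F0):
    """Suitable Q: the 3 dB bandwidth f0/Q must still cover both data sidebands at
    f0 +- FSUB, i.e. Q <= f0 / (2 FSUB) ~= 8.  Above that the antenna gains at the
    carrier but attenuates the subcarrier that actually carries the bits."""
    return f0 / q_factor(L, R_L) >= 2 * FSUB


def compare(L, R_L, R_s):
    """Gain at resonance from equation (1) with and without the coil loss."""
    C = tuning_capacitance(L)
    return abs(transfer(F0, L, C, R_L)), abs(transfer(F0, L, C, R_L, R_s))


if __name__ == "__main__":
    L, R_L, R_s = 0.42e-6, 1000.0, 1.31     # trolley "Near End" L and R; R_L assumed
    print("lossless |V_L/V_in| = Q = %.1f" % q_factor(L, R_L))
    print("with coil loss     = %.1f" % compare(L, R_L, R_s)[1])
    print("passes 847.5 kHz sidebands:", passes_sidebands(L, R_L))
```

The sideband check is the practitioner's reading of "suitable Q factor": the tag's data sits at 13.56 MHz ± 847.5 kHz, so tuning for the highest possible Q trades away the very signal being eavesdropped. The lossy-coil form shows why "high load resistance desirable" has a ceiling once the antenna is a shopping trolley rather than a copper loop.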

Large metallic structures: the shopping trolley
- Network analyser measurements with a fixed ground point
- Second connection point at various distances along the trolley

The shopping trolley: findings at 13.5 MHz

Scenario    | Inductance at 13.5 MHz / µH | Resistance at 13.5 MHz / Ω
Near End    | 0.42                        | 1.31
Middle End  | 1.42                        | 18.48
Leg End     | 3.73                        | 70.66
Far End     | 2.59                        | 7.67

- Strong dependence on the connection point

Shopping trolley antenna
Pros:
- Ease of execution (tuned with a variable C)
- High load resistance desirable, see equation (2)
- Short connection points
Cons:
- Trolley resistance (a lossy antenna)
- Loop size

Eavesdropping antenna benchmarks: eavesdropping H-fields
- H-loop antenna used as a transmitter
- Controlled H-field, set through the loop current
- Signal generator and power amplifier
- Three types of eavesdropping antennas
- Path loss measurements

H-loop antenna: matched to 50 Ω with a 10 Ω resistor in series

Path loss measurements [plot]: various H-field strengths, H-loop and trolley only

Quarter-wavelength antenna [plot]: S11 reflection coefficients

Quarter-wavelength antenna worn over the body: the water content of the body reduces the efficiency

Path loss measurements: trolley [plot]

Path loss measurements: summary
- The H-loop and the trolley are the most efficient
- Antenna orientation matters
- Results depend on the H-field strength
- Proceed with FER measurements

Experimental work: Near Field Contactless Payments
- PHY layer based on the ISO 14443 standard
- Half-duplex communication
- Type A and Type B

ISO 14443 Type A communication
- 106 kbit/s, i.e. 9.4 µs bit duration
- Manchester-encoded baseband (tag-to-reader direction)
- 847 kHz subcarrier, on-off keyed (OOK) by the Manchester half-bits
- Standard / short frames
- SOF and EOF markers

Computing frame error rates
- A known (random), long sequence
- Transmitter / receiver
- Processing and computation

Transmitter arrangement
[Block diagram: PC, data card, pad attenuator, IQ modulator with carrier from the signal generator, RF amp, step attenuator, coil antenna]
- Synthetic data, 60 bytes per frame
- Subcarrier generated in software
- External trigger signal at 1.7 MHz

[Waveform: sequence of 5 bits]

[Waveform: transition between two PICC frames]


Receiver arrangement
[Block diagram: covert antenna, LNA, RF amp, band-pass filter, 13.56 MHz notch filter, peak detector, data card, PC]
- LNA maximises SNR
- Band-pass filter 12.7 to 14.4 MHz
- 13.56 MHz notch filter removes the reader's carrier so that the detector sees the subcarrier sidebands rather than being swamped by the carrier
- Logarithmic detector
- Capture card sampling at 1.7 MS/s


Noise corruption
- Frame synchronisation becomes challenging
- Compute the variance over a sliding window
- Detect the frame by threshold crossing

[Plot: variance over a sliding window]

Variance smoothing and threshold [plot]: Gaussian smoothing of the variance before thresholding

Robust frame synchronisation
- Frame length: rough estimate from the threshold (γ) crossings
- (EOF − SOF − 32) ± Y must be a multiple of 144 (in samples: at 1.7 MS/s one 106 kbit/s bit is 16 samples, so 32 accounts for the SOF and EOF bits and 144 for one byte with its parity bit)
- Cross-correlation for bit decoding
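The following is an added worked example in pure Python, not code from the slides. It covers the Type A framing described earlier (standard frame: SOF, bytes LSB first each with an odd parity bit, EOF; Manchester half-bits keying the subcarrier), the synchronisation steps on this and the preceding slides (sliding-window variance, Gaussian smoothing, threshold crossing, snapping the length to SOF + k × 144 + EOF samples, and a correlation-based refinement of the SOF position before the per-bit decisions), and the frame error rate with the normal-approximation confidence interval used in the results. Assumptions that are mine and not the deck's: 16 samples per bit (1.7 MS/s over 106 kbit/s), a log-detector output modelled as the subcarrier on/off envelope plus Gaussian noise, the scoring used in `align`, and the window, smoothing and threshold defaults in `decode` (the slide's values of 10 and 50 belong to a different amplitude scale).

```python
import math
import random

SPB = 16          # samples per 9.4 us bit: 1.7 MS/s / 106 kbit/s ~= 16 (assumed capture rate)
HALF = SPB // 2   # samples per Manchester half-bit
BYTE = 9 * SPB    # 8 data bits + odd parity = 144 samples per byte

def frame_bits(payload):
    """Body of a standard frame: each byte LSB first, followed by an odd parity bit."""
    bits = []
    for b in payload:
        d = [(b >> i) & 1 for i in range(8)]
        bits += d + [1 - sum(d) % 2]          # parity makes the number of ones odd
    return bits

def picc_envelope(bits):
    """Subcarrier on/off per sample: 1 = first half on, 0 = second half on; SOF like a 1, EOF silent."""
    one, zero = [1] * HALF + [0] * HALF, [0] * HALF + [1] * HALF
    env = list(one)                                          # SOF
    for b in bits:
        env += one if b else zero
    return env + [0] * SPB                                   # EOF

def channel(env, amp, noise, idle, rng):
    """Constructed detector output: scaled envelope plus Gaussian noise, idle air either side."""
    pad = lambda n: [rng.gauss(0.0, noise) for _ in range(n)]
    return pad(idle) + [amp * e + rng.gauss(0.0, noise) for e in env] + pad(idle)

def sliding_variance(x, win):
    """Variance of the trailing `win` samples at every position, via running sums."""
    out, s, s2 = [], 0.0, 0.0
    for i, v in enumerate(x):
        s, s2 = s + v, s2 + v * v
        if i >= win:
            s, s2 = s - x[i - win], s2 - x[i - win] ** 2
        n = min(i + 1, win)
        out.append(max(s2 / n - (s / n) ** 2, 0.0))
    return out

def gaussian_smooth(x, sigma):
    """FIR Gaussian low-pass, kernel truncated at +-3 sigma, zero padding at the ends."""
    r = int(3 * sigma)
    k = [math.exp(-0.5 * (j / sigma) ** 2) for j in range(-r, r + 1)]
    tot, n = sum(k), len(x)
    return [sum(k[j + r] / tot * x[i + j] for j in range(-r, r + 1) if 0 <= i + j < n)
            for i in range(n)]

def align(x, start, nbits, search=2 * SPB):
    """Refine the SOF position near the rough start by correlating with the frame structure."""
    half = lambda a: sum(x[a:a + HALF])
    best = (-math.inf, None)
    for off in range(start - search, start + search + 1):
        if off < SPB or off + (nbits + 2) * SPB > len(x):
            continue
        eof = off + (nbits + 1) * SPB
        score = half(off) - half(off + HALF)                 # SOF: subcarrier, then off
        score -= half(off - SPB) + half(off - HALF)          # silence before the SOF
        score -= half(eof) + half(eof + HALF)                # silent EOF bit
        for k in range(1, nbits + 1):                        # each data bit has exactly
            a = off + k * SPB                                # one on-half and one off-half
            score += abs(half(a) - half(a + HALF))
        best = max(best, (score, off))
    return best[1]

def decode(x, win=2 * SPB, sigma=4.0, gamma=0.1):
    """Payload bytes, or None on sync/parity failure (defaults assume amp=1, noise<=0.15)."""
    v = gaussian_smooth(sliding_variance(x, win), sigma)
    hits = [i for i, val in enumerate(v) if val > gamma]          # threshold crossings
    nbits = 9 * round((hits[-1] - hits[0] - 2 * SPB) / BYTE) if hits else 0
    off = align(x, hits[0], nbits) if nbits > 0 else None
    if off is None:
        return None
    bits = [1 if sum(x[a:a + HALF]) > sum(x[a + HALF:a + SPB]) else 0
            for a in range(off + SPB, off + (nbits + 1) * SPB, SPB)]
    out = []
    for i in range(0, nbits, 9):
        d, p = bits[i:i + 8], bits[i + 8]
        if (sum(d) + p) % 2 == 0:                            # odd parity violated
            return None
        out.append(sum(bit << j for j, bit in enumerate(d)))
    return bytes(out)

def fer_interval(errors, frames, z=1.96):
    """Frame error rate with its normal-approximation 95% confidence interval."""
    p = errors / frames
    h = z * math.sqrt(p * (1 - p) / frames)
    return p, max(0.0, p - h), min(1.0, p + h)

def run(frames=3, noise=0.15, seed=1):
    """Send random 60-byte frames through the constructed channel; returns (errors, frames)."""
    rng, errors = random.Random(seed), 0
    for _ in range(frames):
        payload = bytes(rng.randrange(256) for _ in range(60))
        x = channel(picc_envelope(frame_bits(payload)), 1.0, noise, 200, rng)
        errors += decode(x) != payload
    return errors, frames
```

Two design points carry over from the slides. The variance window is two bit periods (32 samples) rather than one: within a frame every 32-sample window holds between 12 and 20 subcarrier-on samples whichever bits are sent, so the variance never dips to the noise floor at a 1-to-0 or 0-to-1 transition, which a 16-sample window does. The rough threshold crossings lag the true edges by a few samples, so the length is snapped to the nearest SOF + k × 144 + EOF and the start is then refined by scoring candidate offsets; a frame whose parity fails anywhere is counted as a frame error, which is the quantity the FER curves report.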

Results: experimental set-up
[Block diagram. Outside the chamber: PC, data card, IQ modulator with 13.56 MHz carrier, pre-amp, step attenuator, RF amp. Inside the chamber: Tx antenna, Rx antenna, receiver and peak detector]

Receiver circuit and antenna [photograph]

Preliminary testing
- Anechoic chamber: a controlled environment
- 500-frame tests
- Establish the smoothing and threshold (γ) values

[Plot: smoothing and threshold (γ) selection at 7.45 A/m]

Experimental procedure
- 5000 frames per run (20 minutes per run)
- Distances from 20 to 170 cm in 5 cm increments (2 to 30 cm for the trolley)
- Field strengths of 1.5, 3.45 and 7.45 A/m, spanning the ISO 14443 operating range of 1.5 to 7.5 A/m
- Experiments ran over 2 days

H-loop antenna FER [plot]: normal approximation, 95% confidence intervals

[Photograph: shopping trolley eavesdropping arrangement]

Shopping trolley FER (smoothing parameter = 10, γ = 50) [plot]
- The trolley generates its own noise and is a lossy antenna

Conclusions
- Eavesdropping distance 45 to 90 cm in a shielded environment
- Similar conditions to those found in underground stations
- Relatively inexpensive equipment, inconspicuous antennas
- Gaussian filtering and variance computation give reliable frame synchronisation
Future work
- Real data with real devices
- Improve portability (FPGA), integrate a skimmer
- What does this mean for the user?

Thank you for listening. Please forward any questions.