RFID Eavesdropping Using SDR Platforms: Lecture Notes in Electrical Engineering June 2018
All content following this page was uploaded by Ali Mansour on 21 August 2017.
1 Introduction
Radio-Frequency Identification (RFID) is the contactless use of radio-frequency
(RF) electromagnetic fields to transfer data between a reader and an RFID tag.
Nowadays, RFID is widely used in access control systems, public transport and
stock control. RFID can be implemented with different technologies; the most
widely used one is described by the standard ISO/IEC 14443 [1]. Using sophisticated
and expensive equipment, previous work has demonstrated the vulnerability of this
technology: interception, decoy and jamming attacks on the "RFID air interface"
show the weakness of systems built on contactless chips [2]. Many studies have
shown that encryption algorithms or sophisticated protocols cannot completely
guarantee the security of the communication between a reader and an RFID tag
[3][4][5].
To prevent harmful attacks on RFID devices, the various vulnerabilities should
be clearly identified [4][5]. Many references in the literature describe these
security holes in detail, for example the relay attack on credit cards presented
in [6] or the Mifare Classic tag cloning attack presented in [7]. Because of their
large number and variety, RFID attacks cannot be classified easily. However,
wireless RFID attacks can be divided into two main classes:
– Passive attack: the attacker only intercepts the communication between a
reader and a tag. Eavesdropping [8] and side-channel attacks (side-channel
analysis) [9] are the most common passive attacks.
– Active attack: the attacker transmits radio signals in order to stimulate the
tag. Activation or deactivation, skimming [10], emulation/spoofing [11] and
relay [6] attacks are often used to prove the insecurity of RFID.
2 Le Roy, Quiniou, Mansour, Lababidi, & Le Jeune
Most common cheap tags use low or high frequencies with inductive coupling.
In this case the reader, called Proximity Coupling Device (PCD), establishes a
magnetic coupling with the tag, called Proximity Integrated Circuit Card (PICC),
which powers up the passive tag and makes it exchange data with the reader.
2.1 Attack context
In modern societies, connected objects are invading our everyday life. These
relatively small smart sensors will be deployed in very large numbers and will
exchange data among themselves using new network technologies such as the
Internet of Things (IoT). Some of them will use RFID technology. To
demonstrate the concept of an eavesdropping attack on an RFID tag, we targeted
RFID toys¹ in our experiments. The targeted PICC toys, "Rabbits", can exchange
data with a computer through a PCD device called a "mirror". In the original
application, the PCD is used to identify a PICC and trigger specific applications
(such as reading a weather forecast or playing music).
The signal shown in figure 1a was obtained without any tag present. Zooming in
on the time axis reveals a simple carrier at fc = 13.56 MHz, which corresponds
to the RFID standard² ISO/IEC 14443-2 [1]. The PCD polls periodically for tags.
Each polling cycle can be divided into: an unmodulated carrier period (11.6 ms,
part of which is shown in fig. 1a), a silence period of 300 µs, then the carrier
is activated again and modulated for 580 µs (see the red circle A of figure 1a),
after which the carrier is transmitted again without any modulation, and the
cycle ends with another silence period of 1.8 ms.
After the PCD modulation period A (see figure 1b), a nearby PICC transmits its
data by modulating the load of its antenna, see the red circle B of the same
figure. The load modulation uses a subcarrier fsub = fc/16 = 847.5 kHz, as
specified by the standard [1]. The bandpass signal generated by the tag is
therefore the sum of two sidebands at fc − fsub = 12.7125 MHz and fc + fsub =
14.4075 MHz. Two RFID standards operate at this frequency, ISO/IEC 14443-2 and
ISO/IEC 15693; ISO/IEC 14443-2 defines two communication schemes, type A and
type B, with the same carrier frequency fc = 13.56 MHz and the same bit rate
Db = 106 kbit/s. Each type uses a specific modulation, as summarised in table 2.
For PCD → PICC, type A uses 100% ASK (on-off keying, OOK) while type B uses ASK
with a modulation index of 10%; for PICC → PCD, a type B PICC modulates the
subcarrier in binary phase shift keying (BPSK). Figures 1a and 1b show the
PCD → PICC transmission (area A) using 10% ASK and a PICC subcarrier around
850 kHz, so the standard in use is ISO/IEC 14443 type B.

¹ For further details on the toys used, see www.journaldulapin.com/tag/karotz
² RFID and NFC standards are summarised in [5].
Table 2: RFID standards at 13.56 MHz

Standard       Type   Direction    Modulation         Line code            Subcarrier          Rate
ISO/IEC 14443  A      PCD → PICC   ASK 100%           Modified Miller      none                106 kbit/s
                      PICC → PCD   ASK (subcarrier)   Manchester           847.5 kHz           106 kbit/s
               B      PCD → PICC   ASK 10%            NRZ                  none                106 kbit/s
                      PICC → PCD   BPSK (subcarrier)  NRZ                  847.5 kHz           106 kbit/s
ISO/IEC 15693  Low    PCD → PICC   ASK 100% or 10%    PPM (1 out of 256)   none                1.65 kbit/s
                      PICC → PCD   ASK or FSK         Manchester           423.75/484.28 kHz   6.62 kbit/s
               Fast   PCD → PICC   ASK 100% or 10%    PPM (1 out of 4)     none                26.48 kbit/s
                      PICC → PCD   ASK or FSK         Manchester           423.75/484.28 kHz   26.48 kbit/s
3 Platform description
Our platform consists of an RFID antenna, a Digital Video Broadcasting - Terrestrial
(DVB-T) receiver, an upconverter and a computer running GNU Radio [13]. Since
we are using passive tags, the PICC signals are very weak, so a dedicated
RFID antenna, the DLP-FANT, was used to eavesdrop on the PCD ↔ PICC
communication. The DVB-T receiver (R820T dongle from NooElec) is a common
USB 2 television tuner based on the RTL2832U. Palosaari showed that this device
can be used as an SDR platform. Using a Rafael Micro R820T tuner chip, the
NooElec dongle can sample a radio signal from 24 MHz to 1766 MHz at 2.4 Msps
over USB 2. It is worth mentioning that the RTL2832U device cannot receive the
13.56 MHz RFID frequency directly because it lies outside this range. To solve
that problem, a frequency converter (Ham It Up v1.2 from NooElec) was used to
upconvert the signal by 125 MHz. In spite of the 10 dB conversion loss measured
with a vector network analyzer, the upconverter delivers a strong PCD signal and
a usable PICC signal.
block), we recorded our signals. In our application, the centre frequency was
set to the upper sideband of the PICC signal: fc + fsub + fIF =
13.56 MHz + 847.5 kHz + 125 MHz = 139.4075 MHz. Figure 2 shows a cyclic
PCD signal recorded and processed later with Matlab. The upper peaks,
grouped in threes, are the BPSK replies of the PICC to the PCD.
5 PICC signal demodulation
The recordings used for PCD demodulation are the same as those used for PICC
demodulation, since each of them contains both sides of the exchange. The PCD
transmits its requests to the PICC as a 10% ASK signal. Figure 5 shows the ASK
signal and the PICC response, which has a higher amplitude because of the
subcarrier load modulation.
A fast Fourier transform of the recording gives the frequency of the signal to
be processed in baseband. A frequency translation followed by low-pass filtering
gives the signal illustrated in figure 6.
A threshold applied to this signal yields the binary data, which is all the
information needed to understand and reverse-engineer the complete protocol.
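The four steps above (FFT to locate the line of interest, frequency translation, low-pass filtering, threshold decision) are spelled out in the following added example, which is not the authors' code. It assumes the receiver is centred on the upper PICC sideband as described in section 3, a residual tuning error of a few kHz, a PCD carrier ten times stronger than the tag reply, and two unmodulated subcarrier periods ahead of the tag's data; the capture it demodulates is constructed inside the script, and all amplitudes, noise levels and filter parameters are assumed values. It uses the standard's fixed ratio fsub = fc/16 to find the weak tag sideband from the strong PCD carrier, then thresholds the phase-aligned in-phase component to recover the BPSK bits; the decision-directed reference update plays the role that a Costas loop plays in a hardware BPSK receiver.

```python
import cmath
import math
import random

FC = 13.56e6          # ISO/IEC 14443 carrier frequency
FSUB = FC / 16        # 847.5 kHz load-modulation subcarrier
BITRATE = FC / 128    # 106 kbit/s: one bit lasts 8 subcarrier cycles
FS = 2.4e6            # RTL2832U sample rate used in the paper
LEAD = 2              # assumed unmodulated subcarrier periods before the data

def make_capture(bits, f_err=3e3, a_pcd=10.0, a_picc=1.0, snr_db=20.0, seed=1):
    """Constructed complex-baseband capture (assumed values, not a recording).
    Tuned to fc + fsub with a residual error f_err, so the PCD carrier sits at
    f_err - FSUB and the PICC BPSK subcarrier at f_err.  LEAD unmodulated periods
    (logic 1) precede the data; one extra period repeats the last bit."""
    rng = random.Random(seed)
    n = int((LEAD + len(bits) + 1) * FS / BITRATE)
    sigma = a_picc / math.sqrt(2 * 10 ** (snr_db / 10))
    cap = []
    for k in range(n):
        t = k / FS
        idx = int(t * BITRATE) - LEAD
        bit = 1 if idx < 0 else bits[min(idx, len(bits) - 1)]
        picc = a_picc * cmath.exp(1j * (2 * math.pi * f_err * t + (0.0 if bit else math.pi)))
        pcd = a_pcd * cmath.exp(2j * math.pi * (f_err - FSUB) * t)
        cap.append(picc + pcd + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)))
    return cap

def fft(x):
    """Recursive radix-2 FFT; the caller pads to a power-of-two length."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out

def find_pcd_carrier(samples):
    """Step 1: the strongest line of a 4x zero-padded FFT is the PCD carrier.
    Returns its offset from the tuning centre in Hz."""
    n = 1 << (4 * len(samples)).bit_length()
    spec = fft(list(samples) + [0j] * (n - len(samples)))
    k = max(range(n), key=lambda i: abs(spec[i]))
    return (k - n if k >= n // 2 else k) * FS / n

def translate(samples, f_hz):
    """Step 2: shift the component at f_hz down to DC."""
    return [s * cmath.exp(-2j * math.pi * f_hz * k / FS) for k, s in enumerate(samples)]

def lowpass(samples, cutoff_hz, taps=31):
    """Step 3: zero-phase Hamming-windowed sinc FIR.  A 200 kHz cutoff passes
    the 106 kbit/s data and rejects the PCD carrier, now 847.5 kHz below DC."""
    m = taps - 1
    h = []
    for i in range(taps):
        x = i - m / 2
        sinc = 2 * cutoff_hz / FS if x == 0 else math.sin(2 * math.pi * cutoff_hz * x / FS) / (math.pi * x)
        h.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    h = [v / gain for v in h]            # unity DC gain
    half = m // 2
    return [sum(hv * samples[k + half - i] for i, hv in enumerate(h)
                if 0 <= k + half - i < len(samples))
            for k in range(len(samples))]

def slice_bits(baseband, nbits):
    """Step 4: average each bit period, align it to the unmodulated reference
    and threshold the in-phase part at zero.  The reference is refreshed after
    every decision (decision-directed tracking, the software counterpart of a
    Costas loop) so the residual frequency error cannot rotate the constellation."""
    spb = FS / BITRATE                   # about 22.6 samples per bit
    def bit_mean(b):
        seg = baseband[int(round(b * spb)):int(round((b + 1) * spb))]
        return sum(seg) / len(seg)
    ref = bit_mean(LEAD - 1)
    out = []
    for b in range(LEAD, LEAD + nbits):
        m = bit_mean(b)
        bit = 1 if (m * ref.conjugate()).real > 0 else 0
        out.append(bit)
        ref = m if bit else -m
    return out

def demodulate(samples, nbits):
    """Whole chain: the standard fixes the PICC sideband fc/16 above the (much
    stronger) PCD carrier, so locating the carrier locates the tag reply."""
    f_picc = find_pcd_carrier(samples) + FSUB
    return slice_bits(lowpass(translate(samples, f_picc), 200e3), nbits)

if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0] * 8   # constructed 64-bit tag reply
    print(demodulate(make_capture(payload), len(payload)) == payload)   # True
```

On a real recording the PCD request (10% ASK) precedes the reply and the tag's own start-of-frame and TR1 periods provide the phase reference; the two leading unmodulated periods in the constructed capture stand in for that and also keep the FIR edge transient away from the reference bit.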
7 Conclusion
In this article, RFID eavesdropping between an RFID reader and a tag has been
successfully implemented using low-cost hardware and an open-source software
stack. Moreover, we have shown that combining Python or Matlab with the
GNU Radio toolkit makes signal processing on physical radio signals very powerful
and very easy to prototype. From this raw material, the communication protocol
between reader and tag can then be intercepted and analysed by more sophisticated
tools such as Wireshark; such a combination has, for example, already been used
successfully for GSM eavesdropping. In future work we expect to see whether more
complex RFID attacks can be performed on SDR platforms. Some of our recent
work has shown that the code developed with the R820T is easily portable to
other SDR platforms. Unlike the R820T, BladeRF or HackRF platforms have a
transmit output usable for jamming. So, in future work, the feasibility of more
advanced attacks such as skimming or emulation will be explored. In the
software radio community, these kinds of attack are viewed as a smart waveform
because antenna time, transceiver time and terminal time differ. Thus, absolute,
relative and immediate time concepts are crucial to manage a smart waveform.
This coming work will focus in particular on a transceiver API currently
available as a draft document at the WInnF (Wireless Innovation Forum).
References
8. Hancke, G.: Eavesdropping attacks on high-frequency RFID tokens. In: 4th Workshop on RFID Security (RFIDSec), pp. 100–113 (2008)
9. Oren, Y., Shamir, A.: Remote password extraction from RFID tags. IEEE Transactions on Computers 56(9), 1292–1296 (2007)
10. Juels, A., Molnar, D., Wagner, D.: Security and privacy issues in e-passports. In: 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 74–88. IEEE Press, Athens (2005)
11. Winkler, M., Faseth, T., Arthaber, H., Magerl, G.: A UHF RFID tag emulator for precise emulation of the physical layer. In: European Wireless Technology Conference (EuWIT), pp. 273–276. IEEE Press, Paris (2010)
12. http://www.nxp.com/products/identification-and-security/nfc-and-reader-ics/nfc-everywhere/iso-iec-14443a-licensing-information:ISO-IEC-14443A-LICENSING-INFO
13. http://gnuradio.org/redmine/projects/gnuradio/wiki
14. https://sourceforge.net/p/openlte/wiki/Home/
15. Humphreys, T.E., Ledvina, B., Psiaki, M., O'Hanlon, B., Kintner Jr., P.M.: Assessing the spoofing threat: development of a portable GPS civilian spoofer. In: 21st International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2008), pp. 2314–2325, Savannah (2008)
16. Huang, L., Yang, Q.: GPS spoofing: low-cost GPS simulator. In: DEF CON 23, https://www.defcon.org/html/links/dc-archives/dc-23-archive.html, Las Vegas (2015)
17. http://www.rtl-sdr.com/adsb-aircraft-radar-with-rtl-sdr/
18. Balduzzi, M.: AIS exposed: understanding vulnerabilities & attacks 2.0. In: Black Hat Asia, https://www.blackhat.com/asia-14/archives.html, Singapore (2014)
19. http://fr.mathworks.com/products/matlab/
20. Feigin, J.: Practical Costas loop design: designing a simple and inexpensive BPSK Costas loop carrier recovery circuit. RF Design 25(1) (2002)