15th USENIX Security Symposium Abstract
Pp. 43–57 of the Proceedings
How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum and Avishai Wool, Tel Aviv University
Radio-Frequency Identifier (RFID) technology, using the
ISO-14443 standard, is becoming increasingly popular,
with applications like credit-cards, national-ID cards, E-passports,
and physical access control. The security of
such applications is clearly critical. A key feature of
RFID-based systems is their very short range: Typical
systems are designed to operate at a range of 5-10cm.
Despite this very short nominal range, Kfir and Wool
predicted that a rogue device can communicate with an
ISO-14443 RFID tag from a distance of 40-50cm, based
on modeling and simulations. Moreover, they claimed
that such a device can be made portable, with low power
requirements, and can be built very cheaply. Such a device
can be used as a stand-alone RFID skimmer, to surreptitiously
read the contents of simple RFID tags. The
same device can be used as the "leech" part of a relay-attack
system, by which an attacker can make purchases using a
victim's RFID-enhanced credit card, despite any cryptographic
protocols that may be used.
In this study we show that the modeling predictions
are quite accurate. We show how to build a portable,
extended-range RFID skimmer, using only electronics
hobbyist supplies and tools. Our skimmer is able to
read ISO-14443 tags from a distance of ≈25cm, uses a
lightweight 40cm-diameter copper-tube antenna, is powered
by a 12V battery, and requires a budget of ≈$100.
We believe that, with some more effort, we can reach
ranges of ≈35cm, using the same skills, tools, and budget.
We conclude that (a) ISO-14443 RFID tags can be
skimmed from a distance that does not require the attacker
to touch the victim; (b) Simple RFID tags, that respond to any reader, are immediately vulnerable to skimming;
and (c) We are about half-way toward a full-blown
implementation of a relay-attack.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.