Practical RFID Attacks
M. Meriac & H. Plötz

Outline:
- Introduction
- Preliminaries
- ISO 14443
- Card types
- Mifare
- ISO 14443-4
- Sniffing results
- Hardware Toolset
- Oscilloscope
- OpenPCD
- OpenPICC
- Attacks
- The End

Practical RFID Attacks
Chaos Communication Camp 2007
Milosch Meriac, meri@openpcd.org
Henryk Plötz, henryk@ploetzli.ch
2007-08-10
(1/30) CCCamp2007 – 2007-08-10
ISO 14443
- international standard for Proximity Integrated Circuit Cards (PICC)
- works on 13.56 MHz
- four parts:
  1. physical characteristics
  2. radio frequency power and signal interface
  3. initialization and anticollision
  4. transmission protocol
- two types (parts 2 and 3):
  A: most common, used in Mifare
  B: less common, transmits more power to the card, used in some ePassports
ISO 14443A Modulation: PCD to PICC
- type A uses 100% Amplitude Shift Keying (ASK) for the data from PCD to PICC
- the carrier is switched off for very short amounts of time
- easily receivable over a long range (as in 5 m, maybe 10 m, maybe more, depending on your receiver)
- easy to see in the amplitude demodulated signal
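As an added example (not from the slides and not the authors' code), a Python model of the PCD-to-PICC channel: it goes beyond the slide by implementing the ISO 14443A modified Miller bit coding that sits behind the 100% ASK, renders a reader frame as its amplitude envelope, and recovers the bits again by nothing more than thresholding samples, which is why reader commands must be assumed observable at a distance. The sample counts per bit period and per pause are assumptions chosen for illustration, not real sampling rates.

```python
# Added example (not from the slides): ISO 14443A PCD->PICC bit coding as the
# amplitude envelope a receiver sees. The reader uses modified Miller coding:
# sequence X = pause mid bit period, Y = no pause, Z = pause at the start.
# Logic 1 = X; logic 0 = Y, but Z after a 0 or right after start of communication.
# Start of communication (SOC) = Z; end of communication (EOC) = logic 0 then Y.
# Real timing: bit period 128/fc (about 9.44 us), pause 2-3 us; the sample
# counts below are constructed for illustration, not real sampling rates.
SAMPLES_PER_BIT, PAUSE = 8, 2
CARRIER_ON, CARRIER_OFF = 1.0, 0.0

def _sequences(bits):
    """Map data bits to the X/Y/Z sequences of one frame, SOC through EOC."""
    seqs, prev = ["Z"], None          # SOC; prev=None: first bit after SOC
    for b in list(bits) + [0]:        # trailing logic 0 starts the EOC
        seqs.append("X" if b == 1 else ("Z" if prev in (None, 0) else "Y"))
        prev = b
    return seqs + ["Y"]               # EOC: logic 0 followed by Y

def encode(bits):
    """Envelope (one float per sample) of a reader frame; pause = carrier off."""
    env = []
    for s in _sequences(bits):
        period = [CARRIER_ON] * SAMPLES_PER_BIT
        start = {"X": SAMPLES_PER_BIT // 2, "Z": 0}.get(s)
        if start is not None:
            period[start:start + PAUSE] = [CARRIER_OFF] * PAUSE
        env.extend(period)
    return env

def decode(env, threshold=0.5):
    """Recover data bits from an envelope: any sample below threshold is a pause."""
    seqs = []
    for i in range(0, len(env), SAMPLES_PER_BIT):
        p = env[i:i + SAMPLES_PER_BIT]
        seqs.append("Z" if p[0] < threshold
                    else "X" if p[SAMPLES_PER_BIT // 2] < threshold else "Y")
    if not seqs or seqs[0] != "Z":
        raise ValueError("no start of communication")
    bits = []
    for prev, s in zip(seqs, seqs[1:]):
        if s == "Y" and prev != "X":  # Y after Y or Z happens only in the EOC
            return bits[:-1]          # drop the EOC's own logic 0
        bits.append(1 if s == "X" else 0)
    raise ValueError("no end of communication")

def pause_fraction(env, threshold=0.5):
    """Share of the frame with the carrier off: short pauses, but 100% deep."""
    return sum(1 for v in env if v < threshold) / len(env)

# REQA short frame: the 7 bits of 0x26, sent LSB first (constructed test input).
REQA_BITS = [0, 1, 1, 0, 0, 1, 0]
```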
ISO 14443A Modulation: PICC to PCD
- type A uses load modulation on an 847 kHz subcarrier for the data from PICC to PCD
- the card repeatedly switches a load (a resistor) on and off
(figure: PCD / PICC circuit)
- very weak signal: about 60 dB to 80 dB below the carrier signal
- hard to receive over distances of more than a dozen cm, very hard to r