Schneier on Security
A blog covering security and security technology.
April 13, 2005
Bluetooth Sniper Rifle
We've all known that you can intercept Bluetooth communications from up to a mile away. What's new is the step-by-step instructions necessary to build an interceptor for yourself for less than $400. Be the first on your block to build one.
Is there anyone who can make a reasonable argument that RFID won't be similarly interceptable?
Posted on April 13, 2005 at 12:47 PM
"In Part 2 of this article, we will explore how to install various open-source and never-before-released Bluetooth sniffing and attack tools on the Gumstix computer"
Nice How-To. A great feature to add would be a transparent HUD guidance system that would post targets as they are pointed to. Perhaps even involving laser targeting to allow the user to see the distance of the BT object they are attacking.
Maybe after part 2 we will start seeing these babies on eBay.
The main reason that RFID will be more difficult to intercept in this manner, although possible, is that the RFID frequency and power are much lower than Bluetooth on a Blackberry for instance.
RFID tags usually run in the 10-25 MHz range at 10-50 dBµA/m while Bluetooth on a Blackberry would run in the 2.5 GHz at 2.5mW.
RFID will have two different risk modes. There is an r^2 law effect on listening to the traffic between an RFID reader and device. There is an r^4 law for actual communications. There is also an antenna size issue for RFID.
The "rifle" is getting about a 40db gain, which is about what you would expect for a good antenna. With 40db gain and an r^2 law (which is what applies to Bluetooth) you get a 20db distance gain, or 100x improvement. Since normal Bluetooth range limits are 10-50ft, the quoted "up to a mile" sounds right.
With the same 40db gain (but see below) an RFID eavesdropper could listen to traffic at a checkout counter at 100x improvement. Normal RFID operating distances are a few feet, so the eavesdropping threat will be to a range of a few hundred feet. But for RFID query (where the RFID device is not powered) the r^4 law means only a 10x gain. So that will mean only a 15-30ft range. A hidden device could capture data from people walking by on the sidewalk, but not across a roadway. To get across a roadway would take 50-60 db gain, and that is very difficult.
A further factor is the difference in frequency. Antenna gain is vaguely proportional to the ratio of antenna size and wavelength. The 2.5GHz for Bluetooth is roughly 12cm, so the roughly 1m "rifle" is 10x the wavelength. To be 10x the wavelength of 25 MHz means an antenna that is 100m big, or roughly the size of a soccer field. RFID that operates at higher frequencies will be easier to penetrate.
I think eavesdropping longer range RFID traffic, like automobile toll roads and warehouse shipping crates, will be feasible at modest cost. That eavesdropping risk is real. Maybe someone could hide an antenna with expensive receiver in a van to eavesdrop on a store's checkout traffic. But secretly querying RFIDs will be difficult.
Those are great arguments, but will the r^4 (which is a constraint on reliable communication) hold against all security attacks?
My experience is (and Bruce loves to say this) the attacks get better. Motivate people and they'll listen to cell phone calls from space.
People falling from the sky without parachutes have been even more motivated to violate the laws of physics and still managed to be unsuccessful.
Of course it isn't "new" (This premise noted on the first line where BS stated that we've all known about it).
The idea is that there is now a "How-To" available for those individuals that want to build their own. (... But have to wait until Part 2 to program it)
I'm sure pointing this device at banks and other large buildings in downtown L.A. won't attract ANY unwanted attention...
Many common high-frequency passive RFID typically operates at 13.56 MHz - a 22 metre wavelength. And the low-frequency RF tags (in car keys, for example) are down around 135 kHz - that 2000 metre wavelength makes for a big antenna.
I'm looking forward to Part 2, since it isn't clear from the article if they can actually communicate out to the Bluetooth devices, or if this is more of a BlueSniffer than a BlueSniper. And although there is a certain type of cool with the rifle version, I think that more cool would be had with a 24dBi parabolic antenna. That, and it would draw less potentially hostile attention.
People falling from buildings are short on both time and resources. Give me a week, and I'll learn to skydive, hang-glide, or rappel, and then you can defenestrate me.
So, sure. Laws of physics are laws of physics. I like betting on human ingenuity.
I have some questions on the r^4 factor.
Are the RFIDs powered by frequencies similar to those they transmit on? If the power frequency was much higher, a smaller antenna could beam the power. This will deliver constant power, independent of distance, for sufficiently small distances. (Limiting distance proportional to D^2/lambda, I think.)
Hm, I think this is the vital point: although you have two r^2 factors working against you, you have two antenna gain factors working for you: one for the power transmission antenna, one for the signal detection antenna. (Possibly these might be the same antenna, but it still acts for you twice.)
Note that antenna size/gain is not the only way we can improve range - we can also increase power transmission. RFIDs are presumably designed to be read by fairly low power equipment, so increasing the power transmitted by a factor of 100 or more should be viable - which increases range by another factor of 3.
Under special circumstances, we might also be able to 'piggyback' off a closer power source - e.g. the road-tolls RFID system might power the stock-control RFIDs of a truck's cargo. Can RFIDs be activated by proximity to power pylons?
"Are the RFIDs powered by frequencies similar to those they transmit on?"
That's the point, RFID tags, at least the passive kind, do not transmit, they merely modulate their reflection of the RF being transmitted by the RFID reader.
All of this assumes, of course, that you are using a tag protocol that doesn't require the RFID reader to transmit the entire id out to the tag to perform some operation on it. Some do. Some don't.
Keep in mind that the RFIDs in e-passports are different from the WalMart ones. They are designed with a maximum readable range of only about 6 inches. Based on the analysis above the rifle could only query those tags from a distance of 5 feet due to the 4th power factor. Pointing a rifle at someone from 5 feet away is going to be conspicuous.
Eavesdropping on a legitimate query of the e-passport would be possible at a larger distance of about 50 feet. But if the querying happens at a customs station within an airport, it will probably not be easy for criminals to set up antennas within the necessary range, since airports are relatively high security environments these days. I'd imagine that aiming a bluetooth rifle inside an airport's perimeter would be a good way to get yourself killed.
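The link-budget scaling behind the r^2/r^4 argument earlier in the thread, applied to the e-passport figures in the comment above, as an added Python example (not code from the post or any commenter). The 40 dB gain, the path-loss exponents and the 6 inch nominal range are the thread's numbers; the frequencies are the ones quoted in the thread, and the 10-wavelength antenna rule of thumb is the commenter's, not a measured figure.

```python
"""Link-budget scaling for the RFID/Bluetooth range argument in this thread.

Constructed example: the gain figure (40 dB), path-loss exponents and nominal
ranges are taken from the comments; nothing here is measured data.
"""

C = 299_792_458.0  # speed of light, m/s


def wavelength_m(freq_hz: float) -> float:
    """Free-space wavelength for a carrier frequency."""
    return C / freq_hz


def range_factor(gain_db: float, path_loss_exponent: int) -> float:
    """Range multiplier bought by `gain_db` of link gain when received power
    falls off as 1/r**n.  40 dB is a factor 10**4 in power: with n=2
    (one-way: eavesdropping, or a self-powered Bluetooth device) that is
    10**2 = 100x in distance; with n=4 (two-way: the reader must both power
    the tag and hear its backscatter) it is only 10**1 = 10x."""
    return 10 ** (gain_db / (10 * path_loss_exponent))


def power_range_factor(power_multiplier: float, path_loss_exponent: int) -> float:
    """Same idea for raw transmit power: 100x power under a 1/r**4 law
    buys only 100**(1/4), about 3.2x, in range."""
    return power_multiplier ** (1 / path_loss_exponent)


def reach_m(nominal_range_m: float, gain_db: float, path_loss_exponent: int) -> float:
    """Nominal operating range stretched by the gain under the given law."""
    return nominal_range_m * range_factor(gain_db, path_loss_exponent)


def antenna_size_for(freq_hz: float, wavelengths: float = 10.0) -> float:
    """Aperture needed to be `wavelengths` across at this frequency, in
    metres (the thread's rule of thumb for a high-gain antenna)."""
    return wavelengths * wavelength_m(freq_hz)


if __name__ == "__main__":
    GAIN_DB, INCH, FOOT = 40, 0.0254, 0.3048
    epassport = 6 * INCH  # 6 inch nominal read range quoted in the thread
    print(f"eavesdrop (r^2): {reach_m(epassport, GAIN_DB, 2) / FOOT:.0f} ft")
    print(f"query     (r^4): {reach_m(epassport, GAIN_DB, 4) / FOOT:.0f} ft")
    for label, f in [("Bluetooth 2.45 GHz", 2.45e9), ("HF RFID 13.56 MHz", 13.56e6),
                     ("LF RFID 135 kHz", 135e3)]:
        print(f"{label}: wavelength {wavelength_m(f):.3g} m,"
              f" 10-wavelength antenna {antenna_size_for(f):.3g} m")
```

The two reach figures reproduce the 50 ft eavesdropping and 5 ft querying distances from the comment, and the 135 kHz line shows why the car-key tags mentioned earlier need an antenna measured in kilometres to get comparable gain.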
I see now what you (and I guess Bruce) are saying. But, to cj and Cypherpunks' point, how stupid is it to create something that looks like a "rifle" that is really an antenna? I mean that's great if you want to get yourself shot, but how about something a little more practical? The Defcon presentation (watch the movie) was prestaged by a feeble statement "this is NOT a real weapon. Do not shoot us."
Novelties are novelties. If you want instructions (or to see when they really hit the press) you should look in the usual places. Heck even Popular Science had a do-it-yourself piece last October:
Oh, and here's June 2004:
Or you can read the instructions from July 2004 here:
And then there were the widely discussed tests last year by an engineering team with full documentation that proved a range of over 1 mile...but I hope I've made my point. This is not NEW.
Anyway, the simple fact remains that the real threat for bluetooth attacks is in crowded public spaces. If you stand with an antenna on a platform above commuters at rush hour, you will harvest sufficient information at rush hour within 50 meters. If you really want to scan an office building, there are typically only a few primary egress points all within a few hundred feet.
The main difficulty with RFID is if you have to supply the power to it (through the induction loop). It is very difficult to supply power at a long range. So an active long range attack is very difficult. (Bluetooth is different in having its own power source).
But it is different in the case where a legitimate reader is reading the card (and thus supplying the power at short range). Listening in could potentially be done from quite a distance. (Passive attack).
Passive listening is a real threat: imagine, some guy with a notebook sitting at the airport would be able to record all this password information of all the people who get the password checked.
It is important to remember that the "output power" of an RFID is not proportional with the power of the "illuminating" source. In other words, if you try to inject 2 GW (gigawatts) of RF power beamed on a single RFID, don't expect to receive even 1 watt of reflected transmission. Most of the RFID systems are passive devices (from an RF point of view, not a "component" point of view). That means that you cannot indefinitely compensate the distance between the RFID and the "reader" with the help of a higher radiating power.
Some of the high-end RFID systems are using SHF or hyperfrequencies bands… the use of very short wavelength could change this point of view, knowing that power consideration and "line of sight" transmission mechanisms are reacting differently than short waves (25MHz).
Imho, the "bluesnipper" is just a funny piece of gear, totally inefficient, definitely unusable. If you really intend to eavesdrop or interfere with a Bluetooth device, you'd better use a bigger antenna located far away from the listened device, using low noise input amplifiers and high quality silver/Teflon cables. And this for several reasons:
- a big dish located 2 miles away and installed on a solid pole (or mast) is less remarkable than a serial killer looking dude playing with a M16 like antenna in the vicinity of a business building. (Edgar Allan Poe, "the stolen letter", about the "unseen visible evidences"). Do you ever remark professional dishes located along the 101 highway?
- a big dish on a pole is more stable and easier to beam on a precise focus than a hand-held listening device. Let's try to aim at a target during more than 5 minutes… even with a "large" radiation pattern (yagi, helix, quad, shorted backfire antenna). You'll be tired before the decoding the first megabyte…
- if you intend to launch a "man in the middle" attack on the target, no network administrator will have the idea to look at -2 miles away- the presence of a rogue transmitter (excepted if this guy is a RadioHam, a trained military radio officer or a field RF technician able to know what radiogoniometry is)
The r^4 effects have held up for the past century and since they are derived from basic physics. They are safe. Nobody has beaten them yet.
What does happen is targeting the S/N in other ways. Tracking spot beams improve S while decreasing N. Increased power improves S. (There are limits here, since the RFID transmitter is also internally power limited by design. It is a powered device, but only pulls the power needed for its design use. Transmitting more power does not change this.) Better receivers improve both S and N. These are all linear effects.
Eavesdropping from parking lot and beyond is a potential threat that is within range of reasonable hardware. I'm not sure what the risks are from listening to warehouses, checkout counters, toll booths, etc. It depends on what information is part of the RFID transaction. I would not use an RFID enabled credit card for instance.
Communications risk is there in the very near field. Reading RFIDs while someone walks past could be a risk. Don't worry about someone scanning RFIDs across a roadway or parking lot.
The point is that the radius of risks is reasonably constrained. Entertaining toys don't change this significantly.
With regard to the low frequency of some RFIDs (10-40MHz) normally an antenna with gain at these frequencies would be very large (think LPDA with a 15 meter back element) and the sort of thing you would normally see on Diplomatic missions.
Well, many years ago three bods in the UK reworked Maxwell's equations and came up with an idea they implemented as the Cross Field Antenna (CFA). This is an electrically small antenna and would be quite small at the low frequencies the Passport RFIDs work at (probably not much bigger than a beer barrel).
I know there has been a lot of controversy over the CFA and if it works or not, but there are quite a few people out there using them quite happily.
As for the Bluetooth interception dish idea, wouldn't it be even more practical to get a smaller interceptor that could be hidden in a coat sleeve and get closer to the source? Even if the smaller one had a range of only 100m, that would be plenty for many purposes.
If I were a spy, I wouldn't want to get a truck and a crew to install my listening device every time I needed to use it. The point of the rifle design is portability.
It's similar with RFID interception, though you'd want to be even more inconspicuous--attaching a line of devices at waist to shoulder height, for instance, could randomly pick up quite a few passports belonging to passersby. Good for identity theft, bad for anything more targeted.
yes, precisely. the ideal setup is a concealed directional antenna, similar to concealed portable video recorders. the best ones i've seen have been made from parts readily available at a cooking or dollar store (you can assemble them after reaching an urban area, rather than carry an entire kit, to avoid raising suspicion in transit)
the point of the rifle is to draw attention, which it seems to be doing quite well. maybe if they give it a sexy name or have a naked woman holding it, or make it suitable for storing hard liquor, it will be even more successful. engineering and practicality are clearly tertiary, which is also probably why it was presented at defcon instead of an IEEE meeting.
I heard about this on NPR a couple days ago. It was mentioned that you could possibly use this technology to literally track an individual with a vulnerable Bluetooth device - like a GPS....
I wonder if it also be used as a homing beacon for a smart bullet (re: The movie: Runaway) or smart missile (re: reality).
The developers/manufacturers of the Bluetooth protocol and Bluetooth devices had better SERIOUSLY start implementing security, or face rapidly declining sales figures!
I'm certainly not going to be purchasing ANYTHING with Bluetooth in it - and I'll warn all of my clients to do the same.
'That means that you cannot indefinitely compensate the distance between the RFID and the "reader" with the help of a higher radiating power.'
But you can compensate up to the distance at which you could conduct a passive attack.
Another unrelated thought: Say you need a 2 metre antenna to do this spying effectively. A 2 metre parabolic dish is hard to hide, especially if you need to be able to aim it. However, a phased array of small antennae would avoid this problem: 'steerable' by software, and it can be pretty much any shape so long as it is about 2 metres across. Get a van, replace the metal panelling by fiberglass, coat the interior with the small antennae. Not only do you have a spy platform that is inconspicuous from the outside, you might even be able to make it inconspicuous from the inside.
I expect the CIA or NSA could do this today.