Bruce Schneier


Schneier on Security

A blog covering security and security technology.


June 20, 2006

Build Your Own RFID Skimmer

"How to build a low-cost, extended-range RFID skimmer," by Ilan Kirschenbaum and Avishai Wool. To appear in 15th USENIX Security Symposium, Vancouver, Canada, August 2006.

Posted on June 20, 2006 at 12:56 PM


Comments

FWIW, the recent issue of O'Reilly's Make magazine has instructions for making a simple low frequency RFID tag reader. Some helpful references and links at the magazine's Web site: http://www.makezine.com/06/theorypractice/

Posted by: J.D. Abolins at June 20, 2006 02:22 PM


Conductive mylar bags anyone?
http://www.esdproduct.com/metal-in_esd_bags.html

Posted by: Dave H at June 20, 2006 02:55 PM


Just build a switched faraday cage for your RFID tag...

http://blog.mutatron.com/000035.html

...it could even be constructed as a slip on shell in various form factors. This would let you retrofit an on/off switch to your RFID credit card.

Posted by: Chris S at June 20, 2006 03:32 PM


hmm, time to pop the e-passport in a microwave for a few seconds

Posted by: vk4tu at June 20, 2006 08:39 PM


"hmm, time to pop the e-passport in a microwave for a few seconds"

Supposedly that will invalidate it.

Posted by: Bruce Schneier at June 20, 2006 08:44 PM


So will all these clever documents with RFID chips have a warning message along the lines of

"Do not microwave, expose to high magnetic fields or strong proton or neutron flux. Do not heat to over 700 degrees in a non-oxidising atmosphere. Do not store document near RF transmitters or other sources of non-ionising radiation. Avoid lightning."

Posted by: Geoff Lane at June 21, 2006 12:53 AM


@Geoff Lane

No. But my passport came with a general guideline that I need to treat my passport like "any other portable electronic device" and then talks about bending the passport or getting it wet.

Also there are a few warnings that if the chip did get broken then I could experience delays at borders and airports. Since I have experienced delays with the new card at airports I deduce that the chip must be broken ;).

Posted by: greg at June 21, 2006 03:37 AM


Re invalidating your passport by microwaving it. AFAIK the ICAO standards documents specifically state that the passport should still be a valid document in the event of chip failure. So any border official telling you otherwise would be breaching the very standards they're all so damn keen on meeting, right?

Posted by: John Lettice at June 21, 2006 05:01 AM


Some salient points that I have made before but will repeat.

1) The RFIDs use magnetic loop antennas tuned to approximately the resonant frequency of the RFID reader (say 13.5MHz for argument's sake).

2) All tuned circuits are detectable in a field that is at the frequency of resonance, usually at quite a considerable distance (look up Grid Dip Oscillators and their uses).

3) The tuned circuit will also respond to some close multiple or sub-multiple of the resonant frequency.

4) When a diode or other semiconductor is attached to the tuned circuit the harmonics generated are easily detected (this is how some anti-theft / shoplifting tags work, and how a number of bug detectors work).

5) The range of tuned magnetic coil antennas is proportional to the area of both the receiving coil and the transmitting coil. DHL for instance have systems that work very reliably at well over 2 meters using hand held readers, and coils the size of the package labels.

http://www.idtechex.com/products/en/articles/00000392.asp

and probably considerably higher with a dustbin (trash can) lid size reading coil.

6) The detectable range is probably four to ten times that of the reliable reception range.

7) Also as I have said before, you do not have to be able to read the encrypted data for quite a few attacks. Just detecting the RFID is enough, especially if you can also deduce the chip manufacturer and chip step. This can then give you information on the passport country of origin or date of issue etc...

8) The coil in passports has been maximised to nearly the entire size of the passport so is around 3-5 times the area of a credit card coil. For some reason (possibly reliability or range limiting) the RFID coils in the credit cards I have seen split open have not been maximised.

My guess without sitting down and doing the theoretical math and a few practical experiments (Hey I have a life ;) is that you could detect (!!! please note Detect not Read !!!) a passport at up to 40 meters with a largish detecting coil and sensitive receiver.

As I have also said in the past, if you have control of the area you can set up a cell or other large antenna structure into which people walk (say a corridor), or you can place a passive probe (say a hand rail) that is close to the authorised detecting coil, so that the card re-emission is ducted away to some quite considerable distance.

As an example the old cordless phones (which worked around 47MHz) with their very inefficient antennas have been heard up to 18Km from the base unit, which was supposed to have a maximum usable range of 0.15-0.25Km. On the same multiple you would be looking at an RFID passport re-emission to be possibly readable at up to 35m and detectable at three to five times this range....

I have known the above since the early 1990's when working with other contactless tag systems (for electronic purses). Philips, who manufacture the MiFare system, are well aware of it, but for some reason you never ever see it mentioned in security reviews. Likewise you never saw chip manufacturers mention Differential Power Analysis until it became too obvious to ignore...

So as I have said before, RFIDs of any kind (in your pocket or clothing) are vulnerable and can be used to identify you as part of a target group, without actually reading the data off of the card.

Posted by: Clive Robinson at June 21, 2006 05:18 AM


John Lettice writes: "AFAIK the ICAO standards documents specifically state that the passport should still be a valid document in the event of chip failire."

This opens the way for use of forged documents that do not have the protection of on-chip digitised identity data and digitised photograph, secured against forgery by use of a digital signature.

As a protection against a denial of service attack by chip disablement, on-line checks could be made against the records of the passport-issuing authority. At borders of the country of issue, that would probably be relatively straightforward (excepting those borders where computer communications is difficult).

However, extensive international arrangements would be necessary to provide on-line access more widely. Without careful thought on the security architecture, and some inconvenience of operation, there would be a risk of the unauthorised access to personal data and to the data of passport issuing authorities in other countries.

It would be interesting to know how well all this has been thought out (by ICAO and the nations).

Best regards

Posted by: Nigel Sedgwick at June 21, 2006 07:33 AM


Wow.... A whole 9 inches!! Someone will look really suspicious weaving through a group of people with that copper loop trying to get it within 9 inches of your RFID tag.

And if you crank up the amplifier current to 4A, you can increase the range to a whopping 15 inches!!! That's an awful lot of current to be generating... and an awful lot of heat you have to get rid of to keep your device from giving off smoke signals.

Posted by: Kurt at June 21, 2006 08:22 AM


@kurt:

"Someone will look really suspicious weaving through a group of people with that copper loop trying to get it within 9 inches of your RFID tag"

Unless the antenna is concealed. In clothing, a briefcase or other kind of suitcase, etc.

"And if you crank up the amplifier current to 4A, you can increase the range to a whopping 15 inches!!! That's an awful lot of current to be generating... and an awful lot of heat you have to get rid of"

As impedance is not given in Kfir and Wool's paper, it is not possible to hazard an RMS power consumption out of a current. Additionally, K&W made it pretty clear that the 4A are peak pulse current, that on a 1:10 ratio is just 400 mA.

Posted by: Another Student at June 21, 2006 08:48 AM
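The range-versus-current argument above (Clive's point that range scales with coil area, and the 9-inch / 15-inch / 4 A exchange) is easy to put numbers on with the standard near-field model that a skimmer builder would start from: the magnetic field on the axis of a circular loop of N turns, radius a, carrying current I, at distance r, is H = N I a^2 / (2 (a^2 + r^2)^(3/2)), and an ISO/IEC 14443 card needs at least 1.5 A/m to power up. The following is an added example written for this page, not code from the Kirschenbaum-Wool paper or from any commenter; the coil dimensions and currents in the demo are assumed, and the model is the idealised on-axis case (it ignores tag orientation, the tag coil's own tuning and, importantly, the reverse link, where the reader has to pick up the card's weak load-modulated reply).

```python
import math

# ISO/IEC 14443-2 minimum operating field at the card (rms). The reader must
# deliver at least this much H-field at the card's position for it to power up.
H_MIN_A_PER_M = 1.5


def on_axis_field(turns: int, current_a: float, loop_radius_m: float, distance_m: float) -> float:
    """Magnetic field strength (A/m) on the axis of a circular loop, a distance r
    from its centre (Biot-Savart near-field result, valid while r << wavelength,
    which at 13.56 MHz means anything under a few metres)."""
    a, r = loop_radius_m, distance_m
    return turns * current_a * a ** 2 / (2.0 * (a ** 2 + r ** 2) ** 1.5)


def read_range(turns: int, current_a: float, loop_radius_m: float, h_min: float = H_MIN_A_PER_M) -> float:
    """Largest on-axis distance at which the field still reaches h_min.
    Solves H(r) = h_min for r; returns 0.0 if even r = 0 is below threshold."""
    a = loop_radius_m
    s = (turns * current_a * a ** 2 / (2.0 * h_min)) ** (2.0 / 3.0)  # equals a^2 + r^2 at threshold
    return math.sqrt(s - a ** 2) if s > a ** 2 else 0.0


def current_for_range(turns: int, loop_radius_m: float, distance_m: float, h_min: float = H_MIN_A_PER_M) -> float:
    """Loop current needed so that the field at distance_m just reaches h_min.
    For r >> a this grows as r^3: doubling the range costs ~8x the current."""
    a, r = loop_radius_m, distance_m
    return 2.0 * h_min * (a ** 2 + r ** 2) ** 1.5 / (turns * a ** 2)


def optimal_loop_radius(distance_m: float) -> float:
    """Loop radius that maximises the on-axis field at a given distance for fixed
    N*I: d/da of a^2/(a^2+r^2)^(3/2) vanishes at a = r*sqrt(2). Bigger is not
    always better; a coil much larger than the target distance wastes current."""
    return distance_m * math.sqrt(2.0)


if __name__ == "__main__":
    # Assumed skimmer coil: one turn, 40 cm diameter, 0.4 A then 4 A peak.
    for amps in (0.4, 4.0):
        r = read_range(turns=1, current_a=amps, loop_radius_m=0.20)
        print(f"1 turn, 20 cm radius, {amps:4.1f} A -> powers a card out to {r*100:5.1f} cm")
    # Cost of reaching further with a small coil: current needed at 0.5 m vs 1 m.
    for target in (0.5, 1.0):
        print(f"5 cm radius coil, {target} m target: {current_for_range(1, 0.05, target):8.1f} A")
    print(f"best single-coil radius for a 30 cm target: {optimal_loop_radius(0.30)*100:.1f} cm")
```

The cubic growth in `current_for_range` is the physical reason the paper's extended range tops out at tens of centimetres rather than metres: the forward (powering) link is a near-field problem, and Clive's far-field intuition from cordless phones does not carry over to it. Detecting that a tuned coil is present, as opposed to powering and reading it, is a different and much easier problem.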


Apart from passport skimming, this device has other uses...

What I thing would be interesting (and more legit) is to take this device through the aisles at Wal-mart and other retail outlets that are gearing up for RFID everywhere, database all the information, and post it online so that we can all see what information these folks are tracking when we make our purchase(s).

Frankly, in the spirit of "full disclosure", wouldn't you like to know?

Somewhere there is a college student with some extra time and a need to write a paper...

TG

Posted by: Tom Grant at June 21, 2006 08:54 AM


@Tom Grant

"Wal-mart and other retail outlets that are gearing up for RFID everywhere"

There are several RFID types operating on different frequencies right up to the low microwave bands.

However economies of scale have already come into play and everybody seems interested in the 13.56MHz (HF) RFIDs that will be used for transport tokens, credit cards and passports...

Some of the reasons given are legitimate in that the HF tags can have reasonable sized antennas that will give a range of 50 meters or so for use in the packaging and transportation industries.

Likewise for inventory control etc. Walmart has actually specified the HF ones in clothing as the UHF ones take time for the stock control and checkout personnel to find.

In all applications I have looked at to date the operators are looking for bigger and bigger ranges not smaller...

In one UK experiment RFIDs have been added to Police car number (licence) plates and are easily readable at over 200 meters...

So expect your passport to be read whilst the aircraft is still in international air space... (just sort of kidding).

Posted by: Clive Robinson at June 21, 2006 10:03 AM


Meant to say "What I think"...

I very rarely thing.

TG

Posted by: Tom Grant at June 21, 2006 10:03 AM


Interesting work, but really not a lot of RF expertise.

With better, but still relatively simple radio-ham-style antenna design and RF engineering techniques, they could easily extend the range to tens or hundreds of meters; if this seems improbable, remember that a _small_ home satellite dish can receive a good signal from a satellite in geosynchronous orbit 20,000 miles away, and a slightly larger VSAT dish can uplink over the same distance.

A possible countermeasure: RFID tag protocols should use the physics of the RF link to measure the round-trip communications time to nanosecond accuracy or better: at least this will reduce the size of the volume within which potential attackers can operate.

Posted by: Waldo at June 22, 2006 05:53 AM
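Waldo's countermeasure is what the literature calls distance bounding: after the normal cryptographic handshake, the reader fires a series of single-bit challenges and times each single-bit answer, so a relay (or a skimmer sitting further away than the reader's policy allows) is caught by the extra round-trip time even when every answer bit is correct. The simulation below is an added example for this page, not the paper's or any commenter's code; it uses a Hancke-Kuhn style rapid bit exchange (two response registers derived from a shared key and a session nonce; the protocol name and structure are my choice, not something the page specifies), and all timings are simulated from an assumed speed of light of 0.2998 m/ns, an assumed fixed tag turnaround of 5 ns, and an assumed relay electronics overhead. Keys, nonces and distances in the demo are constructed.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.2998        # assumed speed of light in air, metres per nanosecond (~30 cm/ns)
TAG_PROCESSING_NS = 5.0    # assumed nominal tag turnaround per round; a protocol constant both sides know
N_ROUNDS = 32              # in this scheme a relay that pre-guesses challenges survives a round with prob. 3/4


def response_registers(key: bytes, nonce: bytes, n_rounds: int):
    """Expand HMAC(key, nonce) into two bit registers r0, r1 (Hancke-Kuhn style).
    In round i the correct answer to challenge bit c is r_c[i]. Both sides compute
    this *before* the timed phase so the tag does no crypto inside the timed loop."""
    if n_rounds > 128:
        raise ValueError("at most 128 rounds from one SHA-256 digest")
    digest = hmac.new(key, nonce, hashlib.sha256).digest()
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n_rounds)]
    return bits[:n_rounds], bits[n_rounds:]


class Tag:
    """Simulated tag: holds the shared key and answers one bit per round."""
    def __init__(self, key: bytes):
        self.key = key
        self.r0 = self.r1 = None

    def start_session(self, nonce: bytes, n_rounds: int) -> None:
        self.r0, self.r1 = response_registers(self.key, nonce, n_rounds)

    def answer(self, i: int, challenge_bit: int) -> int:
        return (self.r1 if challenge_bit else self.r0)[i]


class Link:
    """Physical path reader <-> tag: free-space distance plus any relay electronics in between.
    A relay attack is modelled as a long distance (the victim's real position) plus overhead."""
    def __init__(self, distance_m: float, relay_overhead_ns: float = 0.0):
        self.distance_m = distance_m
        self.relay_overhead_ns = relay_overhead_ns

    def round_trip_ns(self) -> float:
        return 2.0 * self.distance_m / C_M_PER_NS + TAG_PROCESSING_NS + self.relay_overhead_ns


def reader_verify(key: bytes, tag: Tag, link: Link, max_distance_m: float,
                  n_rounds: int = N_ROUNDS, nonce=None) -> dict:
    """Reader side. Accept only if every response bit is right AND every round trip
    fits the bound implied by max_distance_m (2*d/c plus the tag's nominal turnaround)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    r0, r1 = response_registers(key, nonce, n_rounds)
    tag.start_session(nonce, n_rounds)
    bound_ns = 2.0 * max_distance_m / C_M_PER_NS + TAG_PROCESSING_NS
    bit_errors = timing_violations = 0
    worst_rtt = 0.0
    for i in range(n_rounds):
        c = secrets.randbits(1)           # fresh, unpredictable challenge bit
        got = tag.answer(i, c)            # tag replies with the bit from the chosen register...
        rtt = link.round_trip_ns()        # ...and the reader clocks the reply
        worst_rtt = max(worst_rtt, rtt)
        if got != (r1 if c else r0)[i]:
            bit_errors += 1
        if rtt > bound_ns:
            timing_violations += 1
    return {
        "accepted": bit_errors == 0 and timing_violations == 0,
        "bit_errors": bit_errors,
        "timing_violations": timing_violations,
        "worst_rtt_ns": worst_rtt,
        "bound_ns": bound_ns,
    }


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    print("genuine tag at 10 cm:   ", reader_verify(key, Tag(key), Link(0.10), max_distance_m=0.5))
    # Relay: proxy card held to the reader, proxy reader at the victim 50 m away, ~20 ns of electronics.
    print("relayed tag 50 m away:  ", reader_verify(key, Tag(key), Link(50.0, relay_overhead_ns=20.0), max_distance_m=0.5))
```

Note what the numbers demand: a 0.5 m bound is only about 3.3 ns of extra round trip, so the reader needs sub-nanosecond timing resolution to enforce it, exactly the "nanosecond accuracy or better" Waldo asks for. A 13.56 MHz carrier period is roughly 74 ns, so this cannot be done with the normal ISO 14443 modulation; practical distance-bounding designs use a separate wideband (UWB) channel for the timed bits. The timing check also does nothing against a skimmer that is simply inside the bound, which is why it shrinks the attacker's volume rather than eliminating it.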


@Waldo

One improvement that immediately springs to mind is to use 15m of RG174 coax and four diodes to form a TX/RX isolator for the receiver.

ie antiparallel diodes down to ground, 5m coax (quarter wave) to antenna, 10m coax from antenna, antiparallel diodes in series to TX output capacitor.

What happens is when not in TX the halfwave is open CCT which makes it look like an infinite impedance at the antenna, so the antenna sees the 50 ohm input impedance of the RX.

When the TX is on all the diodes conduct, those at the end of the quarterwave go short to ground which makes the quarterwave look open CCT at the antenna. The diodes also limit the maximum signal to the RX to less than 0.5 volts so the receiver will not be damaged by the very high voltage of the TX.

This sort of thing was a "bit neat" technology wise back in the late 1970's when I was cutting my teeth on R.F. engineering. Ahh the good old days ;)

My guess is they would get 20-40dB more usable signal at the RX so the range would go up consequently (say a 3 to 7 times improvement in range).

Posted by: Clive Robinson at June 23, 2006 07:13 AM


Oops sorry, the brain's a bit dead this PM (blame it on the heat)

Each 6dB increase in signal at the RX effectively doubles the range so it should say 8-100 times improvement in range.

Time to go put my head in the fridge ;)

Posted by: Clive Robinson at June 23, 2006 07:17 AM


Hi I am Ketan Patel, can you please send me some information on magnetic coil
Thank you

Posted by: ketan at January 4, 2007 11:52 AM


I'd just like to know how to make my own hand-held card skimmer. If you have any additional info please let me know. Thank you for your time. barnbascarl@yahoo.com

Posted by: barnabas at February 1, 2007 01:02 PM


I'd like to know how to disable the chips without destroying them. Some things don't fit in the microwave; also popping a chip can leave unsightly burn holes that could ruin a document, garment, etc. See:

www.prisonplanet.com/022904rfidtagsexplode.html

Posted by: thrival at August 22, 2007 05:25 AM


Powered by Movable Type 3.2. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.