Comments

Geoff Lane • June 21, 2006 12:53 AM

So will all these clever documents with RFID chips have a warning message along the lines of

"Do not microwave, expose to high magnetic fields or strong proton or neutron flux. Do not heat to over 700 degrees in a non-oxidising atmosphere. Do not store document near RF transmitters or other sources of non-ionising radiation. Avoid lightning."

greg • June 21, 2006 3:37 AM

@Geoff Lane

No. But my passport came with a general guideline that I need to treat my passport like "any other portable electronic device" and then talks about bending the passport or getting it wet.

Also there are a few warnings that if the chip did get broken then I could experience delays at borders and airports. Since I have experienced delays with the new card at airports I deduce that the chip must be broken ;).

John Lettice • June 21, 2006 5:01 AM

Re invalidating your passport by microwaving it. AFAIK the ICAO standards documents specifically state that the passport should still be a valid document in the event of chip failure. So any border official telling you otherwise would be breaching the very standards they're all so damn keen on meeting, right?

Clive Robinson • June 21, 2006 5:18 AM

Some salient points that I have made before but will repeat.

1) The RFIDs use magnetic loop antennas tuned to approximately the resonant frequency of the RFID reader (say 13.5MHz for argument's sake).

2) All tuned circuits are detectable in a field that is at the frequency of resonance, usually at quite a considerable distance (look up Grid Dip Oscillators and their uses).

3) The tuned circuit will also respond to some close multiple or sub-multiple of the resonant frequency.

4) When a diode or other semiconductor is attached to the tuned circuit the harmonics generated are easily detected (this is how some anti-theft / shoplifting tags work, and how a number of bug detectors work).

5) The range of tuned magnetic coil antennas is proportional to the area of both the receiving coil and the transmitting coil. DHL for instance have systems that work very reliably at well over 2 meters using hand held readers, and coils the size of the package labels.

http://www.idtechex.com/products/en/articles/...

and probably considerably higher with a dustbin (trash can) lid size reading coil.

6) The detectable range is probably 4 to ten times that of the reliable reception range.

7) Also as I have said before you do not have to be able to read the encrypted data for quite a few attacks. Just detecting the RFID is enough, especially if you can also deduce the chip manufacturer and chip step. This can then give you information on the passport country of origin or date of issue etc...

8) The coil in passports has been maximised to nearly the entire size of the passport so is around 3-5 times the area of a credit card coil. For some reason (possibly reliability or range limiting) the RFID coils in the credit cards I have seen split open have not been maximized.

My guess without sitting down and doing the theoretical math and a few practical experiments (Hey I have a Life ;) is that you could detect (!!! please note Detect not Read!!!) a passport at up to 40 meters with a largish detecting coil and sensitive receiver.

As I have also said in the past, if you have control of the area you can set up a Cell or other large antenna structure into which people walk (say a corridor) or you can place a passive probe (say a hand rail) that is close to the authorised detecting coil, so that the card re-emission is ducted away to some quite considerable distance.

As an example the old cordless phones (which worked around 47MHz) with their very inefficient antennas have been heard up to 18 km from the base unit, which was supposed to have a maximum usable range of 0.15-0.25 km. On the same multiple you would be looking at an RFID Passport re-emission to be possibly readable at up to 35 m and detectable at three to five times this range....

I have known the above since the early 1990's when working with other contactless tag systems (for electronic purses). Philips who manufacture the MiFare system are well aware of it, but for some reason you never ever see it mentioned in security reviews. Likewise you never saw chip manufacturers mention Differential Power Analysis until it became too obvious to ignore...

So as I have said before, RFIDs of any kind (in your pocket or clothing) are vulnerable and can be used to identify you as part of a target group, without actually reading the data off of the card.

Nigel Sedgwick • June 21, 2006 7:33 AM

John Lettice writes: "AFAIK the ICAO standards documents specifically state that the passport should still be a valid document in the event of chip failure."

This opens the way for use of forged documents that do not have the protection of on-chip digitised identity data and digitised photograph, secured against forgery by use of a digital signature.

As a protection against a denial of service attack by chip disablement, on-line checks could be made against the records of the passport-issuing authority. At borders of the country of issue, that would probably be relatively straightforward (excepting those borders where computer communications is difficult).

However, extensive international arrangements would be necessary to provide on-line access more widely. Without careful thought on the security architecture, and some inconvenience of operation, there would be a risk of the unauthorised access to personal data and to the data of passport issuing authorities in other countries.

It would be interesting to know how well all this has been thought out (by ICAO and the nations).

Best regards

Kurt • June 21, 2006 8:22 AM

Wow.... A whole 9 inches!! Someone will look really suspicious weaving through a group of people with that copper loop trying to get it within 9 inches of your RFID tag.

And if you crank up the amplifier current to 4A, you can increase the range to a whopping 15 inches!!! That's an awful lot of current to be generating... and an awful lot of heat you have to get rid of to keep your device from giving off smoke signals.

Another Student • June 21, 2006 8:48 AM

@kurt:

"Someone will look really suspicious weaving through a group of people with that copper loop trying to get it within 9 inches of your RFID tag"

Unless the antenna is concealed. In clothing, a briefcase or other kind of suitcase, etc.

"And if you crank up the amplifier current to 4A, you can increase the range to a whopping 15 inches!!! That's an awful lot of current to be generating... and an awful lot of heat you have to get rid of"

As impedance is not given in Kfir and Wool's paper, it is not possible to hazard an RMS power consumption out of a current. Additionally, K&W made it pretty clear that the 4A are peak pulse current, that on a 1:10 ratio is just 400 mA.

Tom Grant • June 21, 2006 8:54 AM

Apart from passport skimming, this device has other uses...

What I think would be interesting (and more legit) is to take this device through the aisles at Wal-mart and other retail outlets that are gearing up for RFID everywhere, database all the information, and post it online so that we can all see what information these folks are tracking when we make our purchase(s).

Frankly, in the spirit of "full disclosure", wouldn't you like to know?

Somewhere there is a college student with some extra time and a need to write a paper...

TG

Clive Robinson • June 21, 2006 10:03 AM

@Tom Grant

"Wal-mart and other retail outlets that are gearing up for RFID everywhere"

There are several RFID types operating on different frequencies right up to the low microwave bands.

However economies of scale have already come into play and everybody seems interested in the 13.56MHz (HF) RFIDs that will be used for transport tokens, credit cards and passports...

Some of the reasons given are legitimate in that the HF tags can have reasonable sized antennas that will give a range of 50 meters or so for use in the packaging and transportation industries.

Likewise for inventory control etc. Walmart has actually specified the HF ones in clothing as the UHF ones take time for the stock control and checkout personnel to find.

In all applications I have looked at to date the operators are looking for bigger and bigger ranges not smaller...

In one UK experiment RFIDs have been added to Police car number (licence) plates and are easily readable at over 200 meters...

So expect your passport to be read whilst the aircraft is still in international air space... (just sort of kidding).

Waldo • June 22, 2006 5:53 AM

Interesting work, but really not a lot of RF expertise.

With better, but still relatively simple radio-ham-style antenna design and RF engineering techniques, they could easily extend the range to tens or hundreds of meters; if this seems improbable, remember that a _small_ home satellite dish can receive a good signal from a satellite in geosynchronous orbit 20,000 miles away, and a slightly larger VSAT dish can uplink over the same distance.

A possible countermeasure: RFID tag protocols should use the physics of the RF link to measure the round-trip communications time to nanosecond accuracy or better: at least this will reduce the size of the volume within which potential attackers can operate.
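Waldo's proposed countermeasure is a distance-bounding check: the reader times the challenge/response exchange and refuses any response whose round-trip time implies the tag is farther away than the reader's design range. The following Python sketch is an added example, not code from the thread, from any RFID standard, or from any reader vendor. It assumes a constant tag turnaround time (`TAG_PROCESSING_NS`), a reader timer with a stated resolution (`TIMER_RESOLUTION_NS`), and uses constructed timing samples rather than measurements from hardware.

```python
"""Distance-bounding sanity check for a contactless reader (added example).

Models the countermeasure from the comment above: a relay (reader <-> relay
hardware <-> distant tag) can only ever ADD propagation and processing delay
to the round trip, so a response that arrives later than physics allows for
the reader's design range is rejected.

Assumptions, all constructed for this example:
- the tag's turnaround time is a known constant, TAG_PROCESSING_NS
- the reader timestamps with TIMER_RESOLUTION_NS granularity
- the sample RTT lists below are made up, not captured from real hardware
"""
from statistics import median

SPEED_OF_LIGHT_M_PER_NS = 0.299792458  # metres travelled per nanosecond
TAG_PROCESSING_NS = 50.0               # assumed fixed tag turnaround time
TIMER_RESOLUTION_NS = 1.0              # assumed reader timestamp granularity


def rtt_upper_bound_ns(max_range_m: float) -> float:
    """Longest round-trip time consistent with a tag within max_range_m.

    Out-and-back flight time (2 * range), plus the tag's turnaround time,
    plus one timer tick of measurement slack.
    """
    flight_ns = 2.0 * max_range_m / SPEED_OF_LIGHT_M_PER_NS
    return flight_ns + TAG_PROCESSING_NS + TIMER_RESOLUTION_NS


def distance_from_rtt_m(rtt_ns: float) -> float:
    """Upper bound on tag distance implied by a single round-trip sample."""
    flight_ns = max(0.0, rtt_ns - TAG_PROCESSING_NS)
    return flight_ns * SPEED_OF_LIGHT_M_PER_NS / 2.0


def check_distance_bound(rtt_samples_ns, max_range_m: float) -> dict:
    """Decide whether the responding tag can be within max_range_m.

    The decision uses the FASTEST sample: added delay from a relay or a longer
    path can only make a measurement larger, so the minimum RTT is the most
    conservative estimate of how close the tag really is. Averaging would let
    an attacker hide a long path behind a few lucky short samples.
    """
    if not rtt_samples_ns:
        return {"accepted": False, "reason": "no measurements"}
    fastest = min(rtt_samples_ns)
    bound = rtt_upper_bound_ns(max_range_m)
    accepted = fastest <= bound
    return {
        "accepted": accepted,
        "fastest_rtt_ns": fastest,
        "median_rtt_ns": median(rtt_samples_ns),
        "implied_distance_m": round(distance_from_rtt_m(fastest), 3),
        "allowed_rtt_ns": round(bound, 3),
        "reason": "within range" if accepted
                  else "timing implies tag beyond reader range",
    }


if __name__ == "__main__":
    READER_RANGE_M = 0.10  # a reader designed for ~10 cm operation

    # Constructed samples: a genuine tag a few centimetres from the reader.
    legit = [50.4, 50.6, 50.3]
    # Constructed samples: the same exchange relayed through extra hardware
    # and a longer path, adding roughly 200 ns to every round trip.
    relayed = [250.3, 251.0, 249.8]

    for label, samples in (("genuine", legit), ("relayed", relayed)):
        print(label, check_distance_bound(samples, READER_RANGE_M))
```

The hard part in practice is the assumption of a constant tag turnaround: the tag's processing jitter has to be far smaller than the flight time you want to resolve, which is why real distance-bounding protocols rely on a rapid bit-exchange phase with almost no logic on the tag side rather than timing a whole command/response.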

Clive Robinson • June 23, 2006 7:13 AM

@Waldo

One improvement that immediately springs to mind is to use 15m of RG174 coax and four diodes to form a TX/RX isolator for the receiver.

i.e. antiparallel diodes down to ground, 5m coax (quarter wave) to antenna, 10m coax from antenna, antiparallel diodes in series to TX output capacitor.

What happens is when not in TX the halfwave is open CCT which makes it look like an infinite impedance at the antenna, so the antenna sees the 50 ohm input impedance of the RX.

When the TX is on all the diodes conduct, those at the end of the quarter wave go short to ground which makes the quarter wave look open CCT at the antenna. The diodes also limit the maximum signal to the RX to less than 0.5 volts so the receiver will not be damaged by the very high voltage of the TX.

This sort of thing was a "bit neat" technology wise back in the late 1970's when I was cutting my teeth on R.F. engineering. Ahh the good old days ;)

My guess is they would get 20-40dB more usable signal at the RX so the range would go up consequently (say a 3 to 7 times improvement in range).

Clive Robinson • June 23, 2006 7:17 AM

Oops, sorry, the brain's a bit dead this PM (blame it on the heat).

Each 6dB increase in signal at the RX effectively doubles the range so it should say 8-100 times improvement in range.

Time to go put my head in the fridge ;)

ketan • January 4, 2007 11:52 AM

Hi I am Ketan Patel, can you please send me some information on magnetic coil.
Thank you

barnabas • February 1, 2007 1:02 PM

ILL JUST WILL LIKE TO KNOW HOW TO MAKE MY OWN HAND HELD CARD SKIMMER IF YOU HAVE ANY ADDIONAL IFO PLEASE LET ME KNOW THANK YOU FOR TIME barnbascarl@yahoo.com

thrival • August 22, 2007 5:25 AM

I'd like to know how to disable the chips without destroying them. Some things don't fit in the microwave; also popping a chip can leave unsightly burn holes that could ruin a document, garment, etc. See:

www.prisonplanet.com/022904rfidtagsexplode.html

KILLO • May 6, 2009 11:21 AM

Does anyone know how to make a small card skimmer? Or how to make anything like a scanner which can take pictures of both sides of a credit card and which sends information wirelessly?

let me know if you know anything!

letmebuyone@hotmail.com

Jim • June 7, 2009 6:18 AM

I'd like to use an RFID system to record and time bicycle races. Criterium-format events routinely have 20+ laps over the course. Some riders get lapped. Riders cross the finish line at 35+ mph.
AMB has a solution package that is much too costly ($14,000+) for a local club.
Can you recommend an inexpensive solution?
Go Fast ... JIM

Student • August 25, 2010 4:11 PM

Hey Guys,
I am a college student who enjoys tinkering in his spare time. I have been researching RFID recently because I have several projects that involve using RFID for accessing different things and one of my goals is to use my student ID. However I do not know what the frequency is or any of the data on it other than that it lets me in doors, and those I have asked at the campus haven't been able to help. So if I want to use my student ID with my projects I'll either have to get lucky asking the right people on campus or build a skimmer. I have read the paper by Ilan and Avishai, however it is a bit above my head. I am wondering if any of you know of any similar projects or explanations of how to build an RFID skimmer that might be a little bit easier to digest. My budget is relatively low and what I don't know I make up for by picking up books at the library.

So any advice would be great! Thanks!
-PS it WOULD be fun to see exactly what is on my passport

Thanks guys
-Student

Clive Robinson • August 25, 2010 6:00 PM

@ Student,

Before you do much else you need to check with your project supervisor that what you intend to do with your ID is allowable within the rules of your institution.

They own the system and the cards etc and may well not want it to be used as part of a project.

However you may still have to show that you have some knowledge of what you are doing so a little background knowledge would possibly help.

Most cards and readers have a manufacturer's name or logo on them; if you can identify them you can look them up on the Internet to get catalogues etc. that will provide some if not all the information you require (look for expressions such as "compatible with" or "compliant with" and standards indicators such as ISO or CENELEC that you can then further look up).

Also as all these cards are externally energised by an EM signal from the reader a small pocket frequency meter and loop probe should tell you the frequency of operation. A few are LF, many are HF and cheaper ones VHF and UHF, the latter ones often working in ISM bands that require no licence.

You can usually obtain the reader heads from various companies and they cost between 50 & 500 USD depending on what you get. I would advise against building your own head end as the work involved in getting it to work correctly is a project in itself.

Finally even if you do have all the system information you may not be able to get it to work simply because some systems involve encryption for which you would require the "secret key".

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.