SHMOOCON 2009: CHRIS PAGET’S RFID CLONING TALK

When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part of the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.

The Passport Card also uses RFID… but not the same technology as the e-passports that have been issued worldwide. You’re probably familiar with 125 kHz access control cards and 13.56 MHz smartcards, MiFare tags, and e-passports. These are all inductively coupled technologies. The RFID used in Passport Cards is in the 900 MHz band and is a capacitive technology. It’s EPC Class 1 Generation 2, the same sort of technology used to track goods in warehouses. Each EPC has a 96-bit ID number. By design, they have to be readable from a minimum of 30 feet.

To start his research, [Chris] purchased an XR400 RFID reader off of eBay. This is an industrial reader with four antenna ports and Windows CE. He got a terrific deal… because it didn’t work. He guessed that the ball grid array (BGA) solder joints had cracked: putting enough pressure on the chips allowed the device to boot. He repaired the board using a heat gun to reflow the solder. He referenced this video of an Xbox 360 being repaired with the same technique. [bunnie] has a post from last year investigating Xbox 360 RRODs and possible BGA failures.

900 MHz RFID cards are not inductively coupled to the reader, so their read range is not limited by the wavelength. With a ham license in the US, you can broadcast with up to 1500 W. At Defcon this year, [Chris] plans on going for a new read record. He cited the company ThingMagic using 10 W into a 12 dBi antenna and getting 100% read reliability from 213 ft. The theoretical limit for 1500 W through an 18 dBi antenna is 2.35 miles; you’d be limited by how far the tag’s reply can travel back to the reader, though. He’s set up the site RFIDHackers.com to help coordinate efforts.
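To make the range numbers above concrete, here is an added worked example (not code from the talk, from ThingMagic, or from RFIDHackers.com) that models the reader-to-tag forward link with the free-space Friis equation. The 915 MHz centre frequency, the 2 dBi tag antenna gain and the -15 dBm tag turn-on threshold are assumed, round-number values, so the absolute distances it prints depend on them; the robust part is the scaling rule it demonstrates, that range grows only with the square root of radiated power, which is what lets a 1500 W transmitter reach far beyond the 30 ft the spec requires.

```python
"""Free-space link budget for a UHF (EPC Gen2) tag read.

Added illustration for the ShmooCon write-up; the tag parameters are
assumptions, not figures from the talk.
"""
import math

C_M_PER_S = 299_792_458.0      # speed of light
FT_PER_M = 3.28084

# Assumed tag characteristics (not from the talk).
TAG_GAIN_DBI = 2.0             # a dipole-like tag antenna
TAG_SENSITIVITY_DBM = -15.0    # power the tag chip needs to wake up


def db_to_linear(db: float) -> float:
    """Convert a decibel ratio to a linear power ratio."""
    return 10 ** (db / 10)


def eirp_dbm(tx_power_w: float, antenna_gain_dbi: float) -> float:
    """Effective isotropic radiated power of the reader, in dBm."""
    return 10 * math.log10(tx_power_w * 1000.0) + antenna_gain_dbi


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis) between isotropic antennas, in dB."""
    wavelength = C_M_PER_S / freq_hz
    return 20 * math.log10(4 * math.pi * distance_m / wavelength)


def power_at_tag_dbm(tx_power_w, antenna_gain_dbi, distance_m,
                     freq_hz=915e6, tag_gain_dbi=TAG_GAIN_DBI) -> float:
    """Power delivered to the tag chip at a given distance, in dBm."""
    return (eirp_dbm(tx_power_w, antenna_gain_dbi)
            - fspl_db(distance_m, freq_hz) + tag_gain_dbi)


def forward_link_range_m(tx_power_w, antenna_gain_dbi, freq_hz=915e6,
                         tag_gain_dbi=TAG_GAIN_DBI,
                         tag_sensitivity_dbm=TAG_SENSITIVITY_DBM) -> float:
    """Distance at which the tag just receives its turn-on power.

    Solves eirp + tag_gain - fspl(d) = sensitivity for d.
    """
    wavelength = C_M_PER_S / freq_hz
    margin_db = eirp_dbm(tx_power_w, antenna_gain_dbi) + tag_gain_dbi \
        - tag_sensitivity_dbm
    return wavelength / (4 * math.pi) * 10 ** (margin_db / 20)


def range_scaling(p1_w, g1_dbi, p2_w, g2_dbi) -> float:
    """Factor by which free-space range grows when moving from setup 1 to
    setup 2: sqrt of the EIRP ratio, independent of the tag's parameters."""
    eirp1 = p1_w * db_to_linear(g1_dbi)
    eirp2 = p2_w * db_to_linear(g2_dbi)
    return math.sqrt(eirp2 / eirp1)


def scale_measured_range_ft(measured_ft, p1_w, g1_dbi, p2_w, g2_dbi) -> float:
    """Extrapolate a measured read distance to a stronger setup using the
    square-root scaling rule (free space, same tag, same frequency)."""
    return measured_ft * range_scaling(p1_w, g1_dbi, p2_w, g2_dbi)


if __name__ == "__main__":
    # The two reader setups quoted in the talk.
    thingmagic = (10.0, 12.0)      # 10 W into a 12 dBi antenna
    ham_limit = (1500.0, 18.0)     # 1500 W into an 18 dBi antenna

    for label, (p, g) in (("ThingMagic", thingmagic), ("1500 W ham", ham_limit)):
        d = forward_link_range_m(p, g)
        print(f"{label:12s} EIRP {eirp_dbm(p, g):6.1f} dBm  "
              f"model range {d:8.1f} m ({d * FT_PER_M:8.0f} ft)")

    k = range_scaling(*thingmagic, *ham_limit)
    print(f"range multiplier {k:.1f}x; 213 ft measured -> "
          f"{scale_measured_range_ft(213, *thingmagic, *ham_limit):.0f} ft")
    print(f"power at tag at 30 ft, ThingMagic setup: "
          f"{power_at_tag_dbm(*thingmagic, 30 / FT_PER_M):.1f} dBm")
```

Because range goes as the square root of EIRP, doubling transmitter power buys only about 1.4 times the distance, but the jump from 10 W/12 dBi to 1500 W/18 dBi is a factor of roughly 600 in EIRP and therefore about 24 times the range. That is the arithmetic behind the talk's point: a tag designed to answer from 30 ft has no way to refuse a reader that is simply louder and further away.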

Another future project is using the GNU Radio USRP board to do differential power analysis against the Passport Card. It’s a brute force method for extracting the 32-bit kill and lock codes for the tags, which could then be used to deactivate cards.

The goal of [Chris]’ research from the beginning was to show that RFID is unsuitable for safety situations like this. Passport Cards assign a special identifier to each holder. This ID can be read from a distance and correlated with the holder’s other RFID items like their credit card. Any party can track someone holding these cards, and they don’t make border crossings any faster, considering that the cards still have to be checked in person.

The USA is now tracking its residents with the same respect given to items in Walmart.
