From the archive, originally posted by: [ spectre ]
http://www.cs.vu.nl/~melanie/rfid_guardian/papers/lisa.06.pdf
from boingboing:
Personal firewall for the RFIDs you carry
“A Platform for RFID Security and Privacy Administration is a paper by
Melanie R. Rieback and Georgi N. Gaydadjiev that won the award for Best
Paper at the USENIX LISA (Large Installation Systems Administration)
conference today. It proposes a “firewall for RFID tags” — a device
that sits on your person and jams the signals from all your personal
wireless tags (transit passes, etc), then selectively impersonates them
according to rules you set. Your contactless transit card will only
send its signal when you authorize it, not when some jerk with an RFID
scanner snipes it as you walk down the street. The implementation
details are both ingenious and plausible — it’s a remarkable piece of
work. Up until now, the standard answer to privacy concerns with RFIDs
is to just kill them — put your new US Passport in a microwave for a
few minutes to nuke the chip. But with an RFID firewall, it might be
possible to reap the benefits of RFID without the cost.
This is a must-read paper for anyone who cares about electronic privacy
and who wants to catch a glimpse of the future.
Tag Spoofing Demystified
“RFID readers produce an electromagnetic field that powers up RFID
tags, and provides them with a reference signal (e.g. 13.56 MHz) that
they can use for internal timing purposes. Once an RFID tag decodes a
query from an RFID reader (using its internal circuitry), it encodes
its response by turning on and off a resistor in synchronization with
the reader’s clock signal. This so-called “load modulation” of
the carrier signal results in two sidebands, which are tiny peaks of
radio energy, just higher and lower than the carrier frequency. Tag
response information is transmitted solely in these sidebands2, rather
than in the carrier signal. Figure 5 (from the RFID Handbook[6])
illustrates how these sidebands look, in relation to the
reader-generated carrier frequency. The comparatively tiny sidebands
have approximately 90 decibels less power than the reader-generated
carrier signal, and this is the reason why RFID tag responses often
have such a limited transmission range.
The secret to creating fake tag responses is to generate the two
sideband frequencies, and use them to send back properly-encoded
responses, that are synchronized with the RFID reader’s clock signal.
The simplest way to generate these sidebands is to imitate an RFID tag,
by turning on and off a load resistor with the correct timing. The
disadvantage of this approach is that passive modulation of the reader
signal will saddle our fake tag response with identical range
limitations as real RFID tags (˜10 cm for our test setup).””