15 Jan

During this test exercise we will be using the Bus Pirate (BP) to connect to a MIFARE 13.56 MHz reader/writer (transceiver).

We could just connect the RFID transceiver to a bog-standard USB-to-serial (RS232/TTL) dongle such as those sold by FTDI or other well-known manufacturers.

The approach detailed below has a number of advantages:

1. The Bus Pirate can supply the operating voltage the RFID board needs from its own 3.3 V and 5 V regulators, so no separate supply is required.
2. Using the BP gives us finer control over exactly which bytes are sent to and received from the RFID transceiver; some USB-serial drivers and terminal programs filter or translate the byte stream (line endings, for example) before it reaches the wire.
3. The BP is scriptable, both from its text terminal and through its binary (bitbang) mode.
4. It is more fun.
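To show what points 1 to 3 look like in practice, here is an added example (not code from the original post) that scripts the Bus Pirate from Python: it drops the BP into binary bitbang mode, switches to UART mode, sets the baud rate, turns on the regulators and bulk-writes a frame to the transceiver, reading the acknowledgements back byte by byte. The command bytes are those of the Bus Pirate v3 binary UART protocol; the 9600 8N1 setting, the decision to power the board from the BP, the `FakePort` simulator and the demo frame and reply are assumptions and constructed data, because the page does not give the reader module's own command set.

```python
"""Script a Bus Pirate (v3 firmware) into binary UART mode and talk to a
serial-attached 13.56 MHz transceiver through it.

Added example, not the page's own code. Command bytes follow the Bus Pirate
binary UART protocol: 20 x 0x00 -> "BBIO1", 0x03 -> "ART1", 0x60|speed,
0x80|config, 0x40|peripherals, 0x10|(n-1) bulk write, 0x0F bridge mode.
ASSUMPTIONS: a 9600 baud 8N1 reader module powered from the BP's regulators,
and a made-up demo frame/reply; substitute your module's real command set.
"""

# Speed codes for the 011xxxxx "set UART speed" command (1001 is unused).
BAUD_CODES = {300: 0x0, 1200: 0x1, 2400: 0x2, 4800: 0x3, 9600: 0x4,
              19200: 0x5, 31250: 0x6, 38400: 0x7, 57600: 0x8, 115200: 0xA}


def speed_cmd(baud):
    """011xxxxx: select the Bus Pirate UART baud rate."""
    return bytes([0x60 | BAUD_CODES[baud]])


def uart_config_cmd(push_pull=True, data_parity=0, stop_bits=1, rx_idle_low=False):
    """100wxxyz: w=1 push-pull 3.3 V output (0 = open drain), xx = 0:8/N 1:8/E
    2:8/O 3:9/N, y=1 two stop bits, z=1 RX idles low."""
    return bytes([0x80 | (0x08 if push_pull else 0) | (data_parity << 2)
                  | (0x02 if stop_bits == 2 else 0) | (0x01 if rx_idle_low else 0)])


def periph_cmd(power=False, pullups=False, aux=False, cs=False):
    """0100wxyz: w = regulators on, x = pull-ups, y = AUX pin, z = CS pin."""
    return bytes([0x40 | (power << 3) | (pullups << 2) | (aux << 1) | int(cs)])


def bulk_write_cmd(payload):
    """0001xxxx followed by 1..16 bytes: push payload out of the BP's UART."""
    if not 1 <= len(payload) <= 16:
        raise ValueError("bulk write takes 1..16 bytes")
    return bytes([0x10 | (len(payload) - 1)]) + bytes(payload)


class BusPirateUART:
    """Minimal driver over any object with pyserial-style write()/read(n)."""

    def __init__(self, port):
        self.port = port

    def _expect(self, want):
        got = self.port.read(len(want))
        if got != want:
            raise IOError("Bus Pirate replied %r, expected %r" % (got, want))

    def enter_bitbang(self):
        for _ in range(20):                      # up to 20 nulls enter raw bitbang
            self.port.write(b"\x00")
            if self.port.read(5).endswith(b"BBIO1"):
                return
        raise IOError("no BBIO1 banner from Bus Pirate")

    def enter_uart(self):
        self.port.write(b"\x03")
        self._expect(b"ART1")

    def configure(self, baud=9600, power=True):
        for cmd in (speed_cmd(baud), uart_config_cmd(), periph_cmd(power=power)):
            self.port.write(cmd)
            self._expect(b"\x01")                # every config command is acked with 0x01

    def send(self, frame, reply_len):
        """Bulk-write one frame, consume the per-byte acks, then read the reply."""
        self.port.write(bulk_write_cmd(frame))
        self._expect(b"\x01" * (1 + len(frame)))
        return self.port.read(reply_len)

    def bridge(self):
        """0x0F: become a transparent USB<->UART bridge (reset the BP to leave)."""
        self.port.write(b"\x0f")


class FakePort:
    """Constructed stand-in for a serial port that mimics a Bus Pirate so the
    example runs offline; `reply` is the made-up transceiver response."""

    def __init__(self, reply=b"\x02\x00\xaa\x03"):
        self.reply, self.rx, self.state = reply, bytearray(), "terminal"
        self.zeros = self.pending = 0
        self.uart_out = bytearray()              # bytes that would reach the transceiver

    def write(self, data):
        for b in data:
            if self.state == "terminal":
                self.zeros += 1
                if self.zeros == 20:
                    self.state, self.rx = "bbio", self.rx + b"BBIO1"
            elif self.state == "bbio":
                if b == 0x03:
                    self.state, self.rx = "uart", self.rx + b"ART1"
            elif self.pending:                   # payload byte of a bulk write
                self.uart_out.append(b)
                self.pending -= 1
                self.rx += b"\x01"
                if not self.pending:
                    self.rx += self.reply
            elif (b & 0xF0) == 0x10:             # bulk write header
                self.pending = (b & 0x0F) + 1
                self.rx += b"\x01"
            elif b & 0x80 or (b & 0xF0) in (0x40, 0x60, 0x70):
                self.rx += b"\x01"               # config / speed / peripheral ack

    def read(self, n):
        out, self.rx = bytes(self.rx[:n]), self.rx[n:]
        return out


def run_demo():
    """Bring up the fake Bus Pirate and exchange one made-up frame."""
    port = FakePort()
    bp = BusPirateUART(port)
    bp.enter_bitbang()
    bp.enter_uart()
    bp.configure(baud=9600, power=True)          # assumption: 9600 8N1, board fed by the BP
    return bp.send(b"\x02\x01\x03", reply_len=4), bytes(port.uart_out)


if __name__ == "__main__":
    reply, sent = run_demo()
    print("sent to transceiver:", sent.hex(), "reply:", reply.hex())
```

Against real hardware, replace `FakePort()` with a pyserial port opened at the BP's own USB speed, e.g. `serial.Serial("/dev/ttyUSB0", 115200, timeout=0.5)`, and give `send()` the frame and reply length your transceiver's datasheet specifies. Calling `bridge()` instead of `send()` turns the BP into a plain pass-through, which is handy for a terminal program but gives up the per-byte acknowledgements that make the binary mode useful for checking exactly what went out on the wire.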

Image of our test system, showing the RFID card, antenna loop, RFID transceiver and the Bus Pirate (I will not insult anyone by labeling the parts)

Bus Pirate & MIFARE 13.56 MHz transceiver

Wiring schematic of Bus Pirate & MIFARE 13.56 MHz transceiver

Articles containing RFID chips (besides the BORING old RFID cards)

A door entry card for a housing estate
A passport RFID chip

Reading Data from a device

Writing Data to a device

Additional reading and research papers

“Attacking smart card systems: Theory and practice”
K.Markantonakis, M. Tunstall, G.P. Hancke, I. Askoxylakis and K.E. Mayes. Information Security Technical Report, Vol. 14, Issue 2, pp 46-56, May 2009.
Short overview of smart card attacks for a non-technical audience.

“A Practical Relay Attack on ISO 14443 Proximity Cards”
G.P. Hancke, February 2005.
Authentication protocols in payment or access control systems based on contactless smartcards (or other NFC devices) can be circumvented by simply relaying messages between the reader and smartcard. A proxy device is placed within range of the reader and communicates with another device held close to a valid card. The attack is based on the “grand master chess problem” and it is known that identification of physical entities is vulnerable to such real-time attacks. It should therefore be noted that this paper does not introduce a new attack, nor does it claim to be a high-tech, optimal realization. It describes a very simple working system, using off-the-shelf modules and standard components available from most electronic stores (Maplin etc.), which I thought would be fun to build. Research regarding relay attacks on RFID/contactless cards is limited to a few papers, although many briefly mention it during some handwaving in the introduction.

“Eavesdropping Attacks on High-Frequency RFID Tokens”

“Confidence in Smart Token Proximity: Relay Attacks Revisited”
G.P. Hancke, K.E. Mayes and K.Markantonakis. Elsevier Computers & Security, Vol. 28, Issue 7, pp 615-627. October 2009.
An overview of relay attacks in the smart token environment that discusses attack implementations, implications and possible countermeasures.
