

Building an RFID Proximity Card Cloner for $30 - trotsky
http://proxclone.com/reader_cloner.html

======
heyrhett
This is why Richard Stallman recommends that you wrap your RFID card in
aluminum foil.

http://slashdot.org/articles/05/11/19/149242.shtml?tid=133&#...

~~~
gvb
Hmmm, how effective is aluminum foil in blocking the RFID? Despite having "RF"
in the name, the signal is primarily magnetic induction.

One Google hit says "helps a lot, but doesn't prevent":
<http://www.omniscienceisbliss.org/rfid.html> Note that the picture of the
reader and the unshielded read distance (18") indicate it is the long
distance version.

I'll have to experiment at work tomorrow. ;-)

~~~
tgflynn
Electromagnetic signals are attenuated exponentially in metals with a
frequency-dependent decay constant called the skin depth. The formula is given
in this Wikipedia page:

<http://en.wikipedia.org/wiki/Skin_depth>

If you know what frequency RFID uses and the thickness of the foil you can
easily calculate how much attenuation you'd get.

~~~
gvb
125KHz => 0.024mm skin depth

Looks like typical aluminum foil is thicker than that. The box in our kitchen
doesn't say how thick it is, but the Wikipedia page indicates it is likely
thicker than 0.025mm since it needs to be thicker than that to be impermeable
to oxygen and water.

Ref: <http://en.wikipedia.org/wiki/Aluminium_foil#Properties>

~~~
tgflynn
Hmm, one of us is off by an order of magnitude, I get 0.24 mm.

For Al foil thickness I'm seeing conflicting numbers from 0.2 to 1.1 mm. If my
cheap digital micrometer hadn't died I'd measure some.

If my skin depth is right then the attenuation probably won't be complete, if
yours is then it might nearly be. Of course that's only the case if the
receiver and/or transmitter is completely wrapped. Although at low frequencies
like that you could probably tolerate quite a large gap.

~~~
gvb
You are right, 0.24mm. I did the m->mm conversion in my head (d'oh).

My cheap digital micrometer only has two digits of precision in mm mode.
Measuring my cheap (not "heavy duty") aluminum foil is at the limits of its
resolution, 0.01mm.

~~~
tgflynn
I folded a sheet of heavy duty foil into 16 sheets and tried to measure the
thickness and it was still << 1mm, so I think your estimate of about 0.01mm is
reasonable.

In that case I would predict that a single sheet would have little effect on
an RFID device operating at 125kHz. Note however that RFID devices appear to
span a very large frequency range:

<http://www.rfid-handbook.de/rfid/frequencies.html>

and the foil would certainly block the higher frequency devices.
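
The skin-depth estimate discussed in this sub-thread, as an added example that is not part of any poster's comment: it computes the absorption loss of one 0.01 mm sheet and the number of sheets needed for 20 dB at three RFID bands. The aluminium resistivity, the 13.56 MHz and 900 MHz bands and the 20 dB target are assumptions; the model covers absorption only, not reflection or detuning of the coupled antennas.

```python
import math

MU_0 = 4 * math.pi * 1e-7   # vacuum permeability, H/m
RHO_AL = 2.65e-8            # assumed resistivity of aluminium near 20 C, ohm*m

# 125 kHz is the frequency from the thread; the other two bands are assumed
# here as typical HF and UHF RFID frequencies.
BANDS_HZ = {"LF 125 kHz": 125e3, "HF 13.56 MHz": 13.56e6, "UHF 900 MHz": 900e6}


def skin_depth_m(freq_hz, resistivity=RHO_AL, mu_r=1.0):
    """Skin depth of a good conductor: delta = sqrt(rho / (pi * f * mu))."""
    return math.sqrt(resistivity / (math.pi * freq_hz * MU_0 * mu_r))


def absorption_db(thickness_m, freq_hz):
    """Loss from the exp(-t/delta) field decay inside the sheet, in dB."""
    return 20 * math.log10(math.e) * thickness_m / skin_depth_m(freq_hz)


def layers_for(target_db, sheet_m, freq_hz):
    """Sheets of thickness sheet_m needed to reach target_db by absorption alone."""
    return math.ceil(target_db / absorption_db(sheet_m, freq_hz))


def shielding_table(sheet_m=0.01e-3, target_db=20.0):
    """Rows of (band, skin depth in mm, dB per sheet, sheets for target_db)."""
    return [
        (name,
         skin_depth_m(f) * 1e3,
         absorption_db(sheet_m, f),
         layers_for(target_db, sheet_m, f))
        for name, f in BANDS_HZ.items()
    ]


if __name__ == "__main__":
    print(f"{'band':<14}{'delta (mm)':>12}{'dB/sheet':>10}{'sheets':>8}")
    for name, delta_mm, db, n in shielding_table():
        print(f"{name:<14}{delta_mm:>12.4f}{db:>10.2f}{n:>8}")
```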

~~~
gvb
Experimental evidence, sample size of 1: a single layer of ordinary aluminum
foil completely enclosing the card prevents a "normal distance" (4" square)
reader from reading my card.

~~~
tgflynn
Are you sure it's a 125 kHz device? Maxwell has never failed me before.

~~~
gvb
No, I'm not sure, but it does physically match the cards and readers in the
article.

With no foil, the badge is read at 3-4".

With a single slice of foil ~18"x12" held in front of the sensor, the badge is
read at ~1" (a noticeable reduction in signal).

With the foil folded in half and the badge in the fold so that it forms a
single layer on both sides of the card, it was effective (could not read the
badge).

With the badge in an aluminized mylar antistatic bag, there was no evidence
of a signal reduction (read at full distance).

I would theorize that Maxwell hasn't failed us, but the signal is weak enough
that the foil attenuated the signal sufficiently to disrupt reading. The RFID
reader works by modulating the sensor tuned loop by detuning on/off, which is
going to be a pretty weak signal.

~~~
tgflynn
The read range you're seeing also seems compatible with a low frequency
device.

I'm quite perplexed. I don't think the foil could be attenuating the signal
directly. It might be reflecting it/altering the field pattern so as to reduce
the effective gain between the transmitter and receiver antennas.

------
achille
Great, but where can I buy one now? My apartment complex issues only one single
bulky RFID+garage opener that I hate carrying in my keychain.

~~~
simonsarris
I think dealextreme.com had a few a while back. Yeah:

<http://www.dealextreme.com/details.dx/sku.17230>

$66

------
bmalicoat
Do RFID tags have anything to prevent a replay attack or is owning a bit for
bit copy of an RFID tag the same as owning the original?

~~~
deutronium
Regarding 'contactless smart cards' which use a similar radio protocol to
RFID:

One example being MIFARE used in the London underground, where they found a
vulnerability in the encryption algorithm being used on the card (the cards
are 'intelligent' in that they have a processor on board to perform the
cryptography etc.). Once you can break the encryption, you can then set about
making a clone.

With contactless bank cards, (which in the UK you can use to pay for the M6
toll), you could imagine people electronically picking your pocket, by
relaying the signal from a transceiver near a cash point over RF to another
transceiver which communicates with the card in your pocket. (hopefully they
use distance bounding protocols to prevent this!)

Karsten Nohl (<http://www.cs.virginia.edu/~kn5f/>) has some fascinating papers
on how they broke Crypto1 (the algorithm used by MIFARE). They took photos of
the chip in the card using an optical microscope, after dissolving the card in
acetone (They had to sand off each layer of the chip to get to the next).

They then applied image recognition to identify logic gates from their
constituent transistors. And then looked for XOR gates, as they mention
they're rarely used for anything other than crypto on this type of chip. Once
they had found the area of the chip involved in cryptography, they converted
the logic gates into the actual algorithm used, and then picked apart
weaknesses with it.
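
An added illustration of the replay question above, not part of any poster's comment and not a real card protocol: a tag that always emits the same bits is fully reproduced by a recorded reply, while a tag that answers a fresh reader nonce under a secret key is not, unless the key itself is recovered. HMAC-SHA256 stands in for the card's cipher, and all class names and values are hypothetical.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Tag that emits the same ID bits whatever the reader sends."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid


class KeyedTag:
    """Tag holding a secret key; its reply depends on the reader's nonce."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, challenge):
        return self.uid + hmac.new(self._key, challenge, hashlib.sha256).digest()


class RecordedCopy:
    """Bit-for-bit copy of one earlier reply; it knows no key."""
    def __init__(self, captured):
        self.captured = captured

    def respond(self, challenge):
        return self.captured


class Reader:
    def __init__(self, uid, key=None):
        self.uid, self.key = uid, key

    def accepts(self, tag):
        challenge = secrets.token_bytes(16)      # fresh nonce on every read
        reply = tag.respond(challenge)
        if self.key is None:                     # static-ID system
            return hmac.compare_digest(reply, self.uid)
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply, self.uid + mac)


def run_demo():
    uid, key = b"\x12\x34\x56\x78\x9a", secrets.token_bytes(16)  # constructed
    static_copy = RecordedCopy(StaticTag(uid).respond(b"\x00" * 16))
    keyed_copy = RecordedCopy(KeyedTag(uid, key).respond(secrets.token_bytes(16)))
    return {
        "static_copy_accepted": Reader(uid).accepts(static_copy),
        "keyed_original_accepted": Reader(uid, key).accepts(KeyedTag(uid, key)),
        "keyed_copy_accepted": Reader(uid, key).accepts(keyed_copy),
    }
```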

~~~
mikedmiked
Remarkable! Thank you for sharing this.

~~~
flawawa2
<http://media.ccc.de/browse/congress/2007/24c3-2378-en-mifare_security.html>

<http://media.ccc.de/browse/congress/2008/25c3-3032-en-analyzing_rfid_security.html>

Nowadays he is busy cracking and hacking GSM. Remarkable person.

