A system for extending the range of RFID over a distance.
MIT 6.101 Analog Electronics Laboratory
Spring 2014
Vineel Adusumilli
Austin Duffield
Brandon Vasquez
Abstract
In this report, we describe a method for tunneling 125 kHz RFID tags over a distance. We deal explicitly with tunneling amplitude-shift keying RFID tags, and propose a method for tunneling the phase-shift keying tags that are commonly used for security purposes.
Table of Contents
List of Figures
Introduction
Overview
System Breakdown
RFID Overview
Design
Reader Emulator
Card Emulator
RF Transmission
Testing
Discussion
Conclusion
Acknowledgements
Works Cited
List of Figures
1. System Block Diagram
2. Amplitude-shift Keying
3. Phase-shift Keying
4. Reader Emulator Schematics
5. Card Emulator Schematics
6. Transmitter Schematics
7. Receiver Schematics
8. Output of Envelope detector without card
9. Output of Envelope detector with card
10. Output of filter without card
11. Output of filter with card
12. Output of filter and comparator
13. Output of card data
14. Proposed PSK Card Emulator Schematics
Introduction
Overview
The RFID Tunnel project is meant to demonstrate a fundamental security weakness of RFID: a reader has no way of verifying that the tag it is reading is physically present. This is a relay attack. To demonstrate it, a system was designed to trick readers into believing they are reading a tag that is in fact far outside their range.
The RFID Tunnel relays an RFID signal over a considerable distance by acting as a bridge between an RFID card and an RFID reader, specifically using 125 kHz cards and readers. There are two distinct physical devices: a reader emulator and a card emulator. The reader emulator is placed near a card, exciting it and sending any output data over an RF link to the card emulator, which is placed near a reader. The card emulator then conveys the received information to the actual reader. Both the reader emulator and the card emulator are designed to be low power and portable, yet still able to transmit a signal over a reasonable distance.
System Breakdown
The main goal of this project was to implement one-way communication from an RFID card to a reader. In Figure 1, the critical path is denoted using the solid lines. A possible extension to this project is denoted using the dotted lines. This extension would be to implement two-way communication, bringing on new challenges such as using two different transmission frequencies and detecting when to receive and when to transmit data for RFID systems that use a handshake.
Figure 1: System block diagram
RFID Overview by Vineel Adusumilli
There are three methods of conveying information over RFID: frequency-shift keying (FSK), amplitude-shift keying (ASK), and phase-shift keying (PSK). This final project dealt explicitly with the latter two methods, and would likely work with the first with minimal or no modification.
Amplitude-shift keying works by selectively attenuating the RFID carrier. In the case of our project, the carrier frequency is 125 kHz. When the carrier is attenuated, the value conveyed is a digital one. When the carrier is unattenuated, the value conveyed is a digital zero.
Figure 2: Amplitude-shift Keying (Source: Microchip [1])
Frequency-shift keying works in a similar manner: the tag switches between two frequencies, one meant to represent a one, and the other meant to represent a zero. Due to the selectivity of the reader coil, one of the frequencies is attenuated more than the other, creating a result that is nearly indistinguishable from the amplitude-shift keying shown above. This is why we believe our system would also work well with tags that make use of frequency-shift keying. The majority of cheap, commercial RFID readers on the market are ASK/FSK readers.
Phase-shift keying, which the ID cards discussed in the Discussion section turned out to use, conveys each bit in the phase of a sub-carrier at half the carrier frequency (62.5 kHz for a 125 kHz carrier): the tag modulates the carrier with either the sub-carrier or its inverse depending on the data bit, so the reader must track the sub-carrier phase against its own carrier, which makes PSK far more sensitive to timing than ASK or FSK.
Figure 3: Phase-shift Keying (Source: Microchip [1])
Design
Reader Emulator by Brandon Vasquez
The reader emulator has four major stages: 1) a 125 kHz signal generator, 2) an RF amplifier, 3) a sharp 62.5 kHz filter and 4) peak detection. The 125 kHz signal generator was implemented using a 555 in an astable configuration with a potentiometer for fine adjustment. The 125 kHz signal was used to drive the RF amp, a BJT push-pull driver. This amp was used to drive the resonant LC circuit which transfers power to the card. A 2N2222 and a 2N2907 were used for the high-side and low-side BJTs. Two diodes were used to compensate for crossover distortion, which was not strictly necessary since the input signal was a 0-5 V square wave from the 555. A 470 Ω resistor was used to limit the current into the BJTs, while 10 Ω resistors were placed on the emitters to increase stability.
The push-pull driver drives a series LC circuit which was designed to resonate around 125 kHz. A series LC circuit was used instead of a parallel one to maximize the current through the coil, which results in more efficient energy transfer to the card. The coil, which was constructed using 22 gauge magnet wire and 80 turns, achieved an inductance of approximately 1.2 mH at 125 kHz. The dimensions of the rectangular coil were about 10 cm x 8 cm. A capacitance of 1.5 nF was calculated to cause resonance with the coil, so a 1.3 nF and a 200 pF capacitor were used together.
The output of the LC circuit was AC coupled through a 1 µF cap to an envelope detector which consisted of two diodes, a 1 MΩ resistor, and a 1 nF cap. This portion of the circuit is used to detect the envelope of the 125 kHz carrier, which carries the 62.5 kHz signal frequency. The 62.5 kHz signal is then sent through an AC coupling cap and added to a DC voltage of around 1.2 V, which is set by 100 kΩ and 330 kΩ resistors. This now DC-biased signal is put through a 3-pole filter created with an LC low-pass filter and a Sallen-Key filter. The resistors and capacitors were chosen to create a sharp filter at 62.5 kHz.
Figure 4: Reader Emulator Schematics
Card Emulator by Vineel Adusumilli
The amplitude-shift keying card emulator turns out to be a fairly simple design. Unfortunately, we were not able to get the phase-shift keying emulator working (more details are provided in the Discussion section).
The schematics for the amplitude-shift keying card emulator are as follows:
Figure 5: Card Emulator Schematics
The 74 µH inductor is a custom-wound coil made out of magnet wire. It is matched with a 22 nF capacitor in order to create a resonant tank that resonates at a frequency very close to the 125 kHz operating frequency of our RFID system.
RF Transmission by Austin Duffield
The radio transmitter and receiver operate at 25.125 MHz using simple on-off modulation with carrier detection. The transmitter uses an excited crystal to achieve the desired carrier signal, appropriately filtered to remove harmonics and achieve a clean sine wave. This is then coupled to the base of a 2N2222 BJT for amplification. The amplified signal is then passed through a simple LC matching network into a simple 12 wire antenna. The capacitance is tuned for best power transmission into the antenna.
Figure 6: Transmitter Schematics
Figure 7: Receiver Schematics
One complication in the implementation is the inductors in the tuning circuits of both the transmitter and receiver. In order to avoid core losses and strange behavior at high frequency, these were implemented as hand-wound air-core inductors. The inductance was roughly calculated using the standard single-layer air-core formula L = (d^2 * n^2)/(18d + 40l) (L in µH, with coil diameter d and winding length l in inches and n turns), and then tuned using a variable-frequency LCR meter.
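The resonance and coil calculations behind the Reader Emulator, Card Emulator and RF Transmission sections, as an added worked example (this is not code from the original report). It checks the report's own component values (1.2 mH with 1.3 nF + 200 pF; 74 µH with 22 nF) against f0 = 1/(2π√(LC)) and applies the air-core formula quoted above. The RF-coil dimensions (0.5 in diameter, 10 turns, 0.5 in winding length) are constructed for illustration, since the report gives none; the function names are this example's own.

```python
"""Tank-circuit design checks for the coils described in the report (added example)."""
import math


def resonant_frequency(L, C):
    """f0 = 1 / (2*pi*sqrt(L*C)); L in henries, C in farads, result in hertz."""
    return 1.0 / (2.0 * math.pi * math.sqrt(L * C))


def resonant_capacitance(L, f):
    """Capacitance that resonates with L at frequency f: C = 1 / ((2*pi*f)^2 * L)."""
    return 1.0 / ((2.0 * math.pi * f) ** 2 * L)


def wheeler_inductance_uH(d_in, n_turns, l_in):
    """Single-layer air-core coil, L in microhenries; d (diameter) and l (winding
    length) in inches. This is the formula quoted in the RF Transmission section."""
    return (d_in ** 2) * (n_turns ** 2) / (18.0 * d_in + 40.0 * l_in)


def detune_percent(L, C, f_target):
    """Percentage by which the tank's resonance misses the intended frequency."""
    return 100.0 * (resonant_frequency(L, C) - f_target) / f_target


if __name__ == "__main__":
    F_CARRIER = 125e3
    # Reader emulator: 1.2 mH coil, fitted with 1.3 nF + 200 pF.
    L_reader, C_reader = 1.2e-3, 1.3e-9 + 200e-12
    print("reader coil: ideal C = %.0f pF at 125 kHz"
          % (resonant_capacitance(L_reader, F_CARRIER) * 1e12))
    print("reader tank with 1.5 nF: f0 = %.1f kHz (%.1f %% off)"
          % (resonant_frequency(L_reader, C_reader) / 1e3,
             detune_percent(L_reader, C_reader, F_CARRIER)))
    # Card emulator: 74 uH coil with 22 nF.
    print("card tank: f0 = %.1f kHz" % (resonant_frequency(74e-6, 22e-9) / 1e3))
    # Constructed RF tank coil for the 25.125 MHz link (dimensions are an assumption).
    L_rf = wheeler_inductance_uH(0.5, 10, 0.5) * 1e-6
    print("RF coil: %.2f uH, needs %.1f pF at 25.125 MHz"
          % (L_rf * 1e6, resonant_capacitance(L_rf, 25.125e6) * 1e12))
```

The ideal capacitance for the 1.2 mH reader coil comes out at about 1.35 nF; the 1.5 nF actually fitted puts the tank roughly 5 % low, which is still "around 125 kHz" as the report says but is worth knowing when the coil is later trimmed. The 74 µH / 22 nF card tank lands at 124.7 kHz, confirming the Card Emulator section's claim.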
Testing
To test the Reader Emulator, various points along the signal path were scoped. To check whether the MIT RFID cards were being excited, the output of the envelope detector was observed. Without a 125 kHz RFID card present, the output was expected to be relatively constant. In the presence of a card, noticeable spikes in the RFID signal can be observed, which signify attenuation of the 125 kHz signal by the card.
Figures 8 and 9: The figure on the left is the output of the envelope detector in the absence of an MIT RFID card (vertical scale 500 mV). The right figure is with an MIT RFID card within range of the antenna (same vertical scale).
After applying the filter, a significant reduction in the amplitude of the noise relative to the signal can be seen.
Figures 10 and 11: The figure on the left is the output of the 3-pole filter in the absence of an MIT RFID card (vertical scale 100 mV). The figure on the right is with an MIT RFID card within range of the antenna (same scale).
Lastly, to check that the final gain stage and comparator were working, the signal at the output of the filter was compared to that at the comparator.
Figures 12 and 13: The figure on the left is the output of the filter (yellow) compared to the output of the comparator (blue). The figure on the right is a longer capture of the data sent by the card.
Unfortunately, the type of RFID reader necessary to read an MIT ID card is prohibitively expensive, so we had no effective method of testing our tunneling system other than walking to the nearest reader after every tweak. This made iteration difficult. We ended up testing the tunnel using 125 kHz amplitude-shift keying tags and a cheap RFID reader sourced from eBay.
Discussion by Vineel Adusumilli
The original goal of this project was to tunnel MIT ID cards. This proved to be a fairly difficult task. The only concrete information available on MIT ID cards was a paper published in 2004 as a result of a class on Information Security (6.805) [2]. Most of the paper was concerned with non-technical details, and the short technical section claimed that MIT ID cards used amplitude-shift keying to convey information. As we found out through the course of the project, this information was either incorrect or out of date. Modern ID cards use phase-shift keying, which is significantly more sensitive to timing.
We made an effort to build a card emulator that would work with PSK:
Figure 14: Proposed PSK Card Emulator Schematics
The 555 timer is used to create a square wave of 62.5 kHz (half of the 125 kHz carrier frequency) at approximately a 50% duty cycle. This square wave is then inverted to create one that is exactly out of phase. The "Data" node represents the same data input as in the ASK card emulator. We built a multiplexer that would switch between the two square waves based on the data input. The output of the multiplexer is then fed to the ASK card emulator, which selectively attenuates the carrier.
We were not able to get this design working. We believe this is because PSK readers are much more sensitive to timing, and the square-wave output from the 555 timer was off in both frequency and duty cycle. We likely need a duty cycle very close to 50%, and the wave should be synchronized with the carrier: a free-running oscillator, even one trimmed close to 62.5 kHz, drifts in phase relative to the reader's carrier, so the reader cannot distinguish the "in phase" wave from the "out of phase" one. A better design would derive the 62.5 kHz square wave directly from the carrier, for example by dividing the recovered carrier by two, thus solving both the synchronization and the duty-cycle issues.
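The synchronization argument above, simulated as an added example (this is not code from the original report). The 125 kHz carrier is modelled as a square clock at 16 samples per cycle, and two sources for the 62.5 kHz sub-carrier are compared: dividing the carrier by two, as proposed above, and a free-running 555 whose period is about 6 % off (an assumed figure). The reader is an assumed, simplified coherent PSK demodulator that compares each bit period against its own carrier-derived reference; real readers differ in detail. The bit length of 16 sub-carrier cycles, the sample data and all function names are this example's own.

```python
"""Why the PSK card emulator needs a carrier-derived sub-carrier (added example)."""

SAMPLES_PER_CYCLE = 16                      # 125 kHz carrier sampled at 2 MS/s
SUBCARRIER_PERIOD = 2 * SAMPLES_PER_CYCLE   # 62.5 kHz = carrier / 2 -> 32 samples
BIT_PERIOD = 16 * SUBCARRIER_PERIOD         # assumed: 16 sub-carrier cycles per bit


def carrier_clock(n_samples):
    """Square-wave carrier clock, high for the first half of each cycle."""
    return [1 if i % SAMPLES_PER_CYCLE < SAMPLES_PER_CYCLE // 2 else 0
            for i in range(n_samples)]


def divide_by_two(clock):
    """Toggle on every rising carrier edge: a sub-carrier locked to the carrier."""
    out, state, prev = [], 0, 0
    for c in clock:
        if c == 1 and prev == 0:
            state ^= 1
        out.append(state)
        prev = c
    return out


def free_running_555(n_samples, period, duty):
    """Model of the free-running 555: its own period and duty cycle, not locked to the carrier."""
    high = int(round(period * duty))
    return [1 if i % period < high else 0 for i in range(n_samples)]


def psk_modulate(subcarrier, bits):
    """Multiplexer stage: a 0 bit passes the sub-carrier, a 1 bit passes its inverse.
    The result is what the ASK emulator uses to attenuate the carrier."""
    out = []
    for k, bit in enumerate(bits):
        seg = subcarrier[k * BIT_PERIOD:(k + 1) * BIT_PERIOD]
        out.extend(seg if bit == 0 else [1 - s for s in seg])
    return out


def agreement_per_bit(signal, reference, n_bits):
    """Fraction of samples in each bit period that agree with the reader's reference."""
    fractions = []
    for k in range(n_bits):
        lo, hi = k * BIT_PERIOD, (k + 1) * BIT_PERIOD
        agree = sum(1 for s, r in zip(signal[lo:hi], reference[lo:hi]) if s == r)
        fractions.append(agree / BIT_PERIOD)
    return fractions


def decide(fractions):
    """Assumed reader decision: in-phase (agreement above 1/2) is a 0, anti-phase a 1."""
    return [0 if f > 0.5 else 1 for f in fractions]


def simulate(bits, synchronous, period=34, duty=0.5):
    """Return (decoded bits, per-bit agreement) for a synchronous or free-running tag.
    period=34 samples models a 555 running about 6 % slow (32 would be exact)."""
    n = len(bits) * BIT_PERIOD
    clock = carrier_clock(n)
    reader_reference = divide_by_two(clock)
    tag_subcarrier = divide_by_two(clock) if synchronous else free_running_555(n, period, duty)
    fractions = agreement_per_bit(psk_modulate(tag_subcarrier, bits), reader_reference, len(bits))
    return decide(fractions), fractions


# Constructed sample ID fragment; not data from any real card.
SAMPLE_BITS = [0, 1, 1, 0, 1, 0, 0, 1]

if __name__ == "__main__":
    for label, sync in (("carrier-derived", True), ("free-running 555", False)):
        decoded, fr = simulate(SAMPLE_BITS, sync)
        print(label, decoded, ["%.2f" % f for f in fr])
```

With the carrier-derived sub-carrier every bit period agrees with the reader's reference either completely or not at all, so the decision is unambiguous. With the free-running oscillator the relative phase sweeps through a full cycle inside each bit period, the agreement sits within a few percent of 1/2 for every bit, and the decoded bits are effectively noise. This is why trimming the 555 with a potentiometer cannot substitute for a divider clocked from the carrier.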
Conclusion
Our project was partially successful in its goal. We were able to demonstrate that RFID could be tunneled over a distance by faking the presence of amplitude-shift keying tags. Our team learned a lot about RFID: how it works, the different methods used, and how to implement it. Given more time, we believe that we would be able to accomplish our original goal of tunneling MIT RFID cards over a distance. We have already demonstrated a fundamental security weakness of RFID. Because the tunnel relays whatever the card modulates, the attack does not depend on any secret the card holds, and stronger authentication on the card alone does not close it; the reader needs a way to bound how far away the responding tag can be, for instance by limiting the round-trip time of the exchange (distance bounding).
Acknowledgements
We would like to thank the following people for their support of our project:
Gim Hom (6.101 Professor) for giving us the opportunity to pursue this project.
Devon Rosner (6.101 Teaching Assistant) for his help in lab.
Works Cited
[1] Microchip, "microID 13.56 MHz RFID System Design Guide," 2004. [Online]. Available: http://ww1.microchip.com/downloads/en/DeviceDoc/21299E.pdf. [Accessed May 19, 2014].
[2] Agrawal, Bhargava, Chandrasekhar, Dahya, Zamfirescu, "The MIT ID Card System: Analysis and Recommendations," Dec. 10, 2004. [Online]. Available: http://groups.csail.mit.edu/mac/classes/6.805/studentpapers/fall04papers/mit_id/ [Accessed May 20, 2014].