RFIDTunnelProjectReport

AsystemforextendingtherangeofRFIDoveradistance.

MIT6.101AnalogElectronicsLaboratory
Spring2014

VineelAdusumilli
AustinDuffield
BrandonVasquez

Abstract
In this report, we describe a methodfor tunneling 125KHz RFIDtagsoveradistance.We
deal explicitly with tunneling amplitudeshift keying RFID tags, and propose amethod for
tunnelingthephaseshiftkeyingtagsthatarecommonlyusedforsecuritypurposes.

TableofContents

ListofFigures 3

Introduction 4
Overview 4
SystemBreakdown 4

RFIDOverview 5

Design 7
ReaderEmulator 7
CardEmulator 8
RFTransmission 9
Testing 10

Discussion 13

Conclusion 15

Acknowledgements 16

WorksCited 17

ListofFigures

1. SystemBlockDiagram 4
2. AmplitudeshiftKeying 4
3. PhaseshiftKeying 4
4. ReaderEmulatorSchematics 8
5. CardEmulatorSchematics 8
6. TransmitterSchematics 9
7. ReceiverSchematics 10
8. OutputofEnvelopedetectorwithoutcard 11
9. OutputofEnvelopedetectorwithcard 11
10. Outputoffilterwithoutcard 11
11. Outputoffilterwithcard 11
12. Outputoffilterandcomparator 12
13. Outputofcarddata 12
14. ProposedPSKCardEmulatorSchematics 13

Introduction

Overview
The RFID Tunnel project is meant to demonstrate a fundamental security flaw in RFID:
readers have no way of verifying that the tag isphysically present. Todemonstratethisa
system was designed to trick readers into believing they are reading a tag that is far
outsidetherangeofthereader.

TheRFIDTunnelrelays an RFIDsignaloveraconsiderabledistancebyactingasabridge
between an RFIDcardand an RFIDreader, specificallyusing125KHzcardsandreaders.
Therearetwodistinctphysicaldevices:areaderemulator andacardemulator.The reader
emulator isbeplacednearacard, exciting it and sending any output dataoveranRFlink
to the card emulator, which is placed near a reader.The card emulatorthenconveys the
received informationto the actualreader. Both thereaderemulatorandcardemulatorare
designed to be low powerandportable,yetstillabletotransmitasignaloverareasonable
distance.

SystemBreakdown
Themain goal ofthisprojectwas toimplement one way communicationbetweenanRFID
card andreader. The critical pathis denoted using the solid lines.Apossibleextensionto
this project is denoted using the dotted lines. This extension would be to implement two
way communication, bringing on newchallenges suchasusing twodifferenttransmission
frequencies and detecting whento receiveand transmit data for RFID systems thatuse a
handshake.

Figure1:Systemblockdiagram

RFIDOverviewbyVineelAdusumilli

Radiofrequency Identification (abbreviated RFID) is a technology that has existed for

decades. The originalpurposewastotrackgoods,animals,orothermaterials.Nowadays,
itisalsousedforsecuritypurposessuchasaccesscontrolorpayingtollsandfares.

RFID systems are composed of twocomponents:atagandareader.Readersexcite tags

using an RF field generated by an antenna coil. The tag then selectively reflects or
attenuatesthe signalinordertoconveydata.MostRFIDsystemsinusetodayarepassive,
meaning that the tags don't contain a power source and are entirely powered by theRF
outputofthereader.

There are three methods of conveying information over RFID: frequencyshift keying,
amplitudeshift keying, and phaseshift keying. This final project dealt explicitly with the
lattertwomethods,andwouldlikelyworkwiththefirstwithminimalornomodification.

Amplitudeshift keying works by selectively attenuating the RFID carrier frequency. In the
case of our project, this frequency is 125KHz. When the carrier is attenuated, the value
conveyed is a digitalone.Whenthe carrier isunattenuated,thevalueconveyedisadigital
zero.

Figure2:AmplitudeshiftKeying(Source:Microchip)

Frequencyshift keying works in a similar manner: the tag switches between two
frequencies, onemeant torepresent a one, and the othermeant torepresent a zero.Due
to selectivity of the reader coil, one of the frequencies isattenuated morethanthe other,
creating a result that is nearly indistinguishable from the amplitudeshift keying shown
above. This iswhy webelieve oursystem would also work wellwith tags thatmakeuseof
frequencyshift keying.Themajorityofcheap,commercialRFIDreadersonthemarketare
ASK/FSKreaders.

Phaseshift keying ismuch more complicated, but supportsahigher data transferrate:up

to half of the carrier frequency (62.5KHz in the case of MIT IDs). It works by switching
control of the attenuation of the carrier between two square waves that are half of the
carrier frequency and exactly out of phase with each other. The phase shift boundaries
denotewhethertheinformationconveyedisaoneorazero.[1]

Figure3:PhaseshiftKeying(Source:Microchip)

Design

ReaderEmulatorbyBrandonVasquez
Thereaderemulatorhasfourmajorstages:1) 125KHzsignalgenerator,2)RFamplifier3)
Sharp 62.5KHz filter and 4) Peak detection. The 125KHz signal generator was
accomplished using a 555 in an astable configuration with a potentiometer for fine
adjustments.The 125KHz signal was used to drive the RFamp,abjtpushpulldriver. This
amp wasused todrive theresonantLC circuitwhichwouldtransferpowertothecard.The
2N2222 and 2N2907 were used for the high and low bjts. Two diodes were used to
compensate for crossover distortion which was not entirely necessary since the input
signal was 05V square wave from the555.A 470 resistor was usedto limit thecurrent
intothebjtswhile10resistorswereplacedontheemitterstoincreasestability.

The push pull driver drives a series LC circuit which was designed to resonate around
125KHz. A series LC circuit was used instead of a parallel one to maximize the current
through the coil, whichresults in moreefficient energy transfer tothecard. The coil, which
was constructed using 22 gauge magnet wire and 80 turns, achieved an inductance of
approximately1.2mHat 125kHz.The dimensions oftherectangularcoilwereabout10cm
x 8cm.A capacitanceof 1.5nF wascalculatedtocauseresonancewiththecoilsoa1.3nF
and200pFcapwereused.

The output of the LC circuit was AC coupled through a 1uF cap to an envelope detector
whichconsisted oftwodiodes, a 1Mresistor,anda1nFcap.Thisportionofthecircuitis
used to detect the envelope of the 125Khz carrier frequency which isthe 62.5Khzsignal
frequency. The 62.5 KHz signal is then sent throughan ACcoupling cap andadded toa
DC voltage of around 1.2V which is set by 100K and 330K resistors. This now DC
biased signalis putthrougha3polefiltercreatedwithaLClowpassfilterand asallenkey
filter.Theresistorsandcapacitorswerechosentocreateasharpfilterat62.5KHz.

Theoutput of thefilterwas ACcoupledagainand givenaDCbias voltageof2.5V.Itwas

then gained by 11through an opamp withavirtualgroundof2.5V.Thisvirtualgroundwas
created with a resistor divider and buffered by an opamp. The last stageof the Reader
Emulator involvedavoltage comparator withhysteresis. Thethreshold levels werechosen
to pickupthepeaksofthe 62.5KHz signal and turnthem intoadigitalsignal.Eachphase
transition would result in a peak which would be translated into a high or low given the
direction of the peak. This makes transferring the data from the Reader Emulator to the
CardEmulatoreasierandmoreimmunetonoise.

Figure4:ReaderEmulatorSchematics

CardEmulatorbyVineelAdusumilli
The amplitudeshift keying card emulator turns out to be a fairly simple design.
Unfortunately, we were not able to get the frequencyshift keying emulator working(more
detailsareprovidedintheDiscussionsection).

Theschematicsfortheamplitudeshiftkeyingcardemulatorareasfollows:

Figure5:CardEmulatorSchematics

The 74H inductor is a customwound coilmadeoutof magnetwire. It ismatched witha
22nF capacitor inorder tocreate aresonant tank that resonates atafrequencyveryclose
tothe125KHzoperatingfrequencyofourRFIDsystem.

The"Data In" nodeis a digitalsignalcoming from thereaderemulatorandthroughtheRF

link. When the signal is low, thediodebridge acts toattenuatethesignalacrossthe coil.
Whenthesignalishigh,thediodebridgehasnoeffect,leavingthecarrierunattenuated.

RFTransmissionbyAustinDuffield
The radio transmitter and receiver operate at 25.125MHzusing simple onoff modulation
with carrierdetection. Thetransmitterusesanexcitedcrystaltoachievethedesiredcarrier
signal, appropriately filtered to remove harmonics and achieve a clean sinewave. Thisis
then coupled to the base of a 2n2222 bjt for amplification. The amplified signal is then
passed through a simple LC matching network into a simple 12 wire antenna. The
capacitanceistunedforbestpowertransmissionintotheantenna.

Figure6:TransmitterSchematics

A typical regenerative receiver topology is used to pick up the signal at a distance.The

same 12 wire antenna is used, easily couplingwith the transmit antenna at a distanceof
more than ten feet. A simple LC tank circuit tunes thereceiverto the 25MHzcarrier.The
resulting signal is lowpass filtered to remove the carrier. Because the signal is onoff
modulated, the result of the lowpass is eitherahigh or a low,indicating the presence or
absence of the carrier. This is passed to two gain stages, also using 2n2222s, which
servetocleanupthesignalanddeliver5Vrailedvoltagelevelsforadigitaloutput.

Figure7:ReceiverSchematics

One complication in the implementation is the inductors in the tuning circuits of both the
transmitter and receiver. In order to avoid core losses and strange behavior at high
frequency,thesewereimplementedashandwoundaircoreinductors.Theinductancewas
roughly calculated using the standard formula L= (d^2 * n^2)/(18d+40l), and then tuned
usingavariablefrequencyLCRmeter.

Testing
Totest theReaderEmulator,variouspointsalongthesignalpathwerescoped.Tocheckif
the MITRFID cards werebeing excited,theoutputoftheenvelopedetectorwasobserved.
Without the presence of a 125KHz RFID card, the output was expected to be relatively
constant. In the presence ofacard, noticeable spikesintheRFIDsignalcanbeobserved,
whichsignifyattenuationofthe125KHzsignalbythecard.

10


Figures 8 and 9: The figureontheleftistheoutputoftheenvelopedetectorintheabsenceofan
MIT RFID card (vertical scale 500mV). The right figure iswithanMITRFIDcardwithinrangeof
theantenna(sameverticalscale).

After applying the filter, significant reduction in the amplitude of noise can be seen
comparedtothesignal.

Figures 10 and 11:Thefigureontheleftistheoutputofthe3polefilterintheabsence ofanMIT
RFID card (vertical scale 100mV). The figure on the right is withanMITRFIDcardwithinrange
oftheantenna(samescale)

Lastly, tocheckifthefinalgainstageandcomparatorisworking,thesignalontheoutputof
thefilterwascomparedtothatofthecomparator.

Figures 12 and 13:The figure ontheleftistheoutputofthefilter(yellow)comparedtotheoutput
ofthecomparator(blue).Thefigureontherightisalongercaptureofthedatasentbythecard.

Each phase changeresultsin a changein the digital signalwhichcanbe observed inthe

figures above. The figure on the right demonstrates the repetitive signal sent by the MIT
RFIDcard.

Unfortunately, the type of RFID reader necessary to read an MIT ID card is prohibitively
expensive, so we had no effective method of testing our tunneling system outside of

11


walking tothe nearest readeraftereverytweak. This madeiterationdifficult.Weendedup
testing the tunnel using 125KHz amplitudeshift keying tags and a cheap RFID reader
sourcedfromeBay.

We hadtwodistinct RFIDtags. Eachone, whenpresentedtothereader,would causeitto

display a unique number on the computer it was connected to. We set up the tunnel by
presentingthe card emulator tothereader,and thetagsto the readeremulator. Whenwe
did this,the same unique numbers would show up as when wepresentedthetagsdirectly
tothereader.

12


DiscussionbyVineelAdusumilli

TheoriginalgoalofthisprojectwastotunnelMITIDcards.Thisprovedtobeafairlydifficult
task. The only concrete information available on MIT ID cards was a paper published in
2004 as a result of a class on Information Security (6.805). [2] Most of the paper was
concerned with nontechnical details, and the short technical section claimed that MITID
cards used amplitudeshift keying to convey information. As we found out through the
course of theproject, this information waseitherincorrect or out ofdate. ModernIDcards
usephaseshiftkeying,whichissignificantlymoresensitivetotiming.

WemadeanefforttobuildacardemulatorthatwouldworkwithPSK:

Figure14:ProposedPSKCardEmulatorSchematics

The 555 timer is used to create a square wave of 62.5KHz (half of the 125KHz carrier
frequency)at approximatelya 50% dutycycle.Thissquarewave istheninvertedtocreate
one that is exactly out of phase. The "Data" node represents the samedatainput as the
ASK cardemulator.Webuiltamultiplexerthatwouldswitchbetweenthetwosquarewaves

13


basedon thedatainput.TheoutputofthemultiplexeristhenfedtotheASKcardemulator,
whichwillselectivelyattenuatethecarrier.

We werenotable to getthisdesignworking.WebelievethisisbecausePSKreadersare
much moresensitiveto timing, and the squarewave outputfromthe555timerwasoff.We
likelyneed very closeto a 50% duty cycle, andthe waves shouldbesynchronizedwiththe
carrier.A better design would somehowderive the62.5KHzsquarewavebydirectlyusing
thecarrier,thussolvingthesynchronizationanddutycycleissues.

14


Conclusion

Our project was partially successful in its goal. We were able to demonstrate that RFID
could be tunneled over a distance by faking the presence of amplitudeshift keying tags.
Our team learned a lot about RFID: howitworks,the differentmethods used, and how to
implement it. Given more time, we believe that we would abletoaccomplishour original
goal of tunneling MIT RFID cards over a distance. We have already demonstrated a
fundamentalsecurityflawofRFID.

15


Acknowledgements

Wewouldliketothankthefollowingpeoplefortheirsupportofourproject:

GimHom(6.101Professor)forgivingustheopportunitytopursuethisproject.

DevonRosner(6.101TeachingAssistant)forhishelpinlab.

Mary Caulfield (Writing Advisor) for herfeedbackandadviceregardingwrittenmaterialsforthis

project.

16


WorksCited

[1] Microchip,"microID13.56MHzRFIDSystemDesignGuide,"2004.[Online].
Available:http://ww1.microchip.com/downloads/en/DeviceDoc/21299E.pdf.
[AccessedMay19,2014].

[2] Agrawal,Bhargava,Chandrasekhar,Dahya,Zamfirescu,"TheMITIDCardSystem:
AnalysisandRecommendations,"Dec.10,2004.[Online].
Available:http://groups.csail.mit.edu/mac/classes/6.805/studentpapers/fall04papers
/mit_id/
[AccessedMay20,2014].

17