RFID eavesdropping attacks rely on receiving, amplifying, processing, and decoding leaked signals from the reader-to-tag air interface.
The interception setup comprises the reception antenna, the analog front-end with amplifiers and demodulators, the signal-decoding modules, and the data analysis. As full real-time operation is not required, most of these functions can be implemented offline in the digital domain with basic DSP functions.
Quite a number of front-ends capable of capturing NFC signals are available, ranging from very decent open hardware/software platforms to highly priced commercial products. As might be expected, a standard DSO (digital storage oscilloscope) provides most of the functions needed to start experimenting.
For the reception antenna, three to five turns of wire will do the job (see the picture below), although for longer distances a better design is required. It should be said that this setup is very useful for observing isolated events on the air interface. For an effective eavesdropping attack, the DSO must sustain sampling at 100 MHz (minimum) for the whole time it takes to complete the transaction. For analyzing communications at high bit rates (424 kbps and above), a higher sampling rate (150/200 MHz) gives better results.
The next graph shows a segment of the ISO14443A anti-collision loop as captured with this setup. In the close-up shown in the lower part of the figure, the activity on both channels of the communication can be clearly identified.
One obvious conclusion emerges: in terms of security, the NFC air interface, like almost any other air interface, must always be considered part of the unsecured region, since an attacker can observe and manipulate it.
Can we do something to prevent an attacker who tries to eavesdrop on the air interface? Is it worth doing something about it?
I propose this engineering exercise for our newer colleagues: is it possible to alter this signal with a few passive components so that we can digitize it at a much lower sampling frequency?
In the next part of this series I will introduce Scilab and some basic DSP concepts by using them to decode captured NFC air-interface signals.
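The engineering exercise worked through in software, as an added example that is not part of the original post: a constructed 13.56 MHz carrier with two 2.5 µs reader pauses is rectified and RC low-pass filtered (a simulated diode plus RC stage), then decimated from 100 MS/s to 4 MS/s, and the pause timing still survives. The pause positions, the 2 MHz cutoff and the 4 MS/s target rate are constructed assumptions, not values from the post.

```python
import math

FC = 13.56e6       # ISO14443 carrier frequency
FS_DSO = 100e6     # capture rate quoted in the post (100 MHz minimum)
FS_LOW = 4e6       # assumed: rate we would like to digitize at after envelope detection


def reader_signal(pauses_us, duration_us=40.0, fs=FS_DSO):
    """Constructed 100% ASK reader carrier: amplitude 1, driven to 0 during each
    (start_us, end_us) pause. Returns raw samples at rate fs."""
    n = int(duration_us * 1e-6 * fs)
    out = []
    for i in range(n):
        t = i / fs
        t_us = t * 1e6
        amp = 0.0 if any(s <= t_us < e for s, e in pauses_us) else 1.0
        out.append(amp * math.sin(2 * math.pi * FC * t))
    return out


def envelope(samples, fs=FS_DSO, fcut=2e6):
    """Rectifier followed by a first-order RC low-pass: abs() plays the diode,
    the IIR step plays the RC network. Carrier ripple is attenuated, the
    slow envelope (reader pauses) is kept."""
    alpha = 1 - math.exp(-2 * math.pi * fcut / fs)
    y, out = 0.0, []
    for x in samples:
        y += alpha * (abs(x) - y)
        out.append(y)
    return out


def decimate(samples, fs_in=FS_DSO, fs_out=FS_LOW):
    """Keep every k-th sample; the envelope is band-limited so this is safe."""
    return samples[::int(fs_in // fs_out)]


def detect_pauses(env, fs, threshold=0.3, min_us=1.0):
    """Intervals (start_us, end_us) where the envelope sits below threshold.
    Dips shorter than min_us (filter start-up, glitches) are rejected."""
    pauses, start = [], None
    for i, v in enumerate(env):
        if v < threshold and start is None:
            start = i
        elif v >= threshold and start is not None:
            if (i - start) * 1e6 / fs >= min_us:
                pauses.append((start * 1e6 / fs, i * 1e6 / fs))
            start = None
    return pauses


def recover_pauses(pauses_us):
    """Full chain: capture at 100 MS/s -> envelope -> 4 MS/s -> pause timing."""
    return detect_pauses(decimate(envelope(reader_signal(pauses_us))), FS_LOW)
```

After envelope detection the pauses are located to within one 4 MS/s sample (0.25 µs), which is ample for the 2 to 3 µs pauses of 106 kbps ISO14443A reader frames.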