ShmooCon 2009: Chris Paget’s RFID Cloning Talk


When we first saw [Chris Paget]’s cloning video, our reaction was pretty ‘meh’. We’d seen RFID cloning before and the Mifare crack was probably the last time RFID was actually interesting. His ShmooCon presentation, embedded above, caught us completely off-guard. It’s very informative; we highly recommend it.

The hardest part about selling this talk is that it has to use two overloaded words: ‘RFID’ and ‘passport’. The Passport Card, which is part the the Western Hemisphere Travel Initiative (WHTI), is not like the passport book that you’re familiar with. It has the form factor of a driver’s license and can only be used for land and sea travel between the USA, Canada, the Caribbean region, Bermuda, and Mexico. They’ve only started issuing them this year.

The Passport Card also uses RFID… but not the same technology as e-passports that have been issued world wide. You’re probably familiar with 125KHz access control cards and 13.56MHz smartcards, MiFare tags, and e-passports. These are all inductively coupled technologies. The RFID used in Passport Cards is in the 900MHz band and is a capacitive technology. It’s EPC Class 1 Generation 2, the same sort of technology used to track goods in warehouses. Each EPC has a 96bit ID number. By design, they have to be readable from a minimum of 30 feet.

To start his research, [Chris] purchased an XR400 RFID reader of off eBay. This is an industrial reader with four antenna ports and Windows CE. He got a great deal… because it didn’t work. He guessed that the ball grid array (BGA) solder joints had cracked. Putting enough pressure on the chips allowed the device to boot. He repaired the board using a heat gun to reflow the solder. He referenced this video of an Xbox 360 being repaired with the same technique. [bunnie] has a post from last year investigating Xbox 360 RRODs and possible BGA failures.

900MHz RFID cards are not inductively coupled to the reader, so their read range is not limited by the wavelength. With a HAM license in the US, you can broadcast with up to 1500W. At Defcon this year, [Chris] plans on going for a new read record. He cited the company ThingMagic using 10W into a 12dbi antenna and getting 100% read reliability from 213ft. The theoretical limit for 1500W through a 18dBi antenna is 2.35 miles; you’d be limited by how far the tag can transmit though. He’s set up the site to help coordinate efforts.

Another future project is using the GNU Radio USRP board to do differential power analysis against the Passport Card. It’s a brute force method for extracting the 32bit kill and lock codes for the tags, which could then be used to deactivate cards.

The goal of [Chris]’ research from the beginning was to show that RFID is unsuitable for security situations like this. Passport Cards assign a unique identifier to each holder. This ID can be read from a distance and coordinated with the holders other RFID items like their credit card. Any party can track someone holding these cards, and they don’t make border crossings any faster, since the cards still have to be checked in person.

The USA is now tracking its residents with the same respect given to items in Walmart.

13 thoughts on “ShmooCon 2009: Chris Paget’s RFID Cloning Talk

  1. Outside passive car ECM systems and inventory control, rfid is still kinda boring to most people. if you where associated with a trademarked firm though this would be a worth while investment though.

  2. Actually it’s great, if you are actually accused of criminal activity you can now claim the RFID detected could be anybody, since this busts open the uniqueness argument, and that’s pretty good for us that don’t like the complete 1984-style tracking of people.

  3. congratulations for the great talk!

    I would like to propose a new direction for further research:

    The long range antenna stuff is nice for record breaking. For security there is no point in increasing the range any further. I can read your tag without you noticing … that should be far enough.

    But Antenna gain and more power can also help against shielding.
    Have you ever wondered why your cell phone still shows network bars within the microwave? (don’t turn it on!) The oven shields but only some dB. The GSM signal will be attenuated but there is still enough left for establishing a connection.

    Same thing could be done with better antennas and higher power. A tag within a shipping container or a truck might still be readable. Or probably tags with the tin foil shield could then be read?

    Only for short distance, high power and antenna gain – but there would be no way of escaping any more …

  4. i wonder if i am the only person who thinks that this all seems a little pointless and self-congratulatory. he didn’t even do anything that the technology isn’t supposed to do in the first place. all he did was fix a broken reader and then use it for what it was designed to do.

    you may clone as many people’s RFID passcards as you like, but it won’t change the fact that when you swipe it at the border it’ll be some other dude’s face that comes up on the screen.

    using the RFID tags people regularly carry to ‘profile’ and thus track them is an issue that has been discussed for years, and it being reiterated by mr. paget doesn’t really bring anything new to the table.

    to be honest, recently it seems that purely by playing with RFID and making some sarcastic comments one can go far in the ‘security’ community. obviously we need to approach new technologies with a cynical eye (and rigorous testing), but in this case chris paget doesn’t really say or do anything novel.

  5. simple. I’m not that bright, but the first thing that occurred to me was that someone needs to fabricate an RFID that emits a jamming carrier. Go ahead and try to read *my* passport! The jammer would be stuck just inside the front cover.

  6. Like anything DHS was involved in WHTI is very flawed technology.
    I would not call the implementation of WHTI bad because it goes beyond bad it’s utter sh–.
    The only way to make RFID secure is to make it’s range as short as possible having a 30 foot range is fundamentally broken.
    It would be all to easy to randomly kill the tags and the device to do could be as small as a first gen ipod.
    I wish they would simply disband DHS as I do not feel safer because of them if anything the opposite and it would free up a lot of tax dollars for more important things.
    You should be thankful of guys like him for pointing out that anything Orwellian is flawed.

  7. hi…
    i am not really posting a comment just trying to get an information..pls does anyone have a link to any hacker that could help me with a one time job..this is so very important to me…its a matter of urgency..pls i need a genuine hacker..someone that could crack into something not quite easy to crack into.
    pls if you have any such information pls kindly send me an email to
    thank you…

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.