GuardBunny Active RFID Protection Going Open Hardware

There are two sides to every coin. Instead of swiping or using a chip reader with your credit card, some companies offer wireless cards that you hold up to a reader for just an instant. How convenient for you and for anyone who might what to read that data for their own use. The same goes for RFID enabled passports, and the now ubiquitous keycards used for door access at businesses and hotels. I’m sure you can opt-out of one of these credit cards, but Gerald in human resources isn’t going to issue you a metal key — you’re stuck hauling around that RFID card.

It is unlikely that someone surreptitiously reading your card will unlock your secrets. The contactless credit cards and the keylock cards are actually calculating a response based on a stored key pair. But you absolutely could be tracked by the unique IDs in your cards. Are you being logged when passing by an open reader? And other devices, like public transit cards, may have more information stored on them that could be harvested. It’s not entirely paranoid to want to silence these signals when you’re not using them.

One solution is to all of this is to protect your wallet from would-be RFID pirates. At this point all I’m sure everyone is thinking of a tin-foil card case. Sure, that might work unless the malicious reader is very powerful. But there’s a much more interesting way to protect against this: active RFID scrambling with a project called GuardBunny. It’s a card that you place next to whatever you want to protect. It’s not really RFID — I’ll get that in a moment — but is activated the same way and spews erroneous bits back at any card reader. Kristin Paget has been working on GuardBunny for several years now. As of late she’s had less time for active development, but is doing a great thing by letting version 1 out into the world for others to hack on. In her talk at Shmoocon 2016 she walked through the design, demonstrated its functionality, and shared some suggestions for further improvement.

Mimicking Contactless Systems at 13.56 MHz

RFID is a catch-all word for Radio Frequency IDentification. In this case, we’re talking about any system that operates in the 13.56 MHz band, including NFC, MiFare, Smart Cards, and the like.

GuardBunny protects against unauthorized reads by activating in the same way any standards-compliant tag would. It uses a tuned antenna that activates a power supply when exposed to 13.56 MHz electromagnetic waves. This feeds a 4-bit counter IC whose output is connected to a modulator and limiter circuit. The result is a transmitted signal with the specifications the reader is listening for, but carrying a payload that is gibberish. As long as this is in the same path as the card you’re trying to protect, this gibberish will prevent the reader from getting an appropriate response from the real contactless card.

Hardware Design

What’s the deal with that 4-bit counter? It all hinges on how these contactless readers work. The key to the concept is that tags don’t carry their own batteries; they are powered from the readers themselves. So the reader transmits a 13.56 MHz signal but the answer coming back is a sub-carrier signal. The data is transferred when the target modulates a load on that sub-carrier signal. FC16 is the designation of this scheme which divides the frequency carrier by 16. So dividing 13.56 MHz by 16 yields a sub-carrier signal of 847.5 kHz. The 4-bit counter is used to make the division, with the most significant bit driving the modulator circuit to signal back to the reader.

Perhaps the most interesting design element to me is the power supply. The power coming off of the reader is really small so the PSU on the tag needs to be as efficient as possible.

On the right you see the layout of the power supply, with ground in the middle and connections to the antenna made on the capacitors on the left. The symmetry above and below the ground line form rectifiers; RFID readers are putting out AC and these two combined circuit rectify that to the DC needed by the counter IC.

Diodes D2 and D4 compensate for the voltage drop of D1 and D3. The two tank capacitors in the middle (C2 and C4) turn this into a voltage quadrupler. Without this compensation the voltage would be below the minimum threshold for the counter.

Finally, the two LEDs are acting as voltage protection. Proximity to the reader, and the reader’s power output have a huge effect on how much voltage this PSU pushes to the IC. Once the voltage reaches a certain level the LEDs turn-on and start consuming current to protect against damaging the counter chip. They have the added advantage of signaling that there is a reader nearby.

Passing the Torch

Kristin has done a great job with this, and an on-stage demonstration during her talk showed that GuardBunny performs better than the few other active RFID protection products out in the market now, like SignalVault. SignalVault combines shielding with active protection but for best results you need two of them, one on either side of the card you are protecting. GuardBunny had much better protection in terms of distance from the card it was protecting, distance from the reader, and protected even if it was not between the real card and the reader. Signal Vault is also itself an RFID tag, so if you’re concerned with being tracked by the contactless devices this is yet another UID which can be recorded by covert readers. GuardBunny is nothing, just gibberish, and therefore can’t be tracked.

But, the key fault in all of these active protection schemes is alignment with the card being protected. You can move the two cards apart and still get protection, but rotate one or the other just a degree or two, or move them so that they’re not directly atop one another, and the antennas get out of phase causing GuardBunny to lose its ability to confuse the reader.

Gerber view of GuardBunny shows the small hardware footprint
Gerber view of GuardBunny shows the small hardware footprint

This is part of the impetus behind releasing GuardBunny as Open Hardware. Kristin has taken the project this far, but hopes others will pick it up and run with it. The aforementioned alignment problems could be addressed by designing more antennas. The hardware footprint is very small so coming up with an antenna that takes less space would allow for multiple antennas per card. These can be summed for more power, or phase-corrected and combined, to improve the effectiveness. There are also a few other design vectors worth looking into, like a better solution for voltage protection than the LEDs (which are simple but slough too much power) and other alerts, like a BTLE connection with your phone.

In the end the real issue is RFID tags that can’t be turned off. We should be designing security by default, and Kristin did mention the need for a slide lock like SD cards have, or a button to hold down in order for your contactless cards to work with a reader. I agree, this is the smart way to go. But I’m glad to have had a seat in her talk and enjoyed working through the hardware design behind this simple device.

33 thoughts on “GuardBunny Active RFID Protection Going Open Hardware

    1. Not really. I think ISO compliant cards have some sort of medium arbitration, timeslots or whatever method that allows them to be read by a single reader (which must support it, though).

  1. You can’t make it not exist so this seems like a proper solution. I’m more of a fan of EMV contact cards though with the dynamic double-verify mode. I haven’t got around to buying the equipment to research it.

    In the US all the systems seem intentionally designed to be weak. Like mag-stripe mode cloning on EMV by design.

    1. There are a ton of RFID tag types and payload formats, so I’d imagine they’re ripe for the usual data validation attacks. More importantly, the skimmers likely are not well-QA’d so they are probably just as prone to such attacks if not more than “valid” commercial readers.

      1. Still, there could always be bugs in readers. In the other thread, people mentioned barcode readers that can be programmed, *using barcodes*! There’s probably a few little cracks somewhere, perhaps in certain readers, that might be fruitful to poke around in. You can get quite powerful programmable RFID stuff now, and of course it’s not hard to create your own. You don’t have to get it into the credit-card form factor. Just stick a coil in, say, a glove, and use that, along with a dummy or disabled card, to send whatever you like from a microcontroller.

        Probably best to try at home first, which would mean getting hold of your own RFID reader to try cracking, but they’re available to the public. Perhaps prices will fall, as more uses are found for it.

        There’s also the method of monitoring the airwaves and recording transactions to pick apart later. I remember reading stuff that said there’s a lot less security than you’d expect, in some applications. Public-key encryption in milliseconds, on a parasitically-powered MCU, might be a bit much to ask, so they do without it.

        What sort of voltage and current do you get in a typical setup? For the travel-card type, where you place the card (not exactly “swipe”) within a centimetre or so, and also for the stock-control type, where it’s scanned from some distance away? Fast ARMs can run on very little current nowadays.

        1. It doesn’t have to be public key cryptography. HMAC with a secret key is sufficient in this case, as the back end can quite easily have a hardened storage system for them (think an HSM with a wrapping key and wrapped keys in a database).

          Public key crypto would get you the ability for universal trust between devices in the field (for instance, your two credit cards could mutually trust each other as long as they each trust the PKI root), but that’s not part of the use case for token based authentication.

  2. Keep your cards in shielding and modify this thing to flood their reader with a lot of fake information. when it senses activation, have it start a flood of cards reporting all the data as fast as it possibly can. this will flood the reader/skimmer full of fake or bad data.

    Will it protect anyone? no, but it will annoy the scumbag with the reader.

  3. I’m not from the US, so there may be something lost in translation. Under “Hardware Design”, what does this sentence [“The data a load put on that sub-carrier signal by the target device.”] mean? I feel like there may be a few words missing, is this just a US Engrish-sm?

    Similarly, in the second to last paragraph, there’s this sentence: “… LEDs (which are simple but sluff too much power)…”. Again, I’m genuinely curious. I’m guessing, based on the context, that the English “slough” is what I’d use in place of “sluff” – is this another Americanism?

    1. You’re right, that is not clear. I’ve tried again to explain it. Basically, the data is placed on the subcarrier frequency when the target (an RFID tag) modulates a load.

      And yes, I managed to use a lazy slang term and have changed it to “slough”. Thanks!

  4. I want a programable device that I can load with all the RFID things in my life (work keycard, car fob, credit card, to name a few). This device is active (battery powered) such that replies to readers can be disabled when not being used to unlock/pay. I think all the hardware to do this is in my phone right now? Would also be nice as a ring or implant, though harder to turn on (enable replies) – maybe detecting a fistbump with the reader would work.

  5. I don’t like to leave unused digital inputs floating. Even less when RF is involved, and the chip is CMOS based. Why not put the pins 3 to 6 to VCC which is already present on pin 7 of IC1? Wouldn’t cost a cent, and, possibly, could prevent some bad things to happen…

  6. Neat idea and kinda fun. I’d love to see some real-world tests compared to other options.
    I’ve found that a credit-card sized piece of aluminum or copper, about half the thickness of the card works great when placed against one or between two cards, it creates a shorted turn and capacitivity couples to the cards, reducing their range down to almost nothing(plus robbing the card of power), or at least I haven’t found a standard reader that can still detect the cards.
    If this works through a whole wallet even if it’s not in contact with/very close to a card, such as a thick wallet with many cards, that would be the real benefit compared to something that simple.

    1. That’s essentially the same as wrapping the card in foil, or a conductive wallet. Not quite as reliable, perhaps, I’d want it to be foolproof if I was gonna use one. A conductive holder isn’t a complicated thing.

  7. Wrapping your card is creating a faraday shield. Electra says s/he is using a single side “shield” to create a shorted turn (although without more braincells than I can currently muster, I don’t quite see this).
    I suspect the ‘half’ solution is just a reduced effectiveness faraday shield : but I would be happy to receive criticism on this assumption.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.