There are two sides to every coin. Instead of swiping or using a chip reader with your credit card, some companies offer wireless cards that you hold up to a reader for just an instant. How convenient for you, and for anyone who might want to read that data for their own use. The same goes for RFID-enabled passports, and the now ubiquitous keycards used for door access at businesses and hotels. I’m sure you can opt out of one of these credit cards, but Gerald in human resources isn’t going to issue you a metal key — you’re stuck hauling around that RFID card.
It is unlikely that someone surreptitiously reading your card will unlock your secrets. The contactless credit cards and the door keycards are actually calculating a response based on a stored key pair. But you absolutely could be tracked by the unique IDs in your cards. Are you being logged when passing by an open reader? And other devices, like public transit cards, may have more information stored on them that could be harvested. It’s not entirely paranoid to want to silence these signals when you’re not using them.
One solution to all of this is to protect your wallet from would-be RFID pirates. At this point I’m sure everyone is thinking of a tin-foil card case. Sure, that might work, unless the malicious reader is very powerful. But there’s a much more interesting way to protect against this: active RFID scrambling with a project called GuardBunny. It’s a card that you place next to whatever you want to protect. It’s not really RFID — I’ll get to that in a moment — but it is activated the same way and spews erroneous bits back at any card reader. Kristin Paget has been working on GuardBunny for several years now. As of late she’s had less time for active development, but is doing a great thing by letting version 1 out into the world for others to hack on. In her talk at Shmoocon 2016 she walked through the design, demonstrated its functionality, and shared some suggestions for further improvement.
Mimicking Contactless Systems at 13.56 MHz
RFID is a catch-all word for Radio Frequency IDentification. In this case, we’re talking about any system that operates in the 13.56 MHz band, including NFC, MiFare, Smart Cards, and the like.
GuardBunny protects against unauthorized reads by activating in the same way any standards-compliant tag would. It uses a tuned antenna that activates a power supply when exposed to 13.56 MHz electromagnetic waves. This feeds a 4-bit counter IC whose output is connected to a modulator and limiter circuit. The result is a transmitted signal with the specifications the reader is listening for, but carrying a payload that is gibberish. As long as this is in the same path as the card you’re trying to protect, this gibberish will prevent the reader from getting an appropriate response from the real contactless card.
What’s the deal with that 4-bit counter? It all hinges on how these contactless readers work. The key to the concept is that tags don’t carry their own batteries; they are powered by the readers themselves. So the reader transmits a 13.56 MHz signal, but the answer coming back is a sub-carrier signal. The data is transferred when the tag modulates a load on that sub-carrier. FC16 is the designation of this scheme, which divides the carrier frequency by 16. So dividing 13.56 MHz by 16 yields a sub-carrier of 847.5 kHz. The 4-bit counter performs the division, with its most significant bit driving the modulator circuit to signal back to the reader.
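To make the divide-by-16 idea concrete, here is a small simulation I added (it is not GuardBunny’s own code, and Kristin’s design has no firmware). It clocks a 4-bit counter once per carrier cycle, confirms the MSB toggles at fc/16 = 847.5 kHz, and then models a reader that decodes a real tag’s load modulation, with and without GuardBunny’s always-on sub-carrier in the field. The bit coding is an assumption for illustration: ISO 14443A-style Manchester, where a bit lasts 128 carrier cycles and the sub-carrier is present in the first half for a 1 and the second half for a 0.

```python
"""Model of GuardBunny's divide-by-16 sub-carrier and its effect on a reader.
Assumed for illustration (not from the article): ISO 14443A-style Manchester
coding, 128 carrier cycles per bit, sub-carrier in the first half = 1,
second half = 0."""

FC_HZ = 13_560_000   # reader carrier, 13.56 MHz (from the article)
BIT_CYCLES = 128     # assumed bit period in carrier cycles (8 sub-carrier periods)
HALF = BIT_CYCLES // 2

def subcarrier_hz(fc_hz=FC_HZ, counter_bits=4):
    """The MSB of an n-bit binary counter toggles at fc / 2**n; 4 bits gives fc/16."""
    return fc_hz / (1 << counter_bits)

def counter_msb(n_cycles):
    """MSB of a free-running 4-bit counter clocked once per carrier cycle."""
    return [(i >> 3) & 1 for i in range(n_cycles)]

def msb_period(msb):
    """Carrier cycles between consecutive rising edges of the MSB (expect 16)."""
    rises = [i for i in range(1, len(msb)) if msb[i] and not msb[i - 1]]
    return rises[1] - rises[0]

def tag_envelope(bits):
    """Per-carrier-cycle 'sub-carrier on' flags for a legitimate tag sending bits."""
    env = []
    for b in bits:
        env += ([1] * HALF + [0] * HALF) if b else ([0] * HALF + [1] * HALF)
    return env

def guardbunny_envelope(n_cycles):
    """GuardBunny's counter never stops while powered, so its sub-carrier is always on."""
    return [1] * n_cycles

def reader_decode(env):
    """Compare sub-carrier energy in each half-bit; None = no clean decision."""
    out = []
    for i in range(0, len(env), BIT_CYCLES):
        first = sum(env[i:i + HALF])
        second = sum(env[i + HALF:i + BIT_CYCLES])
        out.append(1 if first > second else 0 if second > first else None)
    return out

def reader_sees(tag_bits, guardbunny_present):
    """Superpose both cards' load modulation: either one loading the field counts."""
    env = tag_envelope(tag_bits)
    if guardbunny_present:
        env = [max(a, b) for a, b in zip(env, guardbunny_envelope(len(env)))]
    return reader_decode(env)

if __name__ == "__main__":
    print(subcarrier_hz(), msb_period(counter_msb(64)))
    print(reader_sees([1, 0, 1, 1, 0, 0, 1, 0], False))
    print(reader_sees([1, 0, 1, 1, 0, 0, 1, 0], True))
```

With GuardBunny in the field every bit slot carries sub-carrier in both halves, so the modelled reader cannot resolve a single bit of the real card’s reply.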
Perhaps the most interesting design element to me is the power supply. The power coming off of the reader is really small, so the PSU on the tag needs to be as efficient as possible.
On the right you see the layout of the power supply, with ground in the middle and connections to the antenna made on the capacitors on the left. The symmetrical halves above and below the ground line form rectifiers; RFID readers are putting out AC, and these two combined circuits rectify it to the DC needed by the counter IC.
Diodes D2 and D4 compensate for the voltage drop of D1 and D3. The two tank capacitors in the middle (C2 and C4) turn this into a voltage quadrupler. Without this compensation the voltage would be below the minimum threshold for the counter.
Finally, the two LEDs act as voltage protection. Proximity to the reader and the reader’s power output have a huge effect on how much voltage this PSU pushes to the IC. Once the voltage reaches a certain level the LEDs turn on and start consuming current to protect against damaging the counter chip. They have the added advantage of signaling that there is a reader nearby.
Passing the Torch
Kristin has done a great job with this, and an on-stage demonstration during her talk showed that GuardBunny performs better than the few other active RFID protection products on the market now, like SignalVault. SignalVault combines shielding with active protection, but for best results you need two of them, one on either side of the card you are protecting. GuardBunny had much better protection in terms of distance from the card it was protecting, distance from the reader, and protected even if it was not between the real card and the reader. SignalVault is also itself an RFID tag, so if you’re concerned with being tracked by contactless devices this is yet another UID which can be recorded by covert readers. GuardBunny has no ID at all, just gibberish, and therefore can’t be tracked.
But, the key fault in all of these active protection schemes is alignment with the card being protected. You can move the two cards apart and still get protection, but rotate one or the other just a degree or two, or move them so that they’re not directly atop one another, and the antennas get out of phase causing GuardBunny to lose its ability to confuse the reader.
This is part of the impetus behind releasing GuardBunny as Open Hardware. Kristin has taken the project this far, but hopes others will pick it up and run with it. The aforementioned alignment problems could be addressed by designing more antennas. The hardware footprint is very small, so coming up with an antenna that takes less space would allow for multiple antennas per card. These can be summed for more power, or phase-corrected and combined, to improve the effectiveness. There are also a few other design vectors worth looking into, like a better solution for voltage protection than the LEDs (which are simple but waste too much power) and other alerts, like a BTLE connection with your phone.
In the end the real issue is RFID tags that can’t be turned off. We should be designing security by default, and Kristin did mention the need for a slide lock like SD cards have, or a button to hold down in order for your contactless cards to work with a reader. I agree; this is the smart way to go. But I’m glad to have had a seat in her talk, and enjoyed working through the hardware design behind this simple device.