
rfid_research's Introduction

RFID research corpus

The corpus contains:

  • Explanation of the project
  • Source code
  • Pictures of the setup
  • My bibliography as a .bib file
  • YouTube videos with demos of the setup

Context

This project analyses the vulnerabilities of commercially available RFID tags and identifies potential countermeasures. This corpus focuses principally on the MIFARE DESFire EV2 card and on the distance bounding implemented on it.

Two attacks have been implemented:

  • Eavesdropping of the RF: this was done using an SDR device (BladeRF + xb200 downconverter). Data was recovered from around 50 cm, although no demonstration of it is shown in this corpus.
  • Relay attack (mafia fraud): using 2 supplementary readers to act as a tag emulator and a rogue reader.

Samples of communication were acquired with an oscilloscope. The goal was to detect whether there was a timing difference in some situations. 4 tests were done, with 150 samples for each test:

  • ok_1x8: using a valid key, check the proximity of the card by sending 1 ProximityCheck command of 8 bytes.
  • ok_8x1: using a valid key, check the proximity of the card by sending 8 ProximityCheck commands of 1 byte.
  • wrong_1x8: using an invalid key, check the proximity of the card by sending 1 ProximityCheck command of 8 bytes.
  • wrong_8x1: using an invalid key, check the proximity of the card by sending 8 ProximityCheck commands of 1 byte.

The exact timing average/mean/standard deviation of all the samples may be calculated for the final dissertation. For now, only a manual check of 3 samples for each test has been done using the oscilloscope cursors (cf. timing.txt).
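One way to do the statistical comparison mentioned above, as an added example (not code from this repository): it assumes each capture has already been reduced to an activity envelope in which the reader command and the card response appear as two bursts above a threshold, and it compares the valid-key and invalid-key delays with Welch's t statistic. The function names, the envelope model, the sample period and all values are constructed for illustration.

```python
import statistics
from math import sqrt

def bursts(trace, threshold, min_gap):
    """Return (start, end) index pairs where the envelope exceeds threshold.
    Gaps of at most min_gap samples are treated as part of the same burst."""
    out = []
    for i, v in enumerate(trace):
        if v <= threshold:
            continue
        if out and i - out[-1][1] <= min_gap:
            out[-1][1] = i          # extend the current burst
        else:
            out.append([i, i])      # start a new burst
    return [tuple(b) for b in out]

def response_delay(trace, dt_us, threshold=0.5, min_gap=2):
    """Delay in microseconds from the end of the first burst (reader command)
    to the start of the second burst (card response)."""
    b = bursts(trace, threshold, min_gap)
    if len(b) < 2:
        raise ValueError("capture does not contain a command and a response")
    return (b[1][0] - b[0][1]) * dt_us

def summarize(delays):
    """Mean and sample standard deviation of a list of delays."""
    return statistics.mean(delays), statistics.stdev(delays)

def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.mean(a) - statistics.mean(b)) / sqrt(va / len(a) + vb / len(b))

# Constructed envelope: a command burst with a short dip, idle time, a response.
TRACE = [0.0] * 2 + [1.0, 1.0, 0.0, 1.0] + [0.0] * 6 + [0.9, 0.8, 0.9] + [0.0] * 2
# Constructed delays in microseconds, NOT measurements from the project.
DELAYS = {
    "ok_1x8":    [100.1, 100.3, 100.2, 100.0, 100.4],
    "wrong_1x8": [100.2, 100.1, 100.3, 100.2, 100.0],
}

if __name__ == "__main__":
    print("delay from trace: %.1f us" % response_delay(TRACE, dt_us=0.5))
    for name, d in DELAYS.items():
        print("%s mean=%.2f sd=%.3f" % ((name,) + summarize(d)))
    t = welch_t(DELAYS["ok_1x8"], DELAYS["wrong_1x8"])
    print("Welch t (ok vs wrong, 1x8): %.3f" % t)
```

With 150 samples per test, a |t| well above 2 would indicate that the card's response time depends on whether the key is valid; values near 0 indicate no measurable difference.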

Example usage

EV2 proximity check script

python2 ./ev2.py -f 0

Data acquisition

./scope.py --repeat 1 --time 290 --dest ./test/ --cmd "python2 ../ev2_communication/ev2.py -f 0"

Generation of sample graph:

./process.py --decimation=1 --out process_ok_1x8_0.png --ranges "0:190 88.12:88.21 89.75:89.84" output/ok_1x8/0.npy

Running the tag emulator program

./emulator ./target_info

Running the rogue reader script

python2 ./fake_reader.py -r 1

sources

eavesdrop_ISO14443A/

eavesdrop.grc A GNU Radio flow graph that takes as input IQ samples generated by an SDR device and does some signal processing to output a simple-to-parse file.

decode.py A Python script that takes the file generated by eavesdrop.grc and displays the raw APDU bytes sent by the reader.

ev2_communication/

ev2.py A Python script that sends proximity check and verify APDUs to an EV2 card. This is the distance bounding feature of the EV2 that we want to check.

This script contains some cryptographic algorithms (mostly in the verify() function) that are not mine (written by my supervisor).

relay_attack/
rogue_reader/

fake_reader.py A Python script acting as a rogue reader.

... < - FIFO - > [./fake_reader.py] < - USB - > [(rogue) reader] <- NFC -> [real card]
tag_emulator/

Makefile Makefile that compiles the two .c files below into executable files.

emulate.c C code that communicates with a PN532 NFC device to emulate an EV2 card.

[legitimate reader] < - NFC - > [tag emulator] < - USB - > [./emulate] < - FIFO - > ...

getinfo.c C code that gets the basic information from the card needed to emulate it (protocol, etc.).

scope_instrumentation/

instrument.py This file is from here

process.py Python script that takes a numpy file as input and displays a graph of this data.

scope.py Python script that automates the acquisition of data from the oscilloscope.

output/

checksum_md5.txt MD5 of every file in this directory. (Not present on GitHub because too big)

misc

rfid.bib Bibliography for this research

timing.txt Early timing results from the data samples.

pictures

3_readers_plus_card.jpg

coil_1.jpg

coil_2.jpg

coil_between_reader_and_card.jpg

coil_on_reader.jpg

relay_attack.jpg

scope_result.jpg

process_ok_1x8_0.png

gnuradio.png

sdr_device.jpg

external (not on this git)

relay attack demo

video of the screen while doing the relay attack

scope data acquisition

Data from the oscilloscope acquisition (*)

(*) As it takes a lot of time to send all of this data (14 GB) to my server, it won't all be sent by the deadline. However, all of the file checksums are present in checksum_md5.txt and allow me to prove that the files were generated before the deadline. All of these files are also present on the hard drive I handed in (in the kent_corpus_data directory). This mostly acts as a backup solution if there is a problem with the hard drive.
