Physical-layer Identification of RFID Devices Authors: Boris Danev, Thomas S. Heyde-Benjamin, and Srdjan Capkun Presented by Zhitao Yang 1

Outline 1.Background knowledge about RFID 2.Implementation of RFID 3.Purpose and motivation 4.Hardware setup 5.Four experiments 6.Feature extraction and selection 7.Application to cloning detection 8.My conclusion 2

1. Background knowledge about RFID RFID = Radio Frequency Identification. An ADC (Automated Data Collection) technology that: uses radio-frequency waves to transfer data between a reader and a movable item to identify, categorize, track. Is fast and does not require physical sight or contact between reader/scanner and the tagged item. Performs the operation using low cost components. Attempts to provide unique identification and backend integration that allows for wide range of applications. Other ADC technologies: Bar codes, two-dimension code. 3

RFID system components 4

Types of Tags Passive Tags No battery Low cost Active Tags On-board transceiver Battery – must be replaced Longer range High cost 5

How RFID system works Magnetic / Inductive Coupling Transceiver Tag Reader antenna RFID Tag IC or microprocessor antenna 6

How RFID system works Propagation Coupling Transceiver Tag Reader antenna RFID Tag IC or microprocessor antenna 7

Hardware of RFID tags 8

Frequency Ranges Low – kHz short range, low data rate, cost, & power Intermediate – MHz (13.56MHz) medium range and data rate High – MHz & GHz large range, high cost, high data rate needs line of sight 9

2. Implementation of RFID RFID changes our lives not completely, but a lot Barcode 10

2. Implementation of RFID 11

Other implementations 12

3. Purpose and Motivation Purpose: Classify and identify RFID tags by the fingerprint of tags on physical-layer What is the fingerprint of tags? 1) It is a kind of physical-layer character of tags 2) The difference of fingerprints between tags is random 3) Introduced by the manufacturing of the RFID tags (Analog devices have resistive, capacitive, and inductive character) 13

How to detect the fingerprint of tags? RFID Reader antenna RFID Tag antenna 1. Training signal 2. Resonances in RF circuitry 3. Resonances are sent to Reader 4. Characteristic value (fingerprint) of resonance can be detected and extracted by algorithms 14

4. Hardware setup 15

5. Four experiments Experiment 1: observation from Reader side Training signal is defined by Type A and B protocols in the ISO/IEC Fc = MHz (in the (ISO/IEC 1443) specification carrier frequencies) The purpose is to test if the tag’s responses can be distinguished Stage 1: unmodulated signal to power the tags Stage 2: modulated signal with weak-up command Stage 3: unmodulated period of carrier while the scope records the response from the tag Stage 4: Tag response 16

Experiment 2 observation from Reader side Fc = 13.06MHz (out of (ISO/IEC 1443) specification carrier frequencies) Purpose: to test tag responses to the same signals as in Experiment 1. Stage 1: unmodulated signal to power the tags Stage 2: modulated signal with weak-up command Stage 3: unmodulated period of carrier while the scope records the response from the tag Stage 4: Tag response 17

What is the difference between experiment 1 and 2 1) Central frequency Fc = MHz (Experiment 1, in) Fc = MHz (Experiment 1, out) 2) Purpose Experiment 1: test if the tag can work in the specification carrier frequency Experiment 2: test if the tag can response out of specification carrier frequency 3) The amplitudes of tag response are different. Why? Experiment 1 and 2 are to suited for transponder classification 18

Experiment 3 (Burst) Signal : 10 cycles (2 us) of non-modulated 5 MHz carrier Amplitude Vpp = 10V Purpose: test the tag’s response to an additional out-of-specification signal, then to see variation in different tags’ responses. 19

Experiment 4 (Frequency sweep) Signal: non-modulated carrier linear sweep from 100 Hz to 15 MHz Amplitude Vpp = 10 V Duration = 10 ms Purpose: to examine how the tags react to many different frequencies, then find the resonance frequency 20

6. Feature extraction and selection Samples: 8 passports from 3 countries 50 JCOP NXP smart cards (same model and manufacturer) 21

Modulation-shape features– based on experiment 1&2 1) The shape of the signal with on-off keying modulation can be extracted with the amplitude l at the time t. 2) Then, apply Hilbert transformation: H(t,l) = Hil(f(t,l)) 3) Feature match between a reference 4) A test fingerprints is performed using standardized Euclidean distance Summary: this method is to find the two information: signal amplitude and time, use these two information to compare with a reference, then find a fingerprint matched. 22

Spectral feature– based on experiment 3&4 1) Remove noisy dimensions a. one-dimensional FFT b. remove DC component and redundant part of spectrum 2) Change into a formula with spectral feature 3) Compute the eigenvalues with PCA training 4) Use the feature (fingerprint) to match with a reference 23

7. Application to cloning detection Scenario 1: the fingerprints are stored in a back-end database The attacker should perform two tasks: 1)Obtain the fingerprint template of tags 2)Produce or find a tag with the same fingerprint Infeasible: the fingerprints are due to manufacturing process variation 24

7. Application to cloning detection Scenario 2: the fingerprints are stored in tags separately Use with digital signature 1)The tag authenticity is validated by digital signature; 2)The fingerprint is ensured; 3)The stored fingerprint is compared to the measured fingerprint. Advantage: the tag authenticity can be verified “off-line” Drawback: The fingerprint can be obtained remotely by attackers. 25

8. Conclusion The authors’ conclusion: 1)This paper is the first comprehensive study of physical-layer classification and identification of RFID tags. 2) The fingerprint of tags can be extracted in the base of the modulation shape and spectral features of response signals to in and out of specification reader signals 26

My conclusion: 1)The use of out-specification signals as training signal is a kind of interference to others in multiple readers scenario; 2)The number of samples used in experiments is too small can not verify the uniqueness of fingerprint; the authors did not give any evidence to show the uniqueness; 3) I trust there must be tags with the same measured fingerprint in one group; that means since fingerprints generate randomly during manufacturing process, the difference between fingerprints cannot be identified by algorithms. Thus, this kind of method cannot used in practical scenarios. 27