All right, first talk today: Chris Paget, and it's Extreme-Range RFID. Let's give him a big hand here.

Thank you. Actually, that's a little better. Can everyone hear me? Can everybody hear me? There we go, okay.

All right, a couple of notes about privacy and safety just before I get going here. There is only one type of RFID tag that I'm reading in this demonstration, and that's EPC Generation 2. Those are the tags that were handed out at the door. If you have other RFID tags on you and you're worried about them being read, sit on them. You're asked to shield them really, really well. The tags that were handed out for the demo all have unique serial numbers on them, so feel free to assume that I'm tracking every single one of you. Throw them away when the talk's done. Unlike the tags that the federal government issues, you can throw mine away.

One quick point about RF safety. There isn't much power coming out of these antennas. There's about three watts coming out of this one, and this one is receive only. So as long as you're like two feet away from it, you're perfectly safe. So, don't touch. The power amp's not even on yet; you'll see when I turn it on.

So what is EPC Generation 2? It's an Electronic Product Code, as compared to a Universal Product Code, which is a bar code. EPC is effectively an RFID bar code. It's a 96-bit ID number, typically. You can get other size tags; they go from 64-bit up to 128-bit. It's passively powered, so all of the energy that's running those tags and letting them switch on and transmit their IDs is coming out of this antenna and out of this power amplifier. So I am powering those tags. It works in the 900 megahertz ISM band, so 902 to 928. There is no security. There is, you know, Barbie doll security, in that they have these kill codes and these lock codes. If you send the kill code, then the tag will disable itself.
If you send the lock code, then the tag will lock itself so that you can't change the ID number. The only problem is that both of these codes go over the air in plain text with about a watt of RF. So you can just sniff these things off the air from several miles away. It's pathetic. It really is. So: no security, no access control.

This is the tag that's used in the US passport card, if anyone has one of those, the little card that gets you around North America. If anyone has an enhanced driver's license, it's the same RFID tag in there. It's also the same RFID tag that Walmart used for stock control. They've been using it for pallet-level tagging for quite some time, and they're now going to be deploying it to every single item. At least that's the plan.

So how is this different from traditional RFID? Well, traditional RFID is an inductive system. You have a coil of wire in the reader, you have a coil of wire in the tag, and the two couple together with a magnetic field. Each side gets to modulate that field and transmit data to the other one. Because it's a magnetic field, we've got an inverse cube law on field strength, which means that the available power drops off as the sixth power of range. So there's a very, very sharp drop-off in available power for the tag. It's extremely difficult to power these things at long distance.

EPC Gen 2, on the other hand: it's much more accurate to think of these tags that you're all holding as radar IFF transponders. The radar systems that identify friend or foe, that's basically what these things are doing. You've got a little radio receiver in there that charges up and powers the tag, and then, upon being interrogated by the reader, the tag modulates its coefficient of reflectivity. You can think of that as if it were an aircraft: as the aircraft tips towards the radar tower, it exposes more of its area and gets a bigger reflection back to the radar tower. As it tips upright, less surface area is exposed, less reflection.
That's exactly what these tags are doing electronically. So it is radar. It's a proper backscattering system. A lot of the time, inductive-coupling RFID systems are referred to as backscatter. That's not correct. This is a backscatter system. It's radar. And thank you to whoever's attacking my Ninja badge right now.

So, because we're dealing with radar, we're dealing with radio, and we can use radio techniques and radar techniques to increase our read range. We've got proper electromagnetic waves. We've got a transmission coming out here. It's not an inductive thing, it's not near field, it's proper radio transmission. So we can treat it as radar and we can use radar techniques to increase the read range.

What does that mean? Well, fundamentally it comes down to this: the radar range equation. There are lots and lots of different forms of the radar range equation, lots of different ways of substituting out different values for things that you can and can't control. This is the one that I find most useful. It came from ThingMagic, a company that makes RFID readers, so they should probably know a thing or two about how it works. I'm not going to go into this in too much detail, but the two things I do want to point out are that the maximum range is derived from two things that we can control and a bunch of things that we can't. The two things we can control are the gain of the antennas and the transmit power. If we put a bigger antenna with higher gain on, let's say we get a hundred times better gain out of our antenna, we should get ten times the read range, because we get the square root of the antenna gain as read range. Likewise, transmit power: if we go up to a hundred times the transmit power, we get the square root of that in read range. Going from one watt to a hundred watts, you'd expect to get ten times the read range. There's a bunch of other stuff we can't control, like frequency.
Obviously, lambda is a factor in there. We have a little bit of control over that within the band, but not really enough to make much difference. So, a bunch of stuff we can control, a bunch of stuff we can't.

One thing that's really convenient with all of this is to work with ratios against a reference. If we look at a commercial off-the-shelf Gen 2 reader like this one, it puts out one watt into 6 dBi of antenna and gets about a 30-foot read range. If we treat that as our reference and then scale everything from there, then in theory, if we went from one watt to a hundred watts, we should go from 30 feet to 300 feet. We can work it that way, in terms of ratios to our reference value. Ultimately, that means that we're working in decibels.

How many folks are familiar with the basic mechanics of decibels? Okay, most of you. I'll skip through this then. The quick version is that a decibel is a ratio between two numbers: it's ten times the base-ten logarithm of the ratio. Decibels are really convenient because you get to add them together in order to multiply values. You can also take a square root by halving them. If you're working in this logarithmic scale, the number crunching just gets quite a lot easier.

Obviously, dBs on their own are dimensionless, so they only really express gain. If we define one of the points that the gain is in reference to, we get some useful units out of it. dBm and dBi are the two main ones. dBm is how many decibels of power you're putting out relative to one milliwatt: 10 dBm is ten milliwatts, 20 dBm is a hundred milliwatts, and so on. dBi is gain over an isotropic antenna. An isotropic antenna is one that radiates equally in every direction. Obviously, these Yagis have a very high forward gain; they're very directional, so effectively they focus all of that RF energy into a narrow beam and produce a stronger signal if you're looking into that beam.
So we have gain versus an isotropic antenna, and that's where dBi comes from. It's perfectly valid to add these three things together; even though they look like different units, they're really not. If I've got 10 dBm coming out of my transmitter, and I put it through a 20 decibel amplifier, and into 15 dBi of antenna, I've then got, what's that, twenty, thirty, forty-five dBm coming out of the antenna, or 45 dBm relative to an isotropic radiator at least. So you can add these things together, and they're not really different units.

So, the band that we're operating in, 902 to 928 megahertz, is the ISM band: Industrial, Scientific, Medical, that's what ISM stands for. If you're working under these rules, you've got some very tight restrictions. You can only use very low power; one watt is, I believe, the limit. You have to make very little utilization, so I think your transmitter can only be on for a maximum ten percent duty cycle. You have to hop frequency a couple of hundred times a second. Certainly the reader that I've got here hops frequency very, very fast. So it's really tough to comply with ISM rules.

But as it turns out, 902 to 928 megahertz is a ham radio band. Ham radio operators don't like it because it's full of all of this ISM crap; there's too much noise. So a lot of ham radio operators will look at it and say it's not even a ham band, because nobody does anything in it. Well, it is a ham band. And in fact, ham radio operators are the primary users of the band. If a ham operator and an ISM operator conflict, it's the ISM operator that has to solve the problem. So by operating under ham radio rules, we get to avoid a lot of the ISM restrictions and get to have a little more fun on the way.

So let's look at that. Amateur radio licenses are pretty easy to get. The URL here is for a training program. You just go there and they'll keep asking you the same questions over and over and over again until you get them right.
And it's the actual questions from the test, so it's a no-brainer to pass it. If you actually take the time to figure out the things that you don't understand, look them up on Wikipedia, you'll learn a lot out of it. I highly recommend doing that.

So once we've done that, we instantly qualify for a 1,500 watt power limit. That's a lot of power. I have an amplifier here that does 600 watts, and this thing scares me so much I haven't even turned it on yet. 1,500 is huge power. The only other restriction specifically for this band is that you're only allowed 50 watts if you're within 241 kilometers of the White Sands missile testing range. I don't quite know what they're doing at White Sands, but I'm not sure I want to point my Yagis at them and find out.

So in general terms, if you're operating under an amateur radio license, you're allowed to transmit an unspecified digital code as long as the specifications of that code are published. In this case, we've got a digital communication system: there are bits going back and forth between the reader and the tag. The URLs for the standard are there; you can go look it up. It's all published. That means it's fine to transmit at amateur radio power levels. You're not allowed any cryptography. Well, that's not a problem, because the tags are so dumb. No limits on antennas, basically, as big and bad as you can get and whatever you're prepared to cart around. The only other real restriction is RF exposure limits. I'm not allowed to fry you guys, for some reason I don't quite understand. And then the station has to identify itself every 10 minutes, so you have to Morse code out a call sign every 10 minutes.

So let's take a quick look at a commercial Gen 2 reader, just to get a benchmark here. This is a Symbol XR400. This was 250 bucks on eBay. I've talked about this thing before and how it was so cheap because it was broken.
It'll do a 30-foot read range right out of the box. You connect it to its standard antenna, all ISM compliant, and you'll read these tags from 30 feet away. It's very, very fast frequency hopping. It's so fast that I've yet to find a spectrum analyzer that can keep up with it. You're looking at kind of $100,000 real-time Tektronix gear just to even see the transmission coming out of this. So it's pretty much impossible to just follow the hopping sequence and identify after the fact whatever channel it transmits on, because it jumps around so fast you just can't follow it. As I mentioned, one watt of output power, 6 dBi of antenna gain, that's the ISM limits. And one of the other things that it does, because it operates in ISM, is it actually checks if you're using an authorized antenna. Supposedly this prevents you from abusing the ISM band. Epic fail.

So let's just take a quick look at how we can improve on this one. The first thing that we can do is replace the antenna. The standard antenna is 6 dBi. These Yagis give us 13 dBi, so that's a 7 dB improvement. 50 bucks a piece. So for 100 bucks of antenna we should get a 3.5 dB increase in read range, obviously the square root of our 7 dB antenna gain. 3.5 dB works out to a factor of 2.25, which in this case gives you 67.5 feet. And as I mentioned, we have to defeat the antenna protection first.

So let's take a quick look at that. What the antenna protection actually looks like is just a 10K resistor from the active element to ground. That's it. That's the sum total of the protections on this thing. When the reader starts up, it looks at each of the read ports, each of the antennas that's connected, and it looks for the DC impedance. If it doesn't see 10K of DC impedance, it just turns off the port. So that gives us a two-part problem. Firstly, we have to give it that 10K, which is easy enough to do: just solder the resistor inside the reader.
The second thing we need to do is slightly tweak our antennas, because if you look at the active element of these Yagis, right near the poles here, you can see there's a loop. At DC, that's effectively zero ohms. So we need to tweak it a little bit, and you can see on this antenna there's a little filter hanging in line. What that does, because the filter has a passband over the entire ISM spectrum, is that as far as it's concerned all of the RFID stuff just goes straight through it. But it presents effectively a capacitance to the reader, which at DC is an open circuit. So you combine the open circuit with the 10K resistor that we've got inside, and we've bypassed the antenna locks. We've given it its 10K DC impedance.

So if you do this and you put it all together, you actually get a read range of 70 feet. It conforms quite nicely with theory. I believe it was in 2005 when Flexilis set the RFID record at DEF CON, and I believe they were using an almost identical reader and almost identical antennas. My guess is that they fried their power amp and that they set their 69 feet by just connecting these antennas to this reader. I'd love to talk to someone from Flexilis, but that's my suspicion.

So we can put antennas on. What about amplifying the signal? We want more power; that's where the fun starts. We could stick a power amp on this and just bump the signal up, but we need to ID, and if we're going to be operating under ham radio rules we should be a little better behaved. It's very difficult to quantify if you can't see it on a spectrum analyzer; if you don't actually have any test equipment that can see the signal, how do you really mess with it? So yeah, you could just bump up the signal from a commercial reader, but you're going to be breaking FCC rules and it's kind of ugly. So instead we go to the USRP, and that's this black box here.
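The ratio arithmetic the talk has been using (decibels added to multiply, halved to take a square root, everything scaled against the stock reader's 1 W / 6 dBi / 30 ft reference) is worked through below in Python. This is an example added by the editor, not code from Chris Paget's talk or any project of his. It assumes exactly the scaling rule stated above, read range proportional to the square root of transmit power times antenna gain, and applies it to the antenna-only swap described here as well as to the amplifier and antenna combinations the talk goes on to discuss. The scenario labels and the helper names are the editor's own.

```python
import math

# Editor's added example, not from the talk. Link-budget and read-range
# scaling in decibels, using the speaker's stated model: read range grows
# with the square root of (transmit power x antenna gain), so the dB total
# is halved.

# Reference point quoted in the talk: a stock Gen 2 reader, 1 W into 6 dBi,
# reading tags at about 30 feet.
REF_POWER_W = 1.0
REF_GAIN_DBI = 6.0
REF_RANGE_FT = 30.0
FEET_PER_MILE = 5280.0


def to_db(ratio: float) -> float:
    """Power ratio -> decibels (10 * log10)."""
    return 10.0 * math.log10(ratio)


def from_db(decibels: float) -> float:
    """Decibels -> power ratio."""
    return 10.0 ** (decibels / 10.0)


def chain_dbm(tx_dbm: float, *gains_db: float) -> float:
    """dBm followed by a chain of dB/dBi gains is a plain sum
    (10 dBm exciter + 20 dB amplifier + 15 dBi antenna = 45 dBm EIRP)."""
    return tx_dbm + sum(gains_db)


def dbm_to_watts(dbm: float) -> float:
    """dBm -> watts (0 dBm is one milliwatt)."""
    return from_db(dbm) / 1000.0


def range_gain_db(power_w: float, gain_dbi: float) -> float:
    """Range gain in dB relative to the reference setup.
    Power ratio and antenna gain are added in dB; the square root of the
    product becomes a halving of the dB total."""
    power_db = to_db(power_w / REF_POWER_W)
    antenna_db = gain_dbi - REF_GAIN_DBI
    return (power_db + antenna_db) / 2.0


def predicted_range_ft(power_w: float, gain_dbi: float) -> float:
    """Predicted read range, scaling the 30 ft reference by the range gain."""
    return REF_RANGE_FT * from_db(range_gain_db(power_w, gain_dbi))


def power_needed_w(target_range_ft: float, gain_dbi: float) -> float:
    """Invert the model: watts into the given antenna needed for a range."""
    total_db = 2.0 * to_db(target_range_ft / REF_RANGE_FT)
    antenna_db = gain_dbi - REF_GAIN_DBI
    return REF_POWER_W * from_db(total_db - antenna_db)


# Editor-chosen scenarios using figures quoted in the talk (watts, dBi).
SCENARIOS = {
    "Yagis only, 1 W into 13 dBi": (1.0, 13.0),
    "70 W amplifier into 13 dBi": (70.0, 13.0),
    "10 W (as measured) into 13 dBi": (10.0, 13.0),
    "1.5 kW into 2x2 Yagi array, 26 dBi": (1500.0, 26.0),
    "AN/SPS-49 figures, 280 kW into 35 dBi": (280_000.0, 35.0),
}

if __name__ == "__main__":
    print(f"45 dBm EIRP is {dbm_to_watts(chain_dbm(10, 20, 15)):.1f} W")
    for label, (watts, dbi) in SCENARIOS.items():
        feet = predicted_range_ft(watts, dbi)
        print(f"{label:40s} {range_gain_db(watts, dbi):5.1f} dB "
              f"{feet:10.0f} ft {feet / FEET_PER_MILE:6.2f} mi")
    print(f"Watts for 217 ft with the 13 dBi Yagis: "
          f"{power_needed_w(217.0, 13.0):.1f} W")
```

The antenna-only row reproduces the 67-foot prediction against the 70 feet measured; the inverse function is the useful one in the field, since it says how much amplifier drive a given range actually needs before clutter, not power, becomes the limit.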
So this is a software radio device. Effectively, the computer does all the hard work of modulation and figuring out what that signal needs to look like when it goes out over the radio, dumps it all over USB, and the USRP up-converts it to whatever frequency you specify and just sends it out on the wire. Likewise in reverse: it comes in, it's digitized, it's down-converted and just dumped over USB again for the computer to decode. So it's very powerful, very flexible, and you can use the one device for a lot of different things.

This top link is for an EPC Gen 2 reader for the USRP. What it gives us straight off the bat is that it's fixed frequency, so we don't have to worry about frequency hopping, we don't have to worry about chasing it after the fact and identifying it. We know what frequency it's on; we can control what frequency it's on. The package also includes a Gen 2 sniffer. So I was mentioning that these kill and lock codes can be retrieved remotely: if you have a USRP too and you download this package, you can just sniff kill and lock codes and anything else that you want.

I would recommend, if anyone has a USRP, check out the ClockTamer. I do a lot of work with GSM, as you might have heard, and I actually switch back and forth between 64 megahertz and 52 megahertz clocks on the USRP. The ClockTamer is by far the best USRP clock I've ever come across. So if you do have a USRP and you do some GSM work, please check it out.

So we've got frequency control now. We know what channel we're on; we've got stability over what frequency we're transmitting at. So we need a way to identify the station. Well, identifying in ham radio terms is really quite simple. It's just a question of Morse coding out a call sign every 10 minutes, straight carrier wave, no modulation. You can modulate it if you want, but if you want to just treat it as carrier wave, you're perfectly fine doing so. I could have screwed with the USRP implementation and tried to hook Morse code into there, but to be honest it was
too much effort, and there's an easier way to do it. The easier way being: have a second transmitter. If you've got a second transmitter that's tuned to exactly the same frequency, then when that second transmitter Morses out the call sign it'll just DoS the RFID signal. So we need a second transmitter, preferably something that we can script easily.

So we come to the IM-ME. How many folks have one of these things or have hacked one of them? Oh, come on, people, you're missing out. The whole point about these things, Travis Goodspeed put me onto them, is that they're really quite nifty little devices. Obviously you've got a keypad and LCD on there. You've got a very, very flexible radio, reasonable power output, works over a very wide frequency range, C source code available, there's no firmware security. They don't come as standard with SMA and JTAG ports; that was an aftermarket modification. But yeah, if you get one of these things for 20 bucks, you've got one of the most flexible radios you'll ever need.

So what we need to do is match the frequency and the power level to the USRP. Well, that's easy enough to do with a spectrum analyzer. As it turns out, we need to amplify the signal from the IM-ME just a little bit and attenuate the signal from the USRP quite a bit, mix them together, send them off to the power amp, and we're golden.

So, a quick demo of what that looks like. What I'm going to do here is, okay, so I've just started the RFID reader, turning on the power amp. What I have here is a little ham radio receiver that's tuned to the frequency that I'm transmitting on, and if I turn the volume up here for a second, you hear that clicking. Each click is a bunch of commands from the reader telling the tags to wake up and activate and do their thing. So on top of that, if I push a button on the IM-ME, you'll hear the IM-ME Morse out my call sign, and you should see the screen flash as well. Anyone manage to copy that? Oh, come on, someone must know Morse code. You're all
useless. Anyway, suffice to say it works. We can identify the station; as long as we've got that thing turned on, it just cranks out a call sign every 8 minutes and we're legal. So it's all good. Let's turn this power amp off again.

So we've taken care of the identification, and we can now look at just scaling up the power level. We're ham compliant, we've got an upper ceiling now of 1.5 kilowatts, and it's just a question of what we can find. This is the power amplifier that I'm currently using. This big box here is actually the power supply for it. This thing is rated at 70 watts, but if you really crank it up it'll probably deliver 100 before it blows up. It cost me about 400 bucks, not a tremendously expensive piece of equipment considering the amount of power that you get out of it. One thing about RF amplifiers: they don't tend to have volume knobs. You control how much power you get out of them by restricting the input into them. So in order to increase my power level, I've got all kinds of attenuators here, and I just adjust the attenuation before I go into the power amp in order to control how much comes out of it. As I said, we amplify the signal from the IM-ME, attenuate the signal from the USRP, bring it all down to the level that the power amp needs, and off we go.

So, an interesting artifact about range reads. When the tags turn on, they require an initial burst of power to first switch on, and then once they're operating they require lower power. You can actually exploit this to figure out what the current limit is on your RFID read range. In this case, you get your tag and you have to walk closer to the reader so it gets more power and more power, and then it turns on, and you can walk back and walk back and walk back and walk back and then it turns off. At that point you know that you're limited by power, by the power that's available to the tag to switch on, so you can amplify your power output. If, on the
other hand, you get closer and it just picks up the signal, and you get further away and it just loses it, then that's receiver sensitivity. So just by looking at whether there's any hysteresis on the read range, you can determine whether we're limited by the power going out from the reader to the tag or by the power coming back from the tag to the receiver. It's quite a neat little thing, and it allows us to notch up our output power incrementally, notch up the receive gain incrementally, and just kind of keep track of the whole system. Quite a neat little artifact, quite handy.

A few limits on read range. We've got 1,500 watts of RF power and no limits on antennas; obviously you're not going to be carrying around an antenna the size of a building unless you're really keen. So, primary sources of limits on read range. Other ISM stations: obviously anyone else who's transmitting on the same frequency is going to get in the way. Ultimately the sensitivity of the receiver will be a limiting factor; there's only so small a signal that you can amplify up into something that the USRP can actually make sense out of. Transmitter crosstalk: this is a big one, and this is somewhat unique to this system as well. We've actually got a transmitter and a receiver on exactly the same frequency, which in radio is actually pretty unusual. Again, it swamps the signal from the tag and you lose the signal. Other things: ground interference. The antennas aren't completely parallel beams; some of it will be going down, bouncing off the ground and up at the tag, and that scrambles things at the tag. The signal comes off the tag and again some of it is going to be bouncing off the ground and back to the reader, so you've got all kinds of multipath effects, all kinds of distortion. Eventually that's going to be a limit. Atmospheric effects as well: the radar range equation doesn't really work in real life. It's a good approximation, but the atmosphere attenuates things and that'll get in the way as well. And eventually, when we get up to really insane
ranges, the curvature of the earth is going to be a limit. UHF does not bounce off the ionosphere; you can't reflect it around the earth. So there are a lot of eventual limits that we'll reach, but in the meantime let's figure out what we should be able to do with this system.

We're going from one watt of RF power in the commercial reader to 70 watts coming out of the power amplifier. That's an 18 decibel increase in power, which from the radar range equation gives you the square root of that as a range gain. From the antennas, we've gone from 6 to 13 decibels over isotropic, so a 7 dB increase gives us a 3.5 dB range increase. So overall we should see a 12.5 decibel increase in range. Comparing that to our 30 feet reference from the commercial reader, we should see a range of about 565 feet. What did we get? 217. Not what I was hoping for, but if you can see in the picture my wife in the distant background holding the tag, 217 feet is a long way to be reading an RFID tag from. So what happened? Why so little? Why didn't we get the full 565 feet?
Well, as it turns out, that was with about 3 watts of RF power as measured on my meter. The meter wasn't entirely accurate; it was about 10 watts. Increasing the power beyond that actually decreased the read range, which is counter-intuitive until you look at the picture. I was using an empty lot by the Googleplex in Mountain View, as it turned out not so empty at the end of it, but anyway. In the background you can see the tent and the chain-link fence. That's Shoreline Amphitheatre, with a steel chain-link fence that runs all the way around it. As I was increasing my power to power the tags at higher distances, I was getting more and more reflection from that chain-link fence: clutter. So as I increased my output power, the signal coming back off that chain-link fence increased and just swamped the tag. Clutter was the limit.

However, if you work out the numbers on it and you do the number crunching, 10 watts of RF gives us 10 times the power, so 10 dB power gain, 7 dB from the antennas; if you work it out, we're actually still consistent with the radar range equation. So we can swap out antennas and see the square root of the antenna gain from the radar range equation, and if we increase power, again we've validated the radar range equation. So yeah, okay, 217 feet, but more importantly we've validated that the read range of these tags is dictated by the radar range equation. So if you actually do the math, it should still be able to do that.

I'm trying to get access to all kinds of different places that would be nice wide open areas to test in. If anyone has any friends at NASA Ames that want to give me access to a runway for a day, I'll be a friend forever. We did actually get roof access, not quite roof access, we got access to the DT suite and we fired off the balcony. As it turns out, 120 degree air isn't really good for power amps that get really, really hot. Anyway, magic smoke did escape. I was up quite late last night fixing all of this, so fingers crossed that something works. Okay, so
a demo of actually reading tags then, just to give you an idea of what kind of range I'm looking at. Unfortunately, one of the problems with the Gen 2 RFID reader on the USRP is that it needs extremely low latency USB. Gen 2 is very, very sensitive to latency, so if you've got a full operating system it's too much; it's going to get in the way. So I've literally got a very, very bare-bones system here running the absolute minimum possible, so there's nothing that gets in the way. Unfortunately, that means it's pretty much incapable of talking to the projectors here, so what we're going to try, I believe there was a plan to focus video on the screen and try and project that. So we'll see if that works. Let me just set this up here.

And if you can actually see that, okay, so there are three things that you're going to be seeing on the screen here. White text is where the system has interacted with a tag in some fashion. Maybe it hasn't quite gotten the response it expected, but it sent a command and it got a response; something went on. If you see red text, red text means that it's read a tag but something went wrong, there was an error, maybe the EPC that came back failed its checksum, something like that. Blue text is a successful read. So don't worry too much about what's actually on the screen, just look at the color of the text: white means it's interacting, red means it's a bad read or fault of some kind, blue means it's a successful read.

So let me turn the power amp on here. Okay, and straight away, without anyone holding up any real tags, you can see we've got collisions. That's largely due to the sheer density of tags in this environment; it's really not designed for this many tags. So we'll see how this goes. If you look at the tags that you were given, you should see there's a metal strip inside. The orientation of the metal strip has to match the antennas; it has to be the same polarity. So make sure to hold the tags up sideways so that that metal
strip is vertical, just like the bars on the antenna. You can see there's quite a huge amount of traffic scrolling by here. If I could ask maybe the first five rows to put down their tags. That was a lot more than five, but okay. So you can see we're getting back to just in front of the camera area, maybe another five rows back. The IM-ME is identifying at the moment. Let me just restart it; did I mention that it's kind of flaky too? So we're now interacting with tags well behind the cameraman here. I can't actually see whether there are any successful reads. Are we getting any blue reads here or not? It's certainly clearly interacting with tags. I was kind of hopeful that we'd get some successful reads, but like I say, all the DEF CON badges and your sunglasses and even your faces are causing clutter, so I'm not too surprised it doesn't work.

What I am going to be doing, though, is once I get back to California, I'm actually going to be calling the folks from Guinness World Records, and once I get access to a test range I'm going to get them down, because the 217 feet that I read at, I believe that is a world record. So I'm going to get Guinness in, get it certified and then announce it officially. So let me turn the power amp off. After the talk I'm also going to be up in the Hardware Hacking Village, so if you want to see the equipment up close and have a play with it and just validate that it does read tags in slightly less hostile environments, please feel free to do so.

Okay, so what's the upper limit here? We've clearly validated the radar range equation; we've got solid evidence that the radar range equation is valid in this environment. So how far can we take it? Well, under ham radio rules we can have one and a half kilowatts of power. So what's the biggest antenna that we can get? This is the largest I've been able to find. This is a 2 by 2 array of 26-foot-long Yagis; each boom is 26 feet long, and the four antennas that you see are actually all configured as one big antenna,
so we actually get about 26 dBi gain out of this. If you run the numbers and you get a big transmitter into that big an antenna, you should get a read range of about 2 miles. So that's what you can do with ham radio.

What about the military? This is a naval radar system called the AN/SPS-49; SPS-49 is how they refer to it. It runs at 851 to 942 megahertz, so it nicely overlaps our band. 280,000 watts peak power, that's tiny. The dish is 24 feet wide, 14 feet high, and gives us about 35 dBi. If you crunch the numbers on this, assuming it's possible to backport a Gen 2 system into this, you should get a read range of about 80 miles. Kind of scary, but we're not done yet.

The logical limit: the Arecibo radio observatory. Believe it or not, amateur radio operators do get access to Arecibo sometimes. A couple of months ago a group got access. They put a 400 watt transmitter on the Arecibo dish, pointed it at the moon, with people with little tiny handheld antennas, much smaller than this, pointing them at the moon and bouncing reflections off the moon to Arecibo, and talking from anywhere around the world to Arecibo with a moon bounce, entirely amateur run. So it does happen. It's theoretically possible that we could put a 1.5 kilowatt legal-limit transmitter on the Arecibo radio observatory. Again, if you crunch the numbers with that: 317 miles. To put that into perspective, if you were to put an EPC Gen 2 tag on the International Space Station, you should be able to read it with this as it flies overhead. It's ridiculous range, absolutely preposterous, just insane.

So let's bring it back to reality here. 317 miles, it's probably not going to work. You're going to get a lot out of it, but 317, maybe that's arguing a little much. Either way, we have still validated the radar range equation in this situation, so significant ranges are definitely possible. I've done 217 feet. I believe the equipment is capable of 500, maybe more, and clearly we've got a problem here: we can read these tags at very, very long ranges. Eventually round-trip time is going to become a
limit it's very sensitive to timing either way I firmly believe that it's possible to read these things at over a mile I hope to prove that but for the moment I'm going to give you a little Guinness certificate assuming they come through with that in the meantime clutter is the primary limiting factor certainly the ranges that you can get from the available power and the available antennas clutter is going to be the most significant factor so I had a bunch of scenarios here for long range RFID I gave this talk at Black Hat and they give you a little more time at Black Hat so I'm just going to kind of skip through these three threats for this so assuming that you can read RFID tags like these from 200 feet and assuming that they're in identity documents and you know Walmart and all the rest of it in other words assuming nothing beyond what's actually real at this time now assuming an attacker gets hold of this stuff what can he do I'm going to skip through most of them these slides are already up on my blog if you've seen my Twitter there's a link from there to my blog the slides are up there so I'll skip these there we go number three so I bought 1,500 RFID tags to give away at Black Hat and Defcon for $100 these tags are reprogrammable you can give them any ID number you like which means that you know that the the way that the numbers are allocated they let's say New York State wants to issue a bunch of enhanced licenses they go to EPC and they say give us a prefix it's like a MAC address you can think of the way that they're structured so you can look at that prefix and you can know where that tag came from so if you kind of flip that on its head and you take those 1,500 tags and you reprogram them with a known prefix and then sequential numbers after that you can produce 1,500 effectively passport cards or EDLs or you know whatever kind of tag it is you want wait until your friend crosses a border drop that in his trunk or stick them to his car I don't know what 
the hell Customs and Border Protection are going to do when they see you try and cross a border with 1,500 passports in your trunk but it ain't going to be pretty I'll say the same thing I did at Black Hat please don't do this or if you do record video and send it to me sniffing clothing this one creeps me out I don't like this at all Walmart have stated that they're going to be using this technology to identify individual SKUs so you'll have distinct RFID tag numbers for every size every color every style of every item of clothing in that store so when you combine that with the ability to read tags from a mile away 10 miles away however far away I can stand here on stage and know what kind of way you're all wearing that gets creepy really quickly I don't really want to think about how that can be abused but just the concept of knowing that much detail about someone from that far away it's just doesn't not right and the number one that I came out with and the reason this gets my number one is because I believe it's a viable business model you can actually install multiple RFID readers at the doors to a mall read people's credit cards read their driver's licenses every single tag that walks through correlated all together by time because you've got these very short range reads and then track those identities from the long range tags that they have on them so you can watch people as they wander around the mall you can see what route they take you can see whether they stop in any shops you can see whether they pause and look in any windows you can get a huge amount of information about how people behave within that mall environment and to a typical mall owner it's very valuable info because they can then use that to figure out well most people can take this way around so we'll charge more for this advertising spot that's in the more popular path all this kind of stuff it's all the kind of really deep data that folks that run malls really love and again in the majority 
of states it's perfectly legal most states do not have any laws on RFID sniffing so you can do this and like I say it's probably a viable business model as well if someone wants to you could make some money out of it so two quick defences just before I stop for some questions two solutions for all of this and I'm sure that pretty much any privacy advocate would agree with these two number one do not put RFID in identity documents here's the thing about the tags that you were given those all have unique serial numbers but you don't know whether I arranged with the people at the doors handing out the tags let's say I knew that a certain person was coming and I wanted to make sure that that person got a specific ID number you don't know if I was doing that you don't know if the people at the doors had hidden cameras and they were taking pictures of everyone and you know making a note of what RFID tag corresponds to what face you don't know how those tags could be abused by me or by anyone else but here's the thing the tag that's in your driver's license you can't throw that away these ones you can that's the big difference so all of the privacy threats are exactly the same but when it's in a federally issued identity document you cannot escape it secondly disable all store issue RFID tags upon purchase a lot of stores that use RFID do do this but because of weaknesses in EPC Gen 2 you can either kill the killers or reprogram the tags to change the lock codes there's all kinds of ways of preventing people from disabling these tags and there should be some kind of consequences if that process failed beyond that informing people that RFID is in use is always good there's a lot of fud surrounding RFID a lot of people use RFID and don't really want to call it RFID because RFID has such a stigma either way if you're worried about an RFID tag stick it on the microwave for 3 seconds 3 seconds in the microwave will kill pretty much any RFID tag that you'll ever come across be 
careful though because 5 seconds in the microwave will probably set fire to any RFID tag you'll ever come across and then also bear in mind if you're doing this to an identity document technically you're tampering with your ID so depending on what kind of ID and what people want to take a look at out of it you could be done for a felony at the end of it so I guess I've got a few minutes for questions yes so the question is are all RFID tags in that same band well all EPC Gen 2 are in that band but there's lots of different bands to use for RFID lots and lots yes have I seen people sniff 13.56 yes 13.56 there is actually an upper limit in terms of how big you can make the antenna and how far you can project a magnetic field from it I think that limit lies somewhere around 70 feet that's the passport book yes another question second these ones it's fun okay so I think that's about it Q&A in a room out here thank you very much
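The "crunch the numbers" scaling the speaker applies to the ham antenna, the naval radar dish and Arecibo, as an added worked example that is not part of the talk. It calibrates the forward (tag-powering) link on the talk's ham-radio figure and estimates dish gain from physical aperture; the 1.5 kW figure for the ham scenario, the 305 m Arecibo diameter, the 0.6 aperture efficiency and the 915 MHz centre frequency are assumptions, and the round-trip timing check at the end goes beyond the figures in the talk.

```python
"""Back-of-the-envelope range scaling for passive EPC Gen 2 reads (added example,
not from the talk). The forward link, i.e. how far the reader can power the tag,
follows the Friis equation, so range scales as sqrt(P * G). We calibrate on the
talk's ham-radio figure and scale to the other scenarios the speaker describes."""
import math

C = 299_792_458.0           # speed of light, m/s
FREQ_HZ = 915e6             # middle of the 902-928 MHz ISM band (assumed centre)
FEET_PER_METER = 3.28084
METERS_PER_MILE = 1609.344

# Calibration point from the talk: a legal-limit ham transmitter into a 26 dBi
# antenna reads at about 2 miles. 1.5 kW is the speaker's "legal limit" figure;
# applying it to the ham scenario is our assumption.
REF = {"power_w": 1500.0, "gain_dbi": 26.0, "range_miles": 2.0}


def aperture_gain_dbi(area_m2, freq_hz=FREQ_HZ, efficiency=0.6):
    """Reflector gain from physical aperture: G = 4*pi*A*eta / lambda^2.
    efficiency=0.6 is an assumed typical illumination efficiency."""
    wavelength = C / freq_hz
    return 10 * math.log10(4 * math.pi * area_m2 * efficiency / wavelength ** 2)


def forward_link_range_miles(power_w, gain_dbi, ref=REF):
    """Tag-powering range scaled from the reference point. Friis gives
    P_tag ~ P_t * G_t / R^2, so for a fixed tag sensitivity R ~ sqrt(P_t * G_t)."""
    eirp_ratio = (power_w / ref["power_w"]) * 10 ** ((gain_dbi - ref["gain_dbi"]) / 10)
    return ref["range_miles"] * math.sqrt(eirp_ratio)


def round_trip_us(range_miles):
    """Reader -> tag -> reader time of flight in microseconds. Gen 2 reply
    timing is specified in microseconds, which is the timing limit the
    speaker says will eventually bite before power does."""
    return 2 * range_miles * METERS_PER_MILE / C * 1e6


if __name__ == "__main__":
    # Naval radar dish from the talk: 24 ft x 14 ft, 280 kW peak, ~35 dBi.
    radar_area = (24 / FEET_PER_METER) * (14 / FEET_PER_METER)
    print(f"radar dish gain ~{aperture_gain_dbi(radar_area):.1f} dBi (talk: ~35)")
    print(f"radar read range ~{forward_link_range_miles(280_000, 35):.0f} miles (talk: ~80)")
    # Arecibo: 305 m dish diameter (assumed), 1.5 kW legal-limit transmitter.
    # The talk's 317 miles corresponds to a ~70 dBi dish under this scaling.
    g = aperture_gain_dbi(math.pi * (305 / 2) ** 2)
    r = forward_link_range_miles(1500, g)
    print(f"Arecibo ~{g:.0f} dBi: range ~{r:.0f} miles, round trip {round_trip_us(r):.0f} us")
```

The radar scenario lands near the talk's 80 miles, while the flight time at hundreds of miles is milliseconds, far outside Gen 2's microsecond reply window, which is why timing rather than power becomes the practical ceiling.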