So are there any tags that are compatible with either of the two readers that Parallax sells that have a 3 to 4 foot range? I actually only need about 2 feet but figured I would extend it a bit. I want to make my back door open and close for my dog. I do not want to spend a bunch of money on the electronic dog doors, etc. I pretty much have everything I need but my dog needs to be extremely close with the current Parallax tags.
EDIT: If this is not feasible, I may switch to my EasyVR. My dog has a very specific bark when he wants to go out and come back in. I am wondering if it is possible but will leave that for another thread so as not to hijack Rich's!!!!
So are there any tags that are compatible with either of the two readers that Parallax sells that have a 3 to 4 foot range?
I think it is the other way around. The readers that I was looking at had much larger, and presumably very directional, antennas that would work with standard tags.
I was a speaker at Las Vegas BSides last August, and again last October at IWS-7 (Information Warfare Summit), on long range RFID sniffing, where we were able to achieve 15 feet from a passive 125kHz RFID tag. This particular approach is different and more of a security problem than just reading a tag by close proximity. What we are doing differently is listening to the "door reader" when a tag is brought towards it during normal access reads. During this stage, when the tag is modulating the door reader, the door reader becomes a radio transmitter that we can pick off at a considerable distance. Audibly we can "hear" the signal a good 25 or more feet away; however the noise floor is great enough that we can't decipher it just yet (more R&D required) unless we are closer... more like 10-15 feet. Keep in mind our detector coil was only about 2 inches in diameter. The real security problem here is that no matter what, we can "see" BOTH sides of the negotiation, meaning that the supposed smart RFID cards that require any kind of handshaking can be broken using this technique or similar. The fact that we were doing this with 125kHz tags is irrelevant, and for the presentation was just proof of concept. This same technique can be applied to any RFID tag.
This is mind blowing. I wonder if the reason I'm having a problem finding a long range reader (8 to 10") for my chickens' 125kHz leg bands is because they can be used to hack security codes. If you're an RFID reader manufacturer, making a long range reader would be self defeating as hackers would use them to read cards as people walk by. I get that, but I have a legitimate need. The "long range" readers I can find are from China and have sketchy specs and say they work with long range cards, so I don't think they will work with my leg bands.
The readers from Parallax only have a 4" range at most according to the documentation. I could probably make 4" work but I fear that is the max and the leg tags will most likely have to be right up against the reader. The chickens walk up an 8" wide ramp to get into their coop. I want to read a chicken's tag as it stands on the ramp and open the door to let her in. I have the leg tags and a reader, but the reader I have requires the tag to be held right up against it.
There has got to be a solution out there. I know it may be a little pricey, but if it is under $300 I would make it work. After all, I only need the serial stream from the reader; I can take it from there.
I would be tempted to buy the Parallax reader and try placing it on/under the ramp where the hen would stop and place her legs. If that did not work reliably I would replace the coil on the pcb with an 8" by 8" coil. Might take a bit of trial and error to get it tuned to 125kHz, but there is a good chance that it would work.
Hmm, I'm tempted, but the Parallax RFID manual says their reader works exclusively with their tags?? I have to use the 125kHz tags that I have; they are designed to not harm the chickens.
The reader I have that works with the tags right up against them is from SparkFun https://www.sparkfun.com/products/11828. If Parallax's reader would work I would give it a try. I have been trying to avoid making my own antenna, but it's looking more and more like that is going to be the answer.
Why not dig up the recipe for a good old Radio Beacon navigator - basically a highly directional radio receiver operating in the long LW frequencies. I used those for navigating across the sea when sailing - years ago. All you need is a long ferrite rod antenna and a sensitive receiver circuit that is tweaked to handle the digital signalling. Easy. If you have plenty of time. Would think the Parallax reader could be modified to use a ferrite antenna too.
Thanks, had a good read, but I am trying something quite different: putting a micro tag used on bees on the chicken, and trying to get extra distance by putting a battery on it. Do you think it would work?
e.g. http://www.microsensys.de/transponder/mini-tag.html
Active power does not equal Active tag ... this will not work. You need something that is going to be able to transmit some real power and something other than a standard door reader to "listen" for the signal.
Beau, I couldn't find much on this when I searched, specifically I couldn't find video, audio, or slides from your talks.
I'm a noob at electronics and RF. When I first read various materials my understanding was that the LF wave was an attenuating wave and not a propagating wave, and a magnetic field not an electrical field, so its strength would diminish at the inverse square (or is it cube). Meaning that you'd need to be very close (within cms), or that you need a very big antenna(e) and high power, sensitive receiver, etc. to get longer distances (100cm), and that it would basically become physically impossible due to noise and SNR to go any further. I thought this applied to the whole thing, powering and RX/TX. After reading your post, I re-read some materials and saw that I had missed some points - that this point had been raised already, and was a "known issue" that when the card/fob is energised it radiates and its emanations can be snooped from a long distance.
Is it correct to say that the reader powers the card by induction, which is a magnetic field, which is a non-propagating wave (attenuating wave) that diminishes at inverse square (or cube or something exponential), but that once the card is energised the signal is a propagating wave that can be snooped at a long distance? My terminology is probably very wrong; my main question is - is the RF signal coming off the card able to be read (understood) at long distances? That's my new understanding. In other words, the main limiting factor for the popularly considered attack is powering the card, needing to be close enough to power it for its chips to work and so that it can modulate the signal via backscatter - reading the signal is not the distance limiting factor - powering is. Is that correct?
Could you publish your slides, and/or code?
I've noted in my use of a Proxmark3 that the relative 3D orientation of the Proxmark3's antenna and the card has a big impact, and I've read that commercial readers have multiple antennas for different orientations (like one for each plane, 3 in total), and that some antenna designs have better performance trade-offs in this regard etc. I've also read of readers that use many antennae and complex DSP to be able to scan and read multiple cards simultaneously - are any of these what is necessary/helpful to snoop at long distance? Or is it more just better signal processing algorithms?
I started looking more into the source code of the Proxmark3 and saw features for snooping. I broke my antenna before I could do any testing. I'd like to do testing with two Proxmark3s, one to energise and read a card, and another to snoop at a distance to see if it can distinguish the data.
You probably already know this, but the MitM problem you mention, seeing both sides, has been solved in cryptography via protocols such as Diffie-Hellman (DH) key exchange and authentication protocols (X.509 PKI for example). The DH needs to be authenticated, such as through RSA signatures etc. It's all up to the implementation to take appropriate measures (and to implement them correctly); some do, some don't. Probably HF is more likely to, as they have more BW.
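To make the distinction in the last paragraph concrete, here is an added example (not code from any poster, and not any real card's protocol) of why seeing both sides of a transcript is fatal for a static-ID card but not for an authenticated key agreement. It assumes a toy DH group (p = 2^127 - 1, g = 2, chosen only for readability) and stands in for the RSA/X.509 step with an HMAC under a pre-shared key; both of those are assumptions for illustration, a real design would use a vetted group and a certificate plus signature. The passive listener still sees every public value but cannot derive the session key, and an active substitution of a public value is rejected because it no longer carries a valid tag.

```python
import hashlib
import hmac
import secrets

# Toy DH group (constructed for illustration only, not a vetted production group):
# p = 2^127 - 1 is a Mersenne prime and g = 2. Real systems use RFC 3526 MODP
# groups or an elliptic-curve group, and a certificate/signature in place of the
# pre-shared-key HMAC used below.
P = (1 << 127) - 1
G = 2
VALUE_BYTES = 16  # every value mod P fits in 16 bytes


def static_id_transaction(card_id):
    """Plain proximity card: the transcript an eavesdropper captures IS the credential."""
    return {"reader": b"poll", "card": card_id}


def dh_keypair():
    """Fresh ephemeral key per transaction: private x, public g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_session_key(own_private, peer_public):
    """Both ends compute g^(xy) mod p; the passive listener only ever sees g^x and g^y."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(VALUE_BYTES, "big")).digest()


def auth_tag(psk, role, public_value):
    """Binds a public value to a party holding the key (assumed stand-in for a signature)."""
    msg = role + public_value.to_bytes(VALUE_BYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def reader_accepts(psk, transcript):
    """Reader-side check: the card's public value must carry a valid tag."""
    expected = auth_tag(psk, b"C", transcript["card_pub"])
    return hmac.compare_digest(expected, transcript["card_tag"])


def authenticated_dh_transaction(psk):
    """Reader (R) and card (C) exchange authenticated DH values and derive a session key.
    Returns the on-air transcript plus each side's key so they can be compared."""
    r_priv, r_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()
    transcript = {
        "reader_pub": r_pub, "reader_tag": auth_tag(psk, b"R", r_pub),
        "card_pub": c_pub, "card_tag": auth_tag(psk, b"C", c_pub),
    }
    if not reader_accepts(psk, transcript):
        raise ValueError("card authentication failed")
    return {
        "transcript": transcript,
        "reader_key": dh_session_key(r_priv, c_pub),
        "card_key": dh_session_key(c_priv, r_pub),
    }


def substitute_card_public(transcript):
    """Models an active relay replacing the card's public value with its own while
    keeping the original tag (it cannot recompute the tag without the key)."""
    _, fake_pub = dh_keypair()
    tampered = dict(transcript)
    tampered["card_pub"] = fake_pub
    return tampered


if __name__ == "__main__":
    run = authenticated_dh_transaction(b"constructed-psk")
    print("keys agree:", run["reader_key"] == run["card_key"])
    print("tampered transcript accepted:",
          reader_accepts(b"constructed-psk", substitute_card_public(run["transcript"])))
```

The two points worth taking from this: unauthenticated DH alone already defeats the purely passive listener described earlier in the thread, because the key never crosses the air; the authentication step is what stops an active relay, which is why the post above says DH "needs to be authenticated". Neither helps a card whose only secret is the ID it transmits.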
I am in the middle of a house move, so all of my stuff is scattered. Basically, my original speech was to point out and exploit a vulnerability to a group of security experts at RMISC (Rocky Mountain Information Security Conference) ... After that presentation I was approached and was asked / instructed / told (<-take your pick) to give a speech at BSides security conference which overlapped DEFCON in August of 2014.
The Exploit essentially is a radio tuned to 125kHz that listens to the modulation created from any door reader as you "badge in" ... it's NOT the tag being modulated, but rather the door reader that I am listening to. As you pointed out it's not RF in the conventional sense this is purely a magnetic coupling. The analogy would be trying to detect a refrigerator magnet spinning at 7.5 million RPM (or 125kHz) at a distance of 10 feet. That's what my circuit design did at RMISC. It all started with a friend of mine that works for the DoD and is a hired Penetration tester, asked me in February to help him with a presentation project... he just wanted a proof of concept to show at RMISC during the middle of May. We ended up setting a world record for getting a valid read on a passive RFID tag at a distance of 15 feet in front of a captive audience of about 30 people.
When the dust settles, I am planning on releasing a new improved SMT version of the design and selling it on my eBay store, but it may not be until the first of the year before that happens. Right now we are in the process of buying a new house and a horse to top it off.
Here is a video teaser of a 125kHz RFID door reader field strength meter sensitive to about 6 feet...
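The questions a few posts up about inverse-square versus inverse-cube, and the "spinning refrigerator magnet" explanation just given, both come down to near-field coil physics, as does the earlier suggestion of swapping the reader's coil for an 8" by 8" one. The added example below (not code from any poster or from Parallax) works it through with the on-axis field of a circular current loop. The coil dimensions and ampere-turns are constructed, assumed figures, not measurements of any real reader or tag, and the model ignores tuning and coil Q; it only shows how the field scales with distance and coil size.

```python
import math

MU0 = 4 * math.pi * 1e-7   # vacuum permeability, henry per metre
C = 299_792_458.0          # speed of light, m/s


def wavelength_m(freq_hz):
    """Free-space wavelength. At 125 kHz this is about 2.4 km, so a coil a few
    metres away is deep in the near field: quasi-static magnetic coupling, not
    a propagating radio wave."""
    return C / freq_hz


def loop_axial_field(amp_turns, radius_m, distance_m):
    """On-axis flux density (tesla) of a circular coil, from Biot-Savart:
    B(z) = mu0 * N*I * R^2 / (2 * (R^2 + z^2)^(3/2)).
    amp_turns is N*I; the coil is a lumped equivalent, not a tuned-antenna model."""
    return MU0 * amp_turns * radius_m ** 2 / (2 * (radius_m ** 2 + distance_m ** 2) ** 1.5)


def attenuation_db(radius_m, near_m, far_m):
    """Drop in field (dB) between two on-axis distances for a coil of given radius.
    Well beyond the coil (z >> R) B goes as 1/z^3, i.e. about 60 dB per decade of
    distance; inside the coil radius the fall-off is much gentler."""
    ratio = loop_axial_field(1.0, radius_m, near_m) / loop_axial_field(1.0, radius_m, far_m)
    return 20 * math.log10(ratio)


def best_loop_radius(distance_m):
    """Coil radius that maximises on-axis field at a fixed distance for fixed
    ampere-turns: setting d/dR of R^2/(R^2+z^2)^(3/2) to zero gives R = z*sqrt(2).
    This is why a bigger coil helps a reader that must work at 8 inches."""
    return distance_m * math.sqrt(2)


def field_budget(freq_hz=125e3):
    """Constructed comparison with assumed numbers: a reader coil versus a tag's
    load-modulation coil at 3 m, and a small versus a large reader coil at the
    ramp distance. It shows why the reader, not the tag, dominates at distance."""
    reader = dict(amp_turns=0.5, radius_m=0.04)    # assumed: ~0.5 A-turns, 8 cm diameter
    tag = dict(amp_turns=0.005, radius_m=0.012)    # assumed: tiny current, leg-band size
    ramp = 0.2                                     # about 8 inches, in metres
    reader_3m = loop_axial_field(distance_m=3.0, **reader)
    tag_3m = loop_axial_field(distance_m=3.0, **tag)
    small = loop_axial_field(1.0, 0.025, ramp)     # ~2" diameter stock coil (assumed)
    large = loop_axial_field(1.0, 0.1, ramp)       # ~8" coil approximated as R = 0.1 m
    return {
        "wavelength_m": wavelength_m(freq_hz),
        "reader_vs_tag_at_3m_db": 20 * math.log10(reader_3m / tag_3m),
        "large_vs_small_coil_at_ramp_db": 20 * math.log10(large / small),
        "best_radius_for_ramp_m": best_loop_radius(ramp),
    }


if __name__ == "__main__":
    for name, value in field_budget().items():
        print(f"{name}: {value:.2f}")
```

Two things fall out of the numbers. First, the reader's own field dominates the tag's by tens of dB at any distance, which is the physical reason the door reader, not the card, is what can be picked up from across a room; the limiting factor for reading a passive tag directly is powering it, as the earlier post suspected. Second, for the chicken ramp, a coil whose radius is comparable to the working distance puts far more field on the leg band than a small stock coil with the same drive, although it still has to be retuned to 125kHz once the inductance changes.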
Thanks Beau, is there any presentation material, slides, or code/schematics available?
Can you put me down for pre-sales of your new SMT version? I saw on your kit-start site that all RFID Sniff Project kits were sold out; I'm guessing that was a kit form of this project.
Yes, that was the kit ... we made 90 units and sold out in less than two weeks. The kits sold for $30. It became soldering 101 which is why I didn't make another run. Soldering 101 is such a headache and really gets on my OCD... So with an improved circuit design, I'm just going to play with my SMT re-flow oven and build and test them myself. <-- It's much more therapeutic that way. There is a series of products focused around the main design so my hope is to offer a few options.
IWS Reference:
http://iwsokc.com/
http://iwsokc.com/?page_id=21
The Parallax reader works with standard 125kHz tags.
Erlend
I suppose it would be possible. I don't know if you'd get better range by adding the battery.
Did you see the link I added about active tags in this post?
http://forums.parallax.com/discussion/comment/1204219/#Comment_1204219
I PM'd you some additional information