January 22nd, 2010 at 23:56 UTC by Markus Kuhn
A few days ago, BBC2’s Newsnight approached me to have a look inside what might have been some kind of smartcard, but had long been suspected to be part of a simple-minded and dangerous fraud that may already have cost lives.
Background: The Iraqi army (among others) has bought for millions of pounds ADE651 devices, which according to the vendor’s website can detect almost any substance of interest to the military (explosives, banknotes, drugs, etc.) even kilometres away. The devices contain no power source (“powered by the user’s static electricity”, no battery), resemble very much a dowsing rod, and generally leave much to be desired regarding a plausible operating principle or performance in repeatable double-blind trials. There are several such military dowsing rods on the market. The ADE651 distinguishes itself by being “programmable” with a plastic card that can be inserted into the unit to select the substance to be detected. Having already established that the card reader end was just an empty box, the BBC team wanted to know whether there is anything inside these programming cards.
They provided me with a few sample cards, which when held against a bright light showed in the centre the outline of what might be a loop antenna, similar to those used in RFID tags designed for short-wave frequencies.
I opened some of these cards by first heating them on a 60 °C hotplate to soften the glue that keeps the two layers of the laminate together and then slowly cut them apart from all sides, parallel to the card surface, using a sharp utility knife. About 16 mm from the centre of the cards, I encountered instead of glue an inserted 32 mm x 32 mm large paper sticker, and the card layers fell apart there easily. This paper sticker looked very much like it was designed to be used as part of an RF electronic article surveillance system, which is attached to goods in high-street shops and raises an alarm at sensors near the exit door if the tag hasn’t been deactivated at the till. Several observations confirmed this:
- The barcode looked very similar to the UPC one used by scanner tills in shops, but it was misaligned, the check digit of the number (048572 020000) was incorrect, the prefix of the number had been chosen such that it was not assigned to any country in UPC, and the barcode didn’t even match the number. All this suggests that the barcode is just carefully designed camouflage, to hide the real purpose of these stickers when used in shops, without the risk of being accidentally recognized at a checkout scanner. A member of the Newsnight team even found in a Currys shop an item with a security tag that had the exact same 8-digit number under the fake barcode.
- I cut away the remaining card plastic and used solvent (white spirit, ~80 °C) to dissolve the glue underneath the sticker. After a short time, the sticker paper with the barcode separated and revealed underneath a laminate of aluminium foil and transparent plastic foil. The aluminium was shaped into a coil. The coil centre had been folded out to form two plates of a capacitor. This was clearly meant to be a simple LC resonator, shaped exactly like the ones that RF electronic article surveillance systems near shop doors detect.
- I first used my fingers to find any hints of a semiconductor chip or other electronic component in the laminate, and could not feel any. To be completely sure that there was no chance of there being any semiconductor chip inside that I might have missed, I left the laminate overnight at room-temperature soaking in white spirit, such the remaining glue dissolved and all layers of the laminate came apart easily and completely. Another careful inspection of all surfaces and the solvent showed again no trace of any form of semiconductor device or other integrated circuit than the capacitor and coil formed by the aluminium foil.
All this left me very confident that the sticker was indeed a security label with fake barcode that had no capacity to be programmed with any other information than being deactivated at a shop till by a strong RF field (which shorts out the capacitor by breaking down the foil dielectric). There is no way in which this device could be programmed to distinguish the many different substances that the ADE651 manufacturer claimed it could, not to mention that any useful interaction with such an LC circuit would require a transmitter antenna, a power source, and lots of other components that the ADE651 appears to lack. And, to state the obvious, there is no way in which an anti-theft RF tag, like I found in these cards, could be able to help in detecting explosive substances such as TNT (as the Arabic letters on the card had claimed). I strongly suspect that these tags have been chosen because they are the cheapest and most easily available items that look vaguely electronic and are flat enough to fit inside a plastic card.
See the BBC News coverage and the BBC2 Newsnight programme on 22 January 2009, 22:30 for the full story.