Monday, January 27, 2020

Gone in 6 seconds - How Anti-Theft Shop System Works



Yep, it's been a while since I wrote in my blog, mostly for business and personal reasons, but from this year, I'll try to publish more and it starts right now.

Have you ever been in a situation where you bought something and they forgot to take off the protection? I don't go shopping often, but sometimes it happens, and for me it's an opportunity to play with it.

Basically, there are 2 protection levels: mechanical and electrical. We will start with the first one.

Mechanics

Nothing fancy here, really. After disassembly of the shell using cutters and pliers, there are 5 main parts:
  • the needle, which is embedded into the plastic cover
  • the big cap, containing the small cap
  • the small cap with some holes for the balls, where the needle goes
  • 3 small metal balls that hold the needle in the small cap and are held in the holes of the small cap
  • the spring, pushing the small cap



 
The principle isn't that complex. After the 3 balls are put into the small cap, they don't hold the needle by themselves. Once the small cap is put into the big one, however, since its shape isn't straight but rather triangular, pulling the needle down drags the small cap down alongside it, and since there is less and less room for the balls, they retract and block the needle between them. Thus, the harder you pull the needle, the tighter it is held. Moreover, since the small cap is blocked by the big one, which itself is pulled down by the spring and protected by the plastic, there are not too many options to pull it up. The way it's done in the shopping center is simply by using a magnet to create a field strong enough to move the small cap first without touching it, which frees the big cap and thereafter the needle.
Simple and effective.




The spring complicates the process a little bit, hence a really strong magnetic field is required (+10kg), plus it has to be in a certain direction.
Nonetheless, in order for such a system to work, all metal parts have to be ferromagnetic, so they can be pulled by the magnet.
Lastly, those balls are made from steel (#thatsWhatSheSaid, an alloy of iron with another metal and/or carbon), as are the caps and the needle, but they are covered in nickel, which gives a coefficient of friction from 0.7 to 1.1, and even if lubricated it will still remain about 0.3, so WD-40 won't do much.
Of course, you can always use liquid nitrogen to freeze the needle and just break it, but such an attack is a bit far from practical.

Electronics

Now it gets interesting. Given that a thief can just take the goods and break the protection later, the theft has to be detected in the first place. This is done using RFID. In principle, it's not too different from basic tag operation: since those are passive systems, you need to send a pretty strong signal so that it is deformed and/or reflected by the tag, and catch it on the other side. If the signal is different (induction by the tag) or reflected (response), then it's detected and the alarm goes off.

I will not go deep into the electromagnetic theory of solenoids in this article, but I'll try to explain it simply and give some references for further understanding.

So, this is what the inductor coil looks like after disassembly:


You may also have noticed that there is a small capacitor, which determines the frequency of the induction. But first, let's make some measurements:




The diameter of the coil (D) is about 3.5cm, the wire thickness (d) is close to 0.3mm (0.33mm with insulation), the distance between two wires (pitch) is ~0.5mm, the wire is copper, the number of turns (N) is 7 and the winding length (l, depth) is 0.4cm. With this information we can calculate the inductance (L) using this approximation formula:


This comes out to about 3.3uH (I adjusted the value a little bit according to the real formula, which is actually much more complicated). This also corresponds to ~80cm of wire, and the reactance of such a coil will be ~180 Ohm.

Connecting the capacitor (C) of 100pF (approximate value after measurements) to the coil will force the current to oscillate with a specific frequency (LC circuit), which can be calculated as follows:



Something around 8.7MHz, which is kind of close to the NFC spectrum (13.5MHz) and, as my tests show, the coil reacts pretty well at such a frequency:



I mean, you can even power an LED with it:

 
The basic theory behind this is that an inductor resists changes in current, while the capacitor charges and discharges. When the two are combined, the current oscillates: the capacitor discharges and is then charged again by the force of induction. If the resistance were zero, this cycle would repeat infinitely.
Two inductors (coils) placed close together exchange their fields and transform them back into an electric field, hence the purpose of transformers and the reason why the LED is glowing.


The induction itself is just the creation of an electromagnetic field of a certain force and direction, which is just an exchange of photons between particles and... but I think I have probably already given too many physical details. If you want to check my results and maybe learn something, you can use a pretty good free tool - Coil64 and watch some of Eugene's videos, as well as simulate such a circuit.
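The figures quoted above can also be cross-checked with a short script. This is an added example, not the author's code: Wheeler's single-layer approximation stands in for the inductance formula, which is not reproduced on the page, and the loss resistance `R_OHM` is an assumed value.

```python
import math

def wheeler_inductance_uh(diameter_cm, length_cm, turns):
    """Wheeler's single-layer coil approximation (inputs converted to inches).

    Stated accuracy holds for length > 0.8 * radius; this tag coil is much
    shorter, so the result is only a rough estimate.
    """
    r_in = diameter_cm / 2 / 2.54
    l_in = length_cm / 2.54
    return (r_in ** 2 * turns ** 2) / (9 * r_in + 10 * l_in)

def wire_length_cm(diameter_cm, turns):
    """Length of wire needed for `turns` circular turns of the given diameter."""
    return math.pi * diameter_cm * turns

def resonant_frequency_hz(l_h, c_f):
    """Thomson formula for an LC circuit: f0 = 1 / (2*pi*sqrt(L*C))."""
    return 1 / (2 * math.pi * math.sqrt(l_h * c_f))

def reactance_ohm(l_h, f_hz):
    """Inductive reactance X_L = 2*pi*f*L."""
    return 2 * math.pi * f_hz * l_h

def absorption_peak_hz(l_h, c_f, r_ohm, f_lo, f_hi, steps=2000):
    """Sweep a series RLC loop and return the frequency of maximum loop current,
    i.e. where the tag takes the most energy from the reader field."""
    best_f, best_i = f_lo, 0.0
    for k in range(steps + 1):
        f = f_lo + (f_hi - f_lo) * k / steps
        w = 2 * math.pi * f
        current = 1 / math.hypot(r_ohm, w * l_h - 1 / (w * c_f))  # per volt induced
        if current > best_i:
            best_f, best_i = f, current
    return best_f

# Values quoted in the article
D_CM, LEN_CM, TURNS = 3.5, 0.4, 7
L_H, C_F = 3.3e-6, 100e-12
R_OHM = 2.0  # assumed loss resistance, not measured in the article

if __name__ == "__main__":
    f0 = resonant_frequency_hz(L_H, C_F)
    print(f"Wheeler estimate : {wheeler_inductance_uh(D_CM, LEN_CM, TURNS):.2f} uH")
    print(f"Wire length      : {wire_length_cm(D_CM, TURNS):.0f} cm")
    print(f"Resonance f0     : {f0 / 1e6:.2f} MHz")
    print(f"Reactance at f0  : {reactance_ohm(L_H, f0):.0f} ohm")
    print(f"Sweep peak       : {absorption_peak_hz(L_H, C_F, R_OHM, 5e6, 14e6) / 1e6:.2f} MHz")
```

The Wheeler estimate lands slightly below the 3.3uH quoted above, which is expected for a coil this short; the sweep peak coincides with the computed resonance, which is the frequency at which a detector sees the largest dip.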

Note that solenoids also show that the famous Kirchhoff-Ohm's law isn't an actual law, but just a particular case of Faraday's law, which determines the electromagnetic flux defined by Maxwell's equations. Thus, if we measure the voltage in two points of a solenoid in different directions, we will get different values. Pretty interesting paradox, you can make this test yourself or just read the paper on this topic (or just watch a video).

But yeah, let's get a bit practical, shall we? For instance, let's simulate a shop anti-theft protection ourselves by putting an NFC antenna and another coil close together. Next, we will connect an oscilloscope to see the voltage drop when the protection passes by, since it will absorb a huge part of the EMF because it was tuned to that frequency. This is how the alarm works:


Bypass

So, as you might know, it was Christmas a month ago (depends where you live and when you read this, of course) and I bought some foie gras, but they forgot to remove the protection and the security was too busy to notice the alarm. We are going to try to bypass the protection without too much effort:


Well, it works pretty well in this case. Note that you would need a really strong neodymium magnet for some shells, and those are not cheap, since their magnetic field remains strong for a long time and they act only at a close distance.

Another way is to simply put it in a Faraday cage, so that the emissions are absorbed by the cage and not transmitted to the tag, but it could also cause a false positive alarm since the electric potential will still vary.

The reason I publish this is simply to show that current protections aren't perfect and that they can be bypassed pretty easily with the right tools. Don't forget that there are also cameras and security in the shops, so EMF will not be the only problem to deal with.

Anyway, I should say that it's not good to steal, since it causes an imbalance in property/work value and the state will be very grateful for the VAT, as well as companies for the profit (although vendors were considered the lowest social class in Japan, since they don't produce anything by themselves) and this profit will still have some taxes and some of this money could be stolen by the employees and/or by politicians so... in the case of a theft, it's actually difficult to say who lost in the end.

Finally, I hope that you learned something from this, and I'm happy that I began writing again. Until next time and be safe.