RFID chips snooped from 66 metres

RFID tags can be read at a surprising range, a researcher has found. When he's not listening in to GSM phone calls, Chris Paget has been busy seeing at what distance an RFID tag can be read, managing a respectable 217 feet. Paget also reckons the US military could read an EPC Gen2 tag from 80 miles off, though the connection …

COMMENTS

This topic is closed for new posts.
Badgers

Detecting holidays...

Or how about detecting the presence of passports in houses in a street, and when those passports disappear then it's holiday / break-in time.

Badgers sign because it almost looks like burglars...

3
0
Badgers

Badgers.

Badgers also sneak around at night and leg-it as soon as they're spotted

1
0

One ...plus?

That wouldn't be a big deal in the US...most people don't have Passports...

2
0
FAIL

Errrm not really!

Or.... it could be one of the frightening % of people who have no passport because they are either too unfortunate, too lazy or too Luddite to go abroad... they just happened to have a visitor last time you were there!

It's surely no worse for security than the car not in the drive, all the lights are off or the neighbour seen feeding the cat...

1
1
Anonymous Coward

Re: That wouldn't be a big deal in the US...

Recall that it was the US that pushed everyone else into making lots of haste with RFIDing passports. And everywhere else, most people do have passports, for various reasons. Everyone else, you _don't_ get a foil jacket with your RFIDed passport. In fact, there are plenty of countries where not being able to show one causes a fine or worse legal trouble. So I say: Nice and hateful comment there.

Responsibility? They've heard of it. The state department even spells it in large letters on their website: r e c i p r o c i t y.

0
0
J 3
Big Brother

@One ...plus?

Maybe, but no problem -- they will put them in the driver's license.

0
0
Silver badge
Boffin

Detecting holidays

Yeah cos there aren't much simpler and tech-free ways of detecting when people are on holiday... Even simple films such as Home Alone taught us that

0
0

The 10 mile isn't realistic

If you're happy to use these tags for nefarious purposes surely you'll take out the 100ms filter first?

2
1

BacoFoil Shares Worth Buying?

Aluminium foil - not just for turkeys!

2
0
Thumb Up

Luverly

Tin foil hats - not just for people anymore!

0
0
Flame

No, a microwave

In Holland they do things even "better" and thus put your biometric data (fingerprints) onto the RFID chip used in both passports and European ID cards.

And because I trust my government to do everything in its power in keeping this information secured I fried my ID card. One flash, 2 holes and no more RFID.

Paranoid? I don't think so, just protecting my rights because I know how "safe" RFID is. Esp. when a government "designs" the security scheme behind it.

0
0
Big Brother

Big Brother??

"Whatever the risks, the real joy is in seeing what can be achieved and pushing the technology to its limits, for no reason beyond seeing if it can be done."

And when it can be done every single government in the civilised world will adopt this to surreptitiously spy on absolutely everyone. We are not safe and we are being watched......

2
0
Thumb Down

Oh how embarrassing...

The fuzz will know what I buy in the supermarket :-(

0
3
Big Brother

Re: Embarrassing

Or, as is currently happening in the US:

"Sorry, sir, but we have a warrant to search your home and outlots. See, you bought Brand X of shampoo, and Brand Y of cough syrup, and Brand Z of insect repellent. You bought these at different times in different stores, and this matches the pattern of a Meth Lab. Please follow this nice officer as he handcuffs you and places you in the back of his patrol car, for your protection..."

This IS HAPPENING NOW in the US. Wal-Mart... "Always" is more than just a slogan...

0
0
Silver badge
Boffin

From page 8 of the referenced PDF:

"In reality there are several factors which limit the read range to far less than these maximums, and one of the most fundamental may lie in Gen2 itself. There are strict timing requirements placed on both the reader and the tag, with both sides abandoning communication if timeouts are reached. Ironically, this timing restriction may be the ultimate self-imposed limit on Gen2 read range – a 10-mile read range* (for a 20 mile round trip) takes about 100 microseconds, so we still believe that reading RFID tags from more than a mile away is entirely possible."

The 100μs timeout applies at both ends, ignoring it at the receiving end won't stop the chip itself from respecting the limit. I would assume that these chips use some form of request-response type interaction, where the chip is queried and it asks for authentication, expecting it within those 100μs.

*(The actual round-trip distance here is calculated by multiplying the speed by the time taken, c x 100μs = 3e8 m/s x 1e-4 s = 3e4 m, which is 30km, or 15 km each way)

2
0
Boffin

Re: Chip respecting limits

Warning: Armchair physics reasoning ahead...

This could be easily circumvented by changing the timestamp of the signals from the transmitter, assuming that's how the chip knows the "time". Even if the chip records the last "time" there was a communication, without the power of the signal, there is nothing for it to run an independent timer to verify that the next signal was transmitted within the timeout period.

Because of this, once the range is known, the transmitter could modify the timestamp to fool the chip into thinking the 100μs have not elapsed...

Unless, of course, the 100μs is how long the signal powers the chip... so that if the chip loses power, it automatically "forgets" the conversation, forcing the timeout.

0
0
Boffin

Given enough knowledge of the circuit involved...

It should still be possible to get the data you want. Assuming the timing remains fairly consistent between two reads, one could create a reader that reads a tag once, times the response based on round trip, forms a response based on the received packet, then transmit a second read request, closely followed by the response packet. Assuming the response doesn't change between reads, one should be able to read up to the maximum distance.

Granted, the hardware required would be complicated, but it is possible.

0
0
Coat

it's passive

Since the RFID is passive, how can it enforce a time out? It uses the power of the incident signal to impose a digital signal on the 'reflection' (it's actually a parasitic oscillator at work so not really a reflection, just good old 'Q' at work).

The rfid tag is dumb - so tickle it with the right frequency and listen for the 'reply' - basic radar; sonar; lidar technology; so not only do you get the information you also get the range to within a few yards(/metres) and bearing.

Of course; not only is the power a factor; but also the curvature of the earth and the atmospheric conditions. The absolute range is proportional to the power^2 AND the sensitivity of the receiver AND the signal path; but if you're not bothered by licence (or health) restrictions; then several miles should be easy. And that's before you start using diversity reception.

my coat is the one with kitchen foil lined pockets

0
0
Anonymous Coward

So

that means that vehicle number plates with embedded rfid tags can be read from the roadside......

1
0
Silver badge
Pirate

Vehicle number plate RFID

We knew that anyway. The ones proposed for vehicles are battery powered, and have a larger design range than the unpowered ones. Which, of course, opens up a whole host of possible ways to screw their operation, all of which I shall be investigating should they ever become compulsory.

GJC

0
0
Thumb Up

Metal biscuit tin

Now you know why all your Granny's important documents were kept in an old biscuit tin - it's good at keeping all the radio stuff out of it and makes your passport invisible. Also keeps mice, damp and all sort of other things away as well.

5
0
Linux

Ol' Granny Faraday was a cagey old bird.

<----- a bird.

1
0
Joke

patented

I'm afraid that all those nefarious uses for this form of reading of RFIDs have already been patented by Apple

1
0
Silver badge
Pirate

Got a new credit card?

So, those new Visa "PayWave" cards will really be a wave of crime, then? Ignoring the fact that stores will be able to track you all the way round the mall to map out your shopping prefs, crims will be able to clone your card from the other side of town! No PIN to worry about now for Mr Shay D Karactor, and now he doesn't even have to walk behind you and scan your backpocket (see http://www.engadget.com/2008/03/19/rfid-credit-cards-easily-hacked-with-8-reader/), he can sit comfortably in his car in the carpark and scan you as you walk into the mall. I expect the next "must-have" accessory to be wallets lined with metal mesh or tinfoil.

/Yeargh!

0
1

Err...

Ok, that wasn't an $8 reader from eBay, it was part of a POS device. He can't sit in a car and read cards, he said that he thought he may be able to do that, but this would be far over the effective range of NFC. He keeps referring to the cards as RFID when they are NFC. He says that the decryption should happen in a datacentre when the whole point of PayWave is that it happens locally, so you don't have to wait for a connection to a datacentre to be established. Also, there is absolutely no verification that he is doing what he claims, the reader goes beep and he says, "look at the screen". Furthermore, as I understand the operation of PayWave type cards, they have a separate "card number" for the PayWave part of the card and while it is implied that having the credit card number is "bad" he doesn't even imply that he would be able to create another card with this data. I could go on...

All in all, I call FUD.

0
0

do you mean something like this...

http://www.firebox.com/product/2635/Ogon-RFID-Wallets?via=ser

that is all

0
0
Silver badge

317 miles = 510 km

With the ISS orbiting at 340 km, it shouldn't be much of a problem.

So, is there any way to check if your Gen2 tag respects the 100 microsecond rule? Meh, tinfoil is probably cheaper.

0
0
Silver badge
Unhappy

"especially if said criminals are less respectful of ham licensing restrictions"

Forget 'less respectful', they most likely don't even know what a 'ham' is.

And if you shop at the Gap or Walmart your clothes will be good substitutes for radar reflectors, some garments have more than two RFIDs in them.

RFIDs can be neutered by placing the object in a microwave oven, along with a mug of water, and turning it on high for a minute.

1
0
Black Helicopters

Search and destroy?

How can we locate these in items we own and relocate the chips?

I could see the possibility for hijinks here: remove the chips and stuff them in random locations, preferably in the stores they came from in the first place.

0
0
Gold badge
Thumb Up

This Christmas's Must Have Present.

RFID early warning receiver.

Possibly backed up by something to put out a response pulse powerful enough to blow out the front end of any snoopy receiver.

1
0
Happy

Get some perspective

Let's be clear here, Gen2 RFID tags are around the size of bricks as they have their own battery built-in. The usual RF-ID tag called Gen1 like Walmart is wanting to use are the size of a postage stamp....

0
1
Joke

Arecibo. A warning ...

... to Fidel Castro not to shoplift at the local Wal-Mart, or any in Puerto Rico.

0
0
Bronze badge

...or you could use it to find your golf balls

like this company - www.radargolf.com

Admittedly I don't think the device is reading the data from the RFID tag at long distances but rather there's a tag which is responding to the scan and how strong a signal is being 'bounced' back.

0
0


Coat

Detecting holidays the high tech way?

Why bother, most morons put home address, phone number and a neat little calendar on their Facebook page saying when they will be on holiday, then don't make their profile private....

nuff said

0
0

Ok...

Two things:

1) Passports, bank cards etc use NFC, which can currently only be ramped up to 50cm max, more realistically about 5-10cm. NFC is not the same thing as RFID.

2) You may be reading an RFID at X miles, but how do you target a specific tag, rather than just the first one that comes back? The chances are that there will be a fair few RFID tags in any direction you choose to look.

1
0

What about large numbers of tags?

What happens if you have large number of tags close enough together for the responses to seem simultaneous? Does that confuse the reader? The further away you're reading from, the more tags you're likely to get responses from.

1
0
Anonymous Coward

Oh please, not that canard

The standard specifies that passport RFID chips must function up to _at least_ 20cm. That doesn't mean it guarantees all passports will not respond when held at 21cm. What this is about is how far you can stretch things, regardless of standard. As it turns out: Quite a lot. Even stretching to just a yard may be more than enough.

Maybe you find it hard to believe, but it's the same principle as a lock manufacturer saying "this lock ought to only work with this specification key", and then someone comes along with a lock picking set and opens it anyway. We all know it works that way; no reason RFID should magically be different. It's been up and down the news several times already that, surprise, it in fact is not at all different from everything else we make in that respect.

Similarly, sometimes you don't care what tags you read, just that they're part of some class, like, "contactless payment cards with at least a tenner on them", and then you trigger a transaction to transfer, not to be overly greedy, 9.99 to you. Walk up and down a busy shopping street, loiter a bit in a mall, and you'll have easily filched a couple hundred, maybe a couple thousand. Then scram and try again in a different part of town, or a different city altogether.

Or, sometimes you don't care what else you read. If you can read tag X within the range of your device, distance Y, you can draw conclusions like, well, since tag X is subject Z's passport RFID tag (or simply the one in his oyster or barclay card, his employee access badge, a tag factory sewn into his shoes, the one implanted in his dog, what have you, any will do), then that's likely Z within Y right there. That already enables surveillance by some unobtrusive logging device stuck on a wall, hidden in some other device, and so forth and so on. Or you could trigger a detonator. Why not.

0
0