A Technical RFID Primer

gManZboy writes "Roy Want, principal engineer at Intel Research, has a pretty meaty technical overview of RFID up at Queue. If you ever wondered how these little things actually work it's worth a read. For instance, I was intrigued to find out how the tags (which are generally battery-free) can absorb enough energy from RFID readers to then power up and transmit their own signal back to the reader."

RFID isn't a problem-free technology for retailers

[hrbrmstr]

A little over a week ago, Yahoo! posted a story from TechWeb about IBM's experiences with Wal-Mart in their RFID deployment.

During the deployment, IBM consultants have encountered interference from handheld devices such as walkie-talkies, forklifts, and other devices typically found in distribution facilities. And nearby cell-phone towers, which transmit at the high end of the frequency band, sometimes leak unwanted radio waves into the RFID readers. Bug zappers in the grocery sections of the pilot stores also caused interference. "When you have a bug that hits the zapper, the RF power generated by the interaction with the bug produces noise in the coax cables," says Douglas Martin, executive consultant at IBM Global Services.

Regardless of how much a retailer's internal facility might disrupt their ability to monitor me, I still plan on getting one of RSA's RFID jammers when they're out.

errrm....

[mr_snarf]

I was intrigued to find out how the tags (which are generally battery-free) can absorb enough energy from RFID readers to then power up

I thought that was the WHOLE POINT of RFID tags? Pretty useless if they need their own power source.

Re:errrm....

[Rimbo]

"I thought that was the WHOLE POINT of RFID tags? Pretty useless if they need their own power source."

This is called Passive RFID. There is also Active RFID, where the tag has its own power source.

Active RFID is more expensive, because of the need for a power source, but it gets much better range than the ~10 feet (with an antenna that will cook you under perfect conditions) you can get with a passive tag.

Person-tracking RFID systems are the sorts of things that would use an active tag; you need greater range, and the tagged item has a much higher value than, say, a can of soup, so it's worth the extra cost.

As for the dream/nightmare of passive tags tracking people's purchase as they walk from store to store, I have enough trouble getting six tags placed directly onto an antenna powerful enough to make you feel warm if you stand next to it to get read; it's highly bloody unlikely that someone or some company with an antenna ten feet away is going to surreptitiously record your purchases without your knowledge. Don't believe the RFID industry's hype.

Re:I'd like more info, actually

[Technician]

could an "eraser" pulse be sent out from some unscrupulous individual?

There are some spec's on the standards. Google search for ISO15693. That covers near field tags operating on 13.56 MHZ.

Search for EPC-96 standard for the far field 915 MHZ tags.

Most tags are either read only with a unique ID number, or read/write, also with a non-alterable unique ID number. Some, but not all tags can be told to become de-activated. So yes, an eraser signal could be used against some tags. A huge surge of RF could simply fry them also. Tossing them in a microwave oven comes to mind..

Since the tags have collision avoidance, an unscrupulous individual could make an emitter that chattered garbage. With that, items with active tags could be taken past readers without being read as they wouldn't be heard in the chatter.

There is mention of RFID jammers. Do a Google search again. Google is your friend.

transmission vs. reflection and foil bags

[Wansu]

I was intrigued to find out how the tags (which are generally battery-free) can absorb enough energy from RFID readers to then power up and transmit their own signal back to the reader."

The high frequency tags don't actually transmit. They change the impedance of their antenna to modulate the reflection back to the transmitter.

Another problem the article didn't mention is that bags lined with aluminum or copper foil will thwart these systems.

Lukas Grunwald's Blackhat pres. + Linux tools!

[phreakmonkey]

Lukas Grunwald did an excellent presentation at BlackHat USA 2004 about this very subject.

The most interesting thing that I learned was that most all RFID tags have a 128 byte "user data" buffer than can be read or written by ANY RFID gate. (Ie: you can put an RFID interface on your laptop and query the tags and change the "user data" portion on them.)

Obviously, this means that any application that is sensitive to tampering should only use the hard-coded serial numbers, not the "user data" area... but history has told us how well people stick to "common sense" security practices in their implementations.

His paper and the Linux tool that allows you to query and change the data are located here: http://www.blackhat.com/html/bh-media-archives/bh- archives-2004.html (scroll down to Lukas Grunwald under "Layer 0".

Some add on...

[feloneous+cat]

Yah, but the transmitters are not clean (how the eff do they get them through FCC?). They splatter around their set frequency. Really a freakin mess.

-The energy sent BACK is very weak. So you really don't need much to block it. White noise around 125 Khz should be enough. Or, as I mentioned before, chewing gum wrapper. Take your pick.

-Random codes won't do it. Sorry, but there IS a check (pretty pitiful, but there is one) and if the checksum don't match, nothing goes through. Nothing gets stuffed. Most readers use 8051 or something lightweight. If it doesn't pass first base, it doesn't go no where.

-Pliers work real good at breaking them. Easier than EMP (which might be noticed). They also break pretty easily on their own.