A Platform for RFID Security and Privacy Administration is a paper by Melanie R. Rieback and Georgi N. Gaydadjiev that won the Best Paper award at the USENIX LISA (Large Installation Systems Administration) conference today. It proposes a "firewall for RFID tags": a device you carry on your person that jams the responses of all your personal wireless tags (transit passes, etc.) and then selectively impersonates them according to rules you set. Your contactless transit card only answers when you authorize it, not when some jerk with an RFID scanner snipes it as you walk down the street. The implementation details are both ingenious and plausible; it's a remarkable piece of work. Up until now, the standard answer to privacy concerns with RFID has been to just kill the tag (put your new US passport in a microwave for a few minutes to nuke the chip). With an RFID firewall, it might be possible to reap the benefits of RFID without that cost.
This is a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future.
Tag Spoofing Demystified

RFID readers produce an electromagnetic field that powers up RFID tags, and provides them with a reference signal (e.g. 13.56 MHz) that they can use for internal timing purposes. Once an RFID tag decodes a query from an RFID reader (using its internal circuitry), it encodes its response by turning on and off a resistor in synchronization with the reader's clock signal. This so-called "load modulation" of the carrier signal results in two sidebands, which are tiny peaks of radio energy just higher and lower than the carrier frequency. Tag response information is transmitted solely in these sidebands, rather than in the carrier signal.
Figure 5 (from the RFID Handbook [6]) illustrates how these sidebands look in relation to the reader-generated carrier frequency. The comparatively tiny sidebands have approximately 90 decibels less power than the reader-generated carrier signal, and this is the reason why RFID tag responses often have such a limited transmission range.

The secret to creating fake tag responses is to generate the two sideband frequencies, and use them to send back properly-encoded responses that are synchronized with the RFID reader's clock signal. The simplest way to generate these sidebands is to imitate an RFID tag, by turning on and off a load resistor with the correct timing. The disadvantage of this approach is that passive modulation of the reader signal will saddle our fake tag response with identical range limitations as real RFID tags (~10 cm for our test setup).
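The two mechanisms described above (load modulation producing sidebands, and a spoofer keying a load with tag timing) as an added simulation; this is not code from the paper or from the RFID Guardian project. It models the reader carrier as a sampled cosine, switches a load in the Manchester / on-off-keyed subcarrier pattern that ISO 14443 Type A tags use (an assumption, since the excerpt only states 13.56 MHz: subcarrier fc/16 = 847.5 kHz, 128 carrier cycles per bit), measures the two sidebands against the carrier with a DFT, and then lets a reader-side decoder recover the bits a spoofer sent from the sideband energy alone. The modulation depth m, the oversampling factor and the bit pattern are illustrative choices, not values from the paper.

```python
"""Load modulation and tag spoofing, simulated (added example, not the paper's code).

Model (discrete time, real-valued samples):
  - the reader radiates an unmodulated carrier cos(2*pi*fc*t), fc = 13.56 MHz;
  - a tag, or a spoofer imitating one, switches a load resistor in and out,
    which lowers the carrier amplitude seen at the reader by a fraction m
    (m is tiny at the reader because tag/reader coupling is weak);
  - the switching follows the ISO 14443 Type A convention (assumed here, the
    excerpt only gives 13.56 MHz): subcarrier fs = fc/16 = 847.5 kHz, keyed
    on/off per half-bit, Manchester coded: '1' = burst in the first half of
    the bit, '0' = burst in the second half, one bit = 128 carrier cycles.
All numeric choices (oversampling, m, test bits) are illustrative.
"""
import cmath
import math

SAMPLES_PER_CYCLE = 64                                  # oversampling of fc
CYCLES_PER_SUBCARRIER = 16                              # fs = fc / 16
CYCLES_PER_BIT = 128                                    # 106 kbit/s at 13.56 MHz
SUB_PERIOD = SAMPLES_PER_CYCLE * CYCLES_PER_SUBCARRIER  # 1024 samples
BIT_SAMPLES = SAMPLES_PER_CYCLE * CYCLES_PER_BIT        # 8192 samples


def load_pattern(bits):
    """Per-sample load state (1 = resistor switched in) for a Manchester /
    OOK-subcarrier encoding of `bits`, timed in reader-carrier cycles."""
    pattern = []
    for b in bits:
        for n in range(BIT_SAMPLES):
            first_half = n < BIT_SAMPLES // 2
            burst_on = first_half if b else not first_half
            sub_high = (n % SUB_PERIOD) < SUB_PERIOD // 2
            pattern.append(1 if (burst_on and sub_high) else 0)
    return pattern


def reader_signal(pattern, m):
    """Carrier at the reader antenna, amplitude reduced by m while the load is in."""
    return [(1.0 - m * s) * math.cos(2 * math.pi * n / SAMPLES_PER_CYCLE)
            for n, s in enumerate(pattern)]


def level_db(signal, cycles_in_frame):
    """Level (dB, arbitrary reference) of one DFT bin; `cycles_in_frame` is how
    many cycles of the probed frequency fit in the frame."""
    n_samples = len(signal)
    w = -2j * math.pi * cycles_in_frame / n_samples
    acc = sum(x * cmath.exp(w * n) for n, x in enumerate(signal))
    return 20 * math.log10(max(abs(acc) / n_samples, 1e-300))


def sideband_levels(m, periods=8):
    """Sideband levels relative to the carrier (dB) for a load toggled
    continuously at fs, plus the level halfway between fc and fc + fs, where
    load modulation puts nothing."""
    pattern = [1 if (n % SUB_PERIOD) < SUB_PERIOD // 2 else 0
               for n in range(periods * SUB_PERIOD)]
    sig = reader_signal(pattern, m)
    fc_cycles = periods * CYCLES_PER_SUBCARRIER   # carrier cycles in the frame
    fs_cycles = periods                           # subcarrier cycles in the frame
    carrier = level_db(sig, fc_cycles)
    return {
        "upper": level_db(sig, fc_cycles + fs_cycles) - carrier,
        "lower": level_db(sig, fc_cycles - fs_cycles) - carrier,
        "between": level_db(sig, fc_cycles + fs_cycles // 2) - carrier,
    }


def decode_response(signal, n_bits):
    """Reader-side decoding: per half-bit, measure energy at fc +/- fs and pick
    the half that carries the subcarrier burst."""
    half = BIT_SAMPLES // 2                       # 64 carrier cycles, 4 subcarrier cycles
    fc_half = CYCLES_PER_BIT // 2
    fs_half = CYCLES_PER_BIT // (2 * CYCLES_PER_SUBCARRIER)
    bits = []
    for i in range(n_bits):
        energy = []
        for h in range(2):
            chunk = signal[i * BIT_SAMPLES + h * half: i * BIT_SAMPLES + (h + 1) * half]
            energy.append(10 ** (level_db(chunk, fc_half + fs_half) / 10)
                          + 10 ** (level_db(chunk, fc_half - fs_half) / 10))
        bits.append(1 if energy[0] > energy[1] else 0)
    return bits


def spoof_roundtrip(bits, m=0.01):
    """A spoofer keys its load with genuine tag timing; the reader decodes it."""
    return decode_response(reader_signal(load_pattern(bits), m), len(bits))


if __name__ == "__main__":
    lv = sideband_levels(1e-4)
    print("sidebands vs carrier, m=1e-4: upper %.1f dB, lower %.1f dB, "
          "between %.0f dB" % (lv["upper"], lv["lower"], lv["between"]))
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print("spoofed", msg, "-> reader decoded", spoof_roundtrip(msg))
```

With m = 1e-4 the simulated sidebands sit roughly 90 dB below the carrier (the ideal value is 20*log10(m/pi), with a few tenths of a dB of deviation because the ideal square wave's high odd harmonics fold back onto the sideband bins; a real coil is band-limited and does not show this). The decoder never looks at the carrier, only at fc +/- fs, which is the practical content of the excerpt: a spoofer needs to put correctly timed energy at exactly those two frequencies and nothing else, and if it does so by switching a load it inherits the same tiny modulation depth, hence the same range, as a genuine tag.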