A Platform for RFID Security and Privacy Administration is a paper by Melanie R. Rieback and Georgi N. Gaydadjiev that won the award for Best Paper at the USENIX LISA (Large Installation Systems Administration) conference today. It proposes a "firewall for RFID tags" -- a device that sits on your person and jams the signals from all your personal wireless tags (transit passes, etc), then selectively impersonates them according to rules you set. Your contactless transit card will only send its signal when you authorize it, not when some jerk with an RFID scanner snipes it as you walk down the street. The implementation details are both ingenious and plausible -- it's a remarkable piece of work. Up until now, the standard answer to privacy concerns with RFIDs is to just kill them -- put your new US Passport in a microwave for a few minutes to nuke the chip. But with an RFID firewall, it might be possible to reap the benefits of RFID without the cost. This is a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future.

Tag Spoofing Demystified

RFID readers produce an electromagnetic field that powers up RFID tags, and provides them with a reference signal (e.g. 13.56 MHz) that they can use for internal timing purposes. Once an RFID tag decodes a query from an RFID reader (using its internal circuitry), it encodes its response by turning on and off a resistor in synchronization with the reader’s clock signal. This so-called “load modulation” of the carrier signal results in two sidebands, which are tiny peaks of radio energy, just higher and lower than the carrier frequency. Tag response information is transmitted solely in these sidebands2, rather than in the carrier signal. Figure 5 (from the RFID Handbook[6]) illustrates how these sidebands look, in relation to the reader-generated carrier frequency. The comparatively tiny sidebands have approximately 90 decibels less power than the reader-generated carrier signal, and this is the reason why RFID tag responses often have such a limited transmission range.

The secret to creating fake tag responses is to generate the two sideband frequencies, and use them to send back properly-encoded responses, that are synchronized with the RFID reader’s clock signal. The simplest way to generate these sidebands is to imitate an RFID tag, by turning on and off a load resistor with the correct timing. The disadvantage of this approach is that passive modulation of the reader signal will saddle our fake tag response with identical range limitations as real RFID tags (˜10 cm for our test setup).