Attacks on the RF Interface
RFID systems are radio systems and communicate via electromagnetic waves in the near-field and the far-field range. An attacker is therefore likely to try and attack an RFID system via the RF interface. Such an attack is attractive as it does not require any physical access to the reader or transponder, but can be carried out from a distance. Currently, the following attacks are known and have been investigated:
interception of the communication between reader and transponder (eavesdropping);
interruption of the communication between reader and transponder through jamming;
extending the read range in order to be able to skim a remote transponder without being detected;
blocking a reader with DOS attacks;
undetected use of a remote transponder through a relay attack.

The Interception of Communication (eavesdropping)
As RFID systems communicate with electromagnetic waves, they can generally be intercepted with very basic means. The interception of the communication between reader and transponder is therefore one of the most prominent threats to RFID technology. The ranges given for RFID systems vary between a few centimetres (e.g. ISO/IEC 14443, 13.56 MHz) and several metres (ISO/IEC 18000-6, 868 MHz). These ranges apply to active communication, which requires the transponder to be supplied with power and to generate several volts at the antenna.

Radio receivers only need an antenna output voltage that is an order of magnitude lower in order to receive useful signals. This gives reasonable grounds to suspect that communication can be passively intercepted from a much larger distance.

Corresponding studies (Finke and Kelter, n.d.) show that at 13.56 MHz the communication of inductively coupled systems can still be intercepted at a distance of 3 m. For a receiver bandwidth of only a few kHz, the unmodulated carrier signal of a reader can be detected at a distance of several hundred metres. However, the successful interception of the complete communication between reader and transponder is affected by the larger receiver bandwidth required which – depending on the bitrate – can vary between some 100 kHz and several MHz. On the one hand, the input voltage required at the receiver increases with a ratio of Uin [dB] = (B1 + B2) (Bensky, 2000) with an increasing range. On the other hand, interference increases at the same rate due to partly very strong transmitters in this shortwave frequency range.

The situation in the UHF frequency range at 868 MHz, 915 MHz or at 2.45 GHz is much more favourable, as the interception range can be significantly improved by using beam antennas. Under very favourable conditions, the down-link signal of a reader should be receivable over several hundred metres, and the relatively weak backscatter signal of the transponder should be detectable over at least several dozen metres. However, interference may be caused by metal surfaces, i.e. fences, aluminium panels on walls, but also by large buildings in the propagation path of the waves, as they shade the signals.

Jamming
A very simple but efficient method for interrupting data transmission between transponder and reader is jamming, i.e. sending an interfering signal. Recalling the frequency spectrum of an RFID system (see Figure 3.17), we see that in addition to the reader’s very strong carrier signal, which passive RFID systems use to supply the transponder with power, there are two very weak modulation sidebands that are generated by the transponder’s load modulation (for inductive coupling) or by modulated backscatter (for backscatter systems). In order to superimpose on a reader’s strong carrier signal and thus interfere with data transmission from reader to transponder (down-link), distance, transmission power and antenna gain or antenna diameter, respectively (for inductive coupling), have to correspond at least to those of the reader that is used. By contrast, interfering with the transponder’s weak response signal, and thus with data transmission from transponder to reader (up-link), requires much less effort.

For a backscatter system at 915 MHz and assuming an antenna gain of G = 1 for the reading antenna and of G = 1.64 (dipole) for the transponder antenna at a distance of slightly more than 3 m, the corresponding free-space attenuation will amount to 40 dB (see Table 3.7). For an effective radiated power of 4 W EIRP, the transponder still experiences a reception power of Pe = 0.4 mW. Therefore, power Ps reflected by the transponder theoretically lies in the range of 0 < Ps < 4 Pe, i.e. it has a maximum of 1.6 mW (see Figure 4.89). If a jamming device has the same distance to the reader as the transponder and operates at the frequencies of the transponder’s modulation sidebands, it requires only a transmission power of a few mW to cause significant damage.
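
The link budget above, worked through as an added example (not part of the original text), shows how thin the up-link margin is when assessing a reader installation for in-band interference. Assumptions: "slightly more than 3 m" is taken as 3.35 m, "a few mW" as 2 mW, and the return path is given the same attenuation as the forward path.

```python
import math

C = 299_792_458.0  # speed of light in m/s

def attenuation_db(distance_m, freq_hz, gain_a=1.0, gain_b=1.0):
    """Free-space attenuation between two antennas (Friis), in dB."""
    wavelength = C / freq_hz
    spreading = 20 * math.log10(4 * math.pi * distance_m / wavelength)
    return spreading - 10 * math.log10(gain_a * gain_b)

def attenuate(power_w, loss_db):
    """Apply a loss given in dB to a power given in watts."""
    return power_w / 10 ** (loss_db / 10)

def backscatter_budget(eirp_w, distance_m, freq_hz,
                       reader_gain=1.0, tag_gain=1.64):
    """Forward and return link of a passive backscatter transponder.

    Simplifying assumption (not from the text): the return path sees
    the same attenuation as the forward path.
    """
    loss = attenuation_db(distance_m, freq_hz, reader_gain, tag_gain)
    p_e = attenuate(eirp_w, loss)        # power received by the transponder
    p_s_max = 4 * p_e                    # upper bound of 0 < Ps < 4 Pe
    p_reply = attenuate(p_s_max, loss)   # best-case reply power at the reader
    return {"loss_db": loss, "p_e_w": p_e,
            "p_s_max_w": p_s_max, "p_reply_w": p_reply}

def reply_to_interferer_db(budget, interferer_w):
    """Best-case reply power relative to an in-band interferer that sits
    at the transponder's distance (same attenuation assumed)."""
    p_int = attenuate(interferer_w, budget["loss_db"])
    return 10 * math.log10(budget["p_reply_w"] / p_int)

def demo():
    # Values from the text: 915 MHz, 4 W EIRP; 3.35 m and 2 mW are assumed.
    budget = backscatter_budget(4.0, 3.35, 915e6)
    return budget, reply_to_interferer_db(budget, 2e-3)

if __name__ == "__main__":
    b, ratio = demo()
    print(f"attenuation          {b['loss_db']:.1f} dB")
    print(f"Pe at transponder    {b['p_e_w'] * 1e3:.2f} mW")
    print(f"Ps maximum           {b['p_s_max_w'] * 1e3:.2f} mW")
    print(f"reply at reader      {b['p_reply_w'] * 1e6:.3f} uW")
    print(f"reply vs. interferer {ratio:.1f} dB")
```

Even with the full reflected power counted as useful signal, the reply reaches the reader below the level of a 2 mW in-band source at the same distance; the modulation sidebands carry only part of Ps, so the real margin is smaller still.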

A similar relationship applies to inductively coupled systems. It has to be taken into account, though, that the field strength curve also applies to jamming. This means that any jamming device has to be either positioned close enough to the reader or has to use sufficiently large antennas or transmission power.

It is important to point out that jamming devices are radio systems and that operating such devices is therefore illegal in most countries.