Reading with Extended Read Range

Extending the read range of a reader might be an interesting option for an attacker. This way, the attacker may be able to read the transponder from a safe distance, without being detected. However, especially regarding the read range, technical opportunities and physical limits of RFID systems are often widely overestimated. Due to the large difference between inductive coupling and backscatter process, we will discuss these two separately.

Inductive Coupling

Figure 4.29 shows the equivalent circuit diagram of an inductively coupled RFID system. Current i1 in the antenna coil of reader L1 generates a magnetic field which is coupled to transponder coil L2 through mutual inductance M and induces the supply voltage of transponder UQ2. Conversely, current i2 in the transponder coil acts, via mutual inductance M, on its cause, i.e. current i1. This feedback is used to transmit data from the transponder to the reader through load modulation (see also Section 4.1.10.3).

If a transponder is moved beyond the normal read range of such RFID systems, the communication can be disrupted for two different reasons. One possible reason is that the transponder simply does not receive sufficient power from its antenna to be able to operate. Another possible reason is that the transponder is supplied sufficient power to operate, but that the amplitude of the generated load modulation is no longer sufficiently large to be detected by the reader. The maximum reach of the power supply is called the energy range of the system; as opposed to the load modulation range, i.e. the maximum distance between transponder and reading antenna at which the reader still is able to detect the transponder’s load modulation.

If the reader’s read distance is to be increased, we have to increase the reader’s energy range, too. This can be done by increasing the diameter of the reader antenna and the current in the transmitting antenna (i.e. the reader’s transmission power; see also Section 4.1.1.2). There remains the problem that even for a constant distance between transponder and reader antenna, for an increasing antenna diameter of the reader antenna, magnetic mutual inductance will decrease and so will the strength of the load modulation signal. In addition, a larger transmission power of the reader will also increase the (parasitical) noise generated by the transmitter in the frequency range of the load modulation sidebands. Consequently, there is a rapidly reached limit that requires an increasing technological effort in order to be able to receive the transponder’s load modulation signal. Kfir and Wool (2005) state that a transponder designed according to ISO/IEC 14443, which can be easily read by commercial readers from a distance of 10 cm, cannot be read from a distance larger than 40 cm, even given optimization of all parameters.

Backscatter Coupling

Figure 4.76 presents the model of a passive backscatter system. We can recall that part of power P1 emitted by the reader’s antenna reaches the transponder’s antenna, with power Pe being necessary to operate the transponder. Another part of the energy is then re-radiated or reflected by the transponder’s antenna as power Ps. A small portion P3 of the reflected power eventually returns to the reader where it can be detected and demodulated.

If the transponder moves beyond the read range of the backscatter system, the communication can be disrupted for two different reasons. An obvious reason is an insufficient energy supply Pe of the transponder to be operated via the antenna. However, it is just as likely that the transponder still has sufficient power to operate, but that the reflected power Ps is no longer sufficiently large to be detected by the reader. For today’s backscatter systems, the energy intake of the transponder chip, i.e. energy Pe required for transponder operation, is decisive for the range of a system. We call this range the energy range of the system; as opposed to the backscatter range which is the theoretical range of the signal reflected by the transponder antenna.

An obvious option for increasing the range is therefore an increased transmission power of the reader. Looking at Equation (4.61) we see that we need to increase the transmission power of the reader fourfold in order to double the energy range. For a doubled range we need to increase the transmission power of the reader by a factor of sixteen in order to keep power P3 – which returns from the transponder – at a constant level; this corresponds to Equation (4.67). A representation of the necessary transmission power as a function of energy range and backscatter range (Figure 8.5) shows that the two graphs intersect.

As mentioned before, we can assume that the range of most transponder systems is determined by the system’s energy range. For a specific transmission power, the corresponding point on the energy range’s straight line is situated to the left of the intersection. To the left of the intersection, the range is proportional to the square root of the transmission power. When increasing the transmission power by a factor of ten the system range may be increased by a factor of three. However, this only applies to the point where the two straight lines intersect. At any point to the right of the intersection, the transponder still has sufficient power to operate, however the signal reflected by the transponder soon becomes too weak to be detected by the reader. After reaching the intersection of the straight lines, we have to increase our transmission power by a factor of a hundred in order to once more increase the read range by a factor of three. In order to increase the range by a factor of 10, starting from the intersection of the two lines, we even have to increase the transmission power by a factor of 10 000. However, this causes other effects, such as an increased sideband noise around the reader’s carrier signal, as well as intermodulation products due to nonlinearities in the simultaneously operated receiver of the reader which further reduces the theoretically possible range substantially.

Returning to Figure 4.76, we see that the antenna gain of the reading antenna enters the propagation path of the signals twice. First, power P2 that reaches the transponder at distance r is amplified by the antenna gain. Power Ps which is reflected by the transponder is increased by the same value. The portion of reflected power P3 received by the reader is once more amplified by the antenna gain of the reading antenna. The total effect is that both graphs in Figure 8.5 will shift to the right.

The range gained through increasing the antenna gain can be easily calculated using Equation (4.114) and is graphically presented in Figure 8.7.

Gains of up to 17 dB can be reached quite easily by using a long Yagi–Uda antenna (Rothammel, 2001). For an antenna gain of 17 dB, however, the boom would have to have a length that corresponds to almost ten times the wavelength λ, i.e. 3.4 m for 868 MHz, 3.3 m for 915 MHz or 1.2 m for 2.45 GHz. However, in this way it is possible to reach seven to eight times the read range as opposed to using a dipole antenna. According to the theory, the gain can increase by a maximum of 3 dB for a doubling of antenna length and number of elements (Rothammel, 2001). To reach an antenna gain of 20 dB and thus a tenfold read range requires at least one antenna with double length, i.e. twenty times wavelength λ. For 868 MHz, this results in a boom length of 7 m; which is rather difficult to handle. In order to reach twenty times the read range, we need an antenna gain of approximately 26 dB. This is only possible if several long Yagi–Uda antennas are combined into an antenna group which would result in an antenna monster of several metres. Attacks with long Yagi–Uda antennas have already occurred. In mid-2005, a successful attempt to read a transponder from a distance of 21 m (69 ft) led to substantial repercussions in the specialist press (Defcon, 2005; Cheung, 2005).

If the antenna gain has to be further increased in order to further extend the range, we have to use parabolic mirrors. With a gain of 40 dB, a read range that is a hundred times larger can be achieved. For 868 MHz, the required mirror diameter amounts to almost 15 m (5.1 m for 2.45 GHz). Finally, a thousandfold read range requires a gain of 60 dB which would need a parabolic mirror of 145 m (52 m for 2.45 GHz).

These calculations clearly illustrate what distances are feasible for an attack. The most favourable combination appears to be a long Yagi–Uda antenna together with a moderately increased transmission power of the reader. It would be reasonable to hit the intersection of both straight lines in Figure 8.6. More than twenty times the range does currently not appear to be achievable using reasonable efforts.
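
The scaling rules used in the backscatter discussion above (transmission power versus range, and antenna gain versus range) can be checked numerically. The following Python sketch is an added example, not part of the original text; it assumes ideal free-space propagation, normalises power and range to the intersection point of the two lines, and all function names are hypothetical.

```python
"""Added example: scaling model for passive backscatter read range.

Assumptions (not from the original text): free-space propagation, power
and range normalised so the two range lines intersect at (1.0, 1.0).
"""


def energy_range(p_rel):
    # One-way path: power at the transponder falls with 1/r^2,
    # so the energy range grows with the square root of reader power.
    return p_rel ** 0.5


def backscatter_range(p_rel):
    # Two-way path: returned power P3 falls with 1/r^4,
    # so the backscatter range grows with the fourth root of reader power.
    return p_rel ** 0.25


def read_range(p_rel):
    # The transponder must be powered AND its reply must be detectable,
    # so the shorter of the two ranges limits the system.
    return min(energy_range(p_rel), backscatter_range(p_rel))


def power_factor_for(range_factor, p_rel_start=1.0):
    """Transmit-power multiplier needed to scale the read range by
    range_factor, starting from operating point p_rel_start."""
    target = read_range(p_rel_start) * range_factor
    # Left of the intersection the energy range limits (r ~ sqrt(P));
    # right of it the backscatter range limits (r ~ P^(1/4)).
    p_target = target ** 2 if target <= 1.0 else target ** 4
    return p_target / p_rel_start


def range_factor_from_gain(gain_db):
    # Reader antenna gain enters the forward path once and the return
    # path twice overall, so both ranges scale with sqrt(linear gain).
    return 10 ** (gain_db / 20)


if __name__ == "__main__":
    for factor in (2, 3, 10):
        print(f"range x{factor:<2} from the intersection needs power "
              f"x{power_factor_for(factor):,.0f}")
    for gain in (17, 20, 26, 40, 60):
        print(f"{gain} dB more antenna gain -> range "
              f"x{range_factor_from_gain(gain):,.1f}")
```

Running it reproduces the figures quoted in the text: a tenfold range from the intersection needs a 10 000-fold transmission power, while 17 dB of antenna gain gives roughly seven times the range and 26 dB roughly twenty times.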