Power Analysis of RFID Tags
Yossi Oren     Adi Shamir

Abstract (Summary)

We show the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. While the specific attack described here requires the attacker to actually transmit data to the tag under attack, the power analysis part itself requires only a receive antenna. This means that a variant of this attack can be devised such that the attacker is completely passive while it is acquiring the data, making the attack very hard to detect.

As a proof of concept, we describe a password extraction attack on Class 1 Generation 1 EPC tags operating in the UHF frequency range. The attack presented below lets an adversary discover the kill password of such a tag and, then, disable it. The attack can be readily adapted to finding the access and kill passwords of Gen 2 tags.

The main significance of our attack is in its implications – any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the read range of tags.

A Brief introduction to Power Analysis

Power analysis is a form of side-channel cryptanalysis – that is, the art of finding information about a secret from aspects of the physical implementation of a cryptosystem, usually without attacking the "official" algorithm itself. Power analysis focuses on relating changes of power consumption to changes in the internal state of a cryptosystem. The power consumption of most hardware devices is roughly proportional to the amount of bits changing their values at a certain time. This means a busy device consumes more power than an idle device, allowing an attacker to learn exactly how long an operation takes and raising the possibility of timing-based attacks. If an attacker has sufficiently sensitive equipment, he can even detect individual bits being flipped, allowing even more powerful attacks.

All side channel attacks assume some knowledge of the internal workings of the device under attack. This knowledge may be acquired by use of inside information, by reverse engineering or simply by educated guessing.

For more information about power analysis, try this article by Paul Kocher or this tutorial by Elisabeth Oswald .

UHF RFID tags and how they get their power

UHF tags are tags which operate in the 900MHz frequency band. They are easily recognized by their dipole antenna, which is shaped more or less like a straight line. These tags can be read from as far away as 3 metres and are planned to be used as replacements for the optical bar code.

To provide power to a UHF tag, it is placed next to a device called a reader. This reader generates a powerful electromagnetic field. When this field, which varies in time, hits the tag's dipole antenna, it causes an electrical current to flow back and forth in the antenna, generating a standing wave. This standing wave is rectified and amplified using a circuit called a Dickson charge pump and used to charge the tag's internal power storage. This power storage provides the direct-current voltage required to drive the tag's internal circuitry.

Since the dipole now has a variable electrical current flowing through it, it generates an electromagnetic field of its own. The strength of this field is a function of the current flowing through the dipole, which is in turn a function of the power consumption of the tag. It is through monitoring this reflected field that we are able to mount our attack.

For more information about the electrical characteristics of RFID tags , try this excellent tutorial by Daniel Dobkin or this article by Udo Karthaus and Martin Fischer .

Class 1 Generation 1 tags

The tag under attack uses the EPCGlobal Class 1 Generation 1 (C1G1) air interface. The RFID reader communicates with such a tag by alternating its transmit power between two values - high power and low power. A '0' bit consists of a narrow gap of lower power followed by a wide high-power pulse, and a '1' bit has a wider gap and a narrower pulse. This scheme is formally known as pulse amplitude modulation. The value of the bit is detected at the falling edge of the signal, that is, the exact moment of transition between high and low power levels. Generally speaking, any calculations are also made at this falling edge, since this is the moment in time in which the tag has accumulated the most power. Note that tags send their data back to the reader using a method called backscatter modulation, which is not covered here.

As mentioned before, the tag draws the power it needs for operation from the reader's field. Its internal power storage is depleted during the gaps of low power and charged up during the high power pulses. The electrical properties of the capacitors used in the tag's internal power storage cause the tag to draw more power from the reader when the storage is empty and to draw less when it is full.

Class 1 Generation 1 tags usually have 128 bits of internal tag memory (ITM). 96 bits are used for the tag's payload - the 96-bit identifier it provides in response to queries. 8 additional bits are used for the kill password. The remaining 24 bits contain a checksum calculated over the payload data (using the standard CCITT CRC-16 function) and a "lock code". Once this lock code to is set to 1010 0101, the tag hides its kill password and will not disclose it to any reader.

To kill the tag, the reader sends a short header followed by the 16 bit checksum, the 96 payload (identifier) bits, the 8 bits of the kill password itself, two bits of odd parity and finally a special end-of-frame (EOF) symbol. All values are sent MSB first. If all bits match, the tag self-destructs. The tag does not send any (intentional) data to the reader during the kill operation.

For more information about the C1G1 air interface, try the official EPCGlobal standard or the aforementioned tutorial by Daniel Dobkin.

Some of our results

Here are some initial results which show the effectiveness of our attack. In all figures shown below the X axis represents time while the Y axis represents the relative field strength detected by our directional antenna.

First, here is the power of the signal sent from the reader, compared to the signal reflected from the tag. Each pulse in this trace represents a single '0' bit, which is detected at the falling edge of the pulse, as described above. It is easy to see that the tag is adding information to the relatively clean signal sent by the reader.

Figure 1:Reader signal vs. tag signal.

The next figure below shows the strength of the field reflected by a tag while the reader is sending it '1' and '0' bits. Compared with a '0' bit (shown below in green and in yellow), a '1' bit (shown in blue) has a wider gap followed by a narrower pulse. Now, examine the wider gap before a '1' bit. As mentioned before, the tag's internal power storage is depleted during these low-power gaps. At the end of the long gap which forms the beginning of the '1' bit, the tag's power supply is nearly empty. This makes it draw more power from the next pulse it receives. As the tag consumes more power, it causes a stronger current to flow through its antenna. Because of this stronger current, the tag radiates a stronger reflected field, as indicated in blue, which the attacker can pick up.

The '1' bit has more than a wider gap – it has a narrower pulse as well. This means the tag's power storage is not fully charged up even at the end of the blue pulse. As a result, the tag also draws more power from the next '0' bit, as indicated in green. As the tag receives more '0' bits, it slowly charges up, reducing the current flowing through its antenna. This causes the tag to reflect less power, as indicated in yellow.

Figure 2:"Thirsty" tags reflect more.

The final set of figures shows a close-up view of the last 2 bits of a kill password being sent to a tag, followed by the first parity bit following them. The figure below indicates in red the exact location of the trace we are about to see: the final bits of the kill password, right at the end of the VALUE parameter of the command. The values and meanings of the various fields shown in this diagram (spin-up, start-of-frame, etc.) are defined in the C1G1 air interface.

Figure 3:Zooming into a Gen 1 kill command.

To minimize the variability due to the reader's field, it was programmed to always send a kill password of '0000 0000' and a parity bit of '1'. In both cases shown below, we used the exact same tag in the same physical location, each time programming it with a different kill password.

In the experiment shown on top (figure 4a), the tag expects a kill password of '1111 1111', while on the bottom (figure 4b) it expects a password of '0000 0001'. This means the top tag already knows the kill command will fail, having previously received many wrong bits. The bottom tag, however, only learns that the kill password is wrong after it finishes decoding the last '0' bit. The increased power consumption of the tag in figure 4b can be seen by the spike it exhibits as it receives the parity bit, as compared to the gentler slope on figure 4a, as indicated in red.

Figure 4:Killing FF vs. killing 01.

More results will be posted in the coming weeks.

Affected Systems

This discussion was focused on UHF (EPC) tags, which operate in the 900MHz frequency range. These tags have a higher read range which makes them easier to attack. Both generation 1 and generation 2 EPC tags are vulnerable. Another common type of tag is the HF (ISO/IEC 14443) tags, which have an operating frequency of 13.56MHz. These tags rely on slightly different principles to provide power to the tag and have a shorter read range, but there is nothing about them which makes them safe against a variant of this power-analysis attack. Even active tags (which have an internal power source) can be attacked using this method if the attacker has sufficiently sensitive equipment. Simply put, a tag is safe against power analysis if and only if its manufacturer did something about it.

Can this attack be performed with a cell phone?

UHF tags and cell phones have very similar operating frequencies. The cell phone's antenna has the right shape for talking to RFID tags. The transmitter is strong enough. The receiver is more than sensitive enough. The air interface protocol of modern cell phones is much more complicated than the RFID air interface . This means that with the appropriate firmware a cellphone can be modified to attack and kill UHF tags. HF tags have different frequencies and antennas, but more and more vendors are adding HF reader circuitry to their phones. These so-called "wallet phones" will be capable of attacking HF tags.

Discussion

Well, there are some bad news, and there are some good news.

The bad news is that most of the tags out there are vulnerable to this attack, and they'll probably stay that way at least for a year or two. Making a hardware device resistant to power analysis is provably possible, but it is far from trivial. There are many issues to be resolved – there are patents to be licenced, designs to be modified, tests to be devised. One sure thing is that a resistant device will be more expensive and have a shorter read range due to its increased gate count and power consumption. A rough estimate is twice the price and half the range.

The good news is that it's probably going to be fixed. There is a sizeable amount of knowledge about power analysis attacks and countermeasures. Today's smart cards are designed to resist power analysis, or at least to cause the attacker to spend too much time for the attack to be practical (a million years, for example). This knowledge can be applied to RFID tags as well.

Acknowledgements

The authors wish to thank Simon Krausz, Oded Smikt, Eran Tromer, Amir Yakoby, Oren Zarchin and the many other people who shared their knowledge, time and equipment and helped this research take shape. Special thanks go to Mickey Cohen for his helpful editorial suggestions.

Contacting the authors

If you want to provide us with feedback about this research, you can reach me at yossi.oren strudel weizmann.ac.il.

Please note: if your question is interesting, it will be posted on this page along with its answer.

Go back to my home page.