Electromagnetic Emissions and Performance for
Proximity RFID
Jeff R. Guerrieri, David R. Novotny, Michael H. Francis, Kate Remley
Electromagnetics Division, National Institute of Standards and Technology
325 Broadway, Boulder, CO 80308, USA
guerrieri@boulder.nist.gov
francis@boulder.nist.gov
remley@boulder.nist.gov
Abstract— We examined the electromagnetic emissions and
performance of commercial High-Frequency (HF) proximity
Radio Frequency Identification (RFID) systems, including
their susceptibility to jamming and eavesdropping. These
proximity RFID systems are used in an increasing number of
financial, identification, and access control applications. We
performed investigations of whether transactions can be
detected and read at a distance. The measurements were
performed to determine the power radiated by commercial
systems and how they perform in adverse electromagnetic
(EM) environments.
I. INTRODUCTION
High Frequency (HF) proximity Radio Frequency
Identification (RFID) systems are used in an increasing
number of critical applications such as financial
transactions (credit cards), access control, identity
verification, and inventory tracking. Some of these
applications involve the transfer of proprietary or biometric
information. The privacy of information and reliability of
the transmission link is very important. These preliminary
measurements show how detectable these transactions are
at certain distances and their resistance to interference from
outside sources.
HF proximity RFID systems operate in the 13.56 MHz
Industrial, Scientific, and Medical (ISM) band and are
primarily governed by International Standards
Organization (ISO) standards 14443, 15693, 18000-3 and
18092 [1-4]. This ISM band also contains systems such as
high power plasma generators, medical telemetry
equipment, and other unlicensed communication
equipment. Operational compatibility with these types of
systems is necessary for low-power RFID to function
correctly.
HF proximity RFID systems are designed to operate at a
range of 10 cm or less. This range is limited by the level of
field available to power a passive tag. Limits are placed on
allowable transmitted field levels at a given distance
(7.5 A/m at 37.5 mm from the antenna).
U.S. Government Work Not Subject To U.S. Copyright
The practical effect is that standard-compliant HF
proximity RFID has a limited transaction range on the
order of 10 to 20 cm. However, the information
transmitted by a remotely powered tag and reader can be
detected at greater distances [5].
The measurements in [6] highlight the operating
conditions in which these commercial RFID systems can
be used. Some basic issues regarding security and the range
at which a transaction can be detected are reported in [7,8].
Note that eavesdropping is defined for this paper as
remotely detecting and deciphering a legitimate reader-to-
tag transaction using another system. Skimming, which
refers to the use of a remote reader to surreptitiously query
a tag at a long distance (possibly without the tag holder's
consent) is not addressed in this paper.
II. PROTOCOL and BACKGROUND
HF RFID systems operating at 13.56 MHz come in two
forms: vicinity and proximity. Proximity tags generally
require more power to operate, but they can involve much
more information and functionality (for example: active
encryption, limited amounts of processing power, data
storage and retrieval). The power requirements for
activation and operation limit the operating distance to less
than 20 cm. Vicinity tags are a simple read device that will
send back a limited number of bits (1 to 64) at lower data
rates. They are employed in scenarios such as inventory
control and theft deterrence systems. Their limited
functionality requires less power and can be used in the 2
to 5 meter range. This study focuses on proximity systems.
Consequently, HF RFID is assumed to be HF proximity
RFID from this point forward in the paper.
There are many types of proximity systems operating at
13.56 MHz. They usually differ in communication
protocol: the ISO compliant “type A” and “type B”
systems, the “GO-card” used in some fare and transit
systems, and the “type C” card used mostly in Asian fare
and tariff systems. We will further focus our study on the
analysis of the “type A” and “type B” tags, as they are
more widely used and utilize ISO conformance standards.
III. HF PROXIMITY EMISSIONS and SUSCEPTIBILITY
A. RFID Emissions
HF proximity reader/interrogators transmit a carrier
frequency, $f_c$, of 13.56 MHz modulated at a data rate, $f_d$, of
$f_c/128 = 105.9375$ kHz, $f_c/64 = 211.875$ kHz, $f_c/32 = 423.75$
kHz, or $f_c/16 = 847.5$ kHz.
The HF RFID tags modulate a backscattered carrier to
produce sub-carrier transmissions back to the reader at
$f_c \pm f_c/16 = 13.56 \pm 0.8475$ MHz $= 14.4075$ and $12.7125$ MHz.
These sub-carriers are modulated at one of the data rates
available to the interrogator. We recognize that the lower
side-band modulation falls into a maritime-mobile band,
and the upper side-band modulation falls into an aviation
band. Furthermore, the relatively wide modulation
bandwidth of the carrier frequency can smear energy from
the reader over a bandwidth of 13.56 MHz $\pm f_d$. Similarly,
the tag radiates in the 12.7125 MHz $- f_d$ to 14.4075 MHz
$+ f_d$ range.
While the very low power emissions from the tag are
probably of little concern to maritime or aviation
applications, the modulation spill-over from the reader can
be much higher and may extend beyond the ISM limited
13.56 MHz $\pm$ 7 kHz. It comes very close to the prohibited
radio astronomy band between 13.36 and 13.41 MHz.
Patents are now being issued for ISM communications and
nonstandard tagging systems that suppress effects of RFID
sidebands and limit system susceptibility [9].
Figure 1. Typical ISO 14443 type A emission spectrum. The top graphs
show the entire two-way communication in both the time domain (left)
and frequency domain (right). The reader-to-tag query is in the middle,
and the tag-to-reader response is at the bottom. Note that the reader must
maintain the carrier signal or the passive tag can [...]
B. HF Eavesdropping and Jamming
In Figure 1 and Figure 2, we see that the 13.56 MHz
carrier is on during the entire transaction, delivering power
to the tag. The carrier is modulated to send information to
the tags. Since the tag lacks a power source and only
modulates its loop antenna load to scatter back information,
the returned signal is small compared to the carrier
(typically 60 dB less than the carrier at a distance beyond
10 cm).
Eavesdropping systems must be able to distinguish the
very weak tag response from the relatively strong carrier
response. Aggressive filtering allows an eavesdropper to
detect the tag in the presence of the reader at moderate
distances (over several meters).
Since HF RFID systems typically rely on relatively low
power transmissions, they may be susceptible to
interference from intentional jamming and unintentional
sources. Jamming can occur by interrupting the reader-to-
tag communications by interfering with the carrier and/or
the reader information. Jamming can also occur by
interfering with the tag-to-reader transaction. The reader
transmits at several watts and is in the very near-field of the
tag. Therefore, to overcome the carrier signal at the tag
requires a considerable amount of power if jamming is
done at a distance. As tag-to-reader power levels are
orders of magnitude less than the carrier, it is easier to
upset the transaction by overpowering the weakest link in
the RF power budget.
Figure 2. Typical ISO 14443 type B emission spectrum. The top graphs
show the entire two-way communication in both the time domain (left)
and frequency domain (right). The reader-to-tag query is in the middle,
and the tag-to-reader response is at the bottom. The tag responds
with a phase modulated CW signal at $f_c \pm f_c/16 = 13.56 \pm 0.8475$ MHz.
IV. MEASUREMENTS and RESULTS
A. Eavesdropping
The eavesdropping research was performed on a
commercial off-the-shelf (COTS) reader and COTS tags.
We chose several tags including a type A tag with 16 KB of
memory that has a processor capable of performing fairly
complex computational and encryption tasks used for
RFID financial transactions.
The reader and the tag are coupled loops that are
typically axially aligned in the same plane. To study the
RFID emissions, the orientation of the reader and tag was
kept constant and the eavesdropping antenna was moved
relative to them. Since the patterns of the reader and the
tag antennas are those of small loops, we can assume that
the radiation patterns conform to the simple loop fields
given by Harrington [10]:
“oS
cf = o
ak
GF
Here $r$ is the distance from the tag to an outside point and $\theta$
is the elevation angle, both illustrated in Figure 3. is the
current in the loops, $S$ is the surface area, $\eta$ is the
impedance of free space, and $k$ is the wave number.
Figure 3. Relative orientations for eavesdropping on an HF RFID system.
When close to the reader, coupling is best at low elevation angles ($\theta = 0^\circ$).
When far away, approaching a wavelength (20 m), eavesdropping
should be more efficient at ($\theta = 90^\circ$).
For short distances, $r$, the axial magnetic field, $H_r$, is
stronger than the $\theta$-directed field, $H_\theta$. At larger distances,
the $1/r$ dependence of $H_\theta$ dominates. So, we expect that at
close distances (h)
eavesdropping should be easier in the plane of the reader
antenna (Figure 5).
Figure 4. Orientation for short-distance eavesdropping ($\theta = 0^\circ$).
Figure 5. Orientation for long-distance eavesdropping ($\theta = 90^\circ$).
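The orientation argument above, evaluated numerically as an added example (not part of the original paper). It uses the standard free-space small-loop magnetic field expressions, with the loop moment $IS$ normalized to 1 A·m² as an assumption, and finds the range at which the in-plane field overtakes the axial field at 13.56 MHz.

```python
import cmath
import math

C0 = 299_792_458.0          # speed of light, m/s
FC = 13.56e6                # carrier frequency from the paper, Hz
K = 2 * math.pi * FC / C0   # wave number k, rad/m

def loop_fields(r, theta, moment=1.0):
    """Small-loop magnetic field phasors (H_r, H_theta) in A/m.

    moment is I*S in A*m^2 (assumed 1.0 here); theta is measured from
    the loop axis in radians; r is the distance in metres.
    """
    phase = cmath.exp(-1j * K * r)
    h_r = moment / (2 * math.pi) * phase * (1j * K / r**2 + 1 / r**3) * math.cos(theta)
    h_t = moment / (4 * math.pi) * phase * (-K**2 / r + 1j * K / r**2 + 1 / r**3) * math.sin(theta)
    return h_r, h_t

def axial_to_planar_db(r):
    """|H_r| on the loop axis (theta = 0) over |H_theta| in the loop plane (theta = 90 deg), dB."""
    h_r, _ = loop_fields(r, 0.0)
    _, h_t = loop_fields(r, math.pi / 2)
    return 20 * math.log10(abs(h_r) / abs(h_t))

def crossover_distance(lo=0.1, hi=50.0):
    """Bisect for the range at which both orientations see the same field strength."""
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if axial_to_planar_db(mid) > 0:
            lo = mid          # axial field still stronger: crossover is farther out
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    for r in (0.1, 1.0, 3.0, 5.0, 10.0, 15.0):
        print(f"r = {r:5.1f} m   axial/planar = {axial_to_planar_db(r):+6.2f} dB")
    r_x = crossover_distance()
    print(f"crossover at {r_x:.2f} m (kr = {K * r_x:.3f})")
```

Under these assumptions the axial field is about 6 dB stronger very close to the loop, and the two orientations give equal field strength at roughly 8.3 m (kr of about 2.35), beyond which the in-plane field is the stronger one.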
We used a single 1 m loop with a capacitive bridge to
match the 50 Ω input of the receiving system. The receiver
nominally had 60 dB of gain at the subcarrier $f_c \pm f_c/16$
and had 70 dB of relative rejection at the carrier frequency
$f_c$. This allowed for detection of the carrier modulation and
the tag response while suppressing the carrier power. Our
tests showed that if a tag response of 6 dB above the noise
floor is captured the information in the signal could be
reliably decoded. This set the criterion for a successful
eavesdropping session.
Figure 6 shows the raw output of the eavesdropping
antenna at 2 m. Without filtering, the reader modulation
can easily be distinguished, but the tag response cannot.
After receiver filtering, shown in Figure 7, the tag and
reader are both distinguishable and the information can be
decoded.
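The receiver budget described above, worked on a constructed capture as an added example (not the authors' measurement code). It measures how far a tag sideband 60 dB below the carrier sits above the in-bin noise floor and above the carrier after 70 dB of relative rejection; the sample rate, capture length, noise level and seed are assumptions.

```python
import math
import random

FC = 13.56e6       # carrier frequency from the paper, Hz
FSUB = FC / 16     # tag sub-carrier offset from the paper, 847.5 kHz
FS = 4 * FC        # assumed sample rate of the constructed capture
N = 6400           # assumed length; a multiple of 64 keeps every tone on a DFT bin

def synth_capture(tag_dbc=-60.0, noise_sigma=0.004, seed=7):
    """Constructed samples: unit carrier, tag sidebands at tag_dbc, white noise."""
    rng = random.Random(seed)
    a_tag = 10 ** (tag_dbc / 20)
    tones = ((FC, 1.0), (FC + FSUB, a_tag), (FC - FSUB, a_tag))
    return [sum(a * math.cos(2 * math.pi * f * n / FS) for f, a in tones)
            + rng.gauss(0.0, noise_sigma) for n in range(N)]

def tone_power_db(x, freq):
    """Goertzel single-bin power, in dB relative to a unit-amplitude tone (dBc here)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for v in x:
        s1, s2 = v + coeff * s1 - s2, s1
    mag2 = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 10 * math.log10(4 * mag2 / len(x) ** 2 + 1e-30)

def assess(x, carrier_rejection_db=70.0, criterion_db=6.0):
    """Compare the tag sideband with the carrier and with the in-bin noise floor."""
    bin_hz = FS / len(x)
    carrier = tone_power_db(x, FC)
    tag = tone_power_db(x, FC + FSUB)
    # Noise floor: mean power of tone-free bins between the carrier and the sideband.
    empty = [10 ** (tone_power_db(x, FC + m * bin_hz) / 10) for m in range(20, 80, 2)]
    floor = 10 * math.log10(sum(empty) / len(empty))
    return {
        "tag_dbc": tag - carrier,
        "tag_over_filtered_carrier_db": tag - (carrier - carrier_rejection_db),
        "margin_db": tag - floor,
        "meets_criterion": tag - floor >= criterion_db,
    }

if __name__ == "__main__":
    for name, value in assess(synth_capture()).items():
        print(f"{name}: {value}")
```

In the unfiltered capture the sideband is about 60 dB under the carrier; measured in a narrow bin it clears the assumed noise floor by roughly 20 dB and, once the carrier is rejected by 70 dB, stands about 10 dB above what remains of it.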
Figure 6. Raw signal received by the eavesdropping antenna. Here the
tag response cannot be distinguished.
Figure 7. Results of an eavesdropped type A transaction at 2 m distance
after filtering of the carrier. The burst on the left is the
carrier modulation. The burst on the right is the tag response.
Table I summarizes the results of the eavesdropping tests.
Other groups have reported considerably longer range
results in more idealized testing environments. We limited
these tests to using low-cost COTS equipment, small
antennas, and performed these tests in a non-ideal, RF
cluttered environment. Also by placing the tag at an
optimal distance from the reader antenna, the RFID system
can be tuned to maximally radiate outward (which was not
done for this test). Table I also shows that the
eavesdropping distance is strongly tied to tag design. We
saw little variation between these tags in the activation
field (field level to turn on the tag), but we saw appreciable
variations in the eavesdropping distance.
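TABLE I
EAVESDROPPING RESULTS for TYPE A TAGS

| Manufacturer | Tag number | Eavesdropping distance at ($\theta = 0^\circ$) (see Fig. 5) (m) | Eavesdropping distance at ($\theta = 90^\circ$) (see Fig. 6) |
|---|---|---|---|
| 1 | A001 | 6.5 | 15 |
| 1 | A002 | 6.5 | 15 |
| 2 | A003 | 3.0 | 9 |
| 2 | A004 | 3.0 | 9 |
| 2 | A005 | 3.0 | 9 |
| 3 | A006 | 6.0 | 8 |
|  | A007 | 6.0 | 8 |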
B. Jamming
To test the communications reliability of these HF RFID
systems, they were subjected to in-band energy. Previous
swept frequency measurements indicate vulnerabilities
only near the frequency band of operation. We show that
jamming at the carrier and sub-carriers would provide the
best opportunity to upset the communication between the
reader and tag.
We used three types of antennas: (1) a set of dual 1 m
loop antennas, (2) a single 15 cm ISO 10373-6 standard
Proximity Coupling Device (PCD) loop, and (3) a set of
dual 15 cm ISO 10373-6 standard PCD loops, shown in
Figure 8. Each antenna was tuned to the frequency of the
jamming signal (tuning between tests was required). The
1 m loops represent an easily deployable and relatively
efficient transmit configuration. The 15 cm loops represent
a small device with less radiation efficiency, or a nearby
RFID system.
One scenario studied was jamming at the carrier or reader
transmit frequency, $f_c$. Other scenarios include jamming at
the upper and lower sub-carriers or the tag backscatter
frequency, $f_c \pm f_c/16$.
To ensure maximum readability of the tag signal by the
reader and to present the most difficult upset scenario for
the jammer, the tag was placed in close proximity to the
reader antenna (within the limits of the reader geometry, <
0.5 cm). If the tag is further from the reader but still within
its nominal operating range (<10 cm), the transaction is
much easier to upset as the tag backscatter falls off very
rapidly with distance in the near-field.
Figure 8. Stacked PCD antennas.
A diagram of the jamming system is shown in Figure 9.
Three basic waveforms were used to mimic probable threat
scenarios: a continuous wave (CW) source at $f_c$, a CW
carrier at the sub-carrier frequency, $f_c \pm f_c/16$, and a CW carrier
at the sub-carrier frequency, $f_c \pm f_c/16$, modulated at $f_d$ to
mimic a nearby reader or tag.
The power delivered to the antenna was monitored to
ensure that the tuning was correct. The system was
considered upset when consistent failures were noted.
Some HF RFID systems have robust data failure and retry
algorithms; only consistent data failures assure upset