Long-Distance RFID Snagging Possible, Already Done

After posting about the danger posed by magic wand credit cards, some readers pooh-poohed the notion that someone could build a device capable of reading RFID from a distance.

For the benefit of readers not scouring the comments, let us point you to this item from the summer of 2005. A SoCal group twenty-year-olds at DefCon 13, an annual gathering of security analysts and hackers, “…set the world record for transmitting data to and from a “passive” radio frequency identification (RFID) card — covering a distance of more than 69 feet.” [Washington Post]

Here’s some more cool pictures of the device they made.

The security vulnerability exists. Just because it’s hard, doesn’t mean someone won’t find a way to exploit it. There’s money to be made.

After all, it’s kinda difficult to make a fake ATM card reader and slip it on top of an ATM machine and harvest credit card numbers, right? Or decrypt PINs mistakenly stored at checkout counters? Or slip a hand inside your pocket and steal your wallet?


Edit Your Comment

  1. Karl says:

    69 feet is nothing. We’ve been able to read passive tags at over 100 feet with standard equipment (and staying inside FCC regulations, which I doubt Flexilis did). However, there’s a few things to keep in mind:

    – These are new EPC Generation 2 tags and readers. They’re designed to be read from long distances in harsh environments.

    – The test was conducted down a long hallway. We suspect the hallway acted as a waveguide, giving us much better performance than if we were to repeat the experiment in an open-air environment.

    Hopefully we will be publishing a technical report with these results soon.

    Now, just because we can read passive tags at such a long distance doesn’t mean it’s feasible for credit cards. Credit card tags are designed to be read at a close range, communicate using the magnetic field instead of the electric field and at a much lower frequency, etc. I’m not saying it’s impossible, but you’re really comparing apples and oranges.

  2. Ben Popken says:

    Just to be clear, so what you’re saying is the tech used in the Flexilis test is fundamentally different than what is used by RFID credit cards?

  3. Karl says:

    I wouldn’t say it’s fundamentally different, but it’s different enough that the Flexilis results don’t really apply. The frequencies are different, the protocols are different, and the physics is different.

    The paper on the credit card vulnerabilities says that the maximum read distance of that particular RFID technology is in dispute, but Shell Canada has reported 26 inches, and researchers at Tel Aviv University have built a reader that works at 9 inches. Neither are anywhere close to 69 feet.