back to article RFID chips snooped from 66 metres

RFID tags can be read at a surprising range, a researcher has found. When he's not listening in to GSM phone calls, Chris Paget has been busy seeing at what distance an RFID tag can be read, managing a respectable 217 feet. Paget also reckons the US military could read an EPC Gen2 tag from 80 miles off, though the connection …


This topic is closed for new posts.
  1. Andrew the Invertebrate

    The 10 mile isn't realistic

    if you're happy to use these tags for neferious purposes surely you'll take out the 100ms filter first?

  2. Chris Bygrave

    Detecting holidays...

    Or how about detecting the presence of passports in houses in a street, and when those passports disappear then it's holiday / break-in time.

    Badgers sign because it almost looks like burglars...

    1. Anonymous Coward


      Badgers also sneak around at night and leg-it as soon as they're spotted

    2. mlo0352


      That wouldn't be a big deal in the US...most people don't have Passports...

      1. Anonymous Coward
        Anonymous Coward

        Re: That wouldn't be a big deal in the US...

        Recall that it was the US that pushed everyone else into making lots of haste with RFIDing passports. And everywhere else, most people do have passports, for various reasons. Everyone else, you _don't_ get a foil jacket with your RFIDed passport. In fact, there's plenty countries where not being able to show one causes a fine or worse legal trouble. So I say: Nice and hateful comment there.

        Responsibility? They've heard of it. The state department even spells it in large letters on their website: r e c i p r o c i t y.

      2. J 3
        Big Brother


        Maybe, but no problem -- they will put them in the driver's license.

    3. Anonymous Coward

      Errrm not really!

      Or.... it could be one of the frightening % of people who have no passport because they are either too unfortunate, too lazy or too Luddite to go abroad... they just happened to have a visitor last time you were there!

      It's surely no worse for security than the car not in the drive, all the lights are off or the neighbour seen feeding the cat...

    4. Annihilator

      Detecting holidays

      Yeah cos there aren't much simpler and tech-free ways of detecting when people are on holiday... Even simple films such as Home Alone taught us that

  3. Mark Jan

    BacoFoil Shares Worth Buying?

    Aluminium foil - not just for turkeys!

    1. Anonymous Coward
      Thumb Up


      Tin foil hats - not just for people anymore!

    2. Anonymous Coward

      No, a microwave

      In Holland they do things even "better" and thus put your biometric data (fingerprints) onto the RFID chip used in both passports and European ID cards.

      And because I trust my government to do everything in its power in keeping this information secured I fried my ID card. One flash, 2 holes and no more RFID.

      Paranoid? I don't think so, just protecting my rights because I know how "safe" RFID is. Esp. when a government "designs" the security scheme behind it.

  4. LuMan
    Big Brother

    Big Brother??

    "Whatever the risks, the real joy is in seeing what can be achieved and pushing the technology to its limits, for no reason beyond seeing if it can be done."

    And when it can be done every single government in the civilised world will adopt this to surrepticiously spy on absolutely everyone. We are not safe and we are being watched......

  5. Loyal Commenter

    From page 8 of the referenced PDF:

    "In reality there are several factors which limit the read range to far less than these maximums, and one of the most fundamental may lie in Gen2 itself. There are strict timing requirements placed on both the reader and the tag, with both sides abandoning communication if timeouts are reached. Ironically, this timing restriction may be the ultimate self-imposed limit on Gen2 read range – a 10-mile read range* (for a 20 mile round trip) takes about 100 microseconds, so we still believe that reading RFID tags from more than a mile away is entirely possible."

    The 100μs timeout applies at both ends, ignoring it at the receiving end won't stop the chip itself from respecting the limit. I would assume that these chips use some form of request-response type interaction, where the chip is queried and it asks for authentication, expecting it within those 100μs.

    *(The actual round-trip distance here is calculated by multiplying the speed by the time taken, c x 100μs = 3e8 m/s x 1e-4 s = 3e4 m, which is 30km, or 15 km each way)

    1. I didn't do IT.

      Re: Chip respecting limits

      Warning: Armchair physics reasoning ahead...

      This could be easily circumvented by changing the timestamp of the signals from the transmitter, assuming that's how the chip knows the "time". Even if the chip records the last "time" there was a communication, without the power of the signal, there is nothing for it to run an independent timer to verify that the next signal was transmitted within the timeout period.

      Because of this, once the range is known, the transmitter could modify the timestamp to fool the chip into thinking the 100μs have not elapsed...

      Unless, of course, the 100μs is how long the signal powers the chip... so that if the chip loses power, it automatically "forgets" the conversation, forcing the timeout.

    2. ArmanX

      Given enough knowledge of the circuit involved...

      It should still be possible to get the data you want. Assuming the timing remains fairly consistent between two reads, one could create a reader that reads a tag once, times the response based on round trip, forms a response based on the received packet, then transmit a second read request, closely followed by the response packet. Assuming the response doesn't change between reads, one should be able to read up to the maximum distance.

      Granted, the hardware required would be complicated, but it is possible.

    3. peter_dtm

      it's passive

      since the rfid is passive how can it enforce a time out; it uses the power if the incident signal to impose a digital signal on the 'reflection' (it's actually a parasitic oscillator at work so not really a reflection just good old 'Q' at work).

      The rfid tag is dumb - so tickle it with the right frequency and listen for the 'reply' - basic radar; sonar; lidar technology; so not only do you get the information you also get the range to within a few yards(/metres) and bearing.

      Of course; not only is the power a factor; but also the curvature of the earth and the atmospheric conditions. The absolute range is proportional to the power^2 AND the sensitivity of the receiver AND the signal path; but if you're not bothered by licence (or health) restrictions; then several miles should be easy. And that's before you start using diversity reception.

      my coat is the one with kitchen foil lined pockets

  6. Anonymous Coward
    Thumb Down

    Oh how embarrassing...

    The fuzz will know what I buy in the supermarket :-(

    1. Anonymous Coward
      Big Brother

      Re: Embarassing

      Or, as is currently happening in the US:

      "Sorry, sir, but we have a warrant to search your home and outlots. See, you bought Brand X of shampoo, and Brand Y of cough syrup, and Brand Z of incent repellent. You bought these at different times in different stores, and this matches the pattern of a Meth Lab. Please follow this nice officer as he handcuffs you and places you in the back of his patrol car, for your protection..."

      This IS HAPPENING NOW in the US. Wal-Mart... "Always" is more than just a slogan...

  7. Anonymous Coward
    Anonymous Coward


    that means that vehicle number plates with embedded rfid tags can be read from the roadside......

    1. Geoff Campbell Silver badge

      Vehicle number plate RFID

      We knew that anyway. The ones proposed for vehicles are battery powered, and have a larger design range than the unpowered ones. Which, of course, opens up a whole host of possible ways to screw their operation, all of which I shall be investigating should they ever become compulsory.


  8. Anonymous Coward


    I'm afraid that all those nefarious uses for this form of reading of RFIDs have already been patented by Apple

  9. Refugee from Windows
    Thumb Up

    Metal biscuit tin

    Now you know why all your Granny's important documents were kept in an old biscuit tin - it's good at keeping all the radio stuff out of it and makes your passport invisible. Also keeps mice, damp and all sort of other things away as well.

    1. Anonymous Coward

      Ol' Granny Faraday was a cagey old bird.

      <----- a bird.

  10. Matt Bryant Silver badge

    Got a new credit card?

    So, those new Visa "PayWave" cards will really be a wave of crime, then? Ignoring the fact that stores will be able to track you all the way round the mall to map out your shopping prefs, crims will be able to clone your card from the other side of town! No PIN to worry about now for Mr Shay D Karactor, and now he doesn't even have to walk behind you and scan your backpocket (see, he can sit comfortably in his car in the carpark and scan you as you walk into the mall. I expect the next "must-have" accessory to be wallets lined with metal mesh or tinfoil.


    1. Anonymous Coward
      Anonymous Coward


      Ok, that wasn't an $8 reader from ebay, it was part of a POS device. He can't sit in a car and read cards, he said that he thought he may be able to do that, but this would be far over the effective range of NFC. He keeps refering to the cards as RFID when they are NFC. He says that the decryption should happen in a datacentre when the whole point of paywave is that it happens locally, so you don't have to wait for a connection to a datacentre to be established. Also, there is absolutely no verification that he is doing what he claims, the reader goes beep and he says, "look at the screen". Furthermore, as I understand the operation of paywave type cards, they have a separate "card number" for the paywave part of the card and while it is implied that having the credit card number is "bad" he doesn't even imply that he would be able to create another card with this data. I could go on...

      All in all, I call FUD.

    2. D@v3

      do you mean something like this...

      that is all

  11. Eddy Ito

    317 miles = 510 km

    With the ISS orbiting at 340 km, it shouldn't be much of a problem.

    So, is there any way to check if your Gen2 tag respects the 100 microsecond rule? Meh, tinfoil is probably cheaper.

  12. JaitcH

    "especially if said criminals are less respectful of ham licensing restrictions"

    Forget 'less respectful', they most likely don't even know what a 'ham' is.

    And if you shop at the Gap or Walmart your clothes will be good substitutes for radar reflectors, some garments have more than two RFID.'s in them.

    RFID's can be neutered by placing the object in a microwave oven, along with a mug of water, and turning it in high for a minute.

  13. FARfetched
    Black Helicopters

    Search and destroy?

    How can we locate these in items we own and relocate the chips?

    I could see the possibility for hijinks here: remove the chips and stuff them in random locations, preferably in the stores they came from in the first place.

  14. John Smith 19 Gold badge
    Thumb Up

    This Chrismas's Must Have Present.

    RFID early warning receiver.

    Possibly backed up by something to put out a response pulse powerful enough to blow out the front end of any snoopy receiver.

  15. Stuart Halliday

    Get some prospective

    Let's be clear here, Gen2 RFID tags are around the size of bricks as they have their own battery built-in. The usual RF-ID tag called Gen1 like Walmart is wanting to use are the size of a postage stamp....

  16. Anonymous Coward

    Arecibo. A warning ...

    ... to Fidel Castro not to shoplift at the local Wal-Mart, or any in Puerto Rico.

  17. Haku

    ...or you could use it to find your golf balls

    like this company -

    Admittedly I don't think the device is reading the data from the RFID tag at long distances but rather there's a tag which is responding to the scan and how strong a signal is being 'bounced' back.

  18. This post has been deleted by its author

  19. yomchi86

    Detecting holidays the high tech way?

    Why bother, most morons put home address, phone number and a neat little calendar on their facebook page saying when they will be on holiday. then dont make their profile private....

    nuff said

  20. Anonymous Coward
    Anonymous Coward


    Two things:

    1) Passports, bank cards etc use NFC, which can currently only be ramped up to 50cm max, more realistically about 5-10cm. NFC is not the same thing as RFID.

    2) You may be reading an RFID at X miles, but how do you target a specific tag, rather than just the first one that comes back? The chances are that there will be a fair few RFID tags in and direction you choose to look.

    1. John Sturdy

      What about large numbers of tags?

      What happens if you have large number of tags close enough together for the responses to seem simultaneous? Does that confuse the reader? The further away you're reading from, the more tags you're likely to get responses from.

    2. Anonymous Coward
      Anonymous Coward

      Oh please, not that canard

      The standard specifies that passport RFID chips must function up to _at least_ 20cm. That doesn't mean it guarantees all passports will not repond when held at 21cm. What this is about is how far you can stretch things, regardless of standard. As it turns out: Quite a lot. Even stretching to just a yard may be more than enough.

      Maybe you find it hard to believe, but it's the same principle as a lock manufacturer saying "this lock ought to only work with this specification key", and then someone comes along with a lock picking set and opens it anyway. We all know it works that way; no reason RFID should magically be different. It's been up and down the news several times already that, surprise, it in fact is not at all different from everything else we make in that respect.

      Similarly, sometimes you don't care what tags you read, just that they're part of some class, like, "contactless payment cards with at least a tenner on them", and then you trigger a transaction to transfer, not to be overly greedy, 9.99 to you. Walk up and down a busy shopping street, loiter a bit in a mall, and you'll have easily filched a couple hundred, maybe a couple thousand. Then scram and try again in a different part of town, or a different city altogether.

      Or, sometimes you don't care what else you read. If you can read tag X within the range of your device, distance Y, you can draw conclusions like, well, since tag X is subject Z's passport RFID tag (or simply the one in his oyster or barclay card, his employee access badge, a tag factory sewn into his shoes, the one implanted in his dog, what have you, any will do), then that's likely Z within Y right there. That already enables surveillance by some unobtrusive logging device stuck on a wall, hidden in some other device, and so forth and so on. Or you could trigger a detonator. Why not.

This topic is closed for new posts.

Other stories you might like