Remote Power Analysis of {RFID} Tags

We describe the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. The power analysis can be carried out even if both the tag and the attacker are passive and transmit no data, making the attack very hard to detect. As a proof of concept, we use power analysis to extract the kill passwords from Class 1 EPC tags operating in the UHF frequency range. Tags from several major vendors were successfully attacked. Our attack can be extended to HF tags and to remote fault analysis. The main significance of our attack is not in the discovery of kill passwords but in its implications on future tag design -- any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the performance of tags. (this is my Master\u27s thesis, carried out under the supervision of Prof. Adi Shamir. It may be considered as the extended version of the article Remote Password Extraction from RFID Tags , recently published in IEEE Transactions on Computers and indexed as http://dx.doi.org/10.1109/TC.2007.1050 or as http://ieeexplore.ieee.org/iel5/12/4288079/04288095.pdf

Security and Privacy of Radio Frequency Identification

Tanenbaum, A.S. [Promotor]Crispo, B. [Copromotor

Remote Power Analysis of RFID Tags

We describe the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. The power analysis can be carried out even if both the tag and the attacker are passive and transmit no data, making the attack very hard to detect. As a proof of concept, we use power analysis to extract the kill passwords from Class 1 EPC tags operating in the UHF frequency range. Tags from several major vendors were successfully attacked. Our attack can be extended to HF tags and to remote fault analysis. The main significance of our attack is not in the discovery of kill passwords but in its implications on future tag design- any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the performance of tags. 1 Acknowledgements I am truly thankful for having the opportunity to work on such an exciting topic of research. The results presented here are the result of collaboration with many people, and would not have been possible if not for the generosity and guidance of those who helped me along the way