Radio Frequency Identification (RFID)

This capability decreases time for a transaction, but there are weaknesses and, as shown in the articles, they have been reported to the public for years.

Sniffing or Skimming

RFID enabled elements are subject to sniffing (also called skimming), the practice of using non-authorized technology to query an RFID enabled element and inappropriately receive the information. See


Good video from Xeni Jardin of BoingBoing.TV at the 2008 O’Reilly Emerging Technology Conference showing how an RFID sniffer can be had for about $8. Watch it on Flixy or YouTube both 3m 22s. Starting at 0:41 listen to Pablos Holman’s opinion about the difference between “real security” and something that “feels like” security to the consumer.

Specific vs Generic

Tags are generally application specific. No one tag fits all.

Fixed vs Flexible

RFID tags are generally programmed with information and that information remains in the tag until replaced by a device external to the tag.


More than one tag can respond to a query at the same time.

More on RFID Weaknesses:

WTHR report on how RFID can be easily read from your wallet
Story www.wthr.com/story/14001597/the-risk-inside-your-credit-card
Video 6m09s http://youtube.googleapis.com/v/lLAFhTjsQHw%26sns=em

The problem continues

Despite warnings from at least 2010 RFID cards are still being snooped.

10/26/2015 Train Rider e-PickPocketed

from Sophos

2/03/2016  Hackproof RFID?

MIT and Texas Instruments have developed an RFID chip that resists more complex attacks.

RFID chips have been susceptible to side-channel attacks where memory patterns are analyzed after access or power fluctuation to extract a small piece of information. Repeated executions of the attack can lead to complete compromise. The defeat this the RFID chip can change the encryption keys. The power glitch attack cuts power so the RFID can’t re provision the cryptographic keys. Then the side channel attack is more effective. For how they did it see this from MIT.


Return to References page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.