Eavesdropping
Security: an attack in which an adversary passively intercepts reader-to-tag or tag-to-reader RF communication to capture tag data.
Eavesdropping on RFID
Eavesdropping is a passive attack where an adversary intercepts the radio-frequency communication between an RFID reader and tags without the knowledge of either party. Unlike active attacks such as cloning or replay attacks, eavesdropping does not require the attacker to transmit any signal — they simply listen with a sensitive receiver tuned to the RFID operating frequency.
Attack Mechanics
RFID communication consists of two links with very different power characteristics:
Forward link (reader-to-tag): The reader transmits at high power (up to 1W conducted in FCC regions, plus antenna gain). This signal propagates well beyond the intended read zone and can be intercepted at distances of 10-100 metres with a directional antenna.
Reverse link (tag-to-reader): The backscattered signal from a passive tag is extremely weak — typically 60-80 dB below the forward link. Intercepting backscatter requires a high-gain antenna and low-noise receiver, and is generally feasible only at distances up to 5-15 metres for UHF tags.
An eavesdropper positioned within range can capture:
- The reader's commands (Query, Select, Read, Write)
- The tag's EPC responses
- Data read from User Memory or TID Memory
- Access Passwords transmitted in plaintext during Lock/Unlock operations
What Is at Risk
Identity tracking: If a unique EPC is associated with a person (e.g., a tagged garment worn by an individual), an eavesdropper can track that person's movements by detecting the tag in different locations. This is the core privacy concern addressed by GDPR and the Untraceable Command.
Credential theft: Plaintext Access Passwords and Kill Passwords captured during eavesdropping give the attacker full control over the tag's memory — enabling data modification, cloning, or permanent destruction.
Competitive intelligence: In supply chain environments, intercepting EPCs from a competitor's shipments could reveal product types, quantities, and shipping patterns.
Countermeasures
Crypto Suite authentication: When mutual authentication is employed, the communication is encrypted. Even if the attacker captures the RF exchange, they cannot extract the authentication keys or plaintext data.
Untraceable Command: Reducing tag range and hiding EPC data limits the useful information available to an eavesdropper.
Physical security: Shielding reading zones with RF-absorbing materials (ferrite tiles, metallic enclosures) contains the signal within the intended area. Portal reader tunnels with metal walls are inherently resistant to external eavesdropping.
Short-range operation: Using near-field antennas limits the communication range to centimetres, making eavesdropping impractical without physical proximity to the reader.
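The forward/reverse link asymmetry described under Attack Mechanics, and the shielding countermeasure above, can both be quantified with a simple link budget. The following is an added example (not part of the original glossary entry) that estimates how far each link remains decodable and how much RF attenuation a shielded perimeter would need; all numeric inputs (30 dBm reader, 6 dBi reader antenna, 12 dBi listening antenna, -80 dBm decode threshold, 70 dB backscatter loss, 915 MHz, free-space propagation) are assumed parameters, not values from the page.

```python
import math

SPEED_OF_LIGHT = 299_792_458.0  # m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis) in dB at a given distance and frequency."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def path_loss_db(distance_m: float, freq_hz: float, exponent: float = 2.0) -> float:
    """Log-distance model: free-space loss at 1 m plus 10*n*log10(d).
    n=2 is free space; 3 or more models cluttered indoor environments."""
    return fspl_db(1.0, freq_hz) + 10 * exponent * math.log10(distance_m)


def received_dbm(erp_dbm: float, listener_gain_dbi: float, distance_m: float,
                 freq_hz: float, exponent: float = 2.0) -> float:
    """Power (dBm) arriving at a listening receiver at distance_m."""
    return erp_dbm + listener_gain_dbi - path_loss_db(distance_m, freq_hz, exponent)


def max_intercept_m(erp_dbm: float, listener_gain_dbi: float, threshold_dbm: float,
                    freq_hz: float, exponent: float = 2.0) -> float:
    """Largest distance at which received power still meets the decode threshold."""
    margin_db = received_dbm(erp_dbm, listener_gain_dbi, 1.0, freq_hz, exponent) - threshold_dbm
    return 10 ** (margin_db / (10 * exponent))


def shielding_needed_db(erp_dbm: float, listener_gain_dbi: float, perimeter_m: float,
                        threshold_dbm: float, freq_hz: float, exponent: float = 2.0) -> float:
    """Attenuation (dB) a shielded boundary must add so that a listener at the
    perimeter falls below the decode threshold; 0 if it already does."""
    excess = received_dbm(erp_dbm, listener_gain_dbi, perimeter_m, freq_hz, exponent) - threshold_dbm
    return max(0.0, excess)


def exposure_report(reader_dbm=30.0, reader_gain_dbi=6.0, backscatter_loss_db=70.0,
                    listener_gain_dbi=12.0, threshold_dbm=-80.0, perimeter_m=5.0,
                    freq_hz=915e6, exponent=2.0) -> dict:
    """Assumed parameters: 1 W reader into a 6 dBi antenna, tag backscatter
    modelled as an isotropic source 70 dB below the reader's EIRP."""
    forward_erp = reader_dbm + reader_gain_dbi          # reader EIRP
    reverse_erp = forward_erp - backscatter_loss_db     # backscatter EIRP
    return {
        "forward_max_m": max_intercept_m(forward_erp, listener_gain_dbi, threshold_dbm, freq_hz, exponent),
        "reverse_max_m": max_intercept_m(reverse_erp, listener_gain_dbi, threshold_dbm, freq_hz, exponent),
        "forward_shield_db": shielding_needed_db(forward_erp, listener_gain_dbi, perimeter_m, threshold_dbm, freq_hz, exponent),
        "reverse_shield_db": shielding_needed_db(reverse_erp, listener_gain_dbi, perimeter_m, threshold_dbm, freq_hz, exponent),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value:.1f}")
```

With these inputs the backscatter link drops below threshold at roughly 20 m and a 5 m shielded perimeter needs only about 12 dB of attenuation to contain it, whereas the reader's own transmissions remain decodable far beyond the read zone and would need over 80 dB of shielding, which is why the Untraceable Command and encrypted authentication matter even inside a shielded enclosure.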
Related Content
RFID Security Threats and Countermeasures
RFID Security Audit and Forensics
Frequently Asked Questions
The RFID glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Radio-Frequency Identification technology. It is designed for engineers, system integrators, and project managers who work with RFID and need clear definitions of terms like EPC, backscatter, anti-collision, and ISO 18000.
Yes. RFIDFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.