Practical eavesdropping and skimming attacks on high-frequency RFID tokens

RFID systems often use near-field magnetic coupling to implement communication channels. The advertised operational range of these channels is less than 10 cm and therefore several implemented systems assume that the communication channel is location limited and therefore relatively secure. Nevertheless, there have been repeated questions raised about the vulnerability of these near-field systems against eavesdropping and skimming attacks. In this paper we revisit the topic of RFID eavesdropping and skimming attacks, surveying previous work and explaining why the feasibility of practical attacks is still a relevant and novel research topic. We present a brief overview of the radio characteristics for popular HF RFID standards and present some practical results for eavesdropping experiments against tokens adhering to the ISO 14443 and ISO 15693 standards. We also discuss how an attacker could construct a low-cost eavesdropping device using easy to obtain parts and reference designs. Finally, we present results for skimming experiments against ISO 14443 tokens.