
| Subject: | Re: Re: Radio Signal Pent test (RFID) |
|---|---|
| Date: | 20 Dec 2005 13:49:25 -0000 |
Two types of RFID: passive and active. Passive tags are generally read-only, meaning the data they contain cannot be altered or written over, and can be read up to 20 feet away. Passive RFID tags are powered by the radio signal of an RFID reader, which "dehibernates" them to request a reply. Active RFID tags act as transponders and are designed for communications up to 100 feet from the RFID reader. These puppies are read/write, so once you figure out which type of tag you are talking to, try and write over the data on the tag. As I understand it, the tags won't talk to you unless you talk to them first.

Here's something I pulled out of the spec that might help you understand:

[quote]
Proper RFID system design suggests that a reader would be commanded by a host (or timed internally) to address a population of tags, for either a read of all tag IDs or a confirmation read of specific tags. Before and after this polling process, the reader is not emitting RF energy. This allows other readers and other 900 MHz ISM band devices to operate. The negotiation between the reader and tags can be divided into three categories: start up signals, tree traversal negotiations, and command communication.
[/quote]

[quote]
Start up signals are sent at the beginning of the addressing of the population of tags, and after a frequency hop. During this process, the reader will emit signals to power the tags, calibrate the tag oscillator, and train the tag to interpret the three reader-to-tag data symbols. After the setup, the reader and tags will communicate digitally, the reader with three symbols, and the tags with two symbols.
[/quote]

[quote]
ID1 is a static pseudo-random number that is contained on chip, and is used in tag singulation, and sometimes in recalling an already established tag identity. ID0 is a fully randomized number that is generated on chip as needed, and will be rerandomized at each address by the reader of the full population of tags. ID0 may be used in tag singulation, but must always follow with the reading of the EPC data for establishing a tag identity. Under interrogator command, any one of ID2, ID1, or ID0 may be used for singulation.
[/quote]

Something else you might like to consider is the secure reader command - it's supposed to render RFID tags unreadable. Might be a nice way to do a blanket DoS against the shop's RFID tags. I've searched through various implementation, specification and technical option papers but have yet to find any more on the "secure reader command". If anyone else has come across detailed information on the command I'd certainly like to have a look at it.

Some useless information so you know where to stand:

* 125 - 148 kHz / 13.56 MHz broadcast/receive up to 3 feet
* 915 MHz broadcast/receive up to 25 feet
* 2.45 GHz broadcast/receive up to 100 feet

You might like to read: http://www.epcglobalinc.org/standards_technology/Secure/v1.0/UHF-class0.pdf

The document specifies the communications interface and protocol for 900 MHz Class 0 operation. It includes the RF and tag requirements and provides operational algorithms to enable communications in this band. Particularly concentrate on sections 12 through 14.

Not sure if this has helped or hindered, but it's my take on it and certainly where I'd begin my research into laying a big juicy one on the chest of RFID.

Bon Voyage ;-)
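The "tree traversal negotiations" and the ID1/ID0 singulation numbers quoted above are easier to reason about with a small model in hand. The following is an added example, not code from the post or from the EPC Class 0 specification: it simulates a binary tree-walking singulation over a constructed tag population, records every prefix the reader transmits, and shows why the spec re-randomizes ID0 and requires an EPC read afterwards. The 8-bit ID width, the `Tag` class, the EPC strings and the tag numbers are all constructed for the example; the real reader/tag symbol encoding is not modelled.

```python
"""Simplified binary tree-walking singulation (added example, not from the post).

Model: the reader broadcasts a bit prefix; every tag whose singulation number
starts with that prefix answers with its next bit. Hearing both 0 and 1 is a
collision, so the reader descends into both subtrees. Real EPC Class 0 symbol
encoding, timing and ID widths are not reproduced here.
"""
from dataclasses import dataclass
import secrets

ID_BITS = 8  # constructed width; real ID0/ID1 fields are considerably wider


@dataclass
class Tag:
    epc: str      # payload the reader reads after singulation (constructed value)
    id1: int      # static pseudo-random number fixed on chip
    id0: int = 0  # regenerated on chip each time the population is re-addressed

    def rerandomize(self, randbits=secrets.randbits):
        """Fresh ID0, as the quoted spec says happens at each address."""
        self.id0 = randbits(ID_BITS)


def _bits(value):
    return format(value, f"0{ID_BITS}b")


def singulate(tags, key="id1"):
    """Walk the binary tree of the chosen singulation number (id1 or id0).

    Returns (resolved, reader_log): resolved maps each full singulation number
    to the list of tags that answered with it; reader_log is every prefix the
    reader broadcast, in order.
    """
    resolved = {}
    reader_log = []

    def walk(prefix):
        reader_log.append(prefix)
        matching = [t for t in tags if _bits(getattr(t, key)).startswith(prefix)]
        if not matching:
            return
        if len(prefix) == ID_BITS:
            # Two tags with identical numbers cannot be separated by this walk;
            # that is the failure mode the random ID0 exists to break.
            resolved[prefix] = matching
            return
        heard = {_bits(getattr(t, key))[len(prefix)] for t in matching}
        for bit in sorted(heard):       # both branches on a collision
            walk(prefix + bit)

    walk("")
    return resolved, reader_log


def ids_recoverable_from_reader(reader_log):
    """What someone hearing only the reader's forward channel learns.

    The reader's signal (which also powers passive tags) carries much farther
    than the tag replies, yet the final prefixes it transmits are the full
    singulation numbers.
    """
    return {p for p in reader_log if len(p) == ID_BITS}


if __name__ == "__main__":
    # Constructed population: two tags share a long prefix to force collisions.
    shop = [Tag("EPC-A", 0b10110010), Tag("EPC-B", 0b10110011), Tag("EPC-C", 0b01000001)]
    resolved, log = singulate(shop, "id1")
    print("reader broadcast", len(log), "prefixes")
    print("ids an eavesdropper on the reader recovers:", sorted(ids_recoverable_from_reader(log)))
    print("tags per resolved number:", {k: [t.epc for t in v] for k, v in resolved.items()})

    # Two tags with the same static ID1 collide at every level; re-addressing
    # with a fresh ID0 separates them, but ID0 says nothing about identity,
    # hence the mandatory EPC read afterwards.
    twins = [Tag("EPC-D", 0b11111111), Tag("EPC-E", 0b11111111)]
    print("by id1:", {k: len(v) for k, v in singulate(twins, "id1")[0].items()})
    for t in twins:
        t.rerandomize()
    print("by id0:", {k: len(v) for k, v in singulate(twins, "id0")[0].items()})
```

Running it with the constructed population shows the reader walking prefix by prefix and, at the leaves, transmitting each tag's complete singulation number; singulating the two "twin" tags by ID1 yields a single unresolvable bucket, while a fresh ID0 (almost always) splits them. Note that ID0 alone never tells you which tag is which, matching the spec's requirement to follow it with a read of the EPC data.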