
Radio frequency identification: adversary model and attacks on existing protocols

by Gildas Avoine
Database (2005)


Available from citeseerx.ist.psu.edu

Radio Frequency Identification:
Adversary Model and Attacks on Existing Protocols
Gildas Avoine
Swiss Federal Institute of Technology in Lausanne
School of Computer and Communication Sciences
EPFL - I&C - ISC - LASEC
Station 14 - Building INF
CH-1015 Lausanne, Switzerland
Technical Report LASEC-REPORT-2005-001, September 2005
Abstract. Radio Frequency Identification (RFID) systems aim to identify objects in open
environments with neither physical nor visual contact. They consist of transponders inserted into
objects, of readers, and usually of a database which contains information about the objects. The
key point is that authorised readers must be able to identify tags without an adversary being able
to trace them. Traceability is often underestimated by advocates of the technology and sometimes
exaggerated by its detractors. Whatever the true picture, this problem is a reality when it blocks
the deployment of this technology and some companies, faced with being boycotted, have already
abandoned its use. Using cryptographic primitives to thwart the traceability issues is an approach
which has been explored for several years. However, the research carried out up to now has not
provided satisfactory results as no universal formalism has been defined. In this paper, we propose
an adversary model suitable for RFID environments. We define the notions of existential and
universal untraceability and we model the access to the communication channels from a set of oracles.
We show that our formalisation fits the problem being considered and allows a formal analysis of
the protocols in terms of traceability. We use our model on several well-known RFID protocols and
we show that most of them have weaknesses and are vulnerable to traceability.
Key words: RFID, Adversary Model, Privacy, Untraceability, Cryptanalysis.
1 Introduction
1.1 RFID Motivation
Often presented as a new technological revolution, Radio Frequency Identification (RFID) makes the
identification of objects in open environments possible, with neither physical nor visual contact. RFID
systems are made up of transponders inserted into the objects, of readers which communicate with the
transponders using radio frequencies and usually of a database which contains information on the tagged
objects.
This technology is not fundamentally new. It has existed for several decades and has been used in the
public domain for several years, for example in ticketing on public transport or ski-lifts, on motorway
tollgates, or even for animal identification. RFID technology is thus found on a whole range of applications
which have very different purposes and therefore different needs. The boom which RFID technology is
enjoying today rests essentially on the willingness to develop low-cost transponders (for around 5 US
cents) thus rendering them disposable. Such transponders are called tags. Advocates of this technology
say that they are the super barcodes of the future. Indeed, identification by radio frequency represents a
major innovation in relation to optical identification. It allows objects to be read en masse, without the
need for visual contact, and each tag has a unique identifier representing a single object, unlike barcodes.
Moreover, the minute size of the tags allows them to be implanted within objects.
One area of application for RFID tags is the management of stock and inventories in shops and
warehouses. The American mass-marketing giant, Wal-Mart, has recently placed a requirement on its
main suppliers that they use electronic tags on the pallets and cartons that are delivered to its stores.
The advantages of using RFID tags can also be seen, for example, in libraries where putting an electronic
tag in each book simplifies the borrowing and returning procedures and facilitates the staff’s job. Several
libraries in the United States have already adopted the RFID technology, e.g., the Santa Clara City
Library in California, the University of Nevada, the Las Vegas Library, and the Eugene Oregon Public
Library [22]. Among the actual applications, we can also cite locating people in a public area, e.g.,
amusement parks [25]. The aim is to help customers to keep in touch with other members of their group
in the park.
1.2 RFID Primer
RFID tags are electronic microcircuits equipped with an antenna. The least expensive ones have only
extremely limited computation, storage, and communication capacities, because of the cost and size
restrictions dictated by the targeted applications. Capabilities of the tags ensue from the ISO standards [15]
and the EPC Global Inc. standards [8].
Tags have no microprocessors and are equipped with only a few thousand logic gates at the very most,
which makes it a real challenge to integrate encryption or signature algorithms into these devices. This
difficulty is reinforced by the fact that the tags are passive, meaning that they do not have an internal
power source: they use the power supplied by the reader. Fortunately, promising research is being done
at the moment, notably the implementation of AES encryption for RFID tags proposed by Feldhofer,
Dominikus and Wolkerstorfer [10]. Note that such an implementation cannot fit a very low-cost tag, but
it may be suited to reasonably inexpensive tags.
The storage capacities of RFID tags are also extremely limited. The cheapest devices have between
64 and 128 bits of ROM only, which allows the unique identifier of the tag to be stored, but adding
EEPROM remains an option for more developed applications. Contrary to smartcards made for secure
applications (credit cards, pay TV, etc.), the tags are not tamper-resistant. This fact does not mean that
all security measures are impossible. Indeed, we have to consider the cost of the attack in relation to its
gain. For example, the ease of reading the content of a tag may be counter-balanced by the difficulty of
getting access to it. Subcutaneous tags are a good illustration of this difficulty of access. A less extreme
example is the use of tags in bracelets to locate people in enclosed spaces: the tag could be initialised
when it is given out to a customer and the data could be erased when the customer gives the bracelet
back. However, it would not be secure for all the tags to contain the same secret, as the cost of the attack
could become negligible when compared with the gain.
The communication distance between tags and readers depends on numerous parameters, in particular
the communication frequency. Two main categories of RFID systems coexist: the systems using the
frequency 13.56MHz and the systems using the frequency 860-960MHz, for which the communication
range is greater. In this latter case, the information sent by the reader can be received in practice up to
a hundred meters, but the information returned from the tag to the reader reaches a few meters at most.
These limits, resulting from the standards and regulations in place, do not mean that the tags cannot be
read from a greater distance. Indeed, an attacker could exceed these limits, for example by transgressing
the laws relating to the maximum power.
1.3 RFID Security Issues
Security problems in RFID systems can be put into two categories. The first concerns those attacks
which aim to disrupt the functioning of the system, e.g., denial of service attacks. The second category,
the one which interests us, is related to privacy: the problems are information leakage, as a tag may reveal
data about the object which contains it (for example the title or author of a book), and traceability.
Information leakage can be avoided if the tag only transmits one identifier which can only be used by
those persons having access to the system’s database. However, this does not prevent traceability. By
“traceability” we mean that an adversary is able to recognize a tag which he has already seen, at another
time or in another place. The traceability of tags, and by extension of people, is a difficulty that RFID
technology must surmount if it is to be widely used. For example, companies like Gillette and Benetton
have been the victims of virulent boycott campaigns [29].
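The distinction drawn above between information leakage and traceability, as an added example that is not part of the report: a tag that always sends the same opaque identifier leaks nothing about the object, yet an eavesdropper who only compares replies recognises it every time. The classes, the game and the randomized tag (a hypothetical contrast, not a protocol from the report) are constructed for illustration, and the result holds only against this reply-matching adversary.

```python
import hashlib
import hmac
import secrets

# Constructed model: the adversary sees only the bytes a tag sends on the air.

class StaticTag:
    """Answers every query with the same opaque identifier.
    The identifier is meaningless without the database (no information leakage)."""
    def __init__(self):
        self.ident = secrets.token_bytes(16)

    def respond(self):
        return self.ident

class RandomizedTag:
    """Hypothetical contrast: answers with a fresh nonce and a keyed hash of it,
    so two replies from the same tag never repeat."""
    def __init__(self):
        self.key = secrets.token_bytes(16)

    def respond(self):
        nonce = secrets.token_bytes(16)
        return nonce + hmac.new(self.key, nonce, hashlib.sha256).digest()

def linking_adversary(seen, challenge):
    """Guess 'same tag as before' iff the challenge reply was observed earlier."""
    return challenge in seen

def traceability_game(tag_factory, trials=200):
    """Fraction of trials in which the adversary correctly decides whether the
    challenged tag is the one it eavesdropped on earlier (0.5 = pure guessing)."""
    correct = 0
    for _ in range(trials):
        target, other = tag_factory(), tag_factory()
        seen = {target.respond() for _ in range(5)}   # earlier sightings
        is_target = secrets.randbelow(2) == 1          # hidden coin flip
        challenge = (target if is_target else other).respond()
        if linking_adversary(seen, challenge) == is_target:
            correct += 1
    return correct / trials

if __name__ == "__main__":
    print("static identifier :", traceability_game(StaticTag))
    print("randomized replies:", traceability_game(RandomizedTag))
```
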
Beyond hardware-based techniques [11, 20], many researchers have looked into the problem in order
to design protocols which allow authorised persons to identify the tags without an adversary being able