RFID and Its Vulnerability to Faults

  • Michael Hutter
  • Jörn-Marc Schmidt
  • Thomas Plos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5154)


Radio Frequency Identification (RFID) is a rapidly upcoming technology that has become more and more important also in security-related applications. In this article, we discuss the impact of faults on this kind of devices. We have analyzed conventional passive RFID tags from different vendors operating in the High Frequency (HF) and Ultra-High Frequency (UHF) band. First, we consider faults that have been enforced globally affecting the entire RFID chip. We have induced faults caused by temporarily antenna tearing, electromagnetic interferences, and optical inductions. Second, we consider faults that have been caused locally using a focused laser beam. Our experiments have led us to the result that RFID tags are exceedingly vulnerable to faults during the writing of data that is stored into the internal memory. We show that it is possible to prevent the writing of this data as well as to allow the writing of faulty values. In both cases, tags confirm the operation to be successful. We conclude that fault analysis poses a serious threat in this context and has to be considered if cryptographic primitives are embedded into low-cost RFID tags.


RFID Fault Analysis Antenna Tearing Optical Injections Electromagnetic Analysis Implementation Attacks 


  1. 1.
    Anderson, R.J., Kuhn, M.G.: Tamper Resistance - a Cautionary Note. In: Second Usenix Workshop on Electronic Commerce, pp. 1–11 (November 1996)Google Scholar
  2. 2.
    Atmel Corporation. Website - Secure RFID: CryptoRF,
  3. 3.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. Cryptology ePrint Archive Report 2004/100 (2004),
  4. 4.
    Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I.: Public-Key Cryptography for RFID-Tags. In: Workshop on RFID Security 2006 (RFIDSec 2006), Graz, Austria, July 12-14 (2006)Google Scholar
  5. 5.
    Blitshteyn, M.: Mastering RFID Label Converting: Where Understanding Static Control Can Help Prevent RFID Transponder Failures. Technical report, Ion Industrial (2005)Google Scholar
  6. 6.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurinand, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, Springer, Heidelberg (2007)Google Scholar
  7. 7.
    Canniére, C.D., Preneel, B.: TRIVIUM Specifications. eSTREAM, ECRYPT Stream Cipher Project Report 2005/030 (April 2005),
  8. 8.
    Carluccio, D., Lemke, K., Paar, C.: Electromagnetic Side Channel Analysis of a Contactless Smart Card: First Results. In: Oswald, E. (ed.) Workshop on RFID and Lightweight Crypto (RFIDSec 2005), Graz, Austria, July 13-15 (2005)Google Scholar
  9. 9.
    Feldhofer, M.: Comparing the Stream Ciphers Trivium and Grain for their Feasibility on RFID Tags. In: Posch, K.C., Wolkerstorfer, J. (eds.) Proceedings of Austrochip 2007, Graz, Austria, October 11, 2007, pp. 69–75. Verlag der Technischen Universität Graz (2007) ISBN 978-3-902465-87-0Google Scholar
  10. 10.
    Feldhofer, M., Dominikus, S., Wolkerstorfer, J.: Strong Authentication for RFID Systems using the AES Algorithm. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 357–370. Springer, Heidelberg (2004)Google Scholar
  11. 11.
    God, R.: Lean Manufacturing of RFID Products - Put the Chip on the Box. In: Electronics Systeminteg ration Technology Conference, Proceedings of IEEE Conference, September 2006, pp. 1118–1121. IEEE Computer Society, Los Alamitos (2006)CrossRefGoogle Scholar
  12. 12.
    Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/010 (revised version 2005) (2006),
  13. 13.
    Hong, D., Sung, J., Hong, S., Lim, J., Lee, S., Koo, B., Lee, C., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J., Chee, S.: HIGHT: A New Block Cipher Suitable for Low-Resource Device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Hutter, M., Mangard, S., Feldhofer, M.: Power and EM Attacks on Passive 13.56 MHz RFID Devices. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 320–333. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  17. 17.
    Kömmerling, O., Kuhn, M.G.: Design Principles for Tamper-Resistant Smartcard Processors. In: USENIX Workshop on Smartcard Technology (Smartcard 1999), pp. 9–20 (May 1999)Google Scholar
  18. 18.
    McLoone, M., Robshaw, M.J.B.: Public Key Cryptography and RFID Tags. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 372–384. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    NXP Austria GmbH. Website - contactless smart cards,
  20. 20.
    Oren, Y., Shamir, A.: Remote Password Extraction from RFID Tags. IEEE Transactions on Computers 56(9), 1292–1296 (2007)CrossRefGoogle Scholar
  21. 21.
    Plos, T.: Susceptibility of UHF RFID Tags to Electromagnetic Analysis. In: Malkin, T. (ed.) Topics in Cryptology - CT-RSA 2008, The Cryptographers’ Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. LNCS, vol. 4964, pp. 288–300. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    Poschmann, A., Leander, G., Schramm, K., Paar, C.: A Family of Light-Weight Block Ciphers Based on DES Suited for RFID Applications. In: Workshop on RFID Security 2006 (RFIDSec 2006), Graz, Austria, July 12-14 (2006)Google Scholar
  23. 23.
    Poupard, G., Stern, J.: Security Analysis of a Practical ”on the fly” Authentication and Signature Generation. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 422–436. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  24. 24.
    Quisquater, J.-J., Samyde, D.: Eddy Current for Magnetic Analysis with Active Sensor. In: Proceedings of Esmart, pp. 185–194 (2002)Google Scholar
  25. 25.
    Schmidt, J.-M., Hutter, M.: Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results. In: Posch, K.C., Wolkerstorfer, J. (eds.) Proceedings of the Austrochip 2007, October 2007, pp. 61–67. Verlag der Technischen Universität Graz (2007) ISBN 978-3-902465-87-0Google Scholar
  26. 26.
    SecureRF. SecureRF - Secure RFID Solutions,
  27. 27.
    Skorobogatov, S.P., Anderson, R.J.: Optical Fault Induction Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  28. 28.
    Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: a Scalable Encryption Algorithm for Small Embedded Applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  29. 29.
    Tan, K., Tan, S., Ong, S.: Functional failure analysis on analog device by optical beam induced current technique. In: Proceedings of the 1997 6th International Symposium on Physical & Failure Analysis of Integrated Circuits, 1997, pp. 296–301. IEEExplore (July 1997)Google Scholar
  30. 30.
    Tuyls, P., Batina, L.: RFID-Tags for Anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 115–131. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Hutter
    • 1
  • Jörn-Marc Schmidt
    • 1
    • 2
  • Thomas Plos
    • 1
  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria
  2. 2.Secure Business Austria (SBA)ViennaAustria

Personalised recommendations