An RFID Skimming Gate Using Higher Harmonics

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9440)


This paper describes a novel antenna design for communicating with ISO/IEC 14443A RFID cards at larger distances than the normal 5–10 cm. The set-up consists of two antennas: one to activate the card at the normal frequency of 13.56 MHz, and another to receive its response at the higher harmonic frequency of 40.68 MHz. The strong field required to power the card at larger distances is likely to drown out its response. Detecting the higher harmonic frequencies originating from the card’s response solves this problem and makes communication at larger distances possible. The two antennas, placed 100 cm apart, form an RFID gate that can communicate with cards in the middle of the gate. This is a substantial improvement on the maximum skimming distance of 25 cm reported in the literature.


Keywords: RFID, contactless smart card, ISO/IEC 14443, skimming, eavesdropping





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Techno Center, Radboud University Nijmegen, Nijmegen, Netherlands
  2. Institute for Computing and Information Sciences, Radboud University Nijmegen, Nijmegen, Netherlands
  3. School of Computer Science, University of Birmingham, Birmingham, UK
