I realized I didn’t have any good notes on Radio Frequency Identification (RFID) tags/badges/etc, so I figured it was time to compile that and update it while I’m at it. This post is just a quick run-down of the frequencies, types, and common cards/IDs. If you don’t know what an RFID is, for the purposes of most pentesting it’s a security badge or a key fob, like you can see in the image at the top of this posting.
RFID cards work by communicating some identifier (the ID, typically just a number) via radio frequency (RF), hence the name. The lower the frequency, the less susceptible the link is to interference (LF in particular tolerates nearby metal and liquids far better than UHF), but the lower the data rate. Lower frequency systems also typically require the RFID to be closer to the reader. Many of the LF cards listed below do nothing beyond transmitting that ID, with no authentication of any kind, so the reader has no way to tell a clone from the original: the ID is the credential.
You have to have power to transmit RF, which means there are basically three ways this can be done. The reader can just receive the signal (in which case the RFID has to have its own power source), or the reader can transmit enough energy that the RFID powers its response from the reader's field (in which case no power source is required on the RFID), or the reader can send a signal that tells a battery-powered RFID to respond (in which case the RFID still has its own power source). These are called PRAT, ARPT, and ARAT, as follows:
- Passive Reader, Active Tag (PRAT) means the RFID provides the power and transmits on its own; the reader only listens.
- Active Reader, Passive Tag (ARPT) means the reader provides the power; the RFID has no battery and answers using energy harvested from the reader's field.
- Active Reader, Active Tag (ARAT) means both the reader and the RFID are powered; the reader's signal wakes the battery-powered RFID, which then answers.
Strictly speaking there could be Passive Reader, Passive Tag (PRPT) but that would be a system that just doesn't communicate at all. 😉 In practice nearly every access badge or key fob a pentester deals with is ARPT: there is no battery, the card runs on power harvested from the reader's field, and that is also why it has to be held so close to the reader.
Low Frequency (LF)
LF RFIDs technically operate in the 30 kHz – 300 kHz frequency range, although in practice they're normally at 125 kHz (access control badges and fobs) or 134.2 kHz (animal tags and the TI HDX family). The defined standards are:
- ISO 11784 and ISO 11785 – RFID for animal tracking. Uses the 134.2 kHz frequency.
- ISO/IEC 18000-2 (ISO 18000 part 2) – Defines RFIDs operating below 135 kHz.
High Frequency (HF)
HF RFIDs operate at 13.56 MHz (or 13,560 kHz). The defined standards are:
- ISO/IEC 14443 – Defines proximity cards (nominal range of roughly 10 cm), in two variants, Type A and Type B, that differ in modulation and bit coding. This is the air interface used by contactless payment systems (EMV, e.g. PayPass, ExpressPay, etc), by most Near Field Communication (NFC) tags, and by MIFARE cards.
- ISO/IEC 15693 – Defines vicinity cards, which have a longer read range (up to about 1 m) than ISO/IEC 14443 proximity cards.
- ISO/IEC 18092 (NFCIP-1) and ISO/IEC 21481 (NFCIP-2) – Define the NFC standard, including peer-to-peer mode between two powered devices.
- ISO/IEC 18000-3 (ISO 18000 part 3) – Defines RFIDs operating at 13.56 MHz.
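Since ISO/IEC 14443 Type A is what almost every HF badge and NFC tag speaks, it is worth seeing how the UID actually crosses the air. The card answers the reader's ANTICOLLISION command one cascade level at a time, 4 bytes plus a BCC check byte (the XOR of those 4 bytes); a 0x88 cascade tag in the first byte means more UID bytes follow at the next level, and the SAK returned by SELECT has bit 3 (0x04) set while the UID is still incomplete. The following is an added example written for this post, not code from any card vendor or from the original article; the sample UIDs are constructed and the function names are my own.

```python
# Added example (not from the original post): ISO/IEC 14443-3 Type A
# anticollision cascade for 4-, 7- and 10-byte UIDs, card side and reader side.

CT = 0x88                   # cascade tag: "more UID bytes follow at the next level"
SAK_UID_INCOMPLETE = 0x04   # SAK bit 3: reader must select another cascade level
SAK_ISO14443_4 = 0x20       # SAK bit 6: card supports ISO/IEC 14443-4 (T=CL)


def bcc(four: bytes) -> int:
    """Block Check Character: XOR of the four UID/CT bytes of one cascade level."""
    return four[0] ^ four[1] ^ four[2] ^ four[3]


def cascade_levels(uid: bytes) -> list:
    """Card side: split a UID into the 5-byte (4 bytes + BCC) responses sent at
    cascade levels 1, 2 and 3.  A 4-byte UID fits in one level; 7 bytes need
    CT+3 then 4; 10 bytes need CT+3, CT+3 then 4."""
    if len(uid) not in (4, 7, 10):
        raise ValueError("UID must be 4, 7 or 10 bytes")
    if len(uid) == 4 and uid[0] == CT:
        raise ValueError("a single-size UID may not start with the cascade tag")
    levels, rest = [], bytes(uid)
    while rest:
        if len(rest) == 4:
            part, rest = rest, b""
        else:
            part, rest = bytes([CT]) + rest[:3], rest[3:]
        levels.append(part + bytes([bcc(part)]))
    return levels


def uid_incomplete(sak: int) -> bool:
    """Reader side: does this SAK say another cascade level is needed?"""
    return bool(sak & SAK_UID_INCOMPLETE)


def reassemble(levels: list) -> bytes:
    """Reader side: rebuild the UID from the per-level responses, verifying
    the BCC on each level and that cascade tags appear only where allowed."""
    uid = b""
    for i, lvl in enumerate(levels):
        if len(lvl) != 5:
            raise ValueError("cascade level %d is not 5 bytes" % (i + 1))
        if bcc(lvl[:4]) != lvl[4]:
            raise ValueError("BCC mismatch at cascade level %d" % (i + 1))
        last = i == len(levels) - 1
        if lvl[0] == CT:
            if last:
                raise ValueError("cascade tag on the final level")
            uid += lvl[1:4]
        else:
            if not last:
                raise ValueError("UID complete at level %d but more levels given" % (i + 1))
            uid += lvl[:4]
    return uid


def is_random_uid(uid: bytes) -> bool:
    """A single-size UID whose first byte is 0x08 is a random (non-unique) ID the
    card generates itself, so it is useless as a credential for UID-based access control."""
    return len(uid) == 4 and uid[0] == 0x08


if __name__ == "__main__":
    # Constructed sample: a 7-byte UID such as a MIFARE Ultralight might carry.
    sample = bytes.fromhex("04a1b2c3d4e5f6")
    for n, lvl in enumerate(cascade_levels(sample), start=1):
        print("cascade level %d: %s" % (n, lvl.hex()))
    print("reassembled:", reassemble(cascade_levels(sample)).hex())
```

The BCC is only an integrity check on a noisy link, not a security feature; anything that can emulate the card can emit a valid BCC for any UID, which is exactly why UID-only access control on these cards is weak.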
Ultra-High Frequency (UHF)
UHF RFIDs operate at 433 MHz (active, battery-powered tags) or in the 860 MHz to 960 MHz band (passive tags; the exact sub-band depends on the region). The defined standards are:
- ISO/IEC 18000-6 (ISO 18000 part 6) – Defines RFIDs in the 860 MHz to 960 MHz range. This is further split into Types A through D, which specify the bit encoding on the reader-to-tag link and the anti-collision scheme (the 2012 revision renumbered these as ISO/IEC 18000-61 through 18000-64):
- Type A is pulse interval encoding (PIE) with ALOHA to avoid collisions
- Type B is Manchester encoding on the interrogator link with an adaptive binary tree to avoid collisions
- Type C is PIE with random slotting to avoid collisions
- Type D is Tag Only Talks After Listening (TOTAL) using pulse position encoding
- ISO/IEC 18000-7 (ISO 18000 part 7) – Defines RFIDs operating at 433 MHz.
The following is a list of LF RFIDs:
- Applied Wireless Identifications (AWID)
- EM4100/4102/4103/4104/4105/4106/4110/4115 (EM4X generically)
- G Prox II
- HID Indala Proximity
- HID Prox
- ioProx (dual-encoded Wiegand and Kantech Extended Secure Format (XSF))
- ISO 11784/11785 FDX-A/FDX-B (Full Duplex)
- ISO 11784/11785 HDX (Half Duplex)
- Stanley Proximity Access Control
- Philips/NXP PCF7931
- Farpointe Pyramid
- Texas Instruments (TI)
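The EM4100/EM410x family at the top of that list is the simplest case and the one most often cloned: the tag just loops a fixed 64-bit frame carrying a 40-bit ID (8-bit version/customer code plus 32-bit serial). The frame is nine 1 bits of header, ten data nibbles each followed by an even row-parity bit, four even column-parity bits, and a 0 stop bit, Manchester-encoded over the 125 kHz carrier. The following is an added example written for this post (not code from the original article or from EM Microelectronic) that builds such a frame, Manchester-encodes it, and recovers the ID from a capture that starts at an arbitrary point and unknown phase, the way a reader or a Proxmark has to. The Manchester convention (1 = high-then-low) and the sample ID are assumptions made for the illustration.

```python
# Added example (not from the original post): EM4100 frame build, parse with
# parity checks, Manchester encode, and ID recovery from a raw half-bit capture.

HEADER = [1] * 9   # nine 1s; the parity structure guarantees at most eight in a row elsewhere


def em4100_build(version: int, serial: int) -> list:
    """Return the 64-bit frame (list of 0/1) for an 8-bit version and 32-bit serial."""
    if not (0 <= version < 256 and 0 <= serial < 1 << 32):
        raise ValueError("version is 8 bits, serial is 32 bits")
    data = (version << 32) | serial
    nibbles = [(data >> (36 - 4 * i)) & 0xF for i in range(10)]   # most significant nibble first
    bits = list(HEADER)
    for n in nibbles:
        row = [(n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1]
        bits += row + [sum(row) % 2]                               # even row parity
    for col in range(4):                                           # even column parity
        bits.append(sum((n >> (3 - col)) & 1 for n in nibbles) % 2)
    bits.append(0)                                                 # stop bit
    return bits


def em4100_parse(frame: list) -> tuple:
    """Check header, 10 row parities, 4 column parities and stop bit; return (version, serial)."""
    if len(frame) != 64 or frame[:9] != HEADER or frame[63] != 0:
        raise ValueError("bad length, header or stop bit")
    nibbles = []
    for i in range(10):
        row = frame[9 + 5 * i: 13 + 5 * i]
        if sum(row) % 2 != frame[13 + 5 * i]:
            raise ValueError("row %d parity error" % i)
        nibbles.append((row[0] << 3) | (row[1] << 2) | (row[2] << 1) | row[3])
    for col in range(4):
        if frame[59 + col] != sum((n >> (3 - col)) & 1 for n in nibbles) % 2:
            raise ValueError("column %d parity error" % col)
    data = 0
    for n in nibbles:
        data = (data << 4) | n
    return data >> 32, data & 0xFFFFFFFF


def manchester_encode(bits: list) -> list:
    """Assumed convention: 1 -> (1, 0), 0 -> (0, 1). Each bit becomes two half-bits."""
    out = []
    for b in bits:
        out += [1, 0] if b else [0, 1]
    return out


def manchester_decode(halfbits: list):
    """Pair up half-bits; a pair with no mid-bit transition means wrong phase or noise."""
    bits = []
    for i in range(0, len(halfbits) - 1, 2):
        pair = (halfbits[i], halfbits[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            return None
    return bits


def em4100_recover(halfbits: list):
    """Recover (version, serial) from a capture of unknown phase that starts anywhere
    in the tag's endlessly repeated frame, or None if no valid frame is present."""
    for phase in (0, 1):                       # try both half-bit alignments
        bits = manchester_decode(halfbits[phase:])
        if bits is None:
            continue
        for start in range(len(bits) - 63):    # hunt for the 9-bit header
            if bits[start:start + 9] == HEADER:
                try:
                    return em4100_parse(bits[start:start + 64])
                except ValueError:
                    continue                   # false header or corrupt frame, keep looking
    return None


if __name__ == "__main__":
    frame = em4100_build(0x12, 0x3456789A)     # constructed sample ID
    # Constructed capture: three repeats of the frame, sampled from mid-frame at an odd half-bit.
    capture = manchester_encode(frame * 3)[37:]
    version, serial = em4100_recover(capture)
    print("version %#04x serial %#010x" % (version, serial))
```

Note what is absent: there is no challenge, no key and no signature anywhere in the frame. Recovering these 40 bits once (over the air or from a reader's Wiegand output) is all a clone needs, which is why EM410x and similar LF badges are the first thing to check for on an engagement.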
The following is a list of HF RFIDs:
- ePassport (EPA)
- Europay, Mastercard, and Visa (EMV)
- HID iCLASS
- LEGIC Identsystems
- MIFARE Classic
- MIFARE Ultralight
- TOPAZ NFC
The following is a list of UHF RFIDs:
- EPCglobal UHF Class 1 Gen 2 (ISO 18000-6C, now ISO/IEC 18000-63)