Cryptology ePrint Archive: Report 2007/330

Remote Power Analysis of {RFID} Tags

Yossi Oren

Abstract: We describe the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. The power analysis can be carried out even if both the tag and the attacker are passive and transmit no data, making the attack very hard to detect.

As a proof of concept, we use power analysis to extract the kill passwords from Class 1 EPC tags operating in the UHF frequency range. Tags from several major vendors were successfully attacked. Our attack can be extended to HF tags and to remote fault analysis.

The main significance of our attack is not in the discovery of kill passwords but in its implications on future tag design -- any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the performance of tags.

(this is my Master's thesis, carried out under the supervision of Prof. Adi Shamir. It may be considered as the extended version of the article "Remote Password Extraction from RFID Tags", recently published in IEEE Transactions on Computers and indexed as or as

Category / Keywords: cryptanalysis, power analysis, side-channel attacks, RFID

Publication Info: Remote Password Extraction from RFID Tags, IEEE Transactions on Computers 56(9):1292--1296, September 2007

Date: received 21 Aug 2007

Contact author: yossi oren at weizmann ac il

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20070822:184757 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]