The Operation Of RFID Tags And Readers, Or: How I Learned To Stop Worrying And Love The E-Z Pass
The operation of the RFID tolling tags known commonly throughout the northeastern United States as E-Z Pass has garnered some attention in the Facebook group of 2600: The Hacker Quarterly, after someone posted an article from the news website “The Blaze”, a site created by former Fox News Channel show host Glenn Beck. The article concerned a presentation at Defcon, the yearly computer security conference held on the Las Vegas Strip. In summary, the presenter modified an E-Z Pass tag to light up and make a “moo” sound whenever the tag was read.
Under normal operating conditions, an RFID tag interacts with a reader at a toll booth as follows. The reader's antenna transmits a read request using a protocol (ATA/IAG in the case of E-Z Pass tags). The carrier signal that carries this request electrically induces a voltage on the tag's antenna, and that induced voltage powers the chip on the tag, which performs whatever operation the reader is asking for. To return data, the tag modulates the inductance of its antenna, encoding its reply into the carrier signal backscattered to the reader; the coupling between reader and tag is by propagating electromagnetic waves or by inductive coupling.
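As an added illustration (not code from the original post, and not the ATA/IAG or EPC Gen 2 encodings), the following Python simulation models the exchange just described: the reader radiates a carrier, the tag's chip runs only if the induced voltage is high enough to power it, and the tag answers by switching its antenna load between two reflection states so that its reply rides on the backscattered carrier. The load values, the power-on threshold, the Manchester coding, the sync pattern and the CRC framing are all simplifying assumptions chosen for the example.

```python
"""Constructed simulation of a passive RFID backscatter link (reader carrier -> tag -> reader)."""
import random

POWER_ON_VOLTS = 1.8                   # assumption: minimum harvested voltage for the tag IC to run
REFLECT_HIGH, REFLECT_LOW = 0.9, 0.2   # assumption: antenna load states (shorted vs matched)
SAMPLES_PER_HALF_BIT = 4
PREAMBLE = [1, 0, 1, 1, 0]             # constructed sync pattern, not a standard preamble


def induced_voltage(field_strength):
    """Rectified voltage the antenna delivers to the chip (toy model: linear in field strength)."""
    return 3.3 * field_strength


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """CRC-16/CCITT-FALSE over the reply body, so the reader can reject corrupted frames."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def tag_backscatter(tag_id, carrier_amplitude):
    """Tag side: frame the ID with a CRC, Manchester-encode it, and switch the antenna load
    once per half-bit. The returned samples are the reflected carrier amplitude the reader sees."""
    frame = tag_id + crc16_ccitt(tag_id).to_bytes(2, "big")
    samples = []
    for bit in PREAMBLE + to_bits(frame):
        halves = (REFLECT_HIGH, REFLECT_LOW) if bit else (REFLECT_LOW, REFLECT_HIGH)
        for level in halves:
            samples.extend([carrier_amplitude * level] * SAMPLES_PER_HALF_BIT)
    return samples


def reader_demodulate(samples, carrier_amplitude, id_len):
    """Reader side: threshold each half-bit at the midpoint between the two load states,
    undo the Manchester coding, strip the preamble and verify the CRC."""
    threshold = carrier_amplitude * (REFLECT_HIGH + REFLECT_LOW) / 2
    half_bits = []
    for i in range(0, len(samples), SAMPLES_PER_HALF_BIT):
        chunk = samples[i:i + SAMPLES_PER_HALF_BIT]
        half_bits.append(1 if sum(chunk) / len(chunk) > threshold else 0)
    bits = []
    for i in range(0, len(half_bits) - 1, 2):
        first, second = half_bits[i], half_bits[i + 1]
        if first == second:
            return None                 # not a valid Manchester symbol: treat as noise
        bits.append(first)
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return None
    frame = from_bits(bits[len(PREAMBLE):])
    body, crc = frame[:id_len], int.from_bytes(frame[id_len:id_len + 2], "big")
    return body if crc16_ccitt(body) == crc else None


def run_exchange(tag_id, field_strength, noise=0.0, seed=0):
    """Whole link: the reader radiates a carrier; if the induced voltage powers the chip, the
    tag answers by backscatter and the reader decodes it. Returns the decoded ID or None."""
    carrier_amplitude = field_strength
    if induced_voltage(field_strength) < POWER_ON_VOLTS:
        return None                     # unpowered tag: nothing decodable comes back
    rng = random.Random(seed)
    reflected = [s + rng.gauss(0, noise * carrier_amplitude)
                 for s in tag_backscatter(tag_id, carrier_amplitude)]
    return reader_demodulate(reflected, carrier_amplitude, len(tag_id))


if __name__ == "__main__":
    print(run_exchange(b"\x12\x34\x56\x78", field_strength=1.0, noise=0.05))   # decoded ID
    print(run_exchange(b"\x12\x34\x56\x78", field_strength=0.3))               # None: too far away
```

The two things worth noticing are that the tag never transmits on its own (its "reply" is only a change in how much of the reader's carrier it reflects) and that nothing is returned at all below the power-on threshold, which is why a tag whose antenna has been repurposed for another device gives a reader no data to decode.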
Now, the presenter has modified the tag to act as an antenna for some other device, but it is not specified that he filters the incoming signals so that the device activates only on the ATA/IAG protocol or on a particular frequency; FCC Part 90, the regulatory regime covering RFID protocols in the US, requires frequency hopping across a spectrum. Furthermore, if he has decoupled the antenna from the IC embedded in the tag, no information is being returned through backscatter, not to mention that different tag protocols support different tag operations, as per the EPC Gen 2 LLRP protocol that governs tag communications with readers.
In addition, tags can be locked with passwords that prevent anyone, even with a reader operating on the right protocol, from grabbing user data without first authenticating to the tag. The demonstration only shows that RF waves activated the tag; there is no evidence that user data was ever read.
The NY transit authority's statement says they used the tags to monitor traffic usage, which is entirely possible without reading personal user data from a tag, as the tag ID is entirely separate from the password-locked registration data. If it were not, anyone could easily duplicate a tag by replaying the tag ID.
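To make the point of the last two paragraphs concrete, here is an added Python model (mine, not E-Z Pass firmware or the EPC Gen 2 command set) of a tag whose identifier bank is readable by any reader on the protocol while its registration data sits in a bank locked behind an access password, together with a reader-side traffic counter that only ever touches the identifier. The bank names, the lock states, the password storage and the sample account string are constructed for the example; a real Gen 2 access exchange involves more than a plain password compare.

```python
"""Constructed model: identifier readable by anyone, registration data password-locked."""
import hmac
from collections import Counter


class LockedTag:
    BANKS = ("TID", "USER")

    def __init__(self, tid, user_data, access_password):
        self.tid = tid                            # identifier: any reader on the protocol may read it
        self._user = user_data                    # registration data: locked behind the access password
        self._access_password = access_password   # assumption: kept in reserved memory, never readable
        self.locks = {"TID": "permalocked", "USER": "locked"}
        self._authenticated = False               # per-session state, lost when the tag loses power

    def read(self, bank):
        """Return the bank contents, or None when the bank is locked for this session."""
        if bank not in self.BANKS:
            raise ValueError(f"unknown bank {bank!r}")
        if bank == "TID":
            return self.tid
        if self.locks["USER"] == "locked" and not self._authenticated:
            return None                           # reader gets a memory-locked error, not data
        return self._user

    def access(self, password):
        """Authenticate the current session; constant-time compare avoids a timing side channel."""
        self._authenticated = hmac.compare_digest(password, self._access_password)
        return self._authenticated

    def leave_field(self):
        """A passive tag loses power when it leaves the reader field, so session state is gone."""
        self._authenticated = False


def count_passages(tags_in_lane):
    """Reader-side traffic monitoring: tally passages by identifier alone; USER memory is never read."""
    return Counter(tag.read("TID") for tag in tags_in_lane)


def attempt_user_read(tag, password=None):
    """What a reader gets back from USER memory, with or without the right password."""
    if password is not None:
        tag.access(password)
    data = tag.read("USER")
    tag.leave_field()
    return data


if __name__ == "__main__":
    # constructed sample values, not real tag contents
    tag = LockedTag(b"\xe2\x00\x01", b"acct:0042;plate:ABC123", b"\x01\x02\x03\x04")
    print(attempt_user_read(tag))                       # None: locked
    print(attempt_user_read(tag, b"\x01\x02\x03\x04"))  # registration data
    print(count_passages([tag, tag]))                   # {b'\xe2\x00\x01': 2}
```

The counter in `count_passages` is all a traffic-monitoring deployment needs, and it works whether or not the reader knows any password; a reader that merely energises the tag, as in the Defcon demonstration, learns at most the identifier and nothing from the locked bank.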
