There are dozens and dozens of RFID protection products that claim they can stop evildoers from stealing your identity and essentially ruining all life as we know it. We bought some of these products at random and tested them to see how effective they really are.
Some products claimed to prevent all RFID scanning, but under testing, proved to only prevent a subset. The good thing is all products blocked at least some signals.
A lot of the things we carry, such as credit cards, passports, and building access cards use Radio Frequency Identification (RFID) technology. The electromagnetic tags on these things usually contain some type of identifying serial number and other data—something static like a serial or inventory control number, or something triggering onboard circuitry to run and produce data, like a credit card. A reader can read the information on the tags—it could be just once or it could be many times. It may even be possible to write data onto the tags.
Someone armed with a reader could potentially stand near you and interrogate your credit card’s tag, copy whatever data gets coughed up, and then use that to create a duplicate credit card. If the reader is small enough to be held in the palm of the hand, then the reader is low-power and has an effective range of about a centimeter. Bumping up the power increases the effective range to about a meter, but the tag may also be limited in how far it can transmit its signals. The attacker still needs to get fairly close to the victim or the object, like 15 to 20 centimeters.
A higher-powered reader may be disguised as a briefcase or messenger bag, which would increase the range and help the attacker physically approach the target. But this is a more expensive attack.
Sure, this is a possible scenario, but consider if you are likely to be attacked this way. You may be targeted specifically because of who you are or where you work. Because of the proximity required, you are unlikely to be targeted this way.
So before you buy something to protect yourself, especially if it is something you might not even need, shouldn’t you know how everything works and make an informed decision?
An RFID Primer
There are three types of tags - passive, battery-assisted, and active. Passive tags—found in credit cards, passports, hotel keys, building access cards, etc.—are the cheapest to make and most popular. They have no power source, but when interrogated by the reader, use the electromagnetic field to power on-board circuitry to process the request and transmit a response back to the reader. Battery-assisted tags are very similar in that they do nothing until a reader interrogates them, and then they tell the battery to fire up and power the tag. Active tags usually have a battery and sometimes a dedicated power source, and are constantly transmitting data, even if there isn’t a reader nearby. Active tags have a greater range than other tags.
The potential attack scenario above is an oversimplification. All modern credit cards use some form of encryption, a fairly involved interrogation process where you insert the card into a slot for intense interaction, and typically do not give up usable data unless certain expectations are met (verified certificates and signatures, for example). But you could replace the victim credit card with a victim hotel room access card and it is roughly the same attack: Gather data from the victim’s card, duplicate it, and then proceed to perform the same functions with the card that the victim might, like unlocking a hotel room.
Do They Really Work?
There are many products out there that block RFID readers from querying tags. Most are quite cheap. I tested them, because naturally, I didn’t trust any of the vendors of any of the products to deliver the goods.
The most common product on the market is a blocking sleeve. Typically the sleeves are made of a foil-like material with some combination of copper and aluminum, and then covered in a strong material like Tyvek. RFID wallets and purses usually have the blocking foil-like material sewn into them and function just like the sleeve. We tested a selection of sleeves.
The second-most common is a blocking card—usually the size of a very thick credit card—which performs what amounts to a denial of service whenever it senses a reader. Doesn’t matter if the reader is good or bad. Most blocking cards are passive—and some of them merely have foil coating or a wire mesh and are no different from sleeves. We tested both active and passive cards.
Finally, just because I had a couple of them around, I tested a couple of RFID blocking wallets—one using sewn-in blocking material like the sleeves and one made of metal—and my wife’s RFID-blocking purse.
It turns out standards for testing these RFID-blocking devices actually exist, since the government wants to make sure these sleeves and cards actually work before buying them for government employees and contractors. There is an actual list of approved vendors that meet FIPS 201 standards, and testing details are outlined in Electromagnetically Opaque Sleeve Approval and Test Procedure (version 13.1.0 is the current version as of this writing).
I duplicated the testing procedures as best as I could—testing if I could read the tag without protection, and then protecting the tag and then trying to read it from eight different angles. I used the Proxmark3 testing tool to perform a generic scan and looked at the power readings of the “return” of energy to determine if the tag was being activated (or at least attempted). While the Proxmark3 does not do every kind of scanning I’d like, it covered Low Frequency (LF) at 125 kHz, which is commonly used with building access cards, and High Frequency (HF) at 13.56 MHz, which is commonly used with credit cards and passports.
I used the sample cards that come with Proxmark3 and personal items—credit cards, hotel keys, and passport—for testing.
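The scoring logic this procedure implies, as an added example (not the author's tooling or part of the Proxmark3 client): a control read without protection, eight shielded reads per band, and a check of each result against the vendor's claim. The product names, the "partial" verdict, and the sample readings are constructed assumptions, not the article's measurements.

```python
from dataclasses import dataclass

BANDS = ("LF", "HF")   # 125 kHz and 13.56 MHz, the two bands the article tests
ANGLES = 8             # the shielded tag is read from eight different angles

@dataclass
class Trial:
    product: str
    band: str
    baseline_read: bool    # control: tag answered with no protection
    shielded_reads: list   # one bool per angle, True = tag still answered

def verdict(trial):
    """Classify one product/band trial."""
    if trial.band not in BANDS or len(trial.shielded_reads) != ANGLES:
        raise ValueError("need one reading per angle on a known band")
    if not trial.baseline_read:
        return "invalid"   # tag never read unshielded, so the test proves nothing
    leaks = sum(trial.shielded_reads)
    if leaks == 0:
        return "blocked"
    # "partial" (leaks at some angles only) is this example's own label
    return "not blocked" if leaks == ANGLES else "partial"

def summarize(trials, claims):
    """Per product: verdict per band, plus claimed bands not shown to be blocked."""
    report = {}
    for t in trials:
        report.setdefault(t.product, {"bands": {}, "unmet_claims": []})
        report[t.product]["bands"][t.band] = verdict(t)
    for product, entry in report.items():
        for band in claims.get(product, ()):
            # an untested or invalid band counts as an unverified claim
            if entry["bands"].get(band) != "blocked":
                entry["unmet_claims"].append(band)
    return report

# Constructed sample results (hypothetical products and readings).
SAMPLE_TRIALS = [
    Trial("sleeve-A", "LF", True, [False] * 8),
    Trial("sleeve-A", "HF", True, [False] * 8),
    Trial("card-B", "LF", True, [True] * 8),
    Trial("card-B", "HF", True, [False] * 8),
    Trial("wallet-C", "HF", True, [False] * 6 + [True, False]),
    Trial("wallet-C", "LF", False, [False] * 8),
]
SAMPLE_CLAIMS = {"sleeve-A": ["LF", "HF"], "card-B": ["LF", "HF"], "wallet-C": ["HF"]}

if __name__ == "__main__":
    for product, entry in summarize(SAMPLE_TRIALS, SAMPLE_CLAIMS).items():
        print(product, entry["bands"], "unmet claims:", entry["unmet_claims"])
```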
The results of the tests were mixed. Some products are built to protect only for one frequency, which is a problem if you are trying to protect something at a different frequency.
In the case of the sleeve, the most expensive sleeve didn’t block LF despite being from a FIPS 201-approved vendor, while the two cheapest ones blocked both LF and HF. Neither of them was FIPS 201-approved, either. Just for the sake of it, I asked for foil from Chipotle and wrapped up the cards before testing. Turns out foil is good at blocking both LF and HF.
You expect things like a building access card to be protected if the credit card is being protected. In the case of the blocking/jamming cards, it matters what you are trying to protect. The blocking cards all worked for the higher frequency, but none for the lower frequency.
Testing the purse and the wallet showed that price doesn't automatically mean better protection. You can see the purse that was tested in the video, although I don’t show the wallets. The metal wallet that was tested did really well, except that it is going to be really hard to find in a store. I purchased that wallet from the EFF booth at Black Hat a few years ago, and the old DIFRwear website has been offline as of 2015.
If you are just looking to protect yourself from someone getting at your hotel access card, credit card, or passport, you’re in luck. Nearly all of the products block in those ranges. If you are looking to protect your company’s building access card, well, it’s probably best to stick with the sleeves or a metal wallet. If you are looking for a little fashion, the Pacsafe Anti-Theft Travel Handbag has other features like wire reinforcement to prevent someone from cutting open your bag in a crowd and quickly reaching inside, but you will still need the Pacsafe sleeves for your building access card.
If you are a hardcore tin foil hat kind of person, hit up Chipotle for a free foil wrapper and elegantly wrap your credit cards in that. The nominal yield from one wrapper is four “pouches” for cards (two for passports), and trust me—you’ll be the talk of the party.
Will You Be A Target?
So is this a legitimate threat? Of course it is possible and there is a non-zero chance it could occur to you. Statistically, though, you will probably be in a car crash, mugged at knifepoint, or struck by lightning before you are scanned. Unless you are a government employee who works at an embassy overseas or a full-time spy, you are paying for peace of mind more than actual protection.
If it's peace of mind you are after, check out my low-tech recommendations for protecting yourself.
How easy is it to scan one of these tags? As stated, an attacker would have to have a reader somewhere between one centimeter and a meter away, depending on the amount of power the reader has, to actually do anything. So the attacker has to get fairly close to you. The attacker has to be able to get around any encryption that may be in place as well, so even if they get close they have to be able to properly interrogate the tag to get through this added layer of security. AND they will sometimes only be able to get one shot at it.
I deem myself as a person at ever-so-slightly higher risk than an average person. My previous employer was a government contractor, I am an infosec person who might have access to some security “stuff”, and most importantly I work in the research department of a security company that specifically deals with authentication. It is within reason for me to take extra precautions simply because it is inexpensive to do so. And like some of you, sure I am just buying something for a little peace of mind more than anything. But in my defense, I’ve actually had my hotel room broken into with my tech targeted during a stay in Las Vegas while attending a rather popular security conference. So totally worth the extra effort just for the added peace of mind.
You may decide as a naturally paranoid person to go ahead and purchase some tech that protects tagged items you own, and that’s fine. Just realize the odds of someone physically stealing your passport, credit cards, or hotel key card are much higher.
Photo by Oliur from Unsplash