How to develop clairaudience - active eavesdropping in passive RFID systems

The large operation range of passive RFID systems and the ubiquitous deployment of passive tags introduce growing security and privacy threats such as tag skimming/tracking/cloning, in which eavesdropping the communication between the legitimate reader and the victim tag to obtain raw data is a basic tool for the adversary. However, given the fundamentality of eavesdropping, there are limited work investigating its intension/extension for passive RFID systems. In this work, we identify a brand-new attack at physical layer, called Unidirectional Active Eavesdropping, which defeats the customary impression that eavesdropping is a “passive” attack. In this attack, the adversary transmits an un-modulated carrier at a certain frequency, while a valid reader and a tag interacts at another frequency. When a passive tag modulates the amplitude of reader´s signal, it causes fluctuations on the blank carrier as well. By carefully examining the amplitude of the backscattered version of both blank carrier and reader´s carrier, the eavesdropper is able to recognize tag´s responses more confidently. Besides the formalization and the theoretic analysis, we set out to fill the literature´s gap by demonstrating this new attack towards a popular family of passive RFID systems, namely EPCglobal UHF Class-1 Gen-2, using software-defined radio devices and a programmable passive tag. Our empirically results further confirm that the active eavesdropping achieves a significant improvement in the reliability of the intercepted communication.