My wallet is full of plastic cards: access cards, credit cards, loyalty cards, an ID card, health insurance, stored value tickets and more. I like to have things done easily, without filling in forms and without carrying a lot of cash "just in case". Getting things done by just presenting one of these neat "smart" cards looks like a great solution.
Owning a Nokia N9 smartphone with built-in NFC capability for a couple of months has triggered my interest in NFC and RFID. There has recently also been a lot of talk about mobile payment, which increased my interest. What standards are there? Would it be possible to transfer a part of my plastic load onto the phone and wave the phone instead of the single cards?
I will try to summarize and give an overview of RFID (Radio-Frequency Identification) and NFC (Near Field Communication).
RFID vs. NFC
In short, RFID is the technology below NFC. The NFC Forum was founded by Nokia, Philips and Sony to standardize and promote RFID applications on smartphones. It now has about 150 members. NFC standards describe the communication protocols (basically re-using existing RFID specifications) and data formats. E.g. a smartphone user could touch a smartposter with an embedded NFC tag, read the tag using one of the standard RFID specs, and interpret the NFC standardized data record. This can be a URI, which opens the phone's browser and directs the user to a specific web page with more information.
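To make the "NFC standardized data record" concrete, here is an added example (not part of the original post) that parses a single short NDEF record carrying a URI and checks the scheme before anything would be opened. The function names, the allow-list and the two sample tag contents are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Subset of the NFC Forum URI prefix codes (first payload byte of a "U" record).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
ALLOWED_SCHEMES = {"http", "https"}  # assumption: schemes a reader app auto-opens

def parse_short_record(data: bytes) -> tuple[int, bytes, bytes]:
    """Return (TNF, type, payload) of the first record; short records only."""
    if len(data) < 3:
        raise ValueError("truncated NDEF header")
    flags, type_len, payload_len = data[0], data[1], data[2]
    if not flags & 0x10:  # SR flag: payload length is a single byte
        raise ValueError("only short records are handled in this example")
    pos, id_len = 3, 0
    if flags & 0x08:      # IL flag: an ID length byte follows
        if len(data) < 4:
            raise ValueError("truncated NDEF header")
        pos, id_len = 4, data[3]
    end = pos + type_len + id_len + payload_len
    if end > len(data):   # never trust length fields read from a tag
        raise ValueError("record lengths exceed the tag data")
    rec_type = data[pos:pos + type_len]
    return flags & 0x07, rec_type, data[pos + type_len + id_len:end]

def decode_uri(data: bytes) -> str:
    """Decode a well-known URI record into the full URI string."""
    tnf, rec_type, payload = parse_short_record(data)
    if tnf != 0x01 or rec_type != b"U" or not payload:
        raise ValueError("not a well-known URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("prefix code outside this example's table")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def safe_to_open(uri: str) -> bool:
    """True only for web URIs with a host; everything else needs a user prompt."""
    parts = urlsplit(uri)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

# Constructed tag contents: header 0xD1 = MB|ME|SR, TNF 1; type "U"; prefix + rest.
POSTER = bytes([0xD1, 0x01, 0x0C, 0x55, 0x01]) + b"example.com"
DIALER = bytes([0xD1, 0x01, 0x0A, 0x55, 0x05]) + b"+15550100"

if __name__ == "__main__":
    for tag in (POSTER, DIALER):
        uri = decode_uri(tag)
        print(uri, "auto-open" if safe_to_open(uri) else "ask user first")
```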
As a "radio man", operating an amateur radio station for some time, I was firstly interested in frequency bands and the lower layers.
LF (Low Frequency) Band
120-150 kHz. This has been used for first deployments, access cards and animal IDs. Not widely used for new deployments anymore. Range about 10cm.
HF (High Frequency) Band
13.56 MHz. Most proximity card applications deployed today use this band. Proximity in this context means the user has to intentionally bring the card or tag close to the reader, usually no further than a couple of centimeters. One widespread standard in this band is considered a vicinity standard, allowing a maximum reading distance of 1-1.5m. In practice this distance depends on reader and card and is often less.
There are a couple of different modulations and protocol standards in use. I will focus on this band in this article.
UHF (Ultra High Frequency)
868-870 MHz (Europe) and 902-928 MHz (North America). This is used for vicinity applications, i.e. reading is not limited to objects placed very close to the reader. The main use is article tracking in warehouses and shops, using EPCs (Electronic Product Codes). A reader can read every single EPC RFID tag on a pallet full of EPC tagged articles without getting close to each single item. This would allow a speedy check-out at the supermarket cashier, without unloading the shopping carts.
Other bands are in use for military applications, toll gates and other applications. Partly active tags are used here. Possible bands are, but not limited to: 433 MHz, 2.4 GHz, 5.8 GHz, 3.1 GHz, 10 GHz.
RFID readers generate a magnetic field which is inductively coupled to the passive RFID tag. The RFID tag can draw its own power supply from this field, i.e. it works basically like a transformer. The reader can modulate this RFID field, which will be read by the tag. The tag in turn does not transmit on its own, but modulates the reader's field by changing the load. The communication is half-duplex, i.e. only one side sends data at a time.
There are 4 main standards used on this band:
ISO 14443 A and B (counted as two standards as readers and cards often support only one variant)
The differences between A and B are the modulation, coding scheme and initialization procedure, which are described in part 2 and 3 of this ISO specification. The transmission protocol specified in part 4 is identical for both.
The reason for having two variants of 14443 is that two implementations had to be merged into this ISO standard: The A version originated from NXP/Philips, while the B version came from Infineon.
It seems that 14443A applications have the bigger market share. The Mifare RFID tags and cards from NXP naturally use the A version and have a big market share. Mifare tags are used as stored value tickets as well as access cards. The ePassport as specified by the ICAO must be compatible with 14443 and, depending on the chip manufacturer, uses A or B.
ISO 18092 (FeliCa)
This RFID variant was designed by Sony and proposed as a third version (C) for ISO 14443. It did not make it into 14443 and was later standardized as ISO 18092. The main applications seem to be electronic purse applications in Japan and ticket systems in some other countries.
ISO 15693
This is the vicinity standard among the 13.56 MHz standards. This specification allows card reads at up to 1.5 meter distance.
Contrary to payment and ticket systems, where it is desired that the card is intentionally placed at a defined location to show consent to a specific transaction, this vicinity standard is suitable for access systems in which waving the card approximately in the reader's direction, or even keeping it in the pocket, is more convenient or desired.
The widespread iClass access cards from HID use this standard.
All the above mentioned applications require authentication / authorization of the reader. This can happen on various levels. Usually cards are divided into several application areas or segments / blocks. Each area requires a different key. There can be separate keys for just read access, read/write access or to increment or decrement an integer value like the monetary value. Early implementations like the Mifare Classic card have already been hacked and can be read / copied. iClass access systems often use the same master key in various deployments. In spite of those weaknesses, many of those vulnerable RFID systems are still in use.
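As an added illustration of the per-area keys and permissions described above (not part of the original post), the following decodes the access bits in a Mifare Classic sector trailer and reports which key may read, write, increment or decrement each data block. The bit layout and permission table follow NXP's public MF1S50 datasheet; the function names, the `audit` rule and the two sample trailers are constructed assumptions.

```python
# (C1, C2, C3) -> key allowed to read / write / increment / decrement a data block
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),    # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),        # value (purse) block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}
OPS = ("read", "write", "increment", "decrement")

def decode_access_bits(trailer: bytes) -> list[tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0..3 of a sector; raise if the copies disagree."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Each nibble is stored twice, once inverted; a mismatch means a corrupt trailer.
    if (c1 ^ inv_c1, c2 ^ inv_c2, c3 ^ inv_c3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]

def data_block_permissions(trailer: bytes) -> dict[int, dict[str, str]]:
    """Map data block number (0..2) -> {operation: key that authorises it}."""
    bits = decode_access_bits(trailer)
    return {n: dict(zip(OPS, DATA_BLOCK_RULES[bits[n]])) for n in range(3)}

def audit(trailer: bytes) -> list[str]:
    """Flag data blocks that key A may write, i.e. no read/write key separation."""
    return [f"block {n}: key A may write"
            for n, p in data_block_permissions(trailer).items() if "A" in p["write"]]

KEY = bytes(6)  # constructed placeholder key bytes
TRANSPORT = KEY + bytes.fromhex("ff0780") + b"\x69" + KEY  # factory-style access bits
PURSE = KEY + bytes.fromhex("6e1789") + b"\x00" + KEY      # block 0 set up as value block

if __name__ == "__main__":
    for name, t in (("transport", TRANSPORT), ("purse", PURSE)):
        print(name, data_block_permissions(t)[0], audit(t))
```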
Another threat is the relay attack, in which a man-in-the-middle provides a long distance communication path between the RFID tag and the reader, emulating a reader at the victim's location and a card at the targeted reader. With this construction no keys need to be hacked, only the low level communication needs to be implemented. It is enough to be close to the card owner and have an RFID antenna close to his card, e.g. in a crowded subway. On the remote end an assistant can operate as if the real card were present, e.g. get access somewhere or do financial transactions. The feasibility of this attack has been proven already.
There is also a concern about location privacy. Without accessing secured tag data, the easily readable tag ID could be used to track the location of a person. Although this attack is difficult to carry out given the frequent proximity to the targeted person that it needs, especially for most 13.56 MHz standards, the risk is potentially there. As UHF EAN labels are emerging, e.g. for clothing, there is a real risk here. UHF EAN labels can be tracked from a distance and would allow building movement profiles of persons wearing clothes with such labels, mostly without their knowledge.
The goal of the NFC Forum is to promote the usage of RFID applications on smartphones. To allow easy migration of existing applications and to allow smartphones to communicate with a wide range of tags and readers (in passive or card emulation mode), NFC compliant phones must support ISO 14443 A and B, as well as ISO 18092, as the RFID base for smartphone NFC applications. I found one source stating that 15693 was considered for NFC as well, but I could not get confirmation for this.
The N9 comes with a PN544 NFC controller from NXP. It supports all of the above mentioned 13.56 MHz RFID standards, including the 14443A Mifare variant. In "Card Operation Mode", the PN544 can appear like a passive tag / card to a reader and send data using load modulation. This seems to be NOT supported for ISO 15693.
NFC smartposters can already be read and the browser opens with the URI read on NFC compatible tags.
RFID and smartphones seem to have an interesting common future. I will follow the development and do some experiments using the N9's RFID capabilities, if my time allows.
Anyway, what I was looking for, to use the N9 as access card replacement, is not possible, as the card emulation mode for 15693 is not supported by the PN544. :D
It seems really odd / stupid that, /dev/pn544 is definitely there - very likely is the NXP PN544 NFC controller, yet either they (Nokia) mis-configured it somehow to prevent it from reading those tags, or.. some other reason.
I don't see any logs or messages coming from their nfc daemon/server when those 'Vicinity tags' are tapped on the N9...
sucks big time..