RFID technology may or may not sound familiar to you, but what’s clear is that it’s present in our daily lives: intercoms, bank cards, public transportation passes, office badges, pet tracking, toll collection, etc.

In this article, we will explore how this technology works, building from the theory toward its practical use.

What is RFID Technology?

RFID (Radio Frequency Identification) technology is a wireless communication method that allows data transfer between a reader and a tag or chip containing information. This technology uses radio waves to automatically identify and track objects, people, or animals carrying these tags.

The RFID system consists primarily of three elements:

  • RFID Tag: Contains a microchip and an antenna. The microchip stores information and the antenna is responsible for receiving and sending signals.
  • RFID Reader: Emits radio waves to activate tags and receives the information they transmit. The reader converts the radio waves reflected by the tag into digital data that can be processed by a computer system.
  • Middleware: Software responsible for processing the information received by the reader, integrating it into database systems and other computer systems. For example, thanks to this type of software, a company can integrate an ERP software with the RFID reader.

RFID middleware architecture (diagram from ResearchGate)

In this article, we will focus primarily on the first two elements: the RFID tag and the RFID reader.

Something to keep in mind throughout is that RFID technology is present in many areas of our daily lives, as we will see as the article progresses.

RFID Tags

Within RFID technology, there are what are called tags. These tags are devices that store information and can be read remotely via radio waves by an RFID reader. Each tag contains two main components:

  • A microchip, which stores the information.

  • An antenna, which enables communication with the RFID reader.

The combination of these components is what allows the reader to access the data stored in the tag wirelessly.

There are different types of tags, with the most common being passive tags. These do not have an internal power source and completely depend on the electromagnetic field of the RFID reader to activate. The internal chip of the tag remains off until the tag is exposed to the electromagnetic field generated by the reader. At that moment, the tag’s antenna begins to absorb energy from the field, which allows the chip to receive power, turn on, and begin communicating with the reader. It’s important to note that the tag’s antenna is tuned to a specific frequency, which means it can only activate when it’s within an appropriate electromagnetic field.

In addition to passive tags, there are active tags and semi-passive tags. Active tags have an internal power source (such as a battery), which allows them to transmit signals continuously or at regular intervals. On the other hand, semi-passive tags have an internal battery that powers the microchip, but depend on the reader’s electromagnetic field to activate data transmission.

Frequency Types

These tags are classified according to the frequency at which they operate and the power method. There are two main types of tags:

  • Low Frequency (LF): operate in a range from 125 kHz to 134 kHz. Despite being insecure, they continue to be used in primitive access control systems such as building intercoms, offices, homes, sports facilities, museums, etc. These tags generally have a short reading range, from a few centimeters up to one meter, and are less sensitive to interference from metals and liquids.
  • High Frequency (HF): operate at 13.56 MHz and have a shorter effective range than low frequency tags. In exchange, they support more complex protocols with authentication and cryptography. These tags are commonly used in contactless bank cards, public transportation payment, and high-security access control systems. They have a medium data storage capacity and faster read/write speeds than low frequency tags, although they can be affected by the presence of metals and liquids.

Low frequency RFID tag (125 kHz)

High frequency RFID tag (13.56 MHz)

Many companies use RFID cards for access to their facilities, which is why it’s truly important to use secure cards and avoid using vulnerable technologies.

Low Frequency Tags - 125 kHz to 134 kHz

As we just mentioned, low frequency (LF) tags operate in the range of 125 kHz to 134 kHz. From this type of tags, we can extract some particular characteristics that make them useful in certain applications, but they also present notable limitations.

  • Long range: low frequency tags have a relatively long range compared to high frequency ones. Some LF readers, such as those for the EM-Marin and HID protocols, can read tags from distances of up to one meter.
  • Primitive protocol: these tags use a basic protocol with a low data transfer rate (around 10 kbps). This means they can only transmit a short identifier (ID), generally a few bytes. Because of the protocol’s simplicity, the tags cannot handle complex data transfers or implement advanced security measures such as cryptography.
  • Low security: the lack of authentication and encryption makes these tags vulnerable. They can be easily copied or read remotely without the owner’s consent, which represents a considerable security risk in applications where the transmitted information needs protection.

As we just mentioned, these tags store a short ID of only a few bytes. The tag’s ID is compared with the IDs stored in the controller’s or intercom’s database; if it matches one of them, access is granted or the corresponding function is activated. This is how many basic access control systems operate. Due to the nature of these tags, they transmit their ID as soon as they receive power.

Within low frequency tags, there are multiple protocols, but below we highlight the most used ones:

  • EM-Marin (EM4100, EM4102): This is one of the most popular protocols in the Commonwealth of Independent States (CIS) region. It’s characterized by its simplicity and stability, transmitting a unique identifier in unencrypted form, which allows for easy implementation. Its reading distance can reach approximately one meter, although this varies depending on the reader and environment conditions. While its simplicity is an advantage in terms of cost, its main disadvantage is vulnerability to cloning and lack of security.
  • HID Prox II: Introduced by HID Global, this low frequency protocol is widely used in Western countries. Its data structure is more complex compared to EM-Marin, which provides a higher level of security, although it’s still less secure than high frequency technologies (such as those based on 13.56 MHz). Both cards and readers compatible with this protocol tend to be more expensive. The reading distance is generally less than EM-Marin due to the authentication and encryption mechanisms involved.
  • Indala: This is an older low frequency protocol, originally developed by Motorola and later acquired by HID Global. Indala used a more complex signal scheme at its time and offered better security than EM-Marin. However, over time it has fallen into disuse due to the adoption of more modern and secure technologies. Today, it’s less common, although it can still be found in some legacy systems.
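As an added example (not code from the original article), the EM4100 frame behind the two passages above: the 64 bits a 125 kHz reader demodulates from an EM-Marin tag, the parity checks it applies, and the allow-list comparison that is the controller’s entire decision. The sample frame and allow-list are constructed.

```python
"""What a 125 kHz reader actually receives from an EM-Marin (EM4100) tag.

Added example, not code from the original article. The frame layout follows the
public EM4100 datasheet: 9 header bits, 10 rows of 4 data bits + 1 even row
parity bit, 4 even column parity bits and a 0 stop bit (64 bits in total),
carrying a fixed 40-bit ID (8-bit version/customer code + 32-bit serial).
"""
from typing import Optional, Set

HEADER = "1" * 9


def em4100_encode(uid: bytes) -> str:
    """Frame a 5-byte ID exactly as the tag repeats it while powered
    (used here to construct sample input)."""
    if len(uid) != 5:
        raise ValueError("EM4100 carries exactly 5 bytes")
    bits = "".join(f"{b:08b}" for b in uid)                   # 40 data bits
    rows = [bits[i:i + 4] for i in range(0, 40, 4)]            # 10 nibbles
    body = "".join(r + str(r.count("1") % 2) for r in rows)   # data + row parity
    cols = "".join(str(sum(int(r[c]) for r in rows) % 2) for c in range(4))
    return HEADER + body + cols + "0"


def em4100_decode(frame: str) -> Optional[bytes]:
    """Return the 5-byte ID, or None when header, parity or stop bit are wrong."""
    if len(frame) != 64 or not frame.startswith(HEADER) or frame[-1] != "0":
        return None
    nibbles = []
    for i in range(9, 59, 5):                                   # 10 rows of 5 bits
        data, parity = frame[i:i + 4], frame[i + 4]
        if data.count("1") % 2 != int(parity):
            return None                                         # row parity error
        nibbles.append(data)
    cols = frame[59:63]
    for c in range(4):
        if sum(int(n[c]) for n in nibbles) % 2 != int(cols[c]):
            return None                                         # column parity error
    return int("".join(nibbles), 2).to_bytes(5, "big")


def controller_decision(frame: str, allowlist: Set[bytes]) -> str:
    """The whole 'security' of an LF access controller: is this static ID on the list?"""
    uid = em4100_decode(frame)
    if uid is None:
        return "unreadable"
    return "granted" if uid in allowlist else "denied"


# Constructed sample: a frame as demodulated from a tag with ID 06 00 12 34 56.
SAMPLE_FRAME = ("111111111" + "00000" + "01100" + "00000" + "00000" + "00011"
                + "00101" + "00110" + "01001" + "01010" + "01100" + "0001" + "0")
# Constructed allow-list, as an intercom controller would store it.
ALLOWLIST = {bytes.fromhex("0600123456"), bytes.fromhex("0600123457")}

if __name__ == "__main__":
    print(em4100_decode(SAMPLE_FRAME).hex())             # 0600123456
    print(controller_decision(SAMPLE_FRAME, ALLOWLIST))  # granted
```

Note that nothing in the frame changes between reads and nothing depends on who is asking: the parity bits protect against transmission errors, not against an attacker, which is the sense in which the text calls these tags insecure.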

Although other low frequency protocols exist, most use similar modulation at the physical layer, such as ASK (Amplitude Shift Keying) modulation at 125 kHz. Despite sharing this characteristic, the different protocols are not necessarily compatible with each other due to differences in data structure and security levels that each one handles.

In general, the industry trend is shifting toward more secure and faster technologies, such as those based on high frequency (HF) and near field communications (NFC), which explains the decline of some low frequency protocols.

High Frequency Tags - 13.56 MHz

Leaving low frequencies aside, let’s now talk about high frequencies. As we already know, these operate at 13.56 MHz and offer several advantages in terms of controlled range, transfer speed, and security:

  • Short Range: High frequency cards are specifically designed to be placed close to the reader, which also helps protect them from unauthorized interactions. Normally, their operating range is less than 10 cm, although in some tests I did with custom-made long-range readers, up to 15 cm can be achieved. This reduced range not only improves security but also minimizes the risk of “sniffing” attacks or interceptions at greater distances. The range can depend on the reader’s power and the size of the card’s antenna.
  • Advanced Protocols: Thanks to data transfer speeds of up to 424 kbps, high frequency cards allow the implementation of complex protocols with full bidirectional data transfer. Examples of these protocols include ISO/IEC 14443, widely used in contactless cards such as MIFARE, and ISO/IEC 15693, common in NFC tags. These protocols enable mutual authentication between the card and reader, which facilitates advanced cryptography and secure data transfer. This level of security allows high frequency cards to be used in applications such as contactless payments and secure access.
  • High Security: High frequency contactless cards offer a level of security comparable to smart cards. Some cards, such as those based on MIFARE DESFire EV2 technology, support robust cryptographic algorithms such as AES and Triple DES, as well as asymmetric cryptography for greater security. These features allow the implementation of advanced authentication schemes, digital signatures, and data encryption, effectively protecting against cloning attacks, man-in-the-middle attacks, and other threats. Additionally, the use of asymmetric cryptography facilitates certificate-based authentication, which further reinforces security in critical applications.

Examples of High Frequency Tag Applications (NFC, MIFARE, and EMV)

High frequency tags have a set of standards and protocols. They’re often called NFC, but this isn’t always correct. Although NFC also operates at 13.56 MHz, it’s only a subcategory of this technology. The set of basic protocols used at the physical and logical level is ISO/IEC 14443, and many high-level protocols are based on this standard.

The most common implementation of ISO/IEC 14443 is ISO 14443-A, which is used in most public transportation systems, office access control, and contactless bank cards. This standard establishes the foundation for short-range communication used in a wide range of applications. A notable example is MIFARE technology, developed by NXP, which is based on ISO 14443-A at the physical level. MIFARE cards are very popular in transportation and access control systems, offering more secure versions like MIFARE DESFire, which implement advanced cryptography.

All high frequency cards based on the ISO 14443-A standard have a unique chip identifier (UID), which functions as the card’s serial number, similar to a network card’s MAC address. This UID is generally between 4 and 7 bytes, although in rare cases it can be up to 10 bytes. The UID is not secret and is easily readable, sometimes even printed on the card itself.

In many access control systems, the UID is used as a simple identifier to authenticate users and grant them access. However, relying only on the UID reduces security to the level of 125 kHz cards, which don’t implement advanced cryptographic measures. Although HF tags have the capability to support cryptography for greater security, many basic implementations still depend solely on the UID, making them vulnerable to cloning and man-in-the-middle attacks.
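An added example (not the article’s code) of the UID mechanics just described: how a reader reassembles a 4-, 7- or 10-byte UID from the anticollision cascade levels defined in ISO/IEC 14443-3, checking each level’s BCC. The sample values are constructed.

```python
"""Rebuilding an ISO/IEC 14443-3 Type A UID from its anticollision cascade levels.

Added example, not code from the original article. Per ISO/IEC 14443-3, each
cascade level answers with 4 bytes plus a BCC (XOR of those 4 bytes). A cascade
tag 0x88 in the first position means "UID continues in the next level", so 4-,
7- and 10-byte UIDs occupy 1, 2 and 3 levels respectively.
"""
from typing import List, Optional

CASCADE_TAG = 0x88


def bcc(block: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes of one cascade level."""
    x = 0
    for b in block:
        x ^= b
    return x


def cascade_levels(uid: bytes) -> List[bytes]:
    """Split a UID into the cascade level frames (4 bytes + BCC) a card answers with."""
    if len(uid) not in (4, 7, 10):
        raise ValueError("ISO 14443-3A UIDs are 4, 7 or 10 bytes long")
    levels, rest = [], uid
    while len(rest) > 4:                         # non-final levels: CT + 3 UID bytes
        block = bytes([CASCADE_TAG]) + rest[:3]
        levels.append(block + bytes([bcc(block)]))
        rest = rest[3:]
    levels.append(rest + bytes([bcc(rest)]))     # final level: 4 UID bytes
    return levels


def assemble_uid(levels: List[bytes]) -> Optional[bytes]:
    """Reassemble the full UID from 1-3 cascade level frames.

    Returns None on a BCC mismatch (corrupted frame) or an inconsistent cascade
    structure, so a reader never acts on a half-received identifier.
    """
    if not 1 <= len(levels) <= 3:
        return None
    uid = bytearray()
    for i, lvl in enumerate(levels):
        if len(lvl) != 5 or bcc(lvl[:4]) != lvl[4]:
            return None                          # BCC mismatch
        final = i == len(levels) - 1
        if final and lvl[0] != CASCADE_TAG:
            uid += lvl[:4]
        elif not final and lvl[0] == CASCADE_TAG:
            uid += lvl[1:4]
        else:
            return None                          # cascade tag where none belongs, or missing
    return bytes(uid)


# Constructed sample: anticollision answer of a card with the 4-byte UID DE AD BE EF.
SAMPLE_LEVELS = [bytes.fromhex("deadbeef22")]

if __name__ == "__main__":
    print(assemble_uid(SAMPLE_LEVELS).hex())                       # deadbeef
    for lvl in cascade_levels(bytes.fromhex("04a1b2c3d4e5f6")):   # 7-byte UID: 2 levels
        print(lvl.hex())
```

Everything here is exchanged in the clear before any authentication step, which is why a controller that stops at this point offers no more than the static ID check of a 125 kHz system.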

Now that we know about this standard’s existence, let’s look at some popular protocols that use it.

NFC (Near Field Communication)

NFC (Near Field Communication) technology is based on the ISO 14443-A and 14443-B standards, but offers more advanced and faster bidirectional communication capability between devices. Unlike traditional cards that have a fixed UID, NFC allows devices like mobile phones to interact more dynamically with readers.

An example of this is the use of virtual cards, such as Apple Pay or Google Pay, which use a dynamic UID. This means the identifier changes with each transaction, which increases security, as it prevents the same UID from being reused to perform other transactions or unauthorized actions, such as opening access doors. This flexibility is key to improving protection against attacks such as cloning or identity spoofing.

In the following image, we can see the NFC architecture, which shows how specific NFC features (such as NDEF) and various virtual card products rely on ISO 14443 standards at the low level:

NFC architecture based on ISO 14443 standards

Mifare Ultralight

Within smart cards, MIFARE, developed by NXP, is one of the most popular technologies for high frequency systems, with several versions available for different applications. One of the simplest cards in this family is the MIFARE Ultralight.

In its basic version, the MIFARE Ultralight offers only 64 bytes of embedded flash memory and has no cryptographic protection, making it more affordable but also less secure compared to other more advanced MIFARE cards, such as MIFARE DESFire. Due to its simplicity, these cards are primarily used in applications where security is not an absolute priority, such as temporary access passes, public transportation tickets, or basic access control systems.

An example of its large-scale use is Moscow’s public transportation system, where electronic tickets are based on MIFARE Ultralight technology.

EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay)

The EMV (Europay, Mastercard, and Visa) standard is the internationally established protocol for bank cards, defining a robust framework for smart cards used in contactless payments and chip transactions. EMV ensures that bank cards are much more than simple data storage devices, offering complex exchange protocols and asymmetric encryption to guarantee transaction security.

Bank cards under this standard, such as PayPass (Mastercard), payWave (Visa), as well as digital payment platforms like Apple Pay and Google Pay, allow much more than simply reading a UID. Through a compatible reader, it’s possible to access additional information such as the complete card number (16-digit PAN), the expiration date, and in certain cases, even the cardholder’s name and a recent transaction history. However, this data varies depending on the specific implementation of the EMV standard on each card and the issuer’s security policies.

It’s important to note that, although much information can be read, the CVV code (the 3 digits printed on the back of the card) is not accessible through this type of reading, as it’s not stored on the card’s chip nor transmitted during contactless transactions.

Additionally, platforms like Apple Pay and Google Pay implement an additional security layer by using dynamic tokens and a changing UID, which prevents the real card’s sensitive data from being directly exposed during transactions. This makes these platforms even more secure against fraud or cloning attempts.

How to Identify Tag Frequency

On the outside, tags can be very different: thick or thin cards, key fobs, bracelets, coins, rings, or even stickers. Judging by appearance, it’s almost impossible to distinguish the frequency or protocol with which the tag operates.

Different types of RFID tags: cards, key fobs, bracelets, and rings

Often, manufacturers use similar plastic housings for tags that operate at different frequencies. Two tags that look identical can be completely different inside. This is worth keeping in mind when trying to determine the type of tag you have.

The simplest way to identify a tag’s type (frequency) is to look at its antenna. Low frequency tags (125 kHz - 134 kHz) have an antenna made of very fine wire, literally thinner than a hair, but with a large number of turns, so it appears as a solid piece of metal. High frequency tags (13.56 MHz), on the other hand, have a significantly smaller number of thicker turns, with visible spaces between them.

Antenna comparison between high and low frequency tags

You can hold an RFID tag up to a light to see the antenna inside. If the antenna has only a few large turns, it’s most likely a high frequency antenna. If the antenna looks like a solid piece of metal with no spaces between the turns, it’s a low frequency antenna.

Internal view of illuminated RFID tags showing their antennas

Low frequency tags are typically used in systems that don’t require high security:

  • Building access
  • Intercom keys
  • Gym membership cards
  • etc.

For example, due to their longer range, they’re convenient for paid parking because the driver doesn’t need to bring the card close to the reader, as it activates from further away. At the same time, low frequency tags are very primitive and, as we mentioned previously, have a low data transfer rate. Therefore, it’s impossible to implement complex bidirectional data transfer, which would be necessary for advanced functions such as maintaining a balance on payment cards or implementing security methods like cryptography. Low frequency tags can only transmit a brief identifier without any authentication, which means they cannot verify the user’s identity or protect the transmitted information against unauthorized access.

High frequency tags are used for complex interactions between the reader and tag, such as cryptography, bidirectional transfers of large volumes of data, and authentication. These tags are common in bank cards, public transportation systems, and other secure passes.

Comparative table between low and high frequency RFID tags

With all this covered, let’s move on to see each type of tag in more detail.

Factors Affecting Tag Range

Throughout the article, we’ve mentioned the topic of each frequency’s range, that one has greater range than the other. Next, we’ll look at the reasons why this occurs and how various factors interact to influence the range and functionality of RFID tags in different applications.

Frequency and Wavelength

Lower frequencies like 125 kHz (LF) have longer wavelengths. On the other hand, higher frequencies (HF) have shorter wavelengths, which can be seen in the following image:

Wavelength comparison between low and high frequency RFID

Longer wavelengths (low frequency) allow signals to penetrate better through certain materials such as water, the human body, and non-metallic objects like wood. This means they’re less affected by environmental interference, making them more suitable for environments with many obstacles.

On the other hand, shorter wavelengths (high frequency) have less penetration capacity and are more susceptible to environmental interference such as metal or water, which limits the reading range.

Communication Mode

Both high and low frequencies typically use electromagnetic induction, where communication is based on the tag’s proximity to the magnetic field generated by the RFID reader. At low frequencies, this normally translates to a short range (a few centimeters in most cases). However, specific RFID readers that have higher power can generate more intense magnetic fields, thus allowing readings at greater distances (up to one meter).

A reader with higher output power can partially compensate for the lower efficiency of high frequency tags in environments with interference, increasing their effective range. However, this could also increase the risk of accidental reading of other tags in the area.

For example, in parking access control systems, low frequency readers with high output power are used. These readers allow tags in vehicles to be read at greater distances, facilitating access without the driver having to physically bring the card close to the reader.

On the other hand, with high frequencies, due to the higher frequency (shorter wavelengths), the generated electromagnetic field decays more rapidly with distance. Therefore, the reading range is typically shorter.

Reader Power and Antenna Sensitivity

As we’ve mentioned, everything depends on the field generated by the RFID reader itself. Low frequency readers can be designed to have higher output power and use larger antennas, allowing them to achieve a wider range.

The antenna’s sensitivity in the reader also plays a crucial role. A more sensitive antenna can detect weak signals from tags affected by interference, improving the success rate in data reading.

On the opposite side, we can find high frequency readers that are generally designed for short-distance use, especially in applications where limiting the reading range is sought for security reasons, such as access and contactless payment cards.

So, to mention an example, in systems like parking where the device doesn’t need to be close to the reader to be read, low frequency readers designed to cover a wider area and detect tags from a greater distance are used. On the other hand, high frequency readers are intentionally designed to have a short reading range to avoid unauthorized interactions or accidental reading of tags at unwanted distances.

Enumeration Phase

After having seen everything regarding RFID tags and readers, let’s put ourselves in a real scenario: an audit of this type of card. Several phases can be distinguished when conducting an audit, one of which is the asset reconnaissance phase. In our case, the scenario we’re going to present is an RFID access control system for which no useful information is available, that is, we don’t know whether it’s a high frequency or low frequency scenario.

Faced with this situation of not knowing anything, the first thing an attacker would do is check what type of access control they’re facing, that is, whether it works with high frequency or low frequency protocols. For this, there’s specific hardware that allows us to identify it. In our case, we’ll use two different but equally valid options:

  • Proxgrind RFID Field Detector: detects and displays the presence of low frequency (125 kHz) and high frequency (13.56 MHz) fields.

Proxgrind RFID Field Detector device for identifying frequencies


  • Dangerous Things RFID Diagnostic Card: determines the frequency and duty cycle of any passive LF/HF reader. The difference from the previous one is that it determines the duty cycle (the frequency with which the field turns on) and checks the field strength through LED intensity.

Dangerous Things RFID diagnostic card

Low Frequency Enumeration

In this first case, to check what type of access control system we’re facing, we’ll use the Proxgrind RFID Field Detector. If we bring this device close to the access control reader:

Proxgrind detector showing red light indicating low frequency

We can see that a red light turns on at the bottom, which indicates that we’re facing a low frequency access control.

High Frequency Enumeration

Now let’s see an example of high frequency. In this case, there’s no need to have an access control system: we can simply use a mobile phone with the NFC option activated. Remember that the mobile is used to pay with our bank cards, and these cards use high frequency technology.

Diagnostic card detecting high frequency

High frequency detection with NFC mobile phone

In this case, both previously explained detectors have been used so that you can see how both detect that we’re facing a high frequency control system.

Conclusion

Throughout this article, we’ve seen RFID technology in detail, from its definition to the different types of frequencies and the most common applications. Now you have an overview of how RFID tags work, the different low and high frequency protocols, and the factors that influence their performance. However, if you still don’t feel completely comfortable with these concepts, don’t worry. This is just the first step to understanding RFID technology in depth.

In upcoming articles, we’ll address more advanced topics, such as creating an RFID lab, real case examples, and attack techniques at low and high frequencies. This way, you can continue learning progressively until you completely master this technology, simply by following the publications on this blog. See you very soon!
