Physical-layer Identification of UHF RFID Tags
Physical-layer Identification of UHF RFID Tags Problem Statement
0.4 Acquisition setup challenge (EPC commands)
• Tags are challenged by our acquisition setup • We explore the unique identification of passive UHF RFID tags.
0.3
• We mainly consider same model, same manufacturer tags.
Voltage [V]
to initiate an inventory round (to obtain their ID).
• Identification is based on physical-layer device identification techniques, i.e., by considering physical characteristics, or features, of RF signals.
Tag response RN16 (backscatter data)
0.2
0.1
• Tag responses are then collected and digital0
ized at the baseband for feature extraction and fingerprint matching. RF Signals
0
Uniquly identification of passive UHF RFID tags
Processing of RF signal characteristics
RFID Reader
Select
-0.1
Query 0.5
Nak
1 Time [ms]
1.5
2
Feature Extraction and Fingerprint Matching Time domain features
Spectral features 0.25
Results - Highlights
RN16 Preamble and Reference Clock
80 A
Amplitude (V)
Amplitude [mV]
Population: 70 tags (3 manufacturers, 3 models)
60 40 TIE
20 B
Time domain features
Spectral features
• 50 tags, same model, same manufacturer. • Distances from up to 6m. • Different tag orientations and communi-
• 50 tags, same model, same manufacturer.
0.2 0.15 0.1 0.05
0 0.5
1
1.5
2
2.5 3 Time [µs]
3.5
4
0
4.5
80
0
100
200
300 400 500 600 Time (microseconds) Single−sided power spectrum
700
800
60
Time Interval Error
• Controlled environment. • Identification: EER=0.0%.
cation powers.
40 20
• Classification: Accuracy=99.6%.
• Classification: Accuracy=71.4%.
Power
Time [ns]
60
0
Implications: Tracking & Cloning Detection
1
2
3
4 Clock cycle
5
40
20
0
6
5
10
15
20 25 30 Frequency bins
35
40
45
• Time domain features are based on the first derivate ∂T IE of the Time Interval Error (TIE), which measures how far each active edge of a signal, i.e., of a tag response, varies from its ideal position.
• Our work is the first that shows that tracking of passive UHF RFID tags is possible with high accuracy from their operating distance (i.e., within 6 meters).
→ Tracking is possible despite most privacy-preserving countermeasures on upper communication layers.
• Spectral features are based on the Fast Fourier Transform (FFT) and consider the spectrum of each cycle in a tag response.
• In time domain, we consider two additional features: the average baseband power P¯B for all cycles in a tag response and the combination of ∂T IE and P¯B . • For time domain features, fingerprints include one of ∂T IE , P¯B or (∂T IE , P¯B ). Two fingerprints are matched with Euclidean distance. For spectral features, Principal Component Analysis (PCA) is used to extract fingerprints and Mahalanobis distance to match fingerprints.
• Our work shows that, in controlled environments, it is possible to
Detailed Performance Results
achieve highly-accurate classification and identification.
• Identification accuracy of 50 tags, same model, same manufacturer. 1.6
Equal Error Rate (%)
Physical-layer Device Identification
0.7
1.4
6 EER(%)
the detection of product cloning in RFID-enabled supply chain.
0.6
1.2
Equal Error Rate (%)
→ This result motivates the use of physical-layer identification for
1 0.8 0.6 0.4
0.5
N=1 N=5
5.5
Feature
5 4.5
Classification Rate (%)
0.2
∂T IE P¯B (∂T IE , P¯B )
0.1
Spectral
0.4
1 Subspace Dimension 1
0.3
71.4 43.2 98.7 99.6
(69.7; (38.6; (98.0; (99.3;
73.0) 47.7) 99.4) 99.9)
0.2 0
0
1
3
5 7 Number of signals (N)
10
5
10
15
20 30 40 Subspace Dimension
50
• Identification accuracy on different models: 30 tags, 3 different models and manufacturers. 7.5 7 6.5
AD833 ALN9540 Dogbone
Classification Rate (%)
vices or their affiliation classes based on characteristics of devices that are observable from their communication at the physical layer.
Feature
5.5 5
2.75
4.5
2.7
P¯B
• Physical-layer device identification systems aim at identifying (or verifying the identity of) de-
P¯B [dBm]
6
4
2.6
3
Acquisition Setup
Transmitter
Waveform Generator Resolution: 12 bits Sampling rate: 600 KS/s
Type: Planar, circular Gain: 8.5 dBic Freq. range: 865-870 MHz
fco: 39 MHz
Freq. range: 5-1200 MHz CL: 4.97 dB
2.5 4
6
Feature Type: Planar, circular Gain: 8.5 dBic Freq. range: 865-870 MHz
Freq. range: 5-1200 MHz CL: 4.97 dB
ADC fco: 20 MHz Oscilloscope Resolution: 8 bits Sampling rate: 1 GS/s
Gain: 16.5 dB NF: 0.4 dB
fc: 866.7 MHz
12
100
99.6 72.6 100 100
14
• Feature stability: 10 tags (same model and manufacturer), 10 different configurations of tag
DAC
Gain: 20 dB NF: 2.5 nV/√Hz
8 10 −7 ∂T I E × 10
Spectral
8.28 8.295 ∂T I E × 10−7
72.4 53 93 96.9
position, orientation, and transmission power. Additionally, the acquired signals are downsampled by a factor of 10.
Gain: 20 dB NF: 3.97 dB
Receiver
∂T IE 72.5 P¯B 99.9 (∂T IE , P¯B ) 99.9
2.65
3.5
AD833 Dogbone ALN9540
∂T IE P¯B (∂T IE , P¯B ) Spectral
0°
Classification Rate (%) Nominal configuration Different configurations Reduced sampling rate (100 MS/s) 99.8 (99.5; 100) 64.6 (56.9; 72.3) 100 (100; 100) 100 (100; 100)
96.4 (95.01; 97.86) 15.92 (14.49; 17.35) 36.24 (26.73; 45.75) 37.6 (18.5; 56.8)
99.88 (99.49; 100) 60.25 (54.28; 66.22) 100 (100; 100) 100 (100; 100)
90° Band: 800-1050 MHz fco: 925 MHz
fco: 20 MHz ADC Gain: 20 dB NF: 2.5 nV/√Hz
Freq. range: 5-1200 MHz CL: 4.97 dB
References ˇ apkun, “Physical-layer Identification of UHF RFID Tags”, In ProceedD. Zanetti, B. Danev and S. C ings of the 16th Annual International Conference on Mobile Computing and Networking (ACM MobiCom), 2010.
ˇ apkun Davide Zanetti, Boris Danev and Srdjan C {zanettid, bdanev, capkuns}@inf.ethz.ch, System Security Group, Department of Computer Science, ETH Zurich, Switzerland
0.4 Acquisition setup challenge (EPC commands)
• Tags are challenged by our acquisition setup • We explore the unique identification of passive UHF RFID tags.
0.3
• We mainly consider same model, same manufacturer tags.
Voltage [V]
to initiate an inventory round (to obtain their ID).
• Identification is based on physical-layer device identification techniques, i.e., by considering physical characteristics, or features, of RF signals.
Tag response RN16 (backscatter data)
0.2
0.1
• Tag responses are then collected and digital0
ized at the baseband for feature extraction and fingerprint matching. RF Signals
0
Uniquly identification of passive UHF RFID tags
Processing of RF signal characteristics
RFID Reader
Select
-0.1
Query 0.5
Nak
1 Time [ms]
1.5
2
Feature Extraction and Fingerprint Matching Time domain features
Spectral features 0.25
Results - Highlights
RN16 Preamble and Reference Clock
80 A
Amplitude (V)
Amplitude [mV]
Population: 70 tags (3 manufacturers, 3 models)
60 40 TIE
20 B
Time domain features
Spectral features
• 50 tags, same model, same manufacturer. • Distances from up to 6m. • Different tag orientations and communi-
• 50 tags, same model, same manufacturer.
0.2 0.15 0.1 0.05
0 0.5
1
1.5
2
2.5 3 Time [µs]
3.5
4
0
4.5
80
0
100
200
300 400 500 600 Time (microseconds) Single−sided power spectrum
700
800
60
Time Interval Error
• Controlled environment. • Identification: EER=0.0%.
cation powers.
40 20
• Classification: Accuracy=99.6%.
• Classification: Accuracy=71.4%.
Power
Time [ns]
60
0
Implications: Tracking & Cloning Detection
1
2
3
4 Clock cycle
5
40
20
0
6
5
10
15
20 25 30 Frequency bins
35
40
45
• Time domain features are based on the first derivate ∂T IE of the Time Interval Error (TIE), which measures how far each active edge of a signal, i.e., of a tag response, varies from its ideal position.
• Our work is the first that shows that tracking of passive UHF RFID tags is possible with high accuracy from their operating distance (i.e., within 6 meters).
→ Tracking is possible despite most privacy-preserving countermeasures on upper communication layers.
• Spectral features are based on the Fast Fourier Transform (FFT) and consider the spectrum of each cycle in a tag response.
• In time domain, we consider two additional features: the average baseband power P¯B for all cycles in a tag response and the combination of ∂T IE and P¯B . • For time domain features, fingerprints include one of ∂T IE , P¯B or (∂T IE , P¯B ). Two fingerprints are matched with Euclidean distance. For spectral features, Principal Component Analysis (PCA) is used to extract fingerprints and Mahalanobis distance to match fingerprints.
• Our work shows that, in controlled environments, it is possible to
Detailed Performance Results
achieve highly-accurate classification and identification.
• Identification accuracy of 50 tags, same model, same manufacturer. 1.6
Equal Error Rate (%)
Physical-layer Device Identification
0.7
1.4
6 EER(%)
the detection of product cloning in RFID-enabled supply chain.
0.6
1.2
Equal Error Rate (%)
→ This result motivates the use of physical-layer identification for
1 0.8 0.6 0.4
0.5
N=1 N=5
5.5
Feature
5 4.5
Classification Rate (%)
0.2
∂T IE P¯B (∂T IE , P¯B )
0.1
Spectral
0.4
1 Subspace Dimension 1
0.3
71.4 43.2 98.7 99.6
(69.7; (38.6; (98.0; (99.3;
73.0) 47.7) 99.4) 99.9)
0.2 0
0
1
3
5 7 Number of signals (N)
10
5
10
15
20 30 40 Subspace Dimension
50
• Identification accuracy on different models: 30 tags, 3 different models and manufacturers. 7.5 7 6.5
AD833 ALN9540 Dogbone
Classification Rate (%)
vices or their affiliation classes based on characteristics of devices that are observable from their communication at the physical layer.
Feature
5.5 5
2.75
4.5
2.7
P¯B
• Physical-layer device identification systems aim at identifying (or verifying the identity of) de-
P¯B [dBm]
6
4
2.6
3
Acquisition Setup
Transmitter
Waveform Generator Resolution: 12 bits Sampling rate: 600 KS/s
Type: Planar, circular Gain: 8.5 dBic Freq. range: 865-870 MHz
fco: 39 MHz
Freq. range: 5-1200 MHz CL: 4.97 dB
2.5 4
6
Feature Type: Planar, circular Gain: 8.5 dBic Freq. range: 865-870 MHz
Freq. range: 5-1200 MHz CL: 4.97 dB
ADC fco: 20 MHz Oscilloscope Resolution: 8 bits Sampling rate: 1 GS/s
Gain: 16.5 dB NF: 0.4 dB
fc: 866.7 MHz
12
100
99.6 72.6 100 100
14
• Feature stability: 10 tags (same model and manufacturer), 10 different configurations of tag
DAC
Gain: 20 dB NF: 2.5 nV/√Hz
8 10 −7 ∂T I E × 10
Spectral
8.28 8.295 ∂T I E × 10−7
72.4 53 93 96.9
position, orientation, and transmission power. Additionally, the acquired signals are downsampled by a factor of 10.
Gain: 20 dB NF: 3.97 dB
Receiver
∂T IE 72.5 P¯B 99.9 (∂T IE , P¯B ) 99.9
2.65
3.5
AD833 Dogbone ALN9540
∂T IE P¯B (∂T IE , P¯B ) Spectral
0°
Classification Rate (%) Nominal configuration Different configurations Reduced sampling rate (100 MS/s) 99.8 (99.5; 100) 64.6 (56.9; 72.3) 100 (100; 100) 100 (100; 100)
96.4 (95.01; 97.86) 15.92 (14.49; 17.35) 36.24 (26.73; 45.75) 37.6 (18.5; 56.8)
99.88 (99.49; 100) 60.25 (54.28; 66.22) 100 (100; 100) 100 (100; 100)
90° Band: 800-1050 MHz fco: 925 MHz
fco: 20 MHz ADC Gain: 20 dB NF: 2.5 nV/√Hz
Freq. range: 5-1200 MHz CL: 4.97 dB
References ˇ apkun, “Physical-layer Identification of UHF RFID Tags”, In ProceedD. Zanetti, B. Danev and S. C ings of the 16th Annual International Conference on Mobile Computing and Networking (ACM MobiCom), 2010.
ˇ apkun Davide Zanetti, Boris Danev and Srdjan C {zanettid, bdanev, capkuns}@inf.ethz.ch, System Security Group, Department of Computer Science, ETH Zurich, Switzerland
