SIST-TP CEN/TR 16671:2014

SLOVENSKI STANDARD
01-september-2014
Informacijska tehnologija - Dovoljenje za uporabo mobilnih telefonov kot RFID-
bralnikov
Information technology - Authorisation of mobile phones when used as RFID
interrogators
Informationstechnik - Autorisierung von Mobilfunkgeräten als RFID-Lesegeräte
Technologie de l’information - Autorisation des téléphones mobiles utilisés comme
interrogateurs RFID
Ta slovenski standard je istoveten z: CEN/TR 16671:2014
ICS:
33.070.01 Mobilni servisi na splošno Mobile services in general
35.040.50 Tehnike za samodejno Automatic identification and
razpoznavanje in zajem data capture techniques
podatkov
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT
CEN/TR 16671
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60; 33.070.01
English Version
Information technology - Authorization of mobile phones when
used as RFID interrogators
Technologies de l'information - Autorisation des téléphones Informationstechnik - Autorisierung von Mobilfunkgeräten
mobiles utilisés comme lecteurs RFID als RFID-Lesegeräte

This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16671:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .4
Introduction .5
1 Scope .6
2 Normative references .6
3 Terms and definitions .6
4 Symbols and abbreviations .7
5 Executive summary and conclusions.8
6 Extending NFC phones capabilities to read RFID tags .8
6.1 Read range impacts due to inclusion of ISO/IEC 15693 .8
6.1.1 Short introduction to NFC .8
6.1.2 NFC Forum and NFC Forum tag types .9
6.1.3 Inclusion of support for ISO/IEC 15693 .9
6.1.4 NFC Forum directive on ISO/IEC 15693 capability extension . 10
6.1.5 Analysis of ISO/IEC 15693 tag type extension . 10
6.2 Extending NFC read range capabilities . 11
6.2.1 General . 11
6.2.2 Theoretical analysis of read range extension for NFC phones . 11
6.2.3 Extending existing hardware . 14
6.2.4 Extending with the use of a booster . 15
6.2.5 Conclusion . 16
6.3 Security features in the NFC phones . 16
7 Mobile phones enhanced with UHF RFID readers . 17
7.1 Introduction . 17
7.2 Internet research . 17
7.3 Republic of Korea . 18
7.4 Conclusion . 18
8 Development of multi-protocol readers. 19
8.1 HF multi-protocol readers . 19
8.2 UHF multi-protocol readers . 19
8.3 Combined HF and UHF multi-protocol readers . 19
9 Mobile phones as access portal for Internet of Things . 20
9.1 Application of NFC phones in homecare industry . 20
9.1.1 General . 20
9.1.2 Concept in a nutshell . 20
9.1.3 Dutch home care in practice . 21
9.2 Application of NFC phones in library automation applications . 22
9.3 Application of NFC phones in museums and shows applications . 22
Annex A (informative) ISO/IEC 14443 Eavesdropping and Activation Distance . 23
A.1 Introduction . 23
A.1.1 General . 23
A.1.2 Abbreviations and symbols . 23
A.2 Signal and Noise Power . 24
A.2.1 Bit Error Rate . 24
A.2.2 Signal Power and Density. 25
A.2.3 Magnetic field strength . 26
A.2.4 Noise Power and Density. 26
A.3 Eavesdropping distance . 28
A.3.1 General . 28
A.3.2 Near Field Distance . 28
A.3.3 Far Field Distance . 31
A.4 Activation distance . 33
A.4.1 General . 33
A.4.2 Power Transfer . 33
A.4.3 Data Transmission . 35
A.5 Interpretation of existing measurement results . 38
A.6 Conclusion . 40
A.6.1 General . 40
A.6.2 Real application impacts . 40
Bibliography . 42

Foreword
This document (CEN/TR 16671:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3 Mode 1
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardisation work programme identified in the first phase.
This Technical Report explores developments in the use of mobile phones as RFID interrogators. The
integration of Near Field Communication (NFC) in mobile phones, many years ago, has enabled mobile
phones for use as RFID interrogators. NFC is generally considered to be a close-coupled mechanism with a
defined operating distance of maximum 10 cm. Recently the NFC Forum, amongst other things formed to
advance the use of NFC technology by developing specifications, has started developments to extend the
support for NFC tag types in the phones to also support tags that are compliant to ISO/IEC 15693 and
ISO/IEC 18000-3 Mode 1.
Another recent development is the integration of Ultra High Frequency (UHF) reader chips into mobile phones.
That allows using mobile phones as interrogators to read UHF tags, for example UHF tags that are compliant
with ISO/IEC 18000-63 or the equivalent GS1 UHF EPC Gen2 standard. It is also realistic to expect that in the
future mobile phones might appear that have combined support for both NFC and UHF technology.
These new additions have the potential to increase the read range and might enable NFC and UHF mobile
phones to capture data without consent from RFID tags and ID badges compliant with these well-established
standards.
By nature mobile phones are connected to the GSM network that provides an access portal to the Internet of
Things (IoT). In addition modern mobile phones become equipped with strong processors that have the
potential to manipulate data. The ability to use the mobile phone as RFID Interrogators to surreptitiously read
data, the increased computing power and the access portal to the IoT can potentially ruin the efficacy of an
RFID application.
This Technical Report describes emerging developments in the functionality of mobile phones and analyses
the risks that these developments could have on the privacy and security aspects.
1 Scope
The scope of this Technical Report is to explore developments in the use of mobile phones as RFID
interrogators. It uses as a datum the communication protocols developed for near field communication, which
have a defined level of security. This Technical Report will explore known developments in the use of mobile
phones as RFID interrogators including (but not limited to):
— extending NFC phone capabilities to read RFID tags compliant with ISO/IEC 15693 and ISO/IEC 18000-3
Mode 1;
— using mobile phones as interrogators for UHF tags based on ISO/IEC 18000-6 Type C;
— the development of multi-protocol readers capable of switching between high frequency and UHF.
The objective of the Technical Report is to identify specific characteristics associated with mobile phones
being used as interrogators with tags that are primarily intended for other purposes. It will identify some
potential threats associated with the technology. It will also identify gaps in the standardization process that
might need to be addressed to mitigate against such threats.
To counterbalance any negative implications, the Technical Report also identifies real and potential
applications that could lead to an accelerated take-up of RFID and the Internet of Things through mobile
phones being used as RFID interrogators by individual citizens and organizations.
2 Normative references
Not applicable
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
anti-collision loop
algorithm used to prepare for dialogue between PCD and one or more PICCs out of the total number of PICCs
responding to a request command
3.2
contactless
pertaining to the achievement of signal exchange with and supplying power to the card without the use of
galvanic elements
EXAMPLE The absence of an ohmic path from the external interfacing equipment to the integrated circuit(s)
contained within the card.
3.3
contactless integrated circuit(s) card
card of the card type ID-1 into which integrated circuit(s) have been placed and in which communication to
such integrated circuit(s) is done in a contactless manner
[SOURCE: ISO/IEC 7810]
3.4
integrated circuit
IC
electronic component designed to perform processing and/or memory functions
3.5
NFC forum
near Field Communication Forum that was formed to advance the use of Near Field Communication
technology by developing specifications, ensuring interoperability among devices and services, and educating
the market about NFC technology
3.6
PCD
proximity coupling device
a reader/writer device that uses inductive coupling to provide power to the PICC and also to control the data
exchange with the PICC
3.7
PICC
proximity integrated circuit card
a card type ID-1 into which integrated circuit(s) and coupling means have been placed and in which
communication to such integrated circuit(s) is done by inductive coupling in proximity of a coupling device
3.8
PICC mode
mode in which NFCIP-2 device operates as Type A or Type B Proximity Integrated Circuit Card or Object as
specified in ISO/IEC 14443
3.9
PCD mode
mode in which NFCIP-2 device operates as Proximity Coupling Device as specified in ISO/IEC 14443
3.10
VCD mode
mode in which NFCIP-2 device operates as Vicinity Coupling Device as specified in ISO/IEC 15693
4 Symbols and abbreviations
CMOS Complementary Metal Oxide Semiconductor
HF High Frequency
IoT Internet of Things
kbit/s kbit per second
NOTE  data rate unit
NFC Near Field Communication
OOK On Off keying
PCD Proximity Coupling Device
PICC Proximity Integrated Circuit Card
RFID Radio Frequency IDentification
UHF Ultra High Frequency
5 Executive summary and conclusions
This document reports the potential impact that mobile phones can have when they are used as interrogators
to read tags that are primarily intended for other purposes.
The NFC Forum has started a new work item planning to add ISO/IEC 15693 into their specification, including
a new Type Tag Platform. Therefore in the future NFC phones might get capabilities to read and write
ISO/IEC 15693 compliant RFID tags. The analysis in this report leads to the conclusion that the introduction of
the new capability will increase the number of tags that an NFC phone can read. However, it will not have an
impact on the read range of the existing ISO/IEC 14443 based tags and therefore it will not increase the
capabilities of NFC mobile phones to capture data without consent from RFID tags and ID badges that are
currently in the field.
The capability to read and write to ISO/IEC 15693 compliant tags might cause a threat for applications that
currently use such tags. This point requires special attention for the privacy impact assessment of a new RFID
application where these tags will be applied.
The report also analysed potential capabilities to extend the read range for current NFC tags. The theoretical
analysis showed that it is practically impossible to extend the range of an existing NFC phone. That
conclusion is confirmed by attempts to extend the read range by changing the environment of applying
specific hardware like a special booster.
Extending the phones with UHF capabilities can potentially be a threat for the consumer's privacy. The
evaluation of such phones shows that the availability is currently only for industrial use. There are a few
phones that support the UHF RFID protocols EPCglobal UHF C1G2, ISO/IEC 18000 Type B, ISO/IEC 18000-
6 Type C and the HF protocol ISO/IEC 14443 Type A, but the threat for the consumer privacy appears to be
less than the threat caused by the availability of dedicated UHF handheld readers.
The impact of the development of multi-protocol readers that are capable of switching between HF and UHF
will be similar to the impact of the individual HF or UHF technology. A combination of both technologies will
not add more threats for the consumers' privacy.
6 Extending NFC phones capabilities to read RFID tags
NOTE This clause summarizes the evaluation of developments in using mobile phones as RFID interrogators.
6.1 Read range impacts due to inclusion of ISO/IEC 15693
6.1.1 Short introduction to NFC
NFC is a short-range, wireless connectivity technology that allows consumers to perform safe, contactless
transactions, access digital content, and connect electronic devices with the simplicity of a touch. Consumers
with NFC-enabled mobile phones may, for example, leave their wallets at home and use their phones to
conduct contactless financial transactions, or to gain electronic access to public transportation.
Tags are cards or labels with integrated circuits that store data that can be read by NFC-enabled devices to
support these applications. For example, a cinema goer with an NFC-enabled mobile phone may touch a
movie poster containing an embedded NFC tag to view a preview of the movie on the phone or to purchase a
ticket for watching the movie in a cinema.
NFC signal interfaces and protocols are specified in standards. The fundamentals of NFC are specified in
ISO/IEC 18092 containing a protocol to exchange data between two devices. The communication link is
based on ISO/IEC 14443 Type A and Japanese Industrial Standard (JIS) X 6319-4 (also known as Sony's
FeliCa). The interoperability extensions of NFC are specified in ISO/IEC 21481 and include full ISO/IEC 14443
card (PICC) and Reader/Writer (PCD) support, as well as JIS X 6319-4 card and Reader/Writer support as
well as ISO/IEC 15693 reader support.
Although ISO/IEC 18092, ISO/IEC 14443 and ISO/IEC 15693 all specify 13,56 MHz as their working
frequency, they specify distinct physical layer and distinct communication protocols.
ISO/IEC 21481 also specifies the mechanism to detect and select the communication mode based on the
features of the devices involved in the communication.
Additionally the standards do include a collision avoidance to avoid potential disturbance of any ongoing
communication for devices that are compliant with ISO/IEC 18092, ISO/IEC 14443 or ISO/IEC 15693.
6.1.2 NFC Forum and NFC Forum tag types
The NFC Forum was formed to advance the use of NFC technology by developing specifications, ensuring
interoperability among devices and services, and educating the market about NFC technology. The members
of the NFC Forum all work together to promote the use of NFC technology in consumer electronics, mobile
devices, and PCs.
NFC Forum is promoting interoperability of NFC-enabled devices by setting interoperability standards
including the features to be supported as well as test methods combined in a compliance program allowing
manufactures to certify devices. One part of those efforts focuses on accessing data and information stored
on passive tags. To accomplish that the NFC Forum has standardized so called operation specifications
describing how an NFC Forum Device can read and write relevant data for four globally relevant Type Tag
Platforms. The signal interfaces and protocols used by the four platforms are compliant with ISO/IEC 21481.
The mandate to support access to all four Type Tag Platforms by NFC Forum Devices is the backbone of
interoperability between NFC tag providers and NFC Forum Device manufacturers. It ensures a uniform user
experience. The coding of the information to be stored and the actual data format being used on such Type
Tag Platforms is standardized by the NFC Forum as well. This is specified in the NFC Data Exchange Format
(NDEF) specification and four Record Type Description (RTD) specifications. They are available for download
at www.nfc-forum.org/specs/.
The operation specifications for the NFC Forum tag types, numbered 1-4, provide the technical information
required to implement the reader/writer and associated control functionality of an NFC Forum Device, enabling
interaction with the tags. The four specifications are:
— Type 1 tag is based on ISO/IEC 14443 Type A. Tags are read and re-write capable; users can configure
the tag to become read-only. Memory availability on actual products is typically 96 bytes; communication
speed is 106 kbit/s.
— Type 2 tag is based on ISO/IEC 14443 Type A. Tags are read and re-write capable; users can configure
the tag to become read-only. Memory availability on actual products is in the range from 48 bytes to
2 KByte; communication speed is 106 kbit/s.
— Type 3 tag is based on JIS X 6319-4. Tags are pre-configured at manufacture to be either read and re-
writable, or read-only. Memory availability on actual products is variable, typical ranges are a few hundred
bytes up to a few KBytes; communication speed is 212 kbit/s or 424 kbit/s.
— Type 4 tag is based on ISO/IEC 14443 (Type A and Type B). Tags are pre-configured at manufacture to
be either read and re-writable, or read-only. Memory availability on actual products is variable, up to
32 KBytes per service; communication speed is up to 424 kbit/s.
6.1.3 Inclusion of support for ISO/IEC 15693
Recently the NFC Forum has started a new work item planning to add ISO/IEC 15693 into their specification
including a new Type Tag Platform based on this same technology.
6.1.4 NFC Forum directive on ISO/IEC 15693 capability extension
NFC technology is generally considered to be a close-coupled mechanism with a typical operating volume of a
few centimeters. The maximum operating volume known from ISO/IEC 14443 based systems is up to 10 cm.
As the NFC Forum is now extending the functionality with ISO/IEC 15693 is raises the concern that the read
capability could potentially grow with the support of ISO/IEC 15693 that in typical use provides a longer read
range.
The NFC Forum Board of Directors has issued the following directive on this issue:
— the Board confirms that the ISO 15693 VCD Mode (as proposed in a New Work Item according to their
processes) is within the scope of the NFC Forum;
— the Technical Committee (the organisational part that manages the technical specifications) shall take
into consideration for this and all future activities that a key feature of NFC technology is a “touch based”
user experience, characterised by a limited working distance (usually around 4cm to 10cm), which needs
to be reflected in any specifications where applicable.
6.1.5 Analysis of ISO/IEC 15693 tag type extension
The inclusion of ISO/IEC 15693 and a related new Type Tag Platform will not have an influence on the
performance of the mobile phone to read existing tags. In fact the majority of the modern NFC enabled phone
already use NFC reader ICs that are compliant with ISO/IEC 21481 (NFCIP-2) and for those phones there will
be no difference (in read range) at all.
Some of the NFC enabled phones that are compliant with ISO/IEC 21481 (NFCIP-2) can already read and
write ISO/IEC 15693 tags. Adding support for the new 15693 NFC Forum tag type will increase the
interoperability with NFC Forum devices, but will not have a consequence for the read range for reading
existing tags.
NFC phones can read ISO/IEC 14443 (proximity) tags and ISO/IEC 15693 (vicinity) tags. Loosely speaking an
ISO/IEC 15693 tag is designed to offer larger reading distances and as a consequence in general has less
functionality than an ISO/IEC 14443 tag. The architecture of the ISO/IEC 15693 tags is less complex and
therefore the tag needs less power to operate. The minimum operating field strength of ISO/IEC 15693 is
150 mA/m and the minimum operating field of ISO/IEC 14443 is 1500 mA/m. So the ISO/IEC 15693 tags need
ten times less power than the ISO/IEC 14443 tag and for that reason the ISO/IEC 15693 tags can be read at a
larger distance.
EXAMPLE A test with a Google Nexus S NFC phone shows that an ISO/IEC 14443 card can be read at: 2,5 cm. The
same phone can read an ISO/IEC 15693 card under the same circumstances at 7 cm.
This analysis leads to the conclusion that the introduction of a new ISO/IEC 15693 NFC forum tag type will
increase the number of tags that an NFC phone can read. It will not have an impact on the read range of the
existing ISO/IEC 14443 based tags and therefore it will not increase the capabilities of NFC mobile phones to
capture data without consent from RFID tags and ID badges that are currently in the field.
NOTE The fact that many modern NFC phones can read and write ISO/IEC 15693 tags forms a potential threat for
the privacy and security of existing systems that use ISO/IEC 15693 tags.
The inherent larger reading distance of ISO/IEC 15693 tags should get special attention in a privacy impact
assessment for an RFID system where these tags will be applied.
6.2 Extending NFC read range capabilities
6.2.1 General
NFC phones can read ISO/IEC 14443 (proximity) tags and ISO/IEC 15693 (vicinity) tags. The announcement
that the capability of NFC phones will be extended with NFC Forum tag type support for ISO/IEC 15693 might
cause a perception that the phone can now also read other existing tags at a larger distance. Especially
reading passports, medical or other privacy sensitive cards may be of concern. Due to the required complexity
of the privacy sensitive cards, most of the (if not all) work with proximity technology.
6.2.2 contains a theoretical analysis of the maximum activation range and possibilities to extend the read
range of proximity technology. 6.2.3 describes a possible extension of the read range using existing hardware
and 6.2.4 describes the possibilities by using special booster hardware. 6.2.5 draws a conclusion from the
theoretical analysis and the descriptions in this subclause.
6.2.2 Theoretical analysis of read range extension for NFC phones
This subclause provides a summary of the theoretical analysis for the maximum possible read range for an
NFC phone with a small antenna and a small battery. This analysis based on an application note “ISO/IEC
14443 Eavesdropping and Activation Distance“ from NXP Semiconductors that is attached to this report as
Annex A. This annex provides a theoretical analysis of the eavesdropping and activation distance of ISO/IEC
14443 smartcards based on a signal to noise ratio in their realistic environment.
Annex A uses typical reader antennas with diameters of 20 cm, 50 cm and even 1m. But these antenna sizes
are not realistic for an NFC phone. This subclause applies the theory to an (NFC) antenna in a mobile phone
and calculates what the theoretical maximum activation distance will be for an antenna with a size of 20 mm x
40 mm, The analysis assumes the use of an ordinary card (like the one that is used in Annex A), with a
minimum magnetic field strength of H = 1 A/m.
min
For the antenna in the NFC phone we assume the following parameters:
Coil size: Length a=20 mm and Width b=40 mm (coil size),
Wire diameter: d=0,5mm
Number of turns: N=6,
Quality factor: Q=20,
=0,2A,
Antenna current: I
ant
Such an antenna provides approximately 0,75W power usually yields a maximum reading distance of 5 cm.
 
 
N ⋅I ⋅a⋅b
 
1 1
1 1
H = ⋅ +
 
rect 2 2
2 2
 
 a b 
   
2 2
a b
   
 2
+x +x
   
4⋅π⋅ + +x
     
2 2
     
 
2 2
   
 
Applying the formula
shows the antenna power over the distance as illustrated below in Figure 1 .
Figure 1 — Antenna power over distance
Finally the power as function of the distance can be estimated using coil inductivity formula for rectangular
coils.
Table 1 — Reading distance over antenna power
Power [W] Distance [cm]
1 5,5
10 8,2
100 12
1000 18
Figure 2 — Reading distance over antenna power
Remember that these are optimistic values, i.e. not considered are the real implementation requirements (e.g.
very high coil voltages). One has also to separate the reader consumption DC current and the antenna current
and voltage.
The antenna current and voltage depends on the number of turns, still the RF-reader driver can only support a
maximum AC voltage which is given by the DC voltage. The maximum coil voltage is approximately Q times
higher than the driver voltage. This gives a maximum coil voltage of 54V for 3V DC and a Q factor of 20. The
results are printed in the table below.
Table 2 — Reading distance over antenna power
Power [W] 1 10 100 1000
Distance [cm] 5,7 8,6 12,8 18,8
I [A] 0,33 3,33 33,3 333
DC
N 4 1 1 1
L [µH]
0,42 0,08 0,008 0,08
I [A] 0,46 5,3 16 53
V [V] 47,8 37 119 376
NOTE The maximum coil voltage condition cannot be fulfilled for the 100W and 1000W approach because the least
number of turns is one.
In summary taking all factors into account some possible metal environment, the non-parallel orientation
between smart card and the attacker’s reader antenna, higher noise levels etc. expected in real life
applications, the estimated practical limit is certainly less than 10 cm.
6.2.3 Extending existing hardware
For one of their applications a company once required a larger reading range of a MIFARE DESFire card, an
ISO/IEC 14443 compliant card that is using the same air interface as NFC. This subclause describes how they
tried to increase the read range of the card by modifying the existing hardware.
The maximum read range of a MIFARE DESFire card is determined by two main factors.
1) H is the minimum magnetic field strength necessary to activate the RFID card and the prime factor that
min
influences the activation distance. For a MIFARE DESFire card the value of H is 1000 mA/m when the
min
AES security co-processor is activated.
2) Magnetic dipole moment in µA.m² which is a measure for the return signal of the RFID card.
The MIFARE DESfire card generally contains an antenna that consists of a rectangle with 4 or 5 turns of
copper or aluminium wire connected to the module. The dimension of the cards is fixed. There are no
possibilities to improve the read range on the card.
At the reader side one inductive loop antenna serves two purposes; 1) generating the magnetic field and 2)
receive the return signal from the card.
The reading distance is determined by the following properties of the reader antenna:
3) The surface area
The larger the surface area the larger the read range, but there is a maximum and an optimum.
4) Shape
Square, circular or oval/rectangular (length x width) A circular or square shaped antenna provides the
best efficiency. The ratio of Length x Width for an oval or rectangular antenna should not exceed 2:1.
5) Q-factor
Is determined by the Cu loss (resistance) of the coil. The higher the Q the more field strength is
generated. If the Q is too high it will dampen the return signal of the RFID card and as a consequence will
reduce the read-range, despite of a higher field strength. The optimum value seems to be around 30, but
a lower Q value is preferred to protect against large temperature variations in the environment of the
antenna. The resonance of the antenna changes with temperature swings and the higher the Q the larger
the change in frequency of the antenna.
6) Damping by surrounding metal materials
Mounting an antenna on a wall that contains metal (e.g. a metal doorpost) will dampen the antenna and
reduce the read range.
Figure 3 shows H=f (read range). The green line shows the H of a card. The blue (low power) and the
min
yellow line (high power) show the field strength ratio to reading distance. The point where the green line
crosses the blue and the yellow line indicates the estimated reading distance.
Figure 3 — Antenna field strength over distance
This practical experience showed that increasing the read range for the MIFARE DESFire card from 4cm –
6cm was extremely difficult. The conclusion is extending the read-range using existing hardware is not
practically possible, unless an external antenna is used. Of course theoretically an external antenna could be
connected to an NFC phone, but practically it would be more efficient (technically) and cheaper to use an
external, on the shelf, reader to get a better read range.
6.2.4 Extending with the use of a booster
Current NFC reader chips are usually running in a mobile phone with 3.3V or 5V supply voltage. In order to
increase the range of an RFID/NFC reader chip the power available to the antenna needs to be increased.
This can be done by providing external antenna drivers. Such antenna drivers are done in a different CMOS
technology that allows higher supply voltage of e.g. 12V. Furthermore there is space for much larger
transistors that allow lower output driver resistance and consequently higher current for the antenna feeding. If
the mobile phone is modified and the battery is able to support a charge pump for the high voltage then the
charge pump and the high voltage driver together form a kind of amplifier.

Figure 4 — Example of Range Booster
With the higher antenna feeding currents available also the antenna size may be increased while still being
able to have high enough antenna currents. The H field is a linear function of the current. As a result the range
for power supply increases linear with the voltage increase and the resistance decrease. However, as on the
other hand the coupling between the card and the reader decreases with the increase of the distance also the
limitations of 6.2.2 apply.
6.2.5 Conclusion
From the theoretical analysis and the descriptions in this subclause we can conclude that long read ranges
require a very large antenna and a large amount of energy. Both resources cannot practically be made
available on a mobile phone with a small antenna and a small battery. Therefore no substantial extensions in
read range are to be expected for NFC devices with ISO/IEC 15693 support. Only a small extension is to be
expected for reading ISO/IEC15693 based tags.
6.3 Security features in the NFC phones
In this subclause we list the existing security features in the NFC phones. We will consider two cases, namely
Android and Win8, of OS of mobile phones with NFC capabilities.
Let first explore the Android structure for NFC collected in android.nfc package. The data stored in an NFC tag
can be written in a variety of formats, but most of the Android framework APIs are based around a NFC Forum
standard called NDEF (NFC Data Exchange Format). Since in principle everything in Android is open source
all the resources are available to the Apps developer:
https://developer.android.com/guide/topics/connectivity/nfc/index.html
https://developer.android.com/reference/android/nfc/package-summary.html.
The framework provided by Android enables easy use of the various tag technologies. Those supported by
Android are NFC-A (ISO 14443-3A), NFC-B (ISO 14443-3B), NFC-F (JIS 6319-4), NFC-V (ISO 15693), ISO-
DEP (ISO 14443-4), NFC Forum NDEF formatted data and optionally MIFARE Classic, MIFARE Ultralight.
Still when someone is not working with NDEF data, or when he is working with NDEF data that Android does
not support, he has to manually read or write to the tag in raw bytes using his own protocol stack. But in
general any developer has a high level access thorough the OS to poll for tags, read a tag when one is in the
field and write to it. Thus the OS access writes prevents the developer to have access to the lower level
routines, like direct access to the parameters of the NFC chip.
In order to get access to lower level routines a “developer” would have to hack (jailbreak) the OS on the
phone. There are many examples of how to root Android – for example
https://en.wikipedia.org/wiki/Rooting_%28Android_OS%29. However even then some of the parameters of the
NFC chip can’t be changed unless it's (the chip) firmware is replaced; such parameters are for example the
power available for the antenna which is the only possible way (not considering HW changes) to achieve
better read and therefore attack range.
Very recently Win8 announced support for NFC too http://code.msdn.microsoft.com/windowsapps/Proximity-
Sample-88129731. But Microsoft does not provide yet so complete documentation as Android has on the
NFC. Still similar conclusions can be drawn, i.e. the OS provides only high level access to the NFC chip and
protects the lower level accesses.
One should consider the NFC chip firmware is as the last barrier against the attacker since it is usually
protected by cryptographic means, like digital signature. So to get full control a “developer” would have to
hack the NFC firmware update procedure, then to re-flash the chip firmware with his own version in order to
be able to boost the antenna as much as the HW (chip) allows.
Still even when the parameters of the NFC chip would be accessible, it would not be possible to extend the
read range essentially. The reason is that for the most part the NFC read range is determined by the size of
the antenna and the current that flows through it. These parameters cannot easily be changed from SW and
firmware. If an “antenna configuration” in an NFC would not be optimally tuned, it might be possible for a
specialist to get a few millimetres more read range out of it, but it will not be possible for example to double
the distance.
Therefore our conclusion is that with SW only access (attack) NFC range can’t be essentially extended.
It is also important to note that NFC Forum together with ECMA-385/386 have standardized NFCIP-1 Security
Services. These complementary series of NFC security standards (NFC-SEC) define a protocol stack that
enables application independen
...