Hacking RFID is too easy?
Posted by Matthew
Recently, RFID was in the headlines for being crackable by cellphone. At first glance, this article does not seem very extraordinary. SHA-1 encryption is weak and any engineer knows a cellphone is just a tiny computer with an antenna. However, the headlines fail to tell the entire story.
If you didn’t know, RFID tags do not contain batteries. Instead, they draw power electromagnetically from the reader. Shamir uses a directional antenna to monitor the power consumed by the RFID tag.
“The reflected signals contain a lot of information,” Shamir said. “We can see the point where the chip is unhappy if a wrong bit is sent and consumes more power from the environment…to write a note to RAM that it has received a bad bit and to ignore the rest of the string,” he added.
By monitoring power consumption, they are able to tell exactly which bit in the pass-phrase is incorrect. Considering that half the bits could be guessed correctly as zero or one, it would only take 128 tries to crack a 256 bit pass-phrase. On the bright side, it ignores the remaining bits instead of giving them away as well.
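To show why the bit-by-bit abort matters, here is a Python simulation (an added example, not code from the article or from Shamir's work): a tag whose comparison stops at the first wrong bit is modelled by returning that bit's index in place of the power spike, and a constant-time comparison beside it returns nothing but accept/reject. The tag classes, the bit-list format and the 256-bit secret are constructed for the demo.

```python
N_BITS = 256

# Constructed 256-bit pass-phrase with exactly 128 set bits (demo value, not from the article).
SECRET = [1, 0, 1, 1, 0, 0, 1, 0] * 32


class LeakyTag:
    """Tag that compares bit by bit and gives up at the first mismatch;
    the index of that mismatch stands in for the power spike in the article."""

    def __init__(self, secret):
        self.secret = secret

    def check(self, guess):
        for i, (s, g) in enumerate(zip(self.secret, guess)):
            if s != g:
                return False, i   # bad bit noted, rest of string ignored
        return True, None


class ConstantTimeTag:
    """Same tag, but the comparison walks every bit and keeps no per-bit
    state, so accept/reject is the only thing a reader can observe."""

    def __init__(self, secret):
        self.secret = secret

    def check(self, guess):
        diff = 0
        for s, g in zip(self.secret, guess):
            diff |= s ^ g
        return diff == 0, None


def recover(tag, n_bits=N_BITS):
    """Start from all zeros and flip whichever bit the tag complains about.
    Against LeakyTag this takes (set bits + 1) queries instead of 2**n_bits;
    against ConstantTimeTag there is no bit index and it gives up at once.
    Returns (recovered bits or None, queries used)."""
    guess = [0] * n_bits
    queries = 0
    while True:
        queries += 1
        ok, bad_bit = tag.check(guess)
        if ok:
            return guess, queries
        if bad_bit is None:  # no side channel: nothing to learn
            return None, queries
        guess[bad_bit] ^= 1
```

With the constructed secret the leaky tag falls in 129 queries, which is the "about 128 tries" the post arrives at, while the constant-time tag yields nothing after the first rejection.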
If you were wondering, a cell phone has all the hardware necessary to replicate this attack. Hopefully, 3rd party software is restricted from processing incoming RF signals directly.
