RFID and NFC: How Powerless Tags Talk Back
Hold a plastic card near a reader and it answers, instantly, with no battery inside it. That is a genuinely strange thing when you stop to think about it. A transit card frozen in a drawer for two years works the moment it enters a turnstile’s field; a passport chip, a warehouse pallet tag, a rice-grain implant under a dog’s skin, a credit card tapped at a terminal — none of them stores power, yet all of them compute a response and transmit it back on demand. The trick that makes this possible is not miniaturized batteries or clever sleep modes. It is that the tag never had power of its own to begin with. It harvests energy from the reader’s electromagnetic field, uses that borrowed energy to wake a tiny chip, and then replies not by generating its own radio signal but by changing how much of the reader’s field it absorbs — a whisper made by modulating a load rather than shouting into an antenna. Understanding that one inversion, that the tag talks by listening louder and softer, unlocks the whole family of technologies from 125 kHz animal chips to the 13.56 MHz NFC in your phone.
RFID — radio-frequency identification — and NFC — near-field communication — are usually explained as a list of standards and use cases, which misses the physics that makes them interesting and the security failures that make them consequential. The honest version is a story about two completely different ways of coupling energy across empty space, a set of frequency bands that each buy a different trade between range and data rate, and a security history that ranges from genuinely strong cryptography to a wildly popular card whose 48-bit cipher was reverse-engineered from a photograph of the silicon. This is how the tags get their power, how they answer, and why some of them should never have been trusted.
Passive, active, and the middle ground
Before the physics, the taxonomy, because it determines everything else. RFID tags come in three power classes, and the interesting one is the first.
| Class | Power source | Range | Example |
|---|---|---|---|
| Passive | Entirely from reader’s field | mm to ~10 m | Transit cards, payment, pallet tags, pet chips |
| Semi-passive (BAP) | Battery runs chip; reply still by backscatter | tens of m | Toll transponders, sensor tags |
| Active | Battery powers a real transmitter | 100 m+ | Shipping container trackers, some toll tags |
An active tag is not conceptually mysterious — it has a battery and a transmitter and behaves like any small radio. The magic is in the passive tag, which has no power source at all and must run its logic and its reply on energy scavenged from the reader in real time, and in the semi-passive tag, which uses a battery to run its chip (so it can wake faster and drive sensors) but still replies by backscatter rather than transmitting. The rest of this article is about passive tags, because they are the ones that seem to violate common sense, and they are the overwhelming majority of the tags you actually touch.
Two ways to couple energy: near field and far field
The single most important fork in RFID is how the reader’s energy reaches the tag, and it splits cleanly by frequency. Low and high frequencies use inductive coupling in the near field; ultra-high frequencies use backscatter coupling in the far field. These are not variations on a theme — they are different physics.
Inductive coupling works like a transformer with an air gap. The reader drives an alternating current through a coil antenna, which creates an oscillating magnetic field. When the tag’s coil enters that field, the changing magnetic flux induces a voltage in it — exactly Faraday’s law, the same effect that runs every power transformer and wireless phone charger. That induced voltage powers the tag’s chip. This is a near-field effect: the magnetic field strength falls off extremely steeply with distance (roughly as the inverse cube), so inductive coupling only works when the tag is close, on the order of the antenna’s size. LF (125–135 kHz) and HF (13.56 MHz) tags work this way.
Backscatter coupling works like radar. At UHF (860–960 MHz) the wavelength is short enough (about 33 cm) that the reader launches a genuine propagating electromagnetic wave into the far field. The tag’s antenna captures a little of that wave’s energy to power its chip — and, critically, the tag replies by changing the reflectivity of its own antenna, bouncing a modulated echo back to the reader. This is far-field, so it reaches meters, but the harvested power is tiny.
INDUCTIVE (LF/HF, near field) BACKSCATTER (UHF, far field)
------------------------------ ----------------------------
reader coil tag coil reader tag
___ ___ antenna antenna
( ))) magnetic ( ) |)))) wave ((|
‾‾‾ flux link ‾‾‾ | ---> |
| (like a | | <--- | reflects a
| transformer)| | modulated | modulated
energy IN -------->| | echo back | echo
reply: tag varies | reply: tag varies
its load, reader | its antenna's
sees coil current | reflectivity
change |
The consequence is a clean trade you can read straight off the frequency:
| Band | Frequency | Coupling | Typical range | Data rate | Where you meet it |
|---|---|---|---|---|---|
| LF | 125–134 kHz | Inductive | ~10 cm | Slow | Animal microchips, car immobilizers |
| HF | 13.56 MHz | Inductive | ~10 cm | Medium | NFC, transit, payment, passports, library books |
| UHF | 860–960 MHz | Backscatter | 1–10+ m | Fast | Retail inventory, pallets, race timing, toll |
Lower frequency means better penetration through water and tissue (why animal chips are LF) but short range and low data rate. Higher frequency means longer range and faster data but poorer penetration and more sensitivity to orientation and interference. There is no “best” band, only the right band for the coupling distance you need. This is the same range-versus-throughput physics that governs Wi-Fi’s band choices, pushed to the extreme of a device with no power of its own.
Load modulation: how the tag whispers back
The part that trips people up is the reply. The tag has no transmitter, so how does it send data to the reader? The answer is load modulation, and it is beautifully economical.
Recall that in inductive coupling the reader and tag coils are magnetically linked like a transformer. Anything that changes on the tag’s side is reflected back as a change in the current the reader sees in its own coil — because the two are coupled. So the tag does not need to generate a signal. It simply switches an electrical load — a resistor or capacitor — across its coil on and off, in time with the bits it wants to send. When the load is connected, the tag draws more energy from the field and the reader’s coil current dips; when disconnected, it draws less and the current rises. The reader watches its own antenna and reads those tiny fluctuations as the tag’s data.
Tag's data: 1 0 0 1 1 0
Tag load: ON OFF OFF ON ON OFF
| | | | | |
Reader coil v ^ ^ v v ^
current: dip rise rise dip dip rise <- reader reads THIS
To make these faint variations easier to detect, HF tags usually modulate a subcarrier — they switch the load at a fixed offset frequency (847.5 kHz for ISO 14443, exactly the 13.56 MHz carrier divided by 16), so the tag’s reply shows up as clean sidebands the reader can filter out from the vastly stronger carrier it is transmitting. UHF backscatter is the same idea in the far field: instead of switching a load across a coil, the tag switches the impedance of its antenna between two states, changing whether it absorbs or reflects the incoming wave, and the reader detects the modulated reflection. Either way, the tag communicates by varying how much of the reader’s energy it takes — never by making energy of its own.
There is an elegant corollary: the reader must keep transmitting its carrier the entire time the tag is replying, because that carrier is simultaneously the tag’s power supply and the wave the tag is modulating. Cut the field and the tag dies mid-sentence.
NFC: RFID’s short, standardized cousin
NFC is not a different physics — it is a tightly specified subset of HF RFID at 13.56 MHz, designed for close, deliberate interactions (a few centimeters) and for a phone to be able to act as both a tag and a reader. It was built to interoperate with the existing HF contactless card infrastructure, so it is specified to be compatible with ISO/IEC 14443 (the proximity-card standard behind transit and payment cards), ISO/IEC 15693 (longer-range vicinity cards), and Sony’s FeliCa. That backward compatibility is why your phone can read a transit card and emulate a payment card: NFC deliberately speaks the languages already deployed.
NFC defines three operating modes, which map cleanly onto what the hardware is doing:
- Reader/writer mode — the phone acts as an RFID reader, powering and reading a passive tag (scanning an NFC sticker, a poster, a product label).
- Card emulation mode — the phone pretends to be a passive card, replying to an external reader by load modulation. This is how tap-to-pay works: the payment terminal is the reader, and your phone answers exactly as a contactless card would.
- Peer-to-peer mode — two powered NFC devices take turns being reader and tag to exchange data directly.
The NFC Forum standardized tag types and a data format (NDEF) so that a URL, a Wi-Fi credential, or a contact card written to a tag is interpreted the same way across devices. The genius and the limitation are the same: NFC is short-range on purpose. The few-centimeter reach is a security feature — you have to almost touch the reader — and a usability constraint. That deliberate proximity is what makes “tap” an intuitive, unambiguous gesture rather than a broadcast.
The security and privacy problem
Here the story turns uncomfortable, because the same properties that make tags convenient make them attackable, and the history is littered with cryptographic disasters. The core issue is that a passive tag answers anyone with a properly tuned reader — it has no way to know whether the field powering it belongs to a legitimate turnstile or an attacker’s coil in a backpack.
Cloning and the MIFARE Classic catastrophe. The most widely deployed HF access card in history, NXP’s MIFARE Classic, protected its data with a proprietary 48-bit stream cipher called Crypto1. Proprietary and secret — “security through obscurity.” Researchers reverse-engineered the algorithm (partly by imaging the chip’s silicon under a microscope) and found it hopelessly weak; nested and hardnested attacks now recover a card’s keys in seconds to minutes with cheap hardware. A MIFARE Classic 1K holds 1,024 bytes across 16 sectors, and with the keys extracted an attacker can read and copy all of it. Worse, so-called “magic” cards (sold cheaply online) allow writing the normally-read-only UID in sector 0, so a cloned card can impersonate the original completely. Millions of building-access and transit systems built on MIFARE Classic are, cryptographically, wide open. The industry’s answer — MIFARE DESFire, using real 3DES and AES — exists and is strong, but the installed base of broken Classic cards is enormous and slow to replace.
Relay attacks. Even a card with perfect cryptography can be defeated without breaking any cipher. In a relay attack, one attacker holds a reader near the victim’s card (in a pocket, on a train) while an accomplice holds a fake card near the real terminal; the two are linked over the internet, and every challenge and response is relayed in real time. The card answers correctly because it really is the card answering — just from far away. Contactless EMV payments are demonstrably relayable this way, and the primary defense is timing: the terminal measures the round-trip and rejects responses that took too long to have come from a card actually present. Distance-bounding is hard to get right, and deployment is uneven.
Silent tracking. A UHF inventory tag that answers any reader with a unique ID is a tracking beacon. Anyone can inventory what a person is carrying — which tagged clothes, which passport, which access badge — from meters away without consent. This is the privacy cost of the far-field convenience that makes warehouses efficient. Mitigations exist (a “kill” command that permanently disables a retail tag at checkout, randomized temporary IDs, shielded sleeves for passports and payment cards), but they are opt-in and inconsistently applied.
The general lesson mirrors the rest of security: the strong primitives exist. AES-based DESFire, the public-key cryptography behind EMV (see elliptic-curve cryptography), and hardware-backed NFC security keys (see YubiKey for SSH, GPG, and sudo) are genuinely robust. The failures come from deploying weak, proprietary ciphers at massive scale and leaving them in the field for a decade after they were broken. The RF fundamentals underneath all of this — modulation, bands, near versus far field — are the same ones covered in wireless networking fundamentals.
Trade-offs, honestly
RFID and NFC are mature, cheap, and everywhere, but the engineering involves real compromises that no marketing sheet mentions.
- Range is inseparable from vulnerability. UHF’s meters of reach is exactly what enables covert scanning and tracking; HF’s centimeters is safer but useless for inventory. You cannot have long range and inherent proximity-privacy at once — the physics couples them.
- Passive means power-starved means dumb. A tag running on harvested microwatts cannot do heavy cryptography quickly. The temptation to ship a cheap, weak cipher (Crypto1) instead of a slower strong one is a direct consequence of the energy budget, and it is why so many early systems were broken.
- Orientation and environment matter more than specs suggest. Inductive coupling depends on the coils’ alignment; a card held edge-on may not power up. UHF backscatter is detuned by water and metal — a UHF tag on a bottle of liquid or a metal can often simply will not read, which is why retail RFID has stubborn dead zones.
- The installed base is a security anchor. MIFARE Classic was broken years ago, yet ripping out every reader and reissuing every card in a city transit system or an office tower costs a fortune, so broken cryptography persists in production long after everyone knows it is broken. Security is gated by capital budgets, not by cryptographers.
- Standards compatibility is a blessing and a cage. NFC’s compatibility with ISO 14443 is why it works with existing infrastructure, but it also means NFC inherited that infrastructure’s legacy weaknesses, including support for the very cards that should be retired.
Verdict
RFID and NFC are one of those technologies whose everyday invisibility hides a genuinely elegant piece of physics: a tag with no power source that runs on stolen energy and answers by modulating how much of that energy it consumes, so that the reader hears the reply as a flutter in its own antenna. Once you see that inversion — the tag talks by listening louder and softer, never by transmitting — the entire zoo of cards, chips, fobs, and taps collapses into two clean ideas: inductive coupling in the near field for the close, secure interactions (LF and HF, including all of NFC), and backscatter in the far field for the long-range, high-throughput ones (UHF). The band you meet a tag in tells you its range, its speed, and its physics before you read a single spec.
The cautionary half of the story is that convenience and security pull in opposite directions here more sharply than almost anywhere else in computing. A device that answers anyone who powers it, using whatever cryptography fits in a microwatt energy budget, is structurally easy to clone, relay, or track, and the industry’s record of shipping weak proprietary ciphers to billions of cards — then leaving them deployed for years after they were publicly broken — is a genuine indictment. The strong building blocks exist and work; DESFire and EMV are not the problem. The problem is that the tag in your wallet was probably chosen for cost, not correctness, and it will keep answering strangers for as long as the reader on the wall keeps asking. Tap with appreciation for the physics, and mild suspicion of the security.
Sources
- Inductive and Backscatter Coupling — How Passive RFID Works (RFID4U)
- RFID Coupling Techniques: Backscatter, Capacitive, Inductive — Electronics Notes
- Near-field communication — Wikipedia
- ISO/IEC 14443 — Wikipedia
- MIFARE — Wikipedia
- Dismantling MIFARE Classic (Crypto1 cryptanalysis) — Radboud University
- Practical Relay Attack on Contactless Transactions Using NFC Mobile Phones — IACR ePrint 2011/618
Comments