• Knowledge

UHF RFID tag security for automatic vehicle identification

reading time



Ultra High Frequency (UHF) is a popular form of RFID technology. UHF is an automatic wireless communication technology that allows you to read data from a long distance. While UHF technology was primarily used for tracking goods in the supply chain in the simplest and most cost-effective way possible, it is now also widely used in access control and parking applications. However for these applications, security requirements for UHF tags are very important to avoid cloning. What are the security risks of UHF for vehicle access control and which security measures are possible to prevent cloning? We tell you more in this article.

Tracking of goods with UHF technology

Decades ago, UHF technology has been developed for tracking of goods in the supply chain sector. The UHF tags were introduced as a possible successor to product barcodes. The major requirements were to track goods with tags that are simple and low-cost. This manner was so relevant that many of the biggest retailers in the world are using UHF technology to track their goods.

Security risks of UHF for vehicle access control

The long read range and low tag price makes UHF RFID a popular choice for other applications, like parking and (vehicle) access control. However, the difference with the supply chain is that the security aspect is an important part for using UHF technology for parking and access control.

This works as follows: The tag emits its Electronic Product Code (EPC) number in plain text. This is unprotected and anyone can read the EPC. The EPC number cannot be changed, but can be copied into a new empty unprogrammed tag. This makes the tags vulnerable to cloning and counterfeiting attacks. For example for access control, this means that you can gain access to a gate in someone else’s name. You want to avoid this at all times. Therefore, it is necessary to add security measures to prevent tag cloning.

UHF tag memory

Before we discuss the security measures to prevent cloning, it is important to know that all UHF EPC Gen 2 compliant RFID tags consist of four tag-memory banks:

  1. EPC – Electronic Product Code Memory. EPC memory stores the EPC code or electronic product code. The EPC code is most often used as the unique identifier of the tag. This memory provides overwrite protection. Nedap will program the EPC.
  2. TID – Tag ID Memory. The TID memory contains chip manufacturer data and an unique serial number. This part of the memory cannot be changed.
  3. User Memory. This can be used if the user needs more memory than available in the EPC memory bank. It’s an optional part, not necessary and only for general purpose.
  4. Reserved Memory – Memory bank for storing the access password and a kill password. Each of the passwords has 32 bits. The destructive password permanently deactivates the tag (very rarely used), and the access password is set to block and unblock the tag’s recording capabilities.

Which security measures are possible to prevent cloning?

To reduce the security risks and to prevent cloning from taking place, there are several security measures that you can take into account.

1. TID check

Nedap’s UHF tags support a locked serialized TID. The TID value is programmed and locked by the chip manufacturer and cannot be cross-copied into another tag. The reader must be configured to read both the EPC and TID numbers. To make sure that cloning can’t happen, it’s important that the access control system verifies if both numbers are a valid combination.

Critical note: at the discretion of the chip manufacturers the TID values are locked. Remember that there are rogue manufacturers that sell chips on which the TID is writeable.

2. Password check

Nedap has implemented a two-way authentication anti-cloning method using the UHF tag passwords. This feature is supported in combination with all Nedap UHF tags. Since the passwords itself are password protected from reading, they cannot be easily copied into another tag.

The Nedap uPASS readers can perform the password check autonomously without any additional requirements or dependencies from the access control system. Nedap’s UHF readers (uPASS portfolio) have been developed in such a way that they can perform password verification completely autonomously without additional requirements from dependencies on the access control system. This means that Nedap’s readers read EPC and then check the access and kill passwords.

Critical note: The passwords are 32-bit size and are not encrypted, which is not considered very strong.

3. EPC Gen2 V2 secure authentication

The best possible and highest security measure to prevent cloning is to make use of EPC Gen2 V2 secure authentication. This is the second generation of UHF tags (EPC Gen2 V2) that support a good secure authentication method. The authentication data transmitted between tag and reader is enciphered using AES128 bit encryption. The encryption keys are diversified using the programmed EPC number to ensure that all keys are different for each tag. Because each tag has its own encryption key a high level of security is ensured.

The tags are backwards compatible with the standard UHF tags. This means that you can use them also on readers that do not perform the secure authentication. You can enable the secure authentication on specific readers or locations were the security is important. Required is that the tags contain an EPC Gen2 V2 compliant RFID chip.

Nedap highly recommends EPC Gen2 V2 tags because of the high security and the fact that cloning is not possible. More and more tags from the portfolio are provided with this method of secure authentication. You can easily indicate this when ordering.

Nedap’s UHF tag portfolio

Nedap offers a portfolio of UHF RFID readers and tags that provide convenient yet secure access control in e.g. parking facilities, gated communities and campuses. Examples of our tags with EPC Gen2 V2 secure authentication are UHF Windshield Tag, UHF ISO Card and UHF Combi. Depending on your situation and needs, we can jointly determine which tags are suitable for your application. We would be happy to get in touch with you to discuss the possibilities.