חומר רקע

PDF 29,852 תווים המסמך המקורי ↗
Extending ISO/IEC 14443 Type A Eavesdropping Range using Higher Harmonics Maximilian Engelhardt∗, Florian Pfeiffer†, Klaus Finkenzeller‡ and Erwin Biebl∗ ∗Fachgebiet Höchstfrequenztechnik, Technischen Universität München, Arcisstr. 21, 80333 München Email: [email protected], [email protected] †perisens GmbH, Landwehrstr. 61, 80336 München, Email: [email protected] ‡Giesecke & Devrient GmbH, Prinzregentenstraße 159, 81607 München, Email: klaus.fi[email protected] Abstract—Inductively coupled ISO/IEC 14443 compliant RFID systems are used in many security-relevant applications. A key security feature is their very short range of about 10 cm. Eavesdropping attack scenarios are a well known and recognised threat for these systems. In this paper, we show an approach, using higher-order harmonics to eavesdrop the data transmitted from a transponder to a RFID-reader (uplink). Practical distances for eavesdropping on higher-order harmonics are measured for exemplary ISO/IEC 14443 type A transponder and reader configurations in different environments. I. INTRODUCTION Inductively coupled ISO/IEC 14443 compliant RFID sys- tems are nowadays being used in a huge number of security- relevant applications such as payment (credit cards), ticketing (public transport and events), access control (company card) and identity verification (ePass, eID). Typical ISO/IEC 14443 passive tags are designed to operate over a maximum distance of about 10 cm. The short commu- nication range of a smart card is also regarded as an important security feature. Extended range [1], skimming attacks [2] and eavesdropping are well known threats for these systems which are seeking to overcome the short range. An extended range attack is the ability of an active tag to establish an unauthorised communication with a reader. Skimming is the unauthorised access of tag data without an authorised tag-reader connection. Eavesdropping is defined as unauthorised data access to an authorised reader-tag communication. Fig. 1. Eavesdropping attack of a RFID communication [3] In several studies eavesdropping attack scenarios have been analysed theoretically and experimentally. In [4] we have shown the theoretical limits of eavesdropping attacks, listening to the uplink (tag to reader) at the fundamental wave at 13.56 MHz of a contactless smart card, ID1 size. We resulted in an eavesdropping distance of between 2 m and approximately 10 m, depending on the tag type, the environmental noise figure and the field strength applied to the tag. Looking at the analogue front end of a transponder how- ever, one sees that the loop antenna is directly connected to a rectifier circuit in the RFID-chip, providing the power supply for the chip. This in the simplest case is done, using the strong nonlinear characteristic of diodes. As we know, any nonlinear- ity in an electronic component generally causes higher-order harmonics in the current, flowing through it. Therefore this higher-order components must also be a part of the current flowing through the transponder coil antenna connected to the rectifier, where they cause a magnetic field which finally gets radiated into the proximity of the transponder. Fig. 2. Schematic of the power supply, voltage regulation and generation of load-modulation with a 848 kHz subcarrier of a RFID transponder circuit [3] In this paper we focus on eavesdropping a transponder on the higher-order harmonics, generated by the nonlinear characteristic of the rectifier in the transponders analogue front end. II. ADVANTAGE IN EAVESDROPPING HIGH-ORDER HARMONICS Receiving at higher frequencies offers several advantages: A. Improved noise conditions In the HF band the external noise with atmospheric, galac- tic and man-made noise is typically significantly greater than the internal receiver noise. [5] gives an overview of average noise levels of external noise sources including atmospheric, galactic and man-made noise. Depending on the frequency, the environment conditions as well as the day and year time different noise sources can be relevant. The atmospheric noise strongly depends on the time of the day and even on the season of the year. Figure 3 shows the different noise levels expressed in noise factor Fam above thermal noise in dependence of the frequency. Fig. 3. Solid lines indicate median values of man-made noise in Fam (dB above thermal noise at 288 K), dashed lines indicate atmospheric noise and the dotted line shows the galactic background noise [6] Between 10 and 100 MHz man-made noise is the predom- inant noise source in a business and residential environment which is the most critical environment for attack scenarios. In logarithmic scale the man-made noise decreases linearly with frequency. The noise factor Fam is defined according to [5] with Fam = c −d log10  f 1 MHz  . (1) c and d are environment depending constants. The constant d TABLE I. ENVIRONMENT DEPENDING CONSTANTS [5] Noise source Business Residential Galactic c 76.8 72.5 52.0 d 27.7 27.7 23.0 determines the gradient of the noise figure curves. As we are interested in the harmonics of 13.56 MHz, the expression can be written as follows: Fam = c −d log10  n · 13.56 MHz 1 MHz  (2) Fam = c −d (log10(n) + 1.13) (3) In business and residential environment, the noise figure de- creases by 27.7 · log10(n) with the order n of the harmonic waves. Compared to the fundamental wave, the 3rd order harmonic wave has a noise level decreased by 13.2 dB, the 5th order harmonic wave by 19.4 dB. Another advantage of higher frequency is the possibility to use directional antennas. Directional antennas with one major lobe and negligible minor lobes receive signals mainly from one direction. As consequence, the reception of interference can be reduced by aligning the maximum directivity of the antenna to the desired signal source. B. Favourable propagation conditions The most limiting factor of eavesdropping a magnetic near field communication is the strong decrease of the magnetic field strength. By eavesdropping at higher-order harmonic frequencies this factor could be overcome as the near to far field transition occurs at closer distance. Figure 4 shows the tangential and radial magnetic field strength of a small loop antenna in dependence of the distance at the fundamental frequency of 13.56 MHz. Fig. 4. Normalised tangential and radial magnetic field of a small loop antenna in dependence of the distance at 13.56 MHz [3] At the near field to far field transition, the slope of the curve changes: For smaller distances, the magnetic field strength decreases with the inverse of distance to the power of three. For larger distances, it changes to a linear proportionality of the radial field. The location of the transition point is at r = λ 2π and thus directly depends on the wavelength. • In the near field with r ≪ λ 2π: H ∝r−3 • In the far field with r ≫ λ 2π: H ∝r−1 Therefore the location gets closer to the antenna with increas- ing frequency. The fundamental wave at 13.56 MHz has a near to far field boundary of 3.5 m, the 3rd order harmonic wave of 1.2 m and the 5th order harmonic wave of only 0.7 m. In most cases, the propagation conditions are more favourable in far field region, provided that there is a radiating element which transfers the near field energy into electromagnetic radiation. Wires on the electronic reader circuit or cables connected to the reader or placed near to the reader can act as radiating antennas. III. THEORY OF HIGH-ORDER HARMONICS GENERATION The high-order harmonics are generated due to the non- linearities of the rectifier diodes. Typically, full-wave bridge rectifier circuits are used in smart cards. Such a commonly used circuit is shown in figure 5. 13.56 MHz 2.5 µH 23 pF 4.7 Ω 10 nF 1 kΩ Fig. 5. Schematic circuit of a bridge rectifier in receiving mode To produce a steady DC supply, a smoothing capacitor is used at the output. The rectifier’s input is connected to the coil antenna of the smartcard which is put resonant using a capacitor. The resonant frequency is adjusted to 13.56 MHz. To analyse the behaviour of the rectifier circuit, it is modelled using a Spice simulation tool. As diodes Schottky diodes are used. In Figure 6, the spectrum of the output voltage with the even harmonics of 13.56 MHz is shown. 0 50 100 150 200 −150 −100 −50 0 DC 2 × 13.56 MHz 4 × 13.56 MHz 6 × 13.56 MHz ... Frequency in MHz Spectral output voltage in dB V Fig. 6. Simulated frequency spectrum of voltage at the output of the bridge rectifier showing the even harmonics of 13.56 MHz This result can easily be explained: A full wave rectifier with ideal diodes leaves the positive half cycle of an input sine unchanged and clips the negative half cycle. The ideal spectrum of such a rectified signal only consists of even harmonics of the sine wave frequency. However, at the input of the rectifier circuit the odd harmonics are produced. See figure 7 showing the simulated frequency spectrum of the coil current. Since the odd harmonics occur directly at the input of the smartcard circuit, there is a great risk of radiating especially 0 50 100 150 200 −160 −140 −120 −100 −80 −60 13.56 MHz 3 × 13.56 MHz 5 × 13.56 MHz ... Frequency in MHz Spectral coil current in dB A Fig. 7. Simulated frequency spectrum of coil current at the input of the bridge rectifier showing odd harmonics of 13.56 MHz these lower odd harmonics (3rd order harmonic at 40.68 MHz and 5th order at 67.8 MHz). IV. COMMUNICATION THEORY A successful eavesdropping attack requires that the attacker is able to detect the bidirectional data communication between a reader and a transponder with a sufficient accuracy. The reliability of the data detection is directly connected to the bit error rate (BER). The BER itself is a function of the modulation scheme and the signal-to-noise ratio (SNR). This paper concentrates on the eavesdropping of a reader transponder connection according to the ISO/IEC 14443 type A standard at a default bitrate of 106 kbit/s. In the data transfer from the reader to the transponder (downlink) the standard specifies a 100 % Amplitude Shift Keying (ASK) with Modified Miller coding. To ensure a continuous power supply of the transponder, the width of the Miller glitches is limited to 2–3 µs. For the transponder to reader communication (uplink) the transponder’s chip impedance is keyed by a modulated 848 kHz subcarrier, usually by switching a modulation resistor on and off in the transponder-IC. The subcarrier itself is ASK modulated with a Manchester coded data signal at the same bitrate (see figure 2). As we are interested in the maximum reading distance, we assume optimum receiver architecture with a matched filter and a synchronous detector using an optimum threshold. The matched filter maximises the SNR in presence of stochastic noise, while the synchronous detector with optimum threshold minimises the BER. For a binary ASK signal corrupted with additive white Gaussian noise (AWGN) the probability of bit errors reads as [7] BER = 1 2 erfc 1 2 p SNRBB  , (4) where SNRBB is the baseband SNR. For a coherent demodu- lation of the amplitude modulated (AM) signal the baseband SNR is twice as high as the high frequency SNR. At high frequencies the noise power is divided equally into in-phase and quadrature (I&Q) components. Assuming the desired signal as in-phase, half of the noise power can be removed after down conversion. For coherent demodulation the BER reads as BER = 1 2 erfc 1 2 p 2SNRHF  (5) and for non-coherent demodulation BER = 1 2 erfc 1 2 p SNRHF  . (6) Figure 8 shows the BER in dependence of the SNR for coherent and non-coherent demodulation. Fig. 8. Bit error rate in dependence of SNR for binary ASK signal corrupted with AWGN The required BER depends on the amount of information bits that are intended to be eavesdropped. It is obvious that the eavesdropping of a transponder-ID of only 4 bytes allows a higher BER for reliable detection as a complete data frame of 256 bytes. For security applications as identity verification (ePass, eID) the ISO/IEC standard allows generation of a random ID. Eavesdropping of such a randomly generated ID is completely worthless for every attacker. Therefore we concentrate on the eavesdropping of data frames containing up to 4096 bytes according to [8]. Assuming no error-correction code, the probability that a frame with N bits arrives without any bit error (1 −FER) is N times the product of the probability that a single bit arrives error: 1 −FER = (1 −BER)N (7) In security relevant applications the communication is usually encrypted where a single bit error would significantly complicate or even prevent an unauthorised decryption. Ta- ble II shows the probability of an error-free detected frame in dependence of BER and frame length. According to Table II, a BER of 0.1 % - as used in [9] - is not sufficient for a reliable error-free detection of a 64 or 256 byte frame. Therefore, we also use a BER of 0.01 % in our study which allows an error-free detection of a 256 byte long frame in 81.5 % of all attempts. TABLE II. PROBABILITY THAT A FRAME ARRIVES WITH NO BIT ERRORS (WITHOUT ANY ERROR-CORRECTION) Frame length BER 1 % 0.1 % 0.01 % 0.001 % 4 byte 72.5 % 96.6 % 99.7 % 100 % 16 byte 27.6 % 88.0 % 98.7 % 99.9 % 64 byte 0.6 % 59.9 % 95.0 % 99.5 % 256 byte 0 % 12.9 % 81.5 % 98.0 % A BER of 0.1 % implies a minimum SNRHF of 11.4 dB for coherent and 14.4 dB for non-coherent demodulation (see Figure 8). In our measurements we use an equivalent SNRBB threshold of 14.4 dB for successful reception of the signal. V. NEAR AND FAR FIELD COUPLING OF HIGH-ORDER HARMONICS As proof of concept, initial field strength measurements are carried out in the near and far field. 1) Near field Measurements: To determine the power of the generated harmonics we performed near field measurements using a small coil located on the surface of the smart card while reading the smart card. Since the impedance of the coil is dependent on the frequency, we measured the inductivity of the coil and compensated the measured values accordingly. jωL un R i uR Fig. 9. Equivalent circuit of the measurement setup Figure 9 shows the equivalent circuit of the measurement. R designates the 50 Ωinput of the used spectrum analyser, jωL the inductivity of the coil and un the source voltage. Because the impedance grows with increasing frequency, uR will decrease with constant source voltage. With this equivalent circuit one can easily derive equation 8. un = uR R + jωL R (8) For all our measurements we used a Mifare pegoda CL RD 701 reader from NXP and a 1K Mifare transponder card from Philips. The reader was connected to a laptop with the supplied 2 m long USB cable. Reader and laptop were placed at roughly the same distance so that the USB cable was about parallel to the ground. Table III shows the power of the harmonics after compen- sating the effect of the coil. According to the simulated results in chapter III, the odd harmonics are noticeably stronger than the even harmonics. The 3rd order harmonic is the strongest with 23 dB below the fundamental wave. TABLE III. COMPARISON OF THE GENERATED HARMONICS Harmonics 1 2 3 4 5 6 7 Frequency [MHz] 13.56 27.12 40.68 54.24 67.80 81.36 94.92 Power [dBc] 0 −54 −23 −58 −35 −56 −38 2) Far field Measurements: An crucial property for eaves- dropping higher order harmonics is the radiation of those into the far field. As the signal of the transponder is the limiting factor for eavesdropping an ISO/IEC 14443 Type A RFID communication [4], we conducted measurements at the frequency of the upper side band of the transponder at different order harmonics. In our measurements the Pegoda reader was connected to the laptop using a USB cable. The laptop was placed at a height of 0.5 m above ground, in a distance of about 2 m to the reader. The reader is about 1 m above ground. The complete setup is shown in figure 10. Fig. 10. Reader connected to a laptop via USB cable which acted as antenna (marked in red) in the EMC chamber It turned out that the field of the higher harmonic frequen- cies coupled to the USB cable and the cable acted as antenna. The best results could be achieved when the transponder card was placed eccentrically on the reader. Figure 11 shows the setup we used in our measurements. In case of locating the transponder card centrally to the reader, nearly no radiation occurred. Fig. 11. Exemplary positions of the transponder card on the reader for radiation of higher order harmonics into the far field Table IV shows the measured electrical field strength of the harmonics at a distance of about 2.3 m from the reader. The highest field strength could be measured at the 3rd and 7th order harmonics. As the spectrum of the 7th order harmonic TABLE IV. MEASURED ELECTRIC FIELD STRENGTH OF THE RADIATED HARMONICS AT THE UPPER SIDE BAND OF THE CARD SIGNAL Harmonic 2 3 4 5 Frequency [MHz] 27.9675 41.5275 55.0875 68.6475 el. field strength [dB µV/m] −1 22 −7 −21 Harmonic 6 7 8 9 Frequency [MHz] 82.2075 95.7675 109.3275 122.8875 el. field strength [dB µV/m] −14 17 −11 −5 lies in the FM broadcasting radio band and the signal at the 3rd order harmonic was stronger we decided to use this frequency for our further analysis. VI. EAVESDROPPING OF 3RD ORDER HARMONIC We conducted measurements at different locations with different measurement equipment. As the limiting factor for eavesdropping an ISO/IEC 14443 type A communication is the uplink signal we concentrated our analysis only on this signal. Since the mixing products at the harmonics carry the spectrum of both, the reader and transponder communication, extracting the reader data is not much additional effort. For our evaluation we made measurements in an exper- imental hall with a combined biconical and a log-periodic antenna from Rohde und Schwarz (HL562 ULTRALOG) as well as in a long corridor using a much smaller SB 30- 88-MU1 shortened quarter wavelength antenna from Procom. Both locations are at the Technische Universität München. We intentionally wanted to perform measurements in an normal environment to simulate realistic eavesdropping attacks. The measurements in the experimental hall were realised using a signal and spectrum analyser from Rohde und Schwarz. For the measurements in the corridor we used a self-developed receiver hardware consisting of a low noise amplifier, bandpass filter and a coherent receiver. The bandpass filter was tuned to the upper side band of the transponder signal at the 3rd order harmonic, the receiver used a low cost TDA2542 IC for demodulation the upper side band signal at 41.5275 MHz. The IQ baseband signal at the output of the receiver was quantised and sampled for further digital processing using an oscilloscope. Together with the much smaller antenna used in our measurement this setup is a more realistic example for an eavesdropping attack. Figure 12 shows the measurement setup at the corridor. Figure 13 displays the result of the measurements as SNRBB after matched filtering over distance. For comparison we also performed measurements at the fundamental wave. The measurements in the experimental hall were done for horizontal polarisation, in the corridor we measured horizontal and vertical polarisation. During the measurements we only captured the raw signal. Additional filtering and SNR calcula- tion was done later in the digital domain. For a threshold value of 14.4 dB, as it is necessary for bit error rates smaller 0.01 %, we achieved a maximal eavesdrop- ping distance of 2.4 m at the fundamental wave. In contrast at the 3rd order harmonic we were able to receive signals in as far as 18 m above this threshold. Noticeable are the SNR variations in the region up to 15 m for the measurements in the corridor Fig. 12. Measurement setup in the corridor. The laptop and reader can be seen in the background, in the foreground are the receiving antenna and the reception hardware. 0 5 10 15 20 25 30 10 15 20 25 30 14.4 dB Distance in m SNRBB in dB fund. wave 3rd order harmonic hall, H pol. corridor, V pol. corridor, H pol. Fig. 13. Measured SNR versus antenna-reader distance for the fundamental wave and the 3rd order harmonic. Measurement in the hall using horizontal polarisation and in the corridor for vertical and horizontal polarisation. in both polarisations. We explain this due to interference by multipath propagation of the signal. To rule out problems with only a specific transponder card we additionally conducted some tests with different transpon- der cards but achieved roughly the same results. In our case the radiation of the 3rd harmonic occurred through the USB cable connecting the reader to the laptop. After adding a snap- on ferrite core to the USB cable at the readers side, we were no longer able to receive any usable signal. VII. CONCLUSION Using higher harmonics for eavesdropping has obvious advantages compared to eavesdropping at the fundamental wave. In HF band the noise level decreases with increasing frequencies and the near to far field transistion is getting closer to the antenna. In the far field, the field strength decreases only linearly with distance compared to the inverse of distance to the power of three in the near field. In this paper, we explain how higher order harmonics are generated in a smartcard and how radiation can occur. We conducted measurements at the 3rd order harmonic for a exemplary ISO/IEC 14443 type A communication in different locations and achieved a maximal eavesdropping distance of 18 m. This is much higher than the distances published at the fundamental wave. Table V gives an overview over different published theoretical and experimental eavesdropping distances at the fundamental wave compared to our results. TABLE V. COMPARISON OF OUR RESULTS TO OTHER PUBLICATIONS, : THEORETICAL, ¹: PRACTICAL, : COUPLING? current Publications eavesdropping distance comment Fundamental wave ¹ Finke (2004) [10] 2 m ¹ BSI (2008) [11] 2.3 m reading ID ¹ Hanke (2008) [12] 1–3 m (different locations) reading ID ¹ Novotny (2008) [13] 8–15 m (different cards) reading ID  NXP (2007) [9] 2.4–38.6 m (different locations) BER < 0.1 %  Pfeiffer (2012) [4] 2.1–7.7 m (different locations) BER < 0.01 % ¹ Our results 2.2–2.4 m (different locations) BER < 0.01 % 3rd order harmonic ¹ Our results 18 m BER < 0.01 % Comparing the experimental studies, only the results of [13] with up to 15 m are close to our results at the 3rd harmonic. All other measurements - our own included - show maximum eavesdropping ranges between 1 m and 3 m at the fundamental wave. Therefore, we assume coupling effects (e.g. in wires) as reason for the excessive range of [13]. The phenomenon of coupling effects at the fundamental wave are mentioned in [14]. In contrast to the fundamental wave, there is no system antenna at the higher harmonics frequency. Therefore radiation is only possible if coupling to surrounding metal objects (e.g. cables, wires) which act as antennas occur. In our measurements, the USB cable between reader and laptop acted as antenna. The intensity of radiation depended on the location of the transponder on the reader. The best results could be achieved with an eccentrically position on the reader. By using a simple snap-on ferrite at the reader’s side of the USB cable a sufficient suppression of the radiation could be achieved. To avoid possible eavesdropping attacks with high ranges at higher harmonics, measures are needed to minimise har- monic generation or at least to prevent coupling to possible surrounding metal objects which can act as antennas. Typically bridge rectifiers are used in transponders to provide the power supply. At the input of these rectifiers, odd harmonics are generated and directly transformed in a magnetic field at the transponder coil. Therefore, there is a large risk that the magnetic field of the higher harmonics couples through the reader circuit to a surrounding "antenna" where the energy is transfered into the far field. The harmonic generation has to be suppressed at the bridge rectifier of the transponder card. At the reader’s side, the RF path to a surrounding "antenna" can be interrupted. This can be achieved, for example, by ferrite based isolators at connected cables or harmonic filters at critical spots in the reader circuit. In critical cases, on-side spectrum measurements might be useful as coupling strongly depends on the surrounding. REFERENCES [1] K. Finkenzeller, F. Pfeiffer, and E. Biebl, “Range extension of an ISO/IEC 14443 type A RFID system with actively emulating load modulation,” RFID SysTech 2011; 7th European Workshop on Smart Objects: Systems, Technologies and Applications; Proceedings of, pp. 1–10, may 2011. [2] I. Kirschenbaum and A. Wool, “How to build a low-cost, extended- range RFID skimmer,” in 15th Usenix Security Symposium, 2006, pp. 43–57. [3] K. Finkenzeller, RFID-Handbuch, 6th ed. München: Hanser, 2012, http://rfid-handbook.com. [4] F. Pfeiffer, K. Finkenzeller, and E. Biebl, “Theoretical limits of ISO/IEC 14443 type A RFID eavesdropping attacks,” in Smart SysTech 2012 - European Conference on Smart Objects, Systems and Technologies, 2012. [5] European Radiocommunications Committee (ERC), “Propagation model and interference range calculation for inductive systems 10 kHz – 30 MHz,” ERC report 69, 1999. [6] C. Bianchi and A. Meloni, “Natural and man-made terrestrial electro- magnetic noise: an outlook,” Annals of Geophysics, vol. 50, no. 3, June 2007. [7] D. M. Pozar, Microwave and RF Design of Wireless Systems. New York [u.a.]: Wiley, 2001. [8] “ISO/IEC 14443-4:2008 (2nd edition). identification cards - contactless integrated circuit(s) cards - proximity cards, part 4: Transmission protocol,” 2008. [9] “Application note AN200701: ISO/IEC 14443 eavesdropping and acti- vation distance,” NXP, 2007. [10] T. Finke and H. Kelter, “Radio frequency identification (RFID) – Abhör- möglichkeiten der Kommunikation zwischen Lesegerät und Transpon- der am Beispiel eines ISO 14443-Systems,” Bundesamt für Sicherheit in der Informationstechnik, 2004. [11] “Messung der Abstrahleigenschaften von RFID-Systemen (MARS), Teilbericht 1,” Bundesamt für Sicherheit in der Informationstechnik, 2008. [12] G. Hancke, “Eavesdropping attacks on high-frequency RFID tokens,” in 4th Workshop on RFID Security (RFIDSec), 2008. [13] D. Novotny, J. Guerrieri, M. Francis, and K. Remley, “HF RFID electromagnetic emissions and performance,” in Electromagnetic Com- patibility, 2008. EMC 2008. IEEE International Symposium on, aug. 2008, pp. 1–7. [14] P.-H. Thevenon, O. Savry, S. Tedjini, and R. Malherbi-Martins, “Attacks on the HF physical layer of contactless and RFID systems,” in Current Trends and Challenges in RFID. Cornel Turcu (Ed.), 2011. ABOUT THE AUTHORS Maximilian Engelhardt was born in Karlsruhe, Germany, in 1986. He is currently studying electrical engineering at the Technische Universität München, Munich, Germany. In 2012 he wrote his Bachelor Thesis at the Fachgebiet Höchstfrequenztechnik. He is now working towards completing his Diploma degree. Florian Pfeiffer was born in Starnberg, Germany, in 1976. He received the Dipl.- Wirtsch.-Ing. (FH) degree in industrial engineering from the Fachhochschule München, Munich, Germany, in 2001, the Dipl.-Ing. and Dr.-Ing. degrees in electrical engineering from the Technische Universität München, Munich, Germany, in 2005 and 2010, respectively. In 2009, together with Erwin M. Biebl, he founded an engineering company for high frequency electronics (perisens GmbH), where he is chief executive. Klaus Finkenzeller was born in Ingolstadt, Germany in 1962. He received his Dipl.-Ing. (FH) degree in electrical engineering from the Munich University of Applied Sciences (FH), Munich Germany. In 1989 he joined Giesecke & Devrient. Since 1994 he has been involved in the development of contactless smart cards and RIFD sys- tems. He is currently work- ing as a technology consultant for RFID/security, where he is involved in basic development and innovation projects. Since 1994 he has been engaged in the standardisation of contactless smartcards and RFID Systems (DIN NI 17.8, NI 31.4, SC17/WG8), where he has been vice chair of the German DIN NI 17.8 (ISO/IEC 14443) for more than 10 years now. Up to now he has published more than 130 individual patent applications, mainly in the RFID field of technology. In 1998 he published the RFID handbook, which now is available in its 6th edition and in 7 different languages. In 2008 Klaus Finkenzeller received the Fraunhofer SIT smartcard price for his work on RFID, especially the RFID handbook. Erwin M. Biebl was born in Munich, Germany, in 1959. He received the Dipl.-Ing., Dr.- Ing., and Habilitation degrees from the Technische Universität München, Munich, Germany, in 1986, 1990, and 1993, respec- tively. In 1986, he joined Ro- hde & Schwarz, Munich, Ger- many, where he was involved in the development of mobile ra- dio communication test sets. In 1988, he was with the Lehrstuhl für Hochfrequenztechnik, Tech- nische Universität München. In 1998, he became a Pro- fessor and Head of the Optical and Quasi-Optical Systems Group. Since 1999, he has been Head of the Fachgebiet Höchstfrequenztechnik, Technische Universität München. He has been engaged in research on optical communications, integrated optics, and computational electromagnetics. His current interests include quasi-optical measurement techniques, design and characterization of microwave and millimeter-wave devices and components, sensor and communication systems, and cooperative approaches to sensor and communication systems and networks. Dr. Biebl is a member of the Informa- tionstechnische Gesellschaft (ITG) in the Verband Deutscher Elektrotechniker (VDE), Germany, a senior member of the IEEE and an appointed member of the commission B of URSI, Germany.