Wireless Interception Distance Records

Don’t believe wireless distance limitations. Again and again they’re proven wrong.

At DefCon earlier this month, a group was able to set up an unamplified 802.11 network at a distance of 124.9 miles.

The record holders relied on more than just a pair of wireless laptops. The equipment required for the feat, according to the event website, included a “collection of homemade antennas, surplus 12 foot satellite dishes, home-welded support structures, scaffolds, ropes and computers”.

Bad news for those of us who rely on physical distance to secure our wireless networks.

Even more important, the world record for communicating with a passive RFID device was set at 69 feet. (Pictures here.) Remember that the next time someone tells you that it’s impossible to read RFID identity cards at a distance.

Whenever you hear a manufacturer talk about a distance limitation for any wireless technology—wireless LANs, RFID, Bluetooth, anything—assume he’s wrong. If he’s not wrong today, he will be in a couple of years. Assume that someone who spends some money and effort building more sensitive technology can do much better, and that it will take less money and effort over the years. Technology always gets better; it never gets worse. If something is difficult and expensive now, it will get easier and cheaper in the future.

Tags: , , , , ,

Posted on August 8, 2005 at 1:37 PM35 Comments

Comments

RvnPhnx August 8, 2005 3:12 PM

Being one of the amateur radio operators of the world I can say flat out that distance limitations have mostly to do with antennas and propagation conditions. A decent antenna can outdo a more sensitive receiver any day–it is easier to use a 3dB gain antenna than an amplifier or to make more sensitive circuitry (part of why the antenna was supposed to be part of the system to restrict an 802.11a/b/g connection to a limited region). I’ve heard of 200mW “connections” between ME and TX (on HF) before–if that says anything to those not well educated in the ways of RF.

Bob Dobolina August 8, 2005 3:32 PM

Being one of those “not well educated” maybe you can tell me something…

What effect should terrain have on distance? One of the applications we are developing using WiFi is restricted by terrain in mountainous regions. For physical security reasons, we can’t use repeaters. Simply boosting the power will not help, correct?

MattD August 8, 2005 4:13 PM

Antenna notwithstanding, why can’t I even get a decent signal from one room in my apartment to another? Do building materials have that much of an effect on signal strength?

mark August 8, 2005 4:38 PM

And what kind of blocking actually works for RFID? Should I be shopping for a lead wallet?

rjh August 8, 2005 5:01 PM

For routine easy protection, use static shield bags. They can be old and used, but avoid any with significant cuts or creases. Just put your RFID inside and fold over the opening.

This is not perfect, but it will add another 10-30db of loss. It’s enough to make a big difference in readability without significant inconvenience in use or expense in acquisition. For most purposes the bag from an add-on disk drive or card for a PC will be a suitable size.

Metal foil bags are better but they are harder to obtain and easier to damage.

Chris August 8, 2005 5:12 PM

Blocking RFID depends on the features of the system, including what antennas it is using, and what frequency it operates at.

Although not an all-round solution, here is my starting point – a shield for the car key RFID tags…

http://blog.mutatron.com/000035.html

As the frequency goes up, you will need more shielding. The good news for passive tag shielding is that shields work “twice as well”, forcing anyone trying to work through it to both generate higher powers to transmit in through the shield, and read even smaller return signals mostly blocked by the shield.

If you have a card and a reader, you are in a good position to experiment. Perhaps a simple foil lining for your exisiting wallet will be sufficient.

On a different topic – I’m curious that nobody has experimented with the power levels / gear needed to burn out an RFID tag. This could constitute an unusual DoS attack, particularly if you have a clustered population of users that depends on the RFID system.

rjh August 8, 2005 5:13 PM

On weather: at the frequencies and distances for normal RFID the attenuation from weather should be insignificant. (It might begin to matter for active RFID.) On the other hand, antenna flaws and shorts from wet antennas, multi-path reflection, etc. might happen. These are too complex to answer without real situations to analyze.

On terrain: the 802.11 frequencies (2.5Ghz and 5Ghz) are primarily line of sight. They do not reflect off the ionosphere like HF. They do not have a ground wave component. They do difract a little around barriers, but not much. They do reflect off metal reflectors and the like, but that probably doesn’t help with use in mountains. They are attenuated by rain and slightly by fog. Losses are up to a few db per kilometer of rain. They penetrate wood and most dry non-conducting materials adequately for their purpose as office networks. Conducting metal structures confuse everything with absorption, retransmission, and multi-path reflections.

Davi Ottenheimer August 8, 2005 5:39 PM

Here’s a look at the equipment used to set the record:
http://www.wifi-shootout.com/

Terrain is a major obstacle. The team said they believed their setup could theoretically reach 300 miles but they were limited by line-of-sight (fresnel zone) issues.

http://www.wired.com/news/wireless/0,1382,68395,00.html

“‘We tried to do a shot from where we were,’ Corrado said. ‘But our (topographic) map said we couldn’t do it, and (it was) right.'”

Interference is also a problem, which is perhaps why the tests are always done in areas unlikely to have any other signals in the way, such as between two remote desert mountain tops:
http://a1112.g.akamai.net/7/1112/492/2002091473/www.wired.com/news/images/full/mtn-top_f.jpg

In terms of weather, you might experience weird ducts/reflections in the fresnel zone from heat and moisture. For example, hot surfaces can distort radio waves in a manner similar to light waves and water absorbs waves in the 2.4 GHz band (ala microwave ovens). And that’s not to mention that 802.11 devices themselves have some basic temperature and moisture limitations.

Joe VK4TU August 8, 2005 6:26 PM

802.11b/g is 2.4GHz which I seem to remember is close to the resonant frequency of water molecules (that’s how microwave ovens work). Rain scatter is a significant problem at higher frequencies as is any water vapour – so a humid day will have a higher path loss than a very dry day. The received signal is Tx power + Tx ant gain + Rx ant gain – path loss -feedline loss (coax). If the received signal is below the minimum discernable signal (mds) level at the receiver you can’t demodulate (decode) it. The MDS can also be affected by noise (interference) either generated by man made devices or from outer space (solar radiation, etc). Any active device in the signal path will increase the noise as well as the signal, and so the 2 easiest places to increase the received signal are the antenna(s|e) and the feed line. A higher gain (more directional) antenna reduces the path loss by aiming the signal in one direction in the same way as a reflector in a car headlight. Better coax ( or wave guide) reduces the losses between the antenna and transceiver.
Other questions;
1) At these frequencies signals are line of sight so beaming over a mountain is not going to work. High power will get some scatter off objects in the atmosphere but power levels would have to be VERY high and received signals very weak.
2) Building materials can have a huge effect on microwaves. Silver foil heat insulation would be the worst offenders along with corrugated iron (although I can testify that 3ft of granite, blocks signals too). Wet wood would also be bad and concrete (especially reinforced) whereas dry lining (plasterboard) shouldn’t have too much effect.

Stephen August 8, 2005 9:08 PM

“Technology always gets better; it never gets worse.”

My Model M keyboard begs to differ.

Bob Dobolina August 8, 2005 9:48 PM

I appreciate the info re: terrain and weather. The next time some yahoo tells me he can give me WiFi coverage in across the mountains of Montana without a repeater, I’ll be armed with the knowledge to prove that he’s up in the night.

We’ve been able to go for good distances in relatively flat land (nowhere near the record) – but as you mentioned, line of sight is the name of the game.

Stu Savory August 8, 2005 10:46 PM

“the resonant frequency of water molecules (that’s how microwave ovens work).”

THAT is an urban legend AFAIK.
IT’s just regular molecular vibration, water not needed.

Ben August 8, 2005 11:44 PM

@Stu Savory

“A microwave oven works by passing microwave radiation, usually at a frequency of 2450 MHz (a wavelength of 12.24 cm), through the food. Water, fat, and sugar molecules in the food absorb energy from the microwave beam in a process called dielectric heating. Most molecules are electric dipoles, meaning that they have a positive charge at one end and a negative charge at the other, and is therefore twisted to and fro as it tries to align itself with the alternating electric field induced by the microwave beam. This molecular movement creates heat. Microwave heating is most efficient on liquid water, and much less so on fats, sugars, and frozen water. Microwave heating is sometimes incorrectly explained as resonance of water molecules, but this occurs only at much higher frequencies, in the tens of gigahertz.”

From http://en.wikipedia.org/wiki/Microwave_oven

(Water isn’t necessary, but something that forms a dipole is…)

ECMpuke August 9, 2005 8:35 AM

RFID tags come is self-powered and externally-powered flavors. Making conclusions about RFID range is stupid if you don’t know what kind you are dealing with. An EZpass is self-powered (with a battery) and it operates at UHF. It isn’t hard to trigger one from a distance. A Mobil SpeedPass is externally-powered and operates at 145 kiloHertz. I defy you to trigger one from more than a few inches.
All this crap about RFID is just that…

ECMpuke August 9, 2005 1:27 PM

For those interested in science rather than conjecture, baloney and the like, here are a few facts:
The wavelength corresponding to 2.4 GHz is about 4.5 inches…Therefore a dipole is in the order of a couple of inches in length. That’s a lot bigger than
a water molecule.
The major absorption lines in the microwave spectrum are around 26 GHz and 60 GHz, corresponding to the water vapor line and the oxygen absorption line.
Absorption at 2.4 GHz is negligible.
Most of the older satellite links are in the S-band (2-3 GHz) region. If there were a lot of absorption, they wouldn’t be there, would they?
As to range of radio waves, nothing is going to beat the laws fo physics. Read and absorb the basics here:
https://ewhdbks.mugu.navy.mil/one-way.htm

Former Military Microwave Jock August 9, 2005 2:50 PM

Over the horizion microwave is a doable do, but you gotta have a bit of muscle:

Start with Google for:

microwave troposcatter

Then find Comtech Telecommunications Corp.

http://www.comtechsystems.com/pr.htm

Then, the press release:

Comtech Telecommunications Corp. Receives Contract to Provide AN/TRC-170 Troposcatter Modem Upgrade Kits to the U.S. Military

Then Google for

AN/TRC-170 specifications

Then read about it.

As you’ll see:

“These digital radio terminals have been designed for tactical field operation and provide line of sight, diffraction and tropospheric scatter multichannel communication links up to 250 km long.

The V2 version of the AN/TRC-170(V) is mounted in an S-280 shelter, is quadruple diversity (space and frequency), uses two 2.9 m parabolic antennas and two 2 kW power amplifiers and operates in the band 4.4 to 5 GHz.

“The V3 version is mounted in an S-250 shelter, is dual diversity (space), uses dual 1.8 m parabolic antennas and a single 2 kW power amplifier. The V3 also operates in the 4.4 to 5 GHz band.

“Each terminal includes dual antennas for space diversity operation, radio, multiplex equipment and order-wire/service channel capabilities. Both versions meet full military specifications for tactical deployment. They may be shipped by military or commercial transport. The terminals are shelter mounted, can be operated on their transport vehicles and site preparation is generally not necessary. Emplacement or march-order pack-up does not involve special tools, and the time required for set up ranges from 1 to 5 hours. High wind and lightning protection kits can be supplied. Heating and cooling of the equipment is independent of environmental control of the personnel area and permits system operation over the full range of climatic conditions likely to be encountered in worldwide deployment.

“The AN/TRC-170(V) was originally designed to operate with the US Department of Defense Tri-Tac multiplex. A multiplex conversion appliqué has been developed so that the equipment will also operate with NATO, EUROCOM, CEPT 30+2 PCM and North American DSI PCM at various data rates. …”

Etc, etc, etc…

OK, OK, this is 2KW per antenna. Still, would be interesting to see what could be done with 802.11b/g using similar techniques, sans the power of course.

The WiFi record set is building on interesting stuff that many practice (plus, of course, the team’s wonderful work!):

Google for

100 milliwatt club microwave

as a start.

Former Military Microwave Jock August 9, 2005 2:53 PM

I tend to believe things that “ECMpukes” say about what is doable and what is not – at least, I think that they have the experience, gear, motivation, funding, and franchise that most of us lack in the realm of “signals”…

Martin August 9, 2005 3:07 PM

Troposcatter is pretty inefficient. The main advantage is that the scattering centers are always there. Hams have found that aiming at mutually visible thunderstorms can be much more effective over 100s of km — but you need the storm to be there. People also use aurora and meteor trails for long distance scattering.

These communications are of pretty low quality for data. There is lots of multipath, which is bad news for wideband data.

ECMpuke August 9, 2005 6:16 PM

Troposcatter is, as correctly stated, very inefficient, but pretty reliable. You will need loads of power to make an acceptable link work.
You can propagate WiFi over the horizon using meteor scatter…but you had better hurry…the Perseids meteor shower happens on August 12…early.
There are lots of anomalous propagation modes for microwaves including tropospheric ducting, scatter, meteor scatter, e-layer ionospheric propagation, temperature-inversion effects…. Most of them were explored in 1943-45 by the MIT Radiation Lab and immortalized in the 23-volume RadLab set. They were investigated in an effort to understand some out-of-ordinary behavior of radar.
There really isn’t much about radio propagation that is not already known and exploited.
But you can aways believe in Santa Claus and the Easter Bunny.
Meanwhile, reality will prevail.

Davi Ottenheimer August 10, 2005 3:11 AM

@ ECMpuke

“The major absorption lines in the microwave spectrum are around 26 GHz and 60 GHz, corresponding to the water vapor line and the oxygen absorption line. Absorption at 2.4 GHz is negligible.”

Funny you should say that…I seem to remember something about K Band Radar in WWII (22.24 GHz) running into major interference from moisture. That being said, most people here (myself included) were talking about microwave ovens based on a radio wave frequency of roughly 2450 MHz, which clearly demonstrates that energy is in fact “absorbed” by water, fats and sugars. Or, if you’d prefer, the radio waves agitate the water molecules, which bump into the other molecules, which create heat from friction…and so on.

Vapor/clouds as you point out are a different story, due to low density (especially when compared to metal obstacles). While the vapor won’t absorb as much energy as a giant bowl of soup or huge slice of meatloaf in the sky I think moisture is still a factor to consider if you’re operating at 2.4 GHz.

But don’t take my word for it. Here’s an interesting map of moisture and X to S band microwave energy:
http://metsys.weathersa.co.za/RadarInfo.htm

Paul O August 10, 2005 3:18 AM

I don’t know of any cards which are battery-powered. My understanding is that they make use of the Wiegand effect, or similar (proximity) properties from the realm of physics. The specs from HID offer solutions which can easily be read at 2.5m (8′); extending that to 69 feet under certain conditions is certainly not beyond the realm of the conceivable.

http://www.hidcorp.com/products/wiegand/
http://www.hidcorp.com/pdfs/appnote_4.pdf
http://www.hidcorp.com/pdfs/readrange_chart.pdf

Clive Robinson August 10, 2005 6:37 AM

Just to upset the apple cart, the stuff you should be looking for is on TEMPEST or it’s European equivalent.

Essentially TEMPEST is about bandwidth and energy limiting, a usefull signal will escape you if there is sufficient of either and an appropriate conducting medium to carry it. This applies to all form of energy radiation (sound, gravity) not just RF.

As far as the physics go with RF the limiting factor is the noise floor at your receiver input which is around -174db for a 1 hertz bandwidth. An antenna improves the sensitivity, the feed line decreases it (a bit like trying to focus the sun into a light pipe 😉

NASA for instance receives a signal from Voyager that is around +46dBm from a considerable distance away to quote them,

” The sensitivity of our deep-space tracking antennas located around the world is truly amazing. The antennas must capture Voyager information from a signal so weak that the power striking the antenna is only 10 exponent -16 watts (1 part in 10 quadrillion). A modern-day electronic digital watch operates at a power level 20 billion times greater than this feeble level. ”

Any conducting medium can and will behave as a transmission line providing it is non negligable with respect to the wavelength (about an 1/8th lambda and up). Interestingly all transmission lines also have an upper frequency of operatiion for a desired mode (see stuff on Wave guides and G Wires for more info). If your signal couples into say overhead power lines it might travel thousands of Km without dificulty.

Conductors also act as reflectors and it is well known that when conductors are placed in favourable positions a signal will be focused in a direction (Yagi TV antennas are an example of this).

The atmosphear is a poorly conducting medium at the earths surface and improves with hight, as the preasure dropes it is more easily ionized, and starts to look like a fairly good transmission line (ducting). This is why you get bad telivision interferance at certain times of the year. It also reflects well so can be used as reliable reflector for over the horizon communications (troposcator). Amature radio enthusiasts used to use meteors and the moon to do similar things.

In reality the only effective way of keeping information to yourself is by limiting the bandwidth available below any information you are sending, and then limit the energy as much as possible.

It is netoriously difficult to do either effectivly, which is why the US and UK goverments had TEMPEST knowledge clasified many many years ago. As a method of intelegence gathering it was and still is one of the best.

ECMpuke August 10, 2005 10:04 AM

Attenuation due to water vapor at 2.4 GHz is negligible. That’s simple fact. If it weren’t, all the S-band radars in the world wouldn’t work and none of the S-band satellite systems would either.
Attenuation due to water droplets is a different story. The primary mechanism there is backscatter, and the backscatter begins to increase as the droplet size approaches a large fraction of a wavelength. It’s small at 2.4 GHz, a lot more at 10, more at 15 (in the order of several dB per kilometer at 10 mm/hr rainfall) and really large above that (a brick wall).
The idea that a microwave oven transfers energy because of water interaction is correct…except it’s a pretty inefficient process. A typical oven generates about a kilowatt, and a very small amount of that is absorbed by the target.

Regarding sensitivity and antennas…antennas do not increase sensitivity. They only capture electromagnetic waves. The noise seen by a receiver attached to an antenna depends on where the antenna is pointed.
174 dBm per Hz is true of an earth environment (at 300 degrees Kelvin), but an antenna pointed at deep space can see a temperature significantly lower than 300 degrees K (assuming the sidelobes are sufficiently attenuated). Therefore, if a receiver is designed to be sufficiently quiet (sometimes requiring components to be cooled well below 300K) it’s possible to see signals well below a noise density of -174 dBm/Hz…but only if they are immersed in a low-noise background…something we do not have on the earth.
Radio telescopes essentially map thermal noise. Grote Reber discovered that back in the 30s when he more or less inadvertently invented the radio telescope.

ECMpuke August 10, 2005 10:25 AM

Paul O.

The EZ Pass transponder contains a battery. There are millions of them in the northeast today.

Lots of others do, too.

Many (like the Mobil speedPass) are powered by absorbing energy from the interrogator. The smaller they are, the more the interrogator energy density has to be for them to work (usually meaning closer).

They work in a few major frequency ranges…typically around 150 kHz, 13 MHz and some (like EZPass) up in the UHF region.

Interrogators are quite complex. They use space and polarization diversity to assure a “hit” in a short time regardless of the location and orientation of the target. FCC limits interrogation power, although that does not apply inside a building where the interrogation signal is prevented from radiating outside.

In any case, it is a simple matter to detect an interrogator at a distance well beyond that at which a chip will be activated. An interrogator detector can easily be embedded into a cell phone.
With the right smarts, an interrogator can be located as well as detected.

Major RFID chip manufacturers include TI, NEC and Fujitsu.

daajaa August 14, 2005 5:43 AM

ECMpuke> The wavelength corresponding to 2.4 GHz is about 4.5 inches…Therefore a dipole is in the
ECMpuke> order of a couple of inches in length. That’s a lot bigger than
ECMpuke> a water molecule.

In a microwave oven, each water molecule is surrounded by an oscillating electical field. Due to polar properties, the field acts as a force term on the movement. The resonance frequency of this forced oscillatory movement is at 2.4 Gz.
Hence it is not the wavelength but the period of oscillation in time which matters.

ECMpuke> A Mobil SpeedPass is externally-powered and operates at 145 kiloHertz. I defy you to trigger
ECMpuke> one from more than a few inches.
ECMpuke> All this crap about RFID is just that…

Have you heard of directionnal interogator, which only works at a specific angle, but with higher gain ? It would work a lot farther “than a few inches”.

Former Military Microwave Jock> I tend to believe things that “ECMpukes” say about what is doable and what is not […]

You have better read all opinions. [and sorry for my english]

daajaa August 14, 2005 5:59 AM

The scattering problems (mountains, reinforced concrete walls) is a problem for directional and oomnidirectional antennas. But, given the emission point, the recieving point, the walls and the mountains, it is possible to construct a special antenna which works only for this case, BUT which works greats. It is a sort of deconvolution.
Mail me, and I will add here a reference to an article of journal IEEE Transactions in Antennas and propagation.

Note that this special antenna would not cope with moving scattering problems (bag from an add-on disk drive, or weather).

daajaa August 14, 2005 6:04 AM

I think that, in a matter of months, it would be possible to intercept the signal of a monitor from miles, given the monitor is in a room with a window. Think now this room belongs to a secret service.

[My e-mail is daajaa@gmail.com.]

JonETC August 12, 2007 1:00 PM

Looking for EMCPuke….I’d like to know if there is a way to block the signal of an ezpass unit. Basically, I want to turn it and off. Also, does metal increase the antenna or decrease.

Anonymous November 25, 2007 3:33 AM

I am trying to find out the distance limitation of network connections (or please confirm the following):
Thinnet coaxial: 200m (before needing a repeater)
Thicknet coaxial: 500m (before needing a repeater)
Fibre-optics: The only limitations on distance are the size of the optical mux and the power of the laser. General applications optical fibres can be 10 times longer, than metallic cables – like copper, before requiring a repeater and it is not unusual for optical systems to go over 100km.
Wireless:
WPAN: 10m (without amplification)
WLAN: 10kms (without amp)
WWAN: 60kms (without repeater)

CHUCK April 16, 2008 5:57 PM

CAN YOU TELL ME WHAT THE LAWS SAY ABOUT ANT.LOCATION
I LIVE IN A CONDO THEY SAY NO ANT.
BUT I UNDEERSTAND IF I OWN THE PROPERTY AROUND THE CONDO I CAN PUT UP A ANT.
WHAT DO YOU SAY?

WHT September 24, 2009 1:50 AM

Quoting…
“CAN YOU TELL ME WHAT THE LAWS SAY ABOUT ANT.LOCATION
I LIVE IN A CONDO THEY SAY NO ANT.
BUT I UNDEERSTAND IF I OWN THE PROPERTY AROUND THE CONDO I CAN PUT UP A ANT.
WHAT DO YOU SAY?

The FCC says there cannot be any restrictions.
http://www.fcc.gov/mb/facts/otard.html

However there are several other ways you can be restricted. The National Electric Code recommendations are almost always codified into local ordinances (electrical codes) and those recommendations become law. There are several requirements about running ground wires, and a property owner can restrict you from running such wires if they compromise the building or structure’s integrity.

some body October 11, 2011 6:42 AM

will standing in front of an open microwave oven (2450) burn out a Implanted Rectifier rfid diode? if so how long and how close would that exposure needto be. also would the waves be life threatening?

Clive Robinson October 11, 2011 10:17 AM

@ Some Body,

“will standing in front of an open microwave oven(2450) burn out a Implanted Rectifier rfid diode”

Irespective of if it is implanted or not there are two main modes of failure that will kill a diode. The first is two large a forward current, the second is to large a reverse voltage. As with ordinary axial diodes you are looking at a minimum of 500mA or 300V you are looking at significalt EM levels. However these levels normaly only need to be maintained for very short periods of time.

But 2.5GHz does not penetrate very far into flesh so it would be easier and safer to use a scalpel and cut out an embeded RFID.

some body October 11, 2011 7:52 PM

@clive

thank you for the quick response.

let me ask you another question.
other then cutting what would you suggest as the poor mans method of burning out one of these implanted diodes? is there easily accessible equipment that will generate large a reverse voltage or large a forward current that would penetrate as far as the center of a human body?

Give me a hypothetical set of instructions, like “go stand next to a broadcast tower for five minutes” or something like that.

also, what is the maximum range a rf diode could be powered by a Horizontal antenna hidden in the length of a flatbed trailer?

will hf focused radio waves cause a tingling sensation on the skin?

last question, can standard electrical wiring in a home be used as a hf antenna? if so, would a standard am/fm radio be able to pick up the pulse?

I am not very educated on the subject matter and appoliogize for any blatant ignorance posed in my questions, more concerned with practical application then technical details.

Thank you very much for your time and expertise. Information on this technology is not so easy to come by.

Thanks again.
Some Body

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.