ISSA The Global ISSA Journal | February 2007
RFID Security Concerns
By Michael Grimaila
Radio Frequency Identification (RFID) technologies have garnered significant interest due to
the benefits RFID can provide across a wide variety of applications.
Radio Frequency Identification (RFID) technologies have garnered significant interest due to the benefits RFID can provide across a wide variety of applications. Large organizations, such as the Department of Defense (DoD) and Walmart, have embraced RFID technologies and proven their value in improving inventory control. Chances are that at some point in the future, your organization will consider deploying RFID technology in some form. However, before implementing any technology, one needs to be aware of the implications and consequences of using the technology. In this article, RFID technology is introduced, a brief history of the evolution of RFID applications is presented, and security concerns and countermeasures when using RFID technologies are examined.

Figure 1 – Components of a typical RFID system implementation. (Diagram: a tag with system memory; query / write / power signals between the tag and the reader's antenna and transceiver; the reader connected through a controller and LAN to a host computer and DB server.)

What is RFID?

Radio Frequency Identification (RFID) is a technology used to identify, categorize, and track physical items. An RFID system typically consists of RFID interrogators (hereafter called readers), RFID tags (hereafter called tags), and an information system. The reader contains the antennas and electronics necessary to communicate with the tags and is responsible for initiating a read operation by transmitting a message to all tags. All tags within range of the reader respond with their individual identification number and possibly other data contained within the tag. The reader passes the information collected from the tags to the information system, where it is collected, processed, and transformed into knowledge based upon the specific application.

RFID readers can be either fixed or mobile. Fixed readers are used when tags are known to pass within range of the reader. Examples include toll booths, warehouses, point of sale, checkout stands, and other choke points. Mobile readers are usually hand-held devices used for inventory control applications, requiring the reader to be frequently moved.

RFID tags can be attached or embedded into anything of value. For example, tags have been placed in shipping pallets and cases, and in individual items ranging from apparel, automobiles, books, electronic devices, livestock, and luggage to human beings. Tags are available in a variety of configurations and vary in cost, size, speed, and storage capacity based upon the intended application.

Since RFID uses radio waves to transfer data between the reader and tags, it does not require physical contact or line-of-sight between the reader and the tag. This is an enormous benefit over competing technologies such as bar codes in that an RFID system can operate in environmental conditions that present physical barriers (e.g., boxes, containers, wrapping paper) and optical barriers (e.g., rain, fog,
RFID Security Concerns | Michael Grimaila ISSA Journal | February 2007

paint, dirt) between the reader and the tag. For these reasons, RFID has become increasingly popular in a large number of data collection and identification applications.

Figure 2 – A handheld RFID reader. Figure 3 – A stationary RFID reader. Figure 4 – A passive RFID tag used in retail DVD cases for loss prevention. Figure 5 – A syringe and RFID tag for injecting humans.

A brief RFID history lesson

Contrary to popular belief, RFID is not a new technology. The first recorded use of RFID has been attributed to the German military during World War II. Specifically, the German military had been exploring the use of RAdio Detection And Ranging (RADAR) to track distant aircraft. Radar operators soon encountered a problem: it was not possible to discriminate whether the blips on their radar screens were friendly aircraft returning from a mission or enemy bombers seeking to destroy their cities and factories. This dilemma was solved when it was discovered that by moving the wings of their aircraft up and down – known as a roll maneuver – the reflected radar signal changed in a unique, distinguishable manner. By equipping friendly aircraft with a means to detect when they entered radar range, the pilot would initiate the roll maneuver, enabling the radar operator to recognize the aircraft as friendly. While this was a very crude passive RFID implementation, it proved very effective and allowed German radar operators to dispatch their fighter interceptor aircraft only when they detected non-German aircraft. This passive system did not require any power source for the German aircraft to signal the radar operators. It is interesting to note that this first recorded use of RFID was for a military security application.

British pilots soon began to notice that German aircraft occasionally exhibited the unusual behavior of simultaneously conducting a roll maneuver. The fact that the German aircraft acted in synchronization led British military analysts to question why this was occurring. After studying this behavior, British analysts detected a coded signal transmitted from the ground that always preceded the maneuver. The analysts determined that the German pilots were signaling to the radar operators that they were German aircraft.

Once the British learned of this application, they established a secret project in order to develop their own automated system. The goal of the project was to provide their radar operators with the capability of discriminating between friendly and unfriendly aircraft without requiring any pilot action. This project resulted in the development of the Identify Friend or Foe (IFF) active RFID system. The IFF system requires that each friendly aircraft be equipped with a powered transmitter and receiver pair, known collectively in this application as a transponder. The IFF system was designed so that it can either continuously transmit an identification signal or broadcast the signal only in response to a coded signal sent from a ground station. The IFF system is now standard equipment for all civilian and military aircraft. It is classified as an active system because it requires a powered transmitter in the aircraft to send signals back to the ground station.

Commercial applications of RFID technology

Commercial use of RFID technology began in the 1960s with the introduction of the Electronic Article Surveillance (EAS) system. At the core of the EAS system is a small, inexpensive, passive, one-bit RFID tag. When the tag is passed in proximity to an active EAS monitor, the tag responds with a coded signal, indicating the presence of the tag. The EAS system was designed as an inexpensive means to detect theft. When legitimately purchased, the tag attached to merchandise is disabled, allowing the item to pass by the EAS monitor without responding. An obvious shortcoming is that the tag can be removed from the merchandise and the item stolen without the EAS system detecting it. Despite this limitation, EAS has proven to be very effective and is the first and most widespread commercial use of RFID technology.

The 1970s was a period of development for several new RFID applications. Significant system developments during this time included animal tracking, factory automation, and vehicle tracking.

In the 1980s, application domains continued to expand but varied somewhat by geographic location. In the United States, development was focused primarily upon transportation and personal identification applications, while in Europe the focus was upon short range systems for animal tracking, business, and industrial applications. Also, the first RFID toll collection systems entered operation in the United States and Norway.

The 1990s ushered in the widespread deployment of RFID across a large number of applications including automobile alarms, fuel dispensing systems, gaming checks, remote vehicle starting systems, ski lift passes, and vehicle access systems. During this decade, virtually all toll roads in the United States were equipped to allow toll collection using RFID systems. Standardization of RFID systems for toll collection allowed a single RFID tag to operate on multiple toll roads. By 1999, a group of manufacturers proposed a set of standards that would help ensure product interoperability and help drive down cost.

In 2004, the Department of Defense announced a requirement that all of their suppliers would soon be required to use RFID tags for tracking of purchased items¹. RFID inventory control applications have yielded enormous benefits in logistics. A number of organizations are pilot-testing new RFID applications before mass deployment.

¹ Feder, B. J. (2006). Out of consumers’ sight, radio tags gain ground. Retrieved April 4, 2006 from http://www.nytimes.com/2006/04/04/technology/techspecial4/05radio.html?_r=1
In 2005, Wal-Mart ran a pilot study using RFID tags in all its Texas distribution centers to track more than ten million cases of goods. The success of these tests led Wal-Mart to double the number of its own stores using RFID – over 1,000 by January of 2007. Over 1,800 RFID related patents had been issued by the US Patent Office, and more RFID related patent applications are being filed each year.

RFID security concerns

The proliferation of the use of RFID technology incurs some security risk. In this section, the potential security concerns that may occur when using RFID technologies are examined; examples of RFID applications that are particularly vulnerable are presented; and potential countermeasures that can be used to mitigate the threats are enumerated. It should be noted that the focus is on the security concerns, and not the privacy concerns, of RFID technology.

The architecture of any system using RFID technology is the most important determinant of overall system security. Failing to properly secure the underlying computers, middleware, and application code can undermine all the benefits of RFID. One weakness typically found in RFID systems is the lack of strong encryption protecting the content of the messages passed between reader and tag. Even if the design of the overall system architecture is secure, RFID still has inherent vulnerabilities to eavesdropping, interruption (e.g., jamming), and fabrication (e.g., man-in-the-middle attacks).

The major threats to an RFID system can be divided into four general categories: Sniffing, Spoofing, Replay, and Denial of Service attacks. These categories are not mutually exclusive. The attacks are presented in order of sophistication to provide the background necessary to understand each successive type of attack. Figure 6 shows a readily available hobbyist device that can be used to perpetrate many of these attacks.

Figure 6 – A readily available hobbyist device.

Sniffing attacks

Sniffing attacks represent one of the greatest threats to an RFID system. Sniffing attacks are not unique to RFID technology – every wireless communication medium suffers from this vulnerability. Any antenna within range of the transmission can intercept communications between an RFID tag and reader. The frequency bands used by standard RFID systems are public knowledge and can be easily obtained on the Internet. Non-standard systems using proprietary frequency bands can easily be characterized by a skilled person using a spectrum analyzer. In either case, it is easy to obtain or build equipment to detect and store these transmissions. Further, such equipment no longer requires a large physical space or large power source, as can be seen with the evolution of cellular telephones. One can easily hide a receiver on their person and capture transmissions between a tag and a reader without the consent or knowledge of the tag holder. While other wireless communication systems can employ encryption to defeat the possibility of such an attack, the limited power and processing capabilities of existing RFID tags often eliminate this as a viable option. Recent advancements in technology, however, are enhancing tag capabilities, such as read-write capability, increased computational power, longer battery life, and larger memory storage. These enhancements do significantly increase the tag cost – when compared to simple, mass manufactured tags – and can only be used in special cases when the additional cost can be

A sniffing attack can be characterized as either passive or active. A passive attack requires only a radio receiver tuned to the frequency band of interest and the ability of the attacker to get within proximity of the tag when it communicates with the reader. The passive sniffer can not only collect data transmitted by a tag but can also capture the coded message transmitted by the reader to query the tag. An active sniffing attack is more sophisticated. It requires both a transmitter and a receiver tuned to the frequency band of interest, as well as the knowledge of how a legitimate reader queries a tag. In the active attack, the attacker does not need to be in proximity of a legitimate reader. One can locate their illegitimate reader anywhere there may be RFID tags. In this case, the attacking reader sends a special coded message and all tags tuned to that frequency within range of the receiver respond with their data.

Sniffing attacks compromise the confidentiality of the data transmitted from the tag to the reader and can undermine the integrity of the whole RFID system by revealing details of the encoding scheme used to query tags. Sniffing is usually not a significant threat in retail inventory control where a simple single bit tag is used to indicate the presence or absence of an item. However, other applications that use tags to uniquely identify individuals or items can be exploited in a variety of ways: a terrorist could place a bomb containing an illegitimate reader that detonates when a specific RFID enhanced passport or vehicle with an RFID enhanced license plate comes within proximity²; movement of a specific tag over time could be tracked with illegitimate readers placed in various locations.

One countermeasure to the sniffing attack places the tag in a shielded enclosure when not in use, preventing information leakage to unauthorized readers. The shielded enclosure acts as a Faraday cage which effectively blocks all electromagnetic radiation into and out of the enclosure. Such a protection mechanism prevents a hidden reader from querying the tag and blocks all tag emissions, rendering the sniffing attack ineffective. While this countermeasure is effective, it is not feasible if the tag must always be available for legitimate queries.

Spoofing attacks

Spoofing attacks program blank tags with the correct encoded data so they appear legitimate. The information required to perpetrate this attack can easily be gathered as discussed in the previous section. This type of attack could be used to retag items in a point of sale application where RFID tags are used to uniquely identify the product and its cost. For example, in an RFID enhanced supermarket one could remove the tag applied to a frozen lobster and retag

² Juels, A. (2006). RFID security and privacy: A research survey. Selected Areas in Communications, IEEE Journal on, 24(2), 381-394.
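The read cycle described under "What is RFID?" and the passive sniffing attack above, as an added Python model (not code from the article or from any RFID product): a shared "air" medium on which a reader broadcasts a query and every tag in range answers, while a passive receiver records every frame. A tag that always answers with the same identifier is recognisable across reads with no key at all; a tag that answers with a counter and a keyed hash of it (one form of the "strong encryption" / non-standard response countermeasure the article mentions) can be resolved only by the back end that holds the tag's key. All class names, tag identifiers, reader names and the 16-byte keys are constructed for this example.

```python
import hashlib
import hmac


class Air:
    """Shared radio medium: every frame a reader or tag sends is visible to
    every antenna in range, so a sniffer sees exactly what the reader sees."""

    def __init__(self):
        self.frames = []  # list of (sender, payload)

    def send(self, sender, payload):
        self.frames.append((sender, payload))


class StaticTag:
    """Simple tag (constructed): answers every query with one fixed ID."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, query):
        return self.tag_id


class PseudonymTag:
    """Tag holding a per-tag secret key (assumes a computation-capable tag).
    Each answer is 'counter:HMAC(key, counter)', so two answers from the same
    tag look unrelated to anyone who does not hold the key."""

    def __init__(self, tag_id, key):
        self.tag_id, self.key, self.counter = tag_id, key, 0

    def respond(self, query):
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        mac = hmac.new(self.key, ctr, hashlib.sha256).hexdigest()[:16]
        return f"{self.counter}:{mac}"


def read_cycle(air, reader_name, tags_in_range):
    """One read operation: the reader broadcasts a query and every tag in
    range answers on the same air. Returns the replies the reader collected."""
    air.send(reader_name, "QUERY")
    replies = []
    for tag in tags_in_range:
        reply = tag.respond("QUERY")
        air.send("tag", reply)
        replies.append(reply)
    return replies


def sniffed(air):
    """What a passive receiver on the band learns: the reader's queries
    (the coded message used to interrogate tags) and every tag reply."""
    queries = [p for s, p in air.frames if p == "QUERY"]
    replies = [p for s, p in air.frames if s == "tag"]
    return queries, replies


def linkable(replies):
    """True if the sniffer can recognise the same tag across reads without a
    key, i.e. at least two captured replies are byte-for-byte identical."""
    return len(set(replies)) < len(replies)


class Backend:
    """Information system behind the legitimate readers: holds each tag's key
    and resolves a pseudonym by trying every key (linear in the tag count)."""

    def __init__(self, keys):
        self.keys = dict(keys)  # tag_id -> key

    def resolve(self, reply):
        ctr_str, mac = reply.split(":", 1)
        ctr = int(ctr_str).to_bytes(4, "big")
        for tag_id, key in self.keys.items():
            expected = hmac.new(key, ctr, hashlib.sha256).hexdigest()[:16]
            if hmac.compare_digest(expected, mac):
                return tag_id
        return None


def compare_tags():
    """Read each tag type twice (two readers) and report what a sniffer can
    link and what the back end can resolve."""
    key = bytes(range(16))  # constructed per-tag key, not a real one
    wrong_key = bytes(16)   # a guess the sniffer might try: all zeros
    results = {}

    air, tag = Air(), StaticTag("TAG-0001")
    read_cycle(air, "reader-dock", [tag])
    read_cycle(air, "reader-gate", [tag])
    queries, replies = sniffed(air)
    results["static"] = {"queries_captured": len(queries),
                         "linkable_by_sniffer": linkable(replies)}

    air, tag = Air(), PseudonymTag("TAG-0002", key)
    read_cycle(air, "reader-dock", [tag])
    read_cycle(air, "reader-gate", [tag])
    queries, replies = sniffed(air)
    results["pseudonym"] = {
        "queries_captured": len(queries),
        "linkable_by_sniffer": linkable(replies),
        "resolved_by_backend": Backend({"TAG-0002": key}).resolve(replies[-1]),
        "resolved_with_wrong_key": Backend({"TAG-0002": wrong_key}).resolve(replies[-1]),
    }
    return results


if __name__ == "__main__":
    for name, report in compare_tags().items():
        print(name, report)
```

Both tags leak the reader's query to the sniffer; the difference is only in what the replies give away. The pseudonym scheme hides which tag is which, but a captured reply is still a valid reply until the back end has seen a higher counter, which is exactly the replay problem the article turns to next, and resolving a pseudonym costs one HMAC per enrolled tag, so it scales poorly to very large tag populations.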
the item with a tag that corresponds to significantly lower cost items such as a pack of mints. Another use of this attack is tag cloning: a legitimate tag is cloned and used to steal services or gain access to a restricted area. For example, researchers at Johns Hopkins University were able to clone an existing legitimate tag and use it to buy gasoline and unlock an automobile. Spoofing attacks compromise the integrity of the RFID system by making it impossible to uniquely identify a physical object. Countermeasures to these types of spoofing attacks include shielding tags when not used for legitimate reading, using strong encryption, or embedding non-standard response schemes that are difficult to characterize.

Replay attacks

Replay attacks combine sniffing and spoofing types of attacks. The attacker queries a tag, receives the information sent by the tag, and retransmits this information at a later time. Replay attacks compromise the confidentiality and integrity of the RFID system. This type of attack is especially troubling in applications involved with authentication. For example, suppose that an employee carries an RFID enhanced identification badge to access a secured facility. In this case, the badge is manufactured so that it contains an RFID tag. When the individual is within proximity of a legitimate badge reader, the reader queries the tag, which responds with a code representing the employee’s access credentials. The individual’s facility access is authenticated or denied. Now, consider the same employee at a local deli, passing by someone with a hidden badge reader. The attacker triggers an illegitimate reader to send a query and then records the responses from any badges within its proximity. The attacker can now program a blank RFID enhanced badge and gain access to the secured facility.

One countermeasure to this type of attack is to utilize the read-write capability present in newer tags. In this case, when someone accesses the secured facility, their code is authenticated and a new code is uploaded into the tag. This reduces the amount of time that a captured code can be used and dramatically increases the likelihood that they will be exposed when using the captured code. Despite these precautions, there are systems still being proposed that are vulnerable. For example, in the UK trials are underway to test battery operated RFID enhanced license plates capable of transmitting their signals more than three hundred feet. The system was designed to be simple and low cost and as a result does not address the security issues pre-

Denial of service attacks

A denial of service attack against an RFID system attacks the availability or usability of the system and can be perpetrated in many different ways. One can attack any combination of the reader, the tags, or the information system that processes the data received from the RFID tags. Since the reader only detects the presence of the tags, one possible attack involves the removal of the tag before it passes in proximity of the reader. This attack is commonly employed by thieves attempting to steal tagged items from retail stores. By removing the tag from an item, they can hide the item from view and pass by the reader undetected. Countermeasures to this type of attack include hiding the tag in the item, making the removal of the tag difficult, or designing the tag such that its removal causes irreparable damage to the item. Another attack involves placing the tagged item into a foil-lined bag or enclosure which acts as a Faraday cage. In this case, the thief does not need to remove the tag but instead simply places the whole tagged item into the foil-lined bag and can pass by any readers undetected. A denial of service countermeasure might include prohibiting individually owned bags from being carried into retail stores, but this is often expensive in manpower to enforce and can be defeated if an individual fabricates a Faraday cage in their clothing. This attack became so prevalent that in 2001, the state of Colorado made it a criminal offense to make or wear aluminum underwear, to help reduce theft in convenience stores.

Another type of denial of service attack involves pulling tags off of their intended items and relocating them on other items. In automatic payment scenarios found in retail stores, a thief can swap tags from low value items with those on high value items. In this case, the thief will appear to be properly paying for items when in fact they are defrauding the retail store. In certain applications, such an attack will corrupt the database stored on the information system and can cause significant loss of trust and integrity of an RFID system. If a warehouse was using an RFID system to maintain a product inventory, an attacker could relocate tags from one pallet to another and cause a complete loss of integrity of the inventory stored on the information system³. A possible countermeasure to this type of attack is to manufacture the tag into the item, make the tag inaccessible, or cause destruction to the item if the tag is removed. The risks of this type of attack are growing every day due to the widespread availability and low cost of RFID equipment and information.

Conclusions

RFID technology is unique in its ability to identify physical items in a wide range of harsh environments which are problematic for other types of identification technologies, such as bar coding. However, RFID technology also suffers from a large number of inherent security vulnerabilities which must be accounted for in a formal risk assessment before deploying the technology. There are multiple attack vectors and inherent vulnerabilities which may be found in RFID systems. The key to success in this endeavor is to first gain a grounded understanding of the technology before analyzing the system as a whole.

The views expressed in this paper are those of the authors and do not reflect the official policy or position of the United States Air Force, the Department of Defense, or the U.S. Government.

³ Neumann, P. G. (2003). Risks to the public in computers and related systems. SIGSOFT Softw.Eng.Notes, 28(6), 6-14.
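The badge scenario in the replay section and its read-write countermeasure, as an added Python model (not code from the article or from any access-control product): a hidden reader near the badge holder queries every badge in range and records the replies, a blank badge is programmed with the capture, and the clone is then presented to a door reader that either keeps fixed credentials or writes a fresh code into the badge on every successful access and remembers the codes it has retired. The holder name, the initial code and the order of events are constructed; the alert raised on a retired code is the "exposure" the article refers to.

```python
import secrets


class Badge:
    """RFID-enhanced ID badge (constructed): answers any reader's query with
    the code it currently stores; write() models the read-write capability
    of newer tags."""

    def __init__(self, holder, code):
        self.holder, self.code = holder, code

    def respond(self, query):
        return self.code

    def write(self, new_code):
        self.code = new_code


def hidden_reader_capture(badges_in_range):
    """A concealed reader at the deli: query and record every reply in range."""
    return [badge.respond("QUERY") for badge in badges_in_range]


class StaticCodeDoor:
    """Door reader with fixed credentials: any badge presenting a valid code is
    admitted, so a captured code stays usable indefinitely."""

    def __init__(self, credentials):
        self.credentials = dict(credentials)  # code -> employee
        self.alerts = []

    def present(self, badge):
        employee = self.credentials.get(badge.respond("QUERY"))
        return ("ADMIT", employee) if employee else ("DENY", None)


class RollingCodeDoor:
    """Door reader that authenticates the code, then uploads a fresh one into
    the badge. Retired codes are remembered, so a replayed capture is both
    refused and attributed to the employee whose badge was sniffed."""

    def __init__(self, credentials):
        self.current = dict(credentials)  # live code -> employee
        self.retired = {}                 # superseded code -> employee
        self.alerts = []

    def present(self, badge):
        code = badge.respond("QUERY")
        if code in self.current:
            employee = self.current.pop(code)
            self.retired[code] = employee
            new_code = secrets.token_hex(8)   # fresh credential for this badge
            self.current[new_code] = employee
            badge.write(new_code)             # written back into the tag
            return ("ADMIT", employee)
        if code in self.retired:
            employee = self.retired[code]
            self.alerts.append(f"retired code for {employee} presented: possible replay")
            return ("DENY", employee)
        return ("DENY", None)


def replay_scenario(door_class, attacker_first):
    """Capture at the deli, clone, then present clone and real badge to the
    door in either order. Returns (attacker_result, employee_result, alerts)."""
    alice = Badge("alice", "a1b2c3d4")             # constructed initial code
    door = door_class({"a1b2c3d4": "alice"})
    captured = hidden_reader_capture([alice])[0]
    clone = Badge("attacker", captured)            # blank badge programmed with the capture
    if attacker_first:
        attacker_result = door.present(clone)
        employee_result = door.present(alice)
    else:
        employee_result = door.present(alice)
        attacker_result = door.present(clone)
    return attacker_result, employee_result, list(door.alerts)


if __name__ == "__main__":
    for door_class in (StaticCodeDoor, RollingCodeDoor):
        for first in (False, True):
            order = "attacker first" if first else "employee first"
            print(door_class.__name__, order, replay_scenario(door_class, first))
```

Against the fixed-code door the clone works in either order and nothing is logged. Against the rolling-code door the capture is dead as soon as the real badge is used; if the clone is presented first it is admitted once, but the holder's very next presentation then fails and raises the alert naming the affected employee, which bounds the usable window to one access and makes the theft visible. What the model leaves out is the operational response once an alert fires (revoking that employee's live code and re-issuing the badge), which a real system needs so that a clone holding the newest code does not keep working.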
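The tag-relocation attack in the denial of service section corrupts the inventory the information system holds because the reader only reports which tags were present. An added Python check (not from the article) that reconciles what a reader reports during one pass against the recorded manifest, flagging tags seen on a different pallet from the one recorded, tags recorded but not seen, tags seen but never recorded, and one identifier read on two pallets in the same pass (physically impossible for a single tag, so a sign of the cloning discussed under spoofing). Pallet and tag identifiers and the scan records are constructed.

```python
# Constructed manifest: tag -> pallet, as recorded by the information system.
MANIFEST = {
    "TAG-1001": "PALLET-A", "TAG-1002": "PALLET-A", "TAG-1003": "PALLET-A",
    "TAG-2001": "PALLET-B", "TAG-2002": "PALLET-B",
}

# Constructed dock-door reader report for one pass: (pallet, tag) per read.
SCANS = [
    ("PALLET-A", "TAG-1001"), ("PALLET-A", "TAG-1002"),
    ("PALLET-B", "TAG-2001"), ("PALLET-B", "TAG-1003"),  # 1003 moved from A to B
    ("PALLET-B", "TAG-9999"),                             # tag nobody recorded
]


def reconcile(manifest, scans):
    """Compare one reader pass with the manifest and return the discrepancies
    that relocation, removal or cloning of tags produce."""
    seen = {}          # tag -> pallet where the reader saw it
    duplicated = set()  # same identifier read on more than one pallet
    for pallet, tag in scans:
        if tag in seen and seen[tag] != pallet:
            duplicated.add(tag)
        seen[tag] = pallet
    relocated = {tag: (manifest[tag], pallet)
                 for tag, pallet in seen.items()
                 if tag in manifest and manifest[tag] != pallet}
    return {
        "relocated": relocated,                               # recorded on X, read on Y
        "missing": sorted(t for t in manifest if t not in seen),  # removed or shielded
        "unknown": sorted(t for t in seen if t not in manifest),  # never enrolled
        "duplicated": sorted(duplicated),                     # one ID, two pallets
    }


def integrity_ok(report):
    """True only when every recorded tag was read where the manifest says."""
    return not any(report.values())


def alerts(report):
    """Human-readable lines for the operator, one per discrepancy."""
    lines = [f"{t}: recorded on {a}, read on {b}" for t, (a, b) in report["relocated"].items()]
    lines += [f"{t}: recorded but not read" for t in report["missing"]]
    lines += [f"{t}: read but not in manifest" for t in report["unknown"]]
    lines += [f"{t}: read on more than one pallet (possible clone)" for t in report["duplicated"]]
    return lines


if __name__ == "__main__":
    report = reconcile(MANIFEST, SCANS)
    print("integrity ok:", integrity_ok(report))
    for line in alerts(report):
        print(line)
```

The check does not tell you which pallet the moved tag belongs to physically, only that the database and the reader disagree; that disagreement is what has to block the inventory update and trigger a manual count, rather than being written through as the article describes.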
About the Author

Michael Grimaila, PhD, CISSP, CISM, GSEC Gold, is an Assistant Professor at the Air Force Institute of Technology. His research interests focus on the Management of Information Assurance. He is a member of the ACM, AIS, IEEE, ISACA, ISSA and ISSEA. Dr. Grimaila serves on the Editorial Advisory Board of the ISSA and is an active member of the ISSEA Metrics Working Group. He can be reached at Michael.