RFID Privacy & Security Issues

Paper discussing InfoSec and privacy risks associated with RFID technologies. Looks at implications of using ePassports and MiFare transit cards.

RFID Privacy & Security Issues: Document Transcript

  • Radio Frequency Identification: Privacy & Security Issues Brent Muir 2009
  • Executive Summary
    This report examines the privacy and security issues surrounding RFID implementations in a real-world context. A discussion of the history and development of RFID systems, from their origins in the military to their increasingly pervasive nature, allows the reader to better understand the motivations involved if organisations wish to implement RFID. A brief overview of the technical parameters of RFID is then given. Practical uses of RFID, from supply-chain management to health care services, are briefly mentioned, highlighting the diverse usages of this technology. Potential privacy and security issues relating to RFID are analysed, including the ability to track individuals via RFID tags and the cloning of RFID tags. These privacy and security issues are further highlighted through an in-depth examination of two case studies: the Mifare Classic, and ePassports. Both these case studies bring to light the vulnerabilities involved when implementing RFID systems, in particular whether or not there is a need to store personal information on the RFID tags, as well as the strength of the cryptographic security methods utilised to protect this information.
    MUIR RFID: Privacy & Security 2009
  • Table of contents
    Introduction
    What is RFID
    How RFID Works
    Implementations of RFID
    Privacy Issues
    Security Issues
    Case Studies:
      Translink - Mifare Classic
      US/AUS ePassports
    Conclusion
    Reference List
  • Introduction
    Since its development, Radio Frequency Identification (RFID) has evolved to a point where the technologies can be embedded under the skin of humans and, more likely, to a point where people in developed nations carry at least one RFID implementation in their wallet or purse. RFID has replaced many ageing technologies such as barcodes and magnetic swipe cards, and this advancement of pervasive technology has led to many security and privacy concerns. This paper will examine these concerns and analyse the risks involved with using RFID technologies.
    Before discussing the security and privacy concerns, the paper will give a brief description of the history of RFID technology. This will be followed by a detailed examination of the electronic components that compose RFID technologies. Thirdly, current RFID implementations across various fields will be briefly discussed. The privacy and security issues will then be examined, focusing on the potential and real-world issues at hand. Lastly, two case studies will be analysed: Translink's “Mifare Classic” RFID system (aka the “GO Card”); and a critical analysis of the US and Australian ePassports (“Enhanced Identification”) RFID systems. These two case studies will highlight the potential security and privacy issues related to RFID implementations.
    Before delving into the security and privacy issues, RFID technology needs to be explained in greater detail.
  • What is RFID
    Radio Frequency Identification (or RFID) has evolved from its infancy, where it had limited usage in the military, into a ubiquitous technology found in everyday goods and products. Dating back to World War II, RFID technology originated when “the British put radio transponders in Allied aircraft to help early radar system crews detect good guys from bad guys”[1]. The use of radio frequencies to assist in the identification process was a novel idea but it wasn’t until 1973 that it became patented[2]. In fact, “these early devices usually employed a one-bit system, which only indicated the presence or absence of the tag”[3].
    Peslak described RFID as “an inexpensive passive electronic device that allows for the transmission of a distinctive signal from any product or artifact in which it is embedded or attached”[4]. That is, a device that is “turned-on” by receiving certain signals or frequencies, but is otherwise “switched-off”. RFID tags have also been described as being “essentially microchips” which, coupled with their minute size and cost to develop, have become increasingly “commercially and technologically viable”[5].
    The development of RFID in the last half-century has reached a point where the technology is accessible for minimal cost; in fact, RFID tags can be purchased for under $0.20 each[6]. This reduction in manufacturing costs has led to the adoption of RFID technologies in a range of industries for a variety of purposes. The development of RFID over the last half-century can be seen in table 1 below.
    [1] Newitz, A. (2006) The RFID Hacking Underground Wired
    [2] Granneman, S. (2003) RFID Chips Are Here.
    [3] Cardullo, M. (2005). Genesis of the versatile RFID tag. RFID Journal, 2(1), 13–15.
    [4] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [5] Granneman, S. (2003) RFID Chips Are Here.
    [6] Roberti, M. (2004). Tag Cost and ROI [Electronic Version]. RFID Journal. Retrieved 02/08/2009, from http://www.rfidjournal.com/article/articleview/796/
  • Table 1 - The Decades of RFID[7]
    Decade        Event
    1940 - 1950   Radar refined and used, major World War II development effort. RFID invented in 1948.
    1950 - 1960   Early explorations of RFID technology, laboratory experiments.
    1960 - 1970   Development of the theory of RFID. Start of applications field trials.
    1970 - 1980   Explosion of RFID development. Tests of RFID accelerate. Very early adopter implementations of RFID.
    1980 - 1990   Commercial applications of RFID enter mainstream.
    1990 - 2000   Emergence of standards. RFID widely deployed. RFID becomes a part of everyday life.
    [7] Landt, J., & Catlin, B. (2001). Shrouds of Time: The history of RFID. Pittsburgh, PA, AIM Global.
  • How RFID Works
    The technology behind RFID is fairly basic, although many implementations of RFID have improved upon its security and communication mechanisms to suit their own needs. As stated by the Association for Automatic Identification and Mobility (AIM), RFID consists of three separate components: “an antenna; an RFID tag (programmed transponder with unique information); and a transceiver (a reader to receive and decode the signal)”[8]. The RFID tags can come in two varieties: a transponder-only tag, which only allows one-way communication to the transceiver and is often referred to as a “passive” tag; and “active” tags, which allow information to be read as well as written to the tags.
    The reader or transceiver is usually the source of power and generates a low power radio signal broadcast through an antenna when in use. The RFID tag receives the signal through its own internal antenna and powers a computer chip. The chip will then exchange information with the reader.[9]
    To facilitate a transmission, these components (the antenna, the transponder and the transceiver) communicate with one another and produce a transaction that results in the sending of data across the radio frequency. Glasser et al. have explained the RFID communication process as follows:
    Typically, a reader transmits radio signals that are received by an antenna to the tag. The tag sends a unique reply signal back to the reader, which is then decoded into an identification number. This ID number is unique to the tag. Ideally, a global set of standards will dictate how these ID numbers are assigned and ensure that there are no repetitions or duplications.[10]
    These transmissions are often encrypted to provide additional security mechanisms for the RFID systems.
    [8] AIM, in Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [9] AIM, in Ibid.
    [10] Glasser, Goodman, & Einspruch (2007) p. 101
  • Implementations of RFID
    There are numerous implementations of RFID in all facets of modern society. Many of these implementations follow in the footsteps of the original purpose of RFID, that is, to determine whether an object is present or not, for example in supply-chain management. However, as RFID has developed, new uses for the technology have emerged. These advanced implementations, coupled with the emergence of new uses, have led to new privacy and security issues arising.
    Toll Booths
    One area where RFID technology has increased productivity and decreased potential bottlenecks is in automated toll booth payment services. Instead of manually paying for a toll at a toll booth, commuters can now drive their vehicles straight through the toll booth without lining up to conduct a financial transaction. This is facilitated by RFID through the use of tags that are located inside vehicles and receivers located in the physical toll booth, so when the vehicles drive through, the toll is automatically deducted from the person's account[11]. However, the usage of RFID in these transactions is not without risk; Wood writes that “users of this system are leaving a trail of data behind them... divorce courts have used highway transponder information to find out where spouses have been traveling”[12].
    Financial Transactions
    In addition to the toll booth implementation stated above, RFID technology has been integrated into other financial transactions as well. In fact, Glasser et al. note that “one of the significant potential uses of RFID is to provide a vehicle for exchanging money without requiring people to make physical contact”[13]. Bray estimates that in
    [11] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [12] Wood in Glasser, Goodman, & Einspruch (2007) p. 105
    [13] Glasser, Goodman, & Einspruch (2007) p. 104
    MUIR N2753006 RFID: Privacy & Security October 2009
  • 2006 there were “20 million RFID-enabled credit cards and 150,000 vendor readers... already deployed in the U.S.”[14].
    Supply Chain Management
    One of the biggest adopters of RFID technology has been supply-chain management in retail. Glasser et al. speculate that “one of the most anticipated applications of RFID is using tags to replace or supplement bar codes on manufactured products”[15]. Retail giant Wal-Mart in the United States has been pushing RFID in this area since the early 2000s. In fact, Peslak notes that “Wal-Mart reemphasized its commitment to RFID over the long term by having its top 100 suppliers include tags on pallets and cases by 2005”[16]. Apart from the perceived increase in productivity in their warehouses, Wal-Mart envisaged a “savings of 10–20% in labor (sic) costs at their distribution centers (sic) through RFID”[17]. RFID has not only been adopted by huge retail chains such as Wal-Mart:
    One retailer who is actively using RFID is Prada, which reads tags in their clothes and displays accessories or other information about the clothes when someone tries them on in their display equipped dressing rooms.[18]
    By utilising RFID technologies in this way, organisations are hoping to improve supply-chain activities and, in particular, inventory management[19]. One major improvement over barcodes is that RFID tags can be individually programmed: not just one number per product code, but one unique identifier per item. As Glasser et al. explain:
    [14] In Heydt-Benjamin, T. S., D. V. Bailey, et al. (2008). "Vulnerabilities in first-generation RFID-enabled credit cards." Lecture notes in computer science 4886: 2.
    [15] Glasser, Goodman, & Einspruch (2007) p. 102
    [16] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [17] Ibid
    [18] Cox, 2003b in Ibid
    [19] Ibid
  • An RFID tag... can be associated with the history of an individual item: where it was manufactured, the date it was sold, when it was destroyed. It is also able to identify the location of an object as well as properties such as temperature.[20]
    Healthcare
    Another important advancement utilising RFID can be seen in the healthcare industry. Dorschner states:
    Further, RFID can, at least in principle, reduce medical error by tracking surgical tools to prevent them from being left in patients, to mark surgical sites to identify the procedure needed and prevent wrong-sided surgery and by preventing drug dispensing errors.[21]
    By introducing such RFID services, the public, and the healthcare industry as a whole, could benefit from a reduction in medical malpractice and careless mistakes.
    Animal Tracking
    Another important implementation of RFID is in livestock tracking. “RFID chips have for years been implanted in animals to track livestock, locate missing pets and study wildlife behavior”[22]. However, it is just as easy to utilise this technology in the tracking of humans as it is to track livestock and other animals. This has raised a few privacy concerns. One such implementation can be found in a United Kingdom theme park. Visitors to Alton Towers who purchase the service will receive an RFID band to wear around their wrist, “marking” them to the park-wide video-capture system.[23] This video surveillance system is an opt-in service that allows visitors to capture their day's adventure in the theme park and receive a DVD movie of the fun times they had.[24]
    [20] Glasser, Goodman, & Einspruch (2007) p. 102
    [21] Dorschner, in Ibid
    [22] Ibid
    [23] Tucker, P. 2006. "Fun with Surveillance." Futurist 40.
    [24] Ibid
  • Other privacy concerns of human tracking have arisen out of manufacturers' integration of RFID into their products.
    Michelin, which manufactures 800,000 tires a day, is going to insert RFID tags into its tires. The tag will store a unique number for each tire, a number that will be associated with the car's VIN (Vehicle Identification Number).[25]
    This could lead to a scenario where your vehicle is tracked from point A to point B without your knowledge.
    [25] Granneman, S. (2003) RFID Chips Are Here.
  • Privacy Issues
    As touched on briefly in the previous section, RFID implementations are not without their share of privacy issues. By examining potential and real-world RFID privacy issues, a greater understanding of the possible risks associated with RFID implementations can be established. The main privacy concerns with RFID are the tracking of people and their location, and the tracking of customers and their habits by retail giants.
    Tracking of People
    Similar to the tracking of livestock or vehicles, the tracking of people through the use of RFID technologies is a real threat to the privacy of individuals. RFID tags are now small enough to be embedded under the skin of humans or, with more devious intent, slipped into their clothing without the individual realising. Glasser et al. note that “RFID chips intended to track humans come in two main forms: sub-dermal implants which are injected and external tags which are worn or carried”[26].
    In order for the effective tracking of people through RFID to take place, governments would have to encourage or demand that people carry certain RFID tags on their person. An example of this has been highlighted by Garfinkel, who notes that “the Massachusetts Turnpike Authority is giving discounts to residents who pay using EZPass, a transponder system relying on radio tags”[27]. It is then speculated that this decision is ‘‘discriminatory and coercive’’[28]. Another example of governments pushing for RFID can be seen in the European Union (EU), where it was suggested that the European Central Banks were investigating the placing of RFID tags into the Euro[29]. In this case the suggested reason behind the use of RFID was not to track citizens and their use of the currency, but to stem the counterfeiting of the Euro. It is implementations such as these that, although they may be altruistic in nature, are easy to manipulate for more sinister motives by people with less friendly purposes.
    [26] Glasser, Goodman, & Einspruch (2007) p. 105
    [27] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [28] Ibid
    [29] The Economist, 2002 in Peslak, 2005, p. 328
  • The above example of RFID technology being utilised in the Euro never eventuated, yet that does not mean that there aren't other RFID implementations that are already being used to track individuals. In fact, Peslak describes a scenario where RFID is currently used to track individuals by a government body:
    RFID is already being used to track and coordinate movements of people between the U.S. and Canada. A program called NEXUS allows U.S. and Canadian citizens to register their fingerprints, photo, and other personal data and, if approved, receive a card with an RFID tag. When individuals wish to travel between the U.S. and Canada, they display their cards near the inspection booth.[30]
    Use of RFID in identification cards is not a new idea. Many governments around the world have begun implementing RFID technologies into drivers’ licenses, passports and even citizenship cards. Glasser et al. describe this as a major privacy concern: “since drivers’ licenses are nearly always carried by individuals, there exists a threat that anyone could be tracked anonymously”[31]. With governments adopting RFID in official documentation, the average citizen is powerless to protect their own personal details and privacy from being transmitted across the radio frequencies. Indeed, it has been speculated that society “may one day need to inquire whether use of RFID technology by a government is itself grounds for identifying it as repressive”[32].
    Many citizens value their privacy and the United Nations “codified the fundamental human right of privacy in 1948 within their Universal Declaration of Human Rights”[33]. What this means is that any breaches by governments of the UN's declaration can be seen as a sign of a potential totalitarian move in order to control the masses.
    Tracking of Customers and their habits
    Due to the pervasiveness of the technology, RFID tracking can also be carried out through the goods that people have purchased. The organisations which implement
    [30] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [31] Glasser, Goodman, & Einspruch, 2007, p. 104
    [32] Ibid
    [33] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
  • RFID into their products are not always trying to increase productivity in their warehouses; more often than not the motive is to study the behaviour of their customers. As stated by Peslak, “the privacy concerns of electronic commerce include collection of information without user’s knowledge, sales of collected personal information, and receipt of unsolicited information, as in spamming”[34]. Like electronic commerce, RFID technology can be used in this way.
    The use of RFID in retail has been described by the organisations which implement it as providing customers with better, more intuitive shopping experiences. What it really amounts to is an incredible customer database monitoring buying habits and other personal data. Peslak sums up this situation by noting that “tags allow the potential for aggregation of massive amounts of personal data based on purchases and ownership, making personal profiling possible”[35]. Peslak effectively describes the various potential privacy issues related to RFID in the retail sector, as seen below in table 2.
    Table 2 – RFID Privacy Category Framework[36]
    An example of a breach of privacy through the use of RFID in the retail sector was noted by Hildner:
    [34] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [35] Ibid
    [36] Ibid
  • One breach of privacy through RFID became known as the Broken Arrow Affair where Wal-Mart along with Proctor and Gamble used this technology in tracking consumers in the Oklahoma store when they removed Max Factor Lipfinity lipsticks. Once the item was taken from the shelf a video monitor evaluated how consumers handled the product without their knowledge.[37]
    Currently in the United States, where this example occurred, there is no legislation in place requiring that labels indicate the presence of an RFID chip in a product[38]. Other countries have introduced legislation governing the use of RFID tags in retail products; for example, Hariton et al. observed:
    Canada on the other hand has implemented the Personal Information Protection and Electronic Documents Act that requires retailers to seek consent of customers for using RFID tags in monitoring their shopping patterns.[39]
    However, although the US lacks the legislation to monitor the use of RFID in the retail sector, the privacy issue has not gone unnoticed. Even as far back as 2000 the Federal Trade Commission (FTC) made recommendations on creating legislation to govern such privacy concerns. “The FTC concluded that self-regulation was insufficient and recommended federal legislation to ensure adequate protection of consumer privacy online”[40].
    Another privacy aspect is the decommissioning of the RFID tags used in retail. Peslak states that “perhaps the most insidious of RFID uses is the potential for post-sales monitoring... technically; all RFID tags can be permanently read through active readers”[41]. Currently there are no systems or checks in place for deactivating the RFID tags once items are purchased. This may lead to the situation where not only is the initial purchase monitored, but subsequent monitoring can take place whenever the tagged item is near a transceiver. Peslak further posits:
    [37] Hildner, 2006 in Ibid.
    [38] In Ibid
    [39] In Ibid.
    [40] Federal Trade Commission, 2000 in Peslak, 2005, p. 337
    [41] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
  • At present, the tags remain in a working condition after the items to which they are attached are purchased. The tags could subsequently be read when they encounter an RFID transceiver. Thus, if you were to walk into a store with an RFID tagged item, an active transceiver could activate a signal from the tag and through a series of steps identify you, your location, and any other information about you such as criminal history, shopping records, or credit history.[42]
    As unlikely as this may seem, the potential for the abuse of RFID tags that lack decommissioning protocols is present. It has been stated that the “costs of a national or worldwide tracking system to monitor RFID tags to individuals would be cost prohibitive and uneconomic”, but this does not mean that it is not a possibility in the near future[43].
    One solution to this privacy issue is to implement decommissioning protocols in the RFID tags. One such method has been proposed that involves “a deactivation or 'kill' switch for RFID tags once items enter the retail realm”[44]. In this proposal the products would have an RFID tag for the supply-chain management (manufacturing, warehousing, and delivery) phase of their existence, but upon arrival at their final destination (the retail store) the RFID tag is deactivated so that no personally identifiable information can be gained through its use. Another option is the inclusion of an “on–off switch that could allow benefits if the consumer wishes but could be eliminated for those who do not want to use the benefits”[45]. In this solution the consumer could decide whether or not to opt in to having their personal information stored when purchasing goods.
    Other examples of privacy solutions in the retail sector include a type of RFID tag developed by IBM known as the 'Clipped Tag'. This RFID tag allows consumers to tear a portion of the tag off, thus “allowing information to be transmitted just a few
    [42] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [43] Ibid
    [44] Ibid
    [45] Ibid
  • centimeters rather than 100 feet”[46]. Another development in RFID technology is to have RFID tags embedded with a 'privacy bit', as stated by Niemelä:
    An alternative is to set aside a logical bit on the RFID tag. This bit is initially off when items are in the shop. The bit is flipped to the on position to deactivate a tag at the point of sale. If RFID readers in shops refrain from scanning private tags, i.e., those tags whose privacy bit is turned on, then a good measure of consumer privacy will already be in place. Tags belonging to consumers in this case will be invisible to shops. At the same time, tags on items on shelves.[47]
    The potential privacy breaches imposed by not deactivating RFID tags are severe. Glasser et al. state:
    There is consequently a fear that one could remotely scan a home, purse or car and then construct an inventory of everything inside: videos, medications, fine jewelry, etc. The person scanning could then identify the owner of the items and gain personal information about him or her.[48]
    Indeed, it has been noted that the “use of RFID can potentially provide a plethora of new information about individuals if not properly safeguarded”[49]. However, there are some organisations that believe “RFID tags present no more of a threat to privacy than cell phones, toll tags, credit cards, ATM machines, and access control badges”[50].
    To counter potential privacy breaches it has been suggested that organisations should be made to “obtain written consent from an individual before any personally identifiable information is acquired... obtain written consent before RFID data is shared with a third party”[51]. Nabil et al. speculate that “privacy laws will
    [46] Ibid.
    [47] Niemelä, O. P. a. M. (2009). "Humans and emerging RFID Systems: Evaluating Data Protection law on the User scenario basis." International Journal of Technology and Human Interaction Volume 5(Issue 2): 85-95.
    [48] Glasser, Goodman, & Einspruch (2007) p. 103
    [49] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
    [50] AIM in Ibid
    [51] Glasser, Goodman, & Einspruch (2007) p. 103
  • continue to change as society evolves and changes” and in the case of RFID the legislation will not come soon enough[52].
    [52] Nabil Y. Razzouk, V. S., Maria Nicolaou (2008). "CONSUMER CONCERNS REGARDING RFID PRIVACY: AN EMPIRICAL STUDY." Journal of Global Business and Technology Volume 4(Number 1, Spring ): 69-78.
  • Security Issues
    Many of the privacy issues related to RFID are compounded by the security risks associated with RFID implementations. By exploring the potential and real-world RFID security issues, a greater understanding of the possible risks associated with RFID implementations can be established. The main security concerns with RFID are: the cloning of RFID devices; the tampering of RFID devices; and the cryptographic means to protect RFID devices.
    As noted by Kaminsky, “the problem is that RFID technology, although good for inventory tracking as a replacement for barcodes, is not well suited for security”[53]. This proposition is demonstrated by the number of potential security issues that exist in reference to RFID. It has been stated, however, that RFID security is only relevant if the information stored on the tags is considered valuable[54]. Following on from this security issue, “one solution is to limit the technology itself – by restricting data stored in a chip to an ID number and storing all other data in a secure database”[55]. Indeed, “technical difficulties have been reported with RFID including tag collisions, tag failure, and tag detuning”, with each of these issues causing potential security risks in the use of RFID[56].
    Cloning RFID devices
    One of the greatest improvements of RFID technologies over other forms of technology is the ability to assign a unique identifier to every tag, thereby instantly being able to uniquely identify an object or a person. However, this feature is also seen as a potentially major security issue with RFID. The security issue arises out of the fact that the physical presence of an RFID tag does not necessarily correspond with the authorised user having possession of that tag. Hijacking or cloning RFID tags poses a great risk when using RFID as a security mechanism. Ghai gives a simple definition of RFID hacking:
    [53] Kaminsky in Ibid
    [54] Garretson, C. (2007) RFID holes create security concerns Network World Volume, DOI:
    [55] Glasser, Goodman, & Einspruch (2007) p. 107
    [56] Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
  • Similar to credit card or identity theft... card hacking refers to an imposter using someone's personal identity information to obtain physical access to privileged areas and information.[57]
    Just like in other forms of identity theft, RFID hacking or cloning is the use of someone else's credentials to assume that person's identity, except that with RFID cloning only the radio waves from the original tag are needed. In this respect RFID cloning is much simpler than traditional forms of identity theft, which require much more information about, and from, the individual before the assumed identity can be used.
    Even though organisations are aware of this potential risk, many are still implementing RFID as a security mechanism, in particular to replace other physical access proximity card systems. Ibid details an example of this where a “...company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are... vulnerable”[58]. The lack of concern from some organisations is in itself a potential security risk. The cloning of RFID tags is not fictional; in fact, Roberts describes one system where the integrity of the RFID tags had been compromised:
    His RFID cloner was on display at the recent RSA Security Conference in San Francisco, where he demonstrated for InfoWorld how the device could be used to steal access codes from HID brand proximity cards, store them, then use the stolen codes to fool a HID card reader.[59]
    Two solutions to this security risk have been suggested: one is to use other forms of protection alongside the physical possession of the RFID tags, such as PINs or biometric means, and the other solution is to employ a behavioural monitoring
    [57] Ghai, V. (2008). "An Automation ANSWER." Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/.
    [58] Roberts, P. F. (2007). "Battle brewing over RFID chip-hacking demo " InfoWorld Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chiphacking.html
    [59] Roberts, P. F. (2007). "Battle brewing over RFID chip-hacking demo " InfoWorld Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chiphacking.html
  • system that can lock down RFID tags if abuse is detected. Both solutions are described by Ghai:

A system should be put in place to check current physical access permissions in real-time across multiple points (picture identification, biometric data, cryptographic keys, PIN) while simultaneously checking logical systems activity before allowing access. Taking a page from what credit card companies and banks are doing to fight credit/debit card abuse, an automatic “fraud protection” system can watch for uncharacteristic or unusually high card usage (swipes, etc.). Using pre-set, policy-based rules, the system takes a rapid course of action when multiple card swipes are noticed for one person, multiple swipes are detected from one card over a short period of time across different locations or there are multiple rejects for one card.60

Broache and McCullagh agree with the inclusion of additional security mechanisms, stating that many organisations “are also exploring using a card that would have to be activated by the user, through a fingerprint or some other biometric method, before any information could be read remotely”61. Either of these suggestions would eliminate the ability for someone to clone an RFID tag and gain access to systems or premises as another person. However, neither of these suggestions deals with the underlying security issue, which is the weak cryptographic protection utilised by these RFID tags.

Tampering of data embedded in RFID devices

Another security risk associated with RFID tags is the ability to manipulate the data stored on the tags, either by a third party who is cloning the tag or by the authorised tag holder.

60 Ghai, V. (2008). "An Automation ANSWER." Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/.
61 A. Broache and D. McCullagh (2006) New RFID travel cards could pose privacy threat. CNET News Volume, DOI:
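The policy-based rules Ghai describes above (one card seen at different locations within a short period, repeated rejects, unusually high usage) can be run over a reader log as in the following added example, which is not code from the report or from any vendor. The log format, class and function names, thresholds and sample lines are all constructed assumptions.

```python
"""Policy-based card-abuse monitor (added example; thresholds are assumptions)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Swipe:
    ts: datetime
    card: str
    site: str       # physical location of the reader
    granted: bool   # the reader's own accept/reject decision


class CardMonitor:
    def __init__(self, window=timedelta(minutes=5), max_rejects=3,
                 max_swipes=6, min_travel=timedelta(minutes=2)):
        self.window = window
        self.max_rejects = max_rejects
        self.max_swipes = max_swipes
        self.min_travel = min_travel
        self.recent = defaultdict(deque)   # card -> swipes inside the window
        self.locked = {}                   # card -> rule that locked it

    def observe(self, s):
        """Feed one swipe (in time order). Return the rule that fired, or None."""
        if s.card in self.locked:
            return self.locked[s.card]     # stays locked until an operator reviews it
        q = self.recent[s.card]
        while q and s.ts - q[0].ts > self.window:
            q.popleft()                    # expire swipes older than the window
        rule = None
        # Same card at two different sites faster than a person could travel:
        # the original and a clone are probably both in use.
        if q and q[-1].site != s.site and s.ts - q[-1].ts < self.min_travel:
            rule = "two-sites-too-fast"
        q.append(s)
        if rule is None and sum(not x.granted for x in q) >= self.max_rejects:
            rule = "repeated-rejects"
        if rule is None and len(q) > self.max_swipes:
            rule = "high-usage"
        if rule:
            self.locked[s.card] = rule
        return rule


def parse(line):
    """Parse one constructed log line: '<ISO time> <card> <site> GRANT|DENY'."""
    ts, card, site, result = line.split()
    return Swipe(datetime.fromisoformat(ts), card, site, result == "GRANT")


# Constructed sample log, not real data.
SAMPLE_LOG = """\
2009-08-04T08:00:00 C-1001 hq-lobby GRANT
2009-08-04T08:00:40 C-1001 depot-gate GRANT
2009-08-04T08:01:00 C-2002 hq-lobby DENY
2009-08-04T08:01:05 C-2002 hq-lobby DENY
2009-08-04T08:01:09 C-2002 hq-lobby DENY
2009-08-04T08:02:00 C-3003 hq-lobby GRANT
2009-08-04T08:03:00 C-1001 hq-lobby GRANT
2009-08-04T12:30:00 C-3003 depot-gate GRANT
"""


def scan(log_text):
    """Replay a log; return (locked cards, per-line decisions)."""
    mon = CardMonitor()
    decisions = []
    for line in log_text.strip().splitlines():
        s = parse(line)
        rule = mon.observe(s)
        decisions.append((s.card, s.site, "LOCKED:" + rule if rule else "ok"))
    return mon.locked, decisions


if __name__ == "__main__":
    locked, decisions = scan(SAMPLE_LOG)
    for d in decisions:
        print(*d)
    print("locked:", locked)
```

Once a card is locked, the genuine holder is refused as well as the clone, so the lock has to lead to a manual review and a card re-issue.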
  • As highlighted by Muir, “RFID is a wireless technology and is therefore subject to third-party interception unless the signal is secured”62. This creates a scenario where “Man-In-The-Middle” attacks are possible against RFID systems and tags. This risk is further compounded “if the chip has a writable memory area, as many do, to data tampering”63. Data tampering occurs when the integrity of the data stored on the RFID tags is compromised. Generally this type of security risk is associated with RFID tags that are used in financial transactions, such as RFID transport cards which store amounts of money on the tag itself rather than in a centralised database.

One solution to card tampering is to store the RFID tags out of radio signal range to eliminate the potential for the signal to be cloned or altered, for example via the use of a Faraday cage.

A Faraday cage is a physical cover that assumes the form of a metal sheet or mesh that is opaque to certain radio waves. Consumers can today purchase Faraday cages in the form of wallets and slipcases to shield their RFID-enabled cards against unwanted scanning.64

Again this solution is only a temporary one as it does not address the real security risk facing the RFID tags and systems, that is, the weak cryptographic protection utilised by RFID systems.

Cryptographic Functions

Probably the most detrimental security issue with RFID is the type of encryption mechanisms in place within the RFID systems and tags. This issue is in part due to the constraints in the RFID chips used in the tags. As stated by Schwartz, “chip limitations make it difficult to incorporate sophisticated encryption algorithms”65. These limitations have led to the previous two security issues: the cloning and tampering of RFID tags.

62 Muir, S. (2007). "RFID security concerns." Library Hi Tech 25(1): 95-107.
63 Newitz, A. (2006) The RFID Hacking Underground Wired Volume, DOI:
64 Heydt-Benjamin, T. S., D. V. Bailey, et al. (2008). "Vulnerabilities in first-generation RFID-enabled credit cards." Lecture notes in computer science 4886: 2.
65 Schwartz in Glasser, Goodman, & Einspruch (2007) p. 107
  • One cause of the use of weak cryptographic mechanisms in the RFID tags has been surmised as poor foresight by the RFID system designers when initially implementing cryptographic mechanisms. Kaminsky explains this situation by noting:

They [the organisations which build RFID systems] didn't want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards...66

Apart from the failure, or inability, to upgrade cryptographic standards in RFID systems, organisations which build RFID systems face another problem: many of them choose to use proprietary encryption standards instead of well-recognised ones. Thus the organisations are assuming that because their encryption standard is not publicised it will remain unbroken. This philosophy goes against “Kerckhoffs’ Principle” which states “the cryptanalyst has complete knowledge of the cipher (i.e. the decryption key is the only thing unknown to the cryptanalyst)”67. By keeping encryption standards proprietary, organisations are not allowing their cryptosystems to be peer reviewed by cryptographic experts, and therefore the standards chosen are often easily breakable. In the case studies below it will be shown that this exact security issue has been encountered and overcome by hackers.

66 Kaminsky in Ibid.
67 Boyd (2009)
  • Case Studies

Through conducting a critical analysis of two real-world implementations of RFID technology the potential privacy and security issues already discussed can be further explained. Two different RFID systems have been chosen to be examined: the Mifare Classic, which is used all around the world in transportation networks, including in Queensland through Translink; and enhanced identification RFID systems, such as ePassports.

Translink - Mifare Classic

Translink in conjunction with Queensland Transport have implemented the Mifare Classic RFID system to facilitate a cashless ticketing system, where it is locally known as the “Go” card. The Mifare Classic is an ISO 14443-A compliant RFID system which was first launched overseas in 1995 68. According to NXP, the creators of this system, the Mifare Classic has to date sold more than 1 billion cards, equating to “more than 70% of the contactless smart card market”69. The Mifare Classic RFID system has been deployed in countries such as Korea, China, the United Kingdom, and now Australia70. Garcia describes the Mifare Classic tags as more advanced than traditional RFID tags:

Such cards contain a slightly more powerful IC than classical RFID chips (developed for identification only), equipping them with modest computational power and making them suitable for applications beyond identification, such as access control and ticketing systems.71

The inclusion of an integrated circuit (IC) means that the Mifare Classic tags are actually “active” RFID tags, being able to contain more information than just a

68 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
69 Ibid.
70 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
71 Garcia, F. D., P. van Rossum, et al. (2009). Wirelessly Pickpocketing a Mifare Classic Card.
  • unique serial number. However this increased ability to store more information is also a reason why it is a greater security risk than traditional passive RFID tags.

Due to its market share the Mifare Classic has come under increasing scrutiny over the security mechanisms that are in place to protect the data stored on these RFID tags. Having such a market dominance has brought the Mifare Classic to the attention of hackers. Successful attacks on the Mifare Classic date back as far as 2007, when it was demonstrated that the RFID tags could be cloned; this was well before the Mifare Classic system was deployed in Queensland72. Security issues are not the only problem facing this RFID system, as the Mifare Classic is also subject to privacy concerns.

Privacy Issues

The most prevalent privacy issue facing the Mifare Classic RFID system is the potential tracking of passengers. Each RFID tag in the “Go” card implementation of the Mifare Classic system contains a Global Unique Identifier (GUID), or a serial number of the card. This GUID is used to register the card and to track the journeys undertaken on the card.

There are two types of “Go” card, registered and unregistered. Anyone may purchase a “Go” card, which comes as an unregistered card containing no personally identifiable information about the card holder. Translink claims that registering the “Go” card makes the user more “protected” in case their card is stolen or lost, by allowing the balance of the card to be transferred to a new card and by blocking the GUID of the old card73. This may indeed be the case if you get your “Go” card stolen, but this “protection” comes at a high cost to the users' privacy. Other incentives to register “Go” cards include the ability to manage the cards online, including topping up credit and accessing the journey history.

In order to register a “Go” card a user must provide Translink with additional personally identifiable information including: name, address, phone numbers, bank

72 Diodati (2008)
73 Translink (2008)
  • account details, and credit card numbers74. This sounds more like a customer database for a retail chain than a transportation system. This information is stored on a database maintained by Translink, and it must be stated that even once registered, “your physical smart card will not hold any personal information”75. Although Translink's privacy policy complies with Information Privacy Act 2009 there is no immediate explanation why this information is necessary. This requirement for additional information is surplus to the functioning of the system and just facilitates the development of a massive customer database which can then be sold off to third parties. In fact, Translink states that the information supplied by the customers can be provided to third parties as approved by Translink as long as they comply with Translink’s privacy policy: “where personal information is shared with other parties, requiring those parties to comply strictly with our privacy requirements”76. This may be fine in theory, but no organisation has the ability to monitor the use of personal information once it has been disclosed outside of their control.

It also raises the question as to which third parties Translink are able to share the personal information from their customer database with. According to their privacy policy these include: financial institutions; service providers such as call centres; and research organisations77. The last two are some of the worst offenders when it comes to the abuse of personal information.

The ability to track passengers in the “Go” card system is facilitated by the requirement for passengers to swipe on at the beginning of their journey and swipe off again at the conclusion of their journey78. This journey information is stored by the RFID system and can be accessed by “authorised” users, including the registered card holder, or for that matter anyone in physical possession of that card, and people who have access to the secure database maintained by Translink. The ability to track and monitor passengers raises many privacy concerns, and storage of this information is in turn a major security issue.

74 Translink (2009) Go Privacy Policy
75 Ibid
76 Ibid
77 Ibid
78 Translink (2008)
  • Security Issues

As stated previously, the Mifare Classic is based on ISO 14443-A:

...the Mifare Classic complies with parts 1 to 3 of the ISO standard 14443-A, specifying the physical characteristics, the radio frequency interface, and the anti-collision protocol. The Mifare Classic does not implement part 4 of the standard, describing the transmission protocol, but instead uses its own secure communication layer. In this layer, the Mifare Classic uses the proprietary stream cipher CRYPTO1 to provide data confidentiality and mutual authentication between card and reader.79

The inclusion of a proprietary encryption algorithm is the first security issue evident in the Mifare Classic RFID system. By ignoring Kerckhoffs’ Principle the designers were tempting fate, and eventually the encryption cipher was broken. Put bluntly by de Koning and Verdult, “the Mifare system relied on security by obscurity and now the secrets are revealed there is no card-level security left”80. The authentication system used by the Mifare Classic can be seen in the diagrams below.

Diagram 1 - Authentication Protocol 81

79 Garcia, van Rossum, Verdult, & Schreur (2009)
80 Gerhard de Koning Gans and R. Verdult. (2007). "Proxmark." Retrieved 04/08/2009, from http://www.proxmark.org/proxmark.
81 Garcia, van Rossum, Verdult, & Schreur (2009)
  • Diagram 2 - Mifare Classic Protocol 82

Through numerous attempts the Crypto-1 cipher was finally reverse-engineered, and “the heart of the cipher is a 48-bit linear feedback shift register and a filter function”83 (as depicted in diagram 3).

This cipher consists of a 48-bit linear feedback shift register (LFSR) with generating polynomial $x^{48}+x^{43}+x^{39}+x^{38}+x^{36}+x^{34}+x^{33}+x^{31}+x^{29}+x^{24}+x^{23}+x^{21}+x^{19}+x^{13}+x^{9}+x^{7}+x^{6}+x^{5}+1$ and a non-linear filter function $f$.84

82 Courtois, N. T. (2009). Differential Attack on MiFare Classic or How to Steal Train Passes and Break into Buildings Worldwide…. Eurocrypt 2009 Rump Session, University College London.
83 Dayal, G. (2008). "How they hacked it: The MiFare RFID crack explained A look at the research behind the chip compromise." Retrieved 02/08/2009, from http://www.computerworld.com/s/article/9069558/How_they_hacked_it_The_MiFare_RFID_crack_explained?pageNumber=1.
84 Garcia, van Rossum, Verdult, & Schreur (2009)
  • Diagram 3 - Structure of CRYPTO1 Algorithm85

Armed with this information attacks against the Mifare Classic began to emerge. In fact there are numerous methods available to recover the encryption key from a Mifare Classic tag; one of the ways utilises a side-channel attack. Garcia notes that the Mifare Classic mixes the data link layer and the secure communication layer of the RFID tag, which results in the parity bits being computed over plaintext during the transmission of data86. Garcia states:

During the authentication protocol, if the reader sends wrong parity bits, the card stops communicating. However, if the reader sends correct parity bits, but wrong authentication data, the card responds with an (encrypted) error code. This breaks the confidentiality of the cipher, enabling an attacker to establish a side channel.87

Another method exists where the attacker uses a constant challenge, changing only the challenge of the tag, “ultimately obtaining a special internal state of the cipher”88. The issue with this method is that the special states have to be precomputed, which means that the attack isn't as portable as some other methods89.

The Digital Security Group of the Radboud University Nijmegen (DSG), who assisted in originally reverse-engineering the Crypto-1 cipher, have also devised a method that requires a small amount of data be collected from a genuine Mifare reader. According to the DSG:

85 Garcia, van Rossum, Verdult, & Schreur (2009)
86 Ibid
87 Ibid
88 Ibid
89 Ibid
  • With this data we can compute, off-line, the secret key within a second. There is no precomputation required, and only a small amount of RAM. Moreover, when one has intercepted a "trace" of the communication between a card and a reader, we can compute all the cryptographic keys from this single trace, and decrypt it.90

These methods discussed do not require advanced hardware and can be conducted for less than a few hundred dollars, which poses a real security threat to any systems based on the Mifare Classic. “With minimal effort, hackers are proving that it is possible for these cards to be cracked, copied and used to impersonate someone else's identity...”91.

Before Queensland Transport implemented the Mifare Classic RFID system they had been made well aware of the security breaches in the underlying infrastructure: “Translink is aware of the testing academics in Europe have undertaken on the Mifare smart card...”92. The group which originally cracked the cipher stated that “Queensland's “Go” card system was already obsolete” because the card's security encryption had already been cracked93. Translink's response to this threat was very dismissive, claiming that:

Translink's Go card system uses multiple layers of security and these academics have only demonstrated an ability to gain access to one of these layers. Translink also has in place systems to detect and reject smart cards that may have been manipulated fraudulently.94

In fact NXP, the creator of the Mifare Classic RFID system, have since moved to a new standard incorporating AES encryption algorithms to address this security vulnerability95.

90 Digital Security Group of the Radboud University Nijmegen. (2008). "Security Flaw in Mifare Classic." Retrieved 04/08/2009, from http://www.ru.nl/ds/research/rfid/.
91 Ghai (2008)
92 Casey, S. (2008) Go cards 'doomed' over security.
93 Ibid
94 Ibid
95 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
  • Other methods to address this security issue, as suggested by Garcia, would be for the system integrators to “diversify all keys in the card; or cryptographically bind the contents of the card to the GUID, for instance by including a MAC”96. Another way to protect one's “Go” card would be to “keep it inside an RFID blocker that emits spurious signals to confuse RFID scanners, a form of electronic warfare against snoopers”97.

In the case of Translink's “Go” card the biggest threat would be to clone a card, in particular one which has just been recharged with a large amount of money; a hacker could then keep a cloned copy of the tag and re-use the same clone whenever he/she ran out of money on their card.

Another potential security issue with Translink's “Go” card system relates to the card registration process. Currently the registration form and login page use the GUID of the card as the username, because it is a unique identifier; however if a user forgets their password for their account they will be prompted with a security question in order to verify their identity. This security question cannot be manually changed and it has to be one of three default questions offered by Translink in their registration process (as seen in Diagram 5). This poses a security risk as it limits the possibilities, and the answers to two of the questions (maiden name and the city you were born in) can be located through public databases.

96 Garcia, van Rossum, Verdult, & Schreur (2009)
97 Gualtieri, D. M. (2004). Technology's Assault on Privacy. Phi Kappa Phi Forum.
  • Security question (please answer one of the following security question for identification purposes) (Required):
      Your mother's maiden name
      Name of your first pet
      City or town where you were born
    Answer:

Diagram 5 – Security Question from Registration Form98

98 Translink (2009) https://forms.translink.com.au/go_registration.php
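Garcia's two suggestions quoted above (diversified keys, and a MAC binding the card contents to the GUID) are sketched in the following added example, which is not the Mifare Classic, NXP or Translink design. HMAC-SHA256, the 16-byte value-block layout, the online transaction counter, the demo key and UIDs, and all names are assumptions made for illustration.

```python
"""Bind stored value to the card UID with a MAC, using per-card keys.
Added illustration; the primitives and the record layout are assumptions."""
import hashlib
import hmac
import struct

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def card_key(master, uid):
    """Key diversification: every card gets its own key derived from its UID,
    so recovering one card's key does not expose any other card."""
    return hmac.new(master, b"card-key" + uid, hashlib.sha256).digest()[:16]


def _tag(master, uid, body):
    # The UID is part of the MAC input, so the record only verifies on this card.
    return hmac.new(card_key(master, uid), uid + body, hashlib.sha256).digest()[:10]


def seal(master, uid, balance_cents, counter):
    """Build a 16-byte block: 4-byte balance, 2-byte counter, 10-byte MAC tag."""
    body = struct.pack(">IH", balance_cents, counter)
    return body + _tag(master, uid, body)


class Backend:
    """Online reader/back-end that verifies a card before charging a fare."""

    def __init__(self, master):
        self.master = master
        self.last_counter = {}   # uid -> counter value the next block must carry

    def debit(self, uid, block, fare_cents):
        """Return (status, new_block); new_block is None when rejected."""
        if len(block) != 16:
            return "reject: bad length", None
        body, tag = block[:6], block[6:]
        if not hmac.compare_digest(tag, _tag(self.master, uid, body)):
            return "reject: bad MAC", None
        balance, counter = struct.unpack(">IH", body)
        if counter < self.last_counter.get(uid, 0):
            return "reject: stale counter", None   # an older snapshot was restored
        if balance < fare_cents:
            return "reject: insufficient funds", None
        self.last_counter[uid] = counter + 1
        return "ok", seal(self.master, uid, balance - fare_cents, counter + 1)


def demo():
    be = Backend(MASTER_KEY)
    uid_a = bytes.fromhex("04a1b2c3")   # constructed UIDs
    uid_b = bytes.fromhex("04d4e5f6")
    topped_up = seal(MASTER_KEY, uid_a, 5000, 1)          # card A holds $50.00
    results = {}
    results["genuine"], after_trip = be.debit(uid_a, topped_up, 320)
    # Contents of card A copied onto a card with a different UID.
    results["copied to other UID"] = be.debit(uid_b, topped_up, 320)[0]
    # Balance field edited while the old MAC tag is kept.
    forged = struct.pack(">IH", 99999, 2) + after_trip[6:]
    results["edited balance"] = be.debit(uid_a, forged, 320)[0]
    # The saved "just recharged" image written back to card A later.
    results["restored snapshot"] = be.debit(uid_a, topped_up, 320)[0]
    results["current block"] = be.debit(uid_a, after_trip, 320)[0]
    return results, after_trip


if __name__ == "__main__":
    for case, status in demo()[0].items():
        print(f"{case:22s} {status}")
```

The MAC alone only rejects contents moved to another UID or edited in place; rejecting the re-used "just recharged" copy that the report names as the biggest threat depends on the back-end counter, which assumes readers are online.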
  • Case Studies

US/AUS Enhanced Identification

As technology advances it brings with it more secure methods of hindering the counterfeiting of identification. This too can be said of RFID technologies. Many governments around the world are now issuing these “enhanced identification” documents which are embedded with RFID tags to assist in correctly processing identities and speed up queues at airports99. Both Australia and the United States of America (US) have introduced ePassports which are designed to facilitate this goal. Fontana describes the US ePassport as:

...a contact-less smartcard with a secure microprocessor that employs a passive radio frequency to transmit data over an encrypted wireless link to a reader.100

The passive nature of the RFID tag is to ensure that the tags cannot be “skimmed” (read) from a distance and require the proper reader to power the chip101. As well as standard encryption techniques being used in the RFID tags embedded in ePassports, these documents contain a technology called Basic Access Control (BAC). This technology utilises digital signatures to ensure that only proper readers can access the personally identifiable data stored on the chip as well as ensuring integrity of the data102. The Australian Department of Foreign Affairs and Trade (DFAT) explains the process of BAC as follows:

...Basic Access Control (BAC) to prevent the chip from being accessed until the Machine Readable Zone (MRZ) on the data page has been read. In addition, the new series incorporates Active Authentication (AA) which offers an additional level of

99 Department of Foreign Affairs and Trade. (2009). "The Australian ePassport." from http://www.dfat.gov.au/dept/passports/.
100 Fontana, J. (2006). Storm building over RFID-enabled passports [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2006/092106-rfidpassports.html
101 Ibid
102 Ibid
  • confidence to passport holders that their personal details contained on the chip are secure and protected.103

Privacy Issues

Unlike the previous case study where personally identifiable information was not stored on the RFID tags, ePassports contain all the users' personally identifiable information stored on the RFID chip. Therefore storage of this information can be deemed as a potential privacy issue. Before the final design of the US ePassport was decided upon it was suggested that the ePassports only contain an RFID embedded with a GUID that links it to a secure database containing the users' personal information104. Unfortunately this idea was not accepted and instead all of the users' personal information is stored on the device, “a unique ID number along with a name, address, date and place of birth and digital photo”105.

There is no research to date indicating that the digital signature used to protect the personal information on the ePassports, either here in Australia or in the US, has been broken. However, it has been demonstrated that it is possible to skim the GUID of ePassports. This poses a serious privacy issue:

...It may be possible to determine the nationality of a passport holder by "fingerprinting" the characteristics of the RFID chip... Taken to an extreme, this could make it possible to craft explosives that detonate only when someone from the US is nearby...106

Mahaffey agrees, noting that although the actual data on the chip can't be read, "the simple ability for an attacker to know that someone is carrying a passport is a dangerous security breach"107. One suggested method for overcoming the privacy

103 Department of Foreign Affairs and Trade, 2009
104 Glasser, Goodman, & Einspruch (2007) p. 104
105 Ibid
106 Evers, J., & McCullagh, D. (2006). Researchers: E-passports pose security risk [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/Researchers-E-passportspose-security-risk/2100-7349_3-6102608.html
107 In Ibid
  • issue related to carrying ePassports is “hitting the chip with a blunt, hard object to disable it. A nonworking RFID doesn’t invalidate the passport, so you can still use it”108.

Security Issues

The security of the ePassport RFID tags in the United Kingdom was broken back in 2007, which resulted in the ability to read and copy the personally identifiable information stored on the tag109. This is a major security breach; however, the digital signatures and encryption of the US and Australian ePassports have yet to be broken. Also, in Germany Grunwald demonstrated in 2006 that he could clone the RFID chip from his passport and write it to another RFID tag110. The data stored on the RFID chip could not be altered, just copied, which could possibly be used in a forged passport, although the holder of the passport would need to physically resemble the owner of the original ePassport for this forgery to succeed.

Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorized changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.111

Another security feature of the US ePassports is the fact that they contain anti-skimming material on the front cover “which greatly complicates the capture of data when the book is fully or mostly closed”112. State Department officials claim that a layer of metallic anti-skimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed113.

108 Wortham, J. (2007) How To: Disable Your Passport's RFID Chip Wired Volume, DOI:
109 Garretson, C. (2007) RFID holes create security concerns Network World Volume, DOI:
110 Evers, J. and D. McCullagh (2006) Researchers: E-passports pose security risk. CNET News
111 Broache A. and M. D. (2006) New RFID travel cards could pose privacy threat. CNET News
112 Ibid
  • A major security issue has been highlighted by Fontana:

...many security experts are still questioning whether e-passports, which have a 10-year life span, have enough security built in to survive a decade of hackers and technology advancements while protecting e-passports users from data theft, identity theft and other security and privacy intrusions.114

This is an important point as many countries’ ePassports to date have had their encryption standards broken already. A possible solution to this scenario is to update the encryption standard used in ePassports whenever a security breach is identified; however, this method is costly as replacing all current passports would pose a huge financial burden. It is much more likely that any identified breaches in security would be kept from the public for as long as possible to deter a potential backlash.

113 Ibid
114 Fontana, J. (2006) Storm building over RFID-enabled passports Network World
  • Conclusion

It is clear that RFID systems are here to stay, at least in the foreseeable future; however, as this report has highlighted, there are many potential privacy and security concerns facing these systems. Any organisation contemplating implementing an RFID system should first identify the real business need. If personally identifiable information does not need to be stored on the RFID tags then it should not be included, as it could present an attractive reason for hackers to attempt to breach the RFID system. The security standards of these systems must be robust and, if possible, upgradeable if the need presents itself. It is unacceptable for any organisation implementing such an RFID system to rely solely on the secrecy of the encryption cipher to act as the RFID tags' only safeguard. Such archaic thinking will only result in breaches of security, and probably privacy as well, and be the reason that the RFID system needs upgrading sooner rather than later. As highlighted by the ePassport example, a 10 year lifespan may be detrimental to the integrity of the RFID security mechanisms in place. These considerations need to be made and all associated risks need to be discussed if an organisation is considering deploying an RFID system, whether it’s for retail or other purposes.
  • Reference List

Anonymous. (2004). RFID: good or bad. International Journal of Productivity and Performance Management, 53(5/6).
Anonymous. (2005). Tiny Trackers: protecting privacy in an RFID world. Newsletter on Intellectual Freedom(November).
Boyd, C. (2009). Lecture 2: Historical Ciphers (Part 1). INB355/INN355, School of Information Technology Queensland University of Technology.
Broache, A. (2006). RFID passports arrive for Americans [Electronic Version]. CNET News Retrieved 04/08/2009, from http://news.cnet.com/RFID-passports-arrive-forAmericans/2100-1028_3-6105534.html
Broache A., & D., M. (2006). New RFID travel cards could pose privacy threat [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/New-RFIDtravel-cards-could-pose-privacy-threat/2100-1028_3-6062574.html
Cardullo, M. (2005). Genesis of the versatile RFID tag. RFID Journal, 2(1), 13–15.
Casey, S. (2008). Go cards 'doomed' over security [Electronic Version]. Retrieved 02/08/2009, from http://www.brisbanetimes.com.au/news/queensland/go-cards-doomedover-security/2008/04/11/1207856789056.html
Courtois, N. T. (2009). Differential Attack on MiFare Classic or How to Steal Train Passes and Break into Buildings Worldwide…. Paper presented at the Eurocrypt 2009 Rump Session.
Dayal, G. (2008). How they hacked it: The MiFare RFID crack explained A look at the research behind the chip compromise. Retrieved 02/08/2009, from http://www.computerworld.com/s/article/9069558/How_they_hacked_it_The_MiFare_RFID_crack_explained?pageNumber=1
Department of Foreign Affairs and Trade. (2009). The Australian ePassport. from http://www.dfat.gov.au/dept/passports/
Digital Security Group of the Radboud University Nijmegen. (2008). Security Flaw in Mifare Classic. Retrieved 04/08/2009, from http://www.ru.nl/ds/research/rfid/
Diodati, M. (2008). The MIFARE Classic Card is Hacked [Electronic Version]. Retrieved 04/08/2009, from http://identityblog.burtongroup.com/bgidps/2008/03/the-mifareclas.html
Doggs, A. (2008). RFID SmartCard encryption cracked by researchers [Electronic Version]. Retrieved 04/08/2009, from http://www.networkworld.com/community/node/25754
Evers, J., & McCullagh, D. (2006). Researchers: E-passports pose security risk [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/Researchers-E-passports-pose-security-risk/2100-7349_36102608.html
Fontana, J. (2006). Storm building over RFID-enabled passports [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2006/092106-rfid-passports.html
Garcia, F. D., van Rossum, P., Verdult, R., & Schreur, R. W. (2009). Wirelessly Pickpocketing a Mifare Classic Card.
Garretson, C. (2007). RFID holes create security concerns [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/032207-rfid-security.html
Gerhard de Koning Gans, & Verdult, R. (2007). Proxmark. Retrieved 04/08/2009, from http://www.proxmark.org/proxmark
  • Ghai, V. (2008). An Automation ANSWER. Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/
Glasser, D. J., Goodman, K. W., & Einspruch, N. G. (2007). Chips, tags and scanners: Ethical challenges for radio frequency identification. Ethics and Information Technology, 9(2), 101-109.
Granneman, S. (2003). RFID Chips Are Here [Electronic Version]. Retrieved 04/08/2009, from http://www.securityfocus.com/columnists/169
Gualtieri, D. M. (2004). Technology's Assault on Privacy. Paper presented at the Phi Kappa Phi Forum.
Günther, O., & Spiekermann, S. (2005). RFID and the perception of control: the consumer's view.
Heydt-Benjamin, T. S., Bailey, D. V., Fu, K., Juels, A., & O Hare, T. (2008). Vulnerabilities in first-generation RFID-enabled credit cards. Lecture notes in computer science, 4886, 2.
Kearns, D. (2009). Verayo claims its RFID is unclonable [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/newsletters/dir/2009/010509id2.html
Kelly, E. P., & Erickson, G. S. (2005). RFID tags: commercial applications v. privacy rights. Industrial Management and Data Systems, 105(6), 703.
Krim, J. (2005). U.S. Passports to Receive Electronic Identification Chips [Electronic Version]. Washington Post. Retrieved 04/08/2009, from http://www.washingtonpost.com/wpdyn/content/article/2005/10/25/AR2005102501624.html
Landt, J., & Catlin, B. (2001). Shrouds of Time: The history of RFID. Pittsburgh, PA, AIM Global.
Lawson, S. (2008). Researchers find problems with RFID passport cards [Electronic Version]. IDG News Service. Retrieved 04/08/2009, from http://www.networkworld.com/news/2008/102408-researchers-find-problemswith-rfid.html?hpg1=bn
McGinity, M. (2004). Staying connected: RFID: is this game of tag fair play? Communications of the ACM, 47(1), 15-18.
Messmer, E. (2007). Plan to use RFID in border control draws fire [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/090707-dhs.html?fsrc=rss-security
Muir, S. (2007). RFID security concerns. Library Hi Tech, 25(1), 95-107.
Nabil Y. Razzouk, V. S., Maria Nicolaou. (2008). CONSUMER CONCERNS REGARDING RFID PRIVACY: AN EMPIRICAL STUDY. Journal of Global Business and Technology, Volume 4(Number 1, Spring), 69-78.
Naone, E. (2009). RFID's Security Problem. Technology Review, 112(1).
Neumann, P. G., & Weinstein, L. (2006). Risks of RFID. COMMUNICATIONS OF THE ACM, 49(5).
Newitz, A. (2006). The RFID Hacking Underground [Electronic Version]. Wired. Retrieved 04/08/2009, from http://www.wired.com/wired/archive/14.05/rfid.html
Niemelä, O. P. a. M. (2009). Humans and emerging RFID Systems: Evaluating Data Protection law on the User scenario basis. International Journal of Technology and Human Interaction, Volume 5(Issue 2), 85-95.
NXP, S. (2009). Mifare Classic - More Information. Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863]
Ohkubo, M., Suzuki, K., & Kinoshita, S. (2005). RFID privacy issues and technical challenges. Communications of the ACM, 48(9), 66-71.
  • Peslak, A. R. (2005). An ethical exploration of privacy and radio frequency identification. Journal of Business Ethics, 59(4), 327-345. Roberti, M. (2004). Tag Cost and ROI [Electronic Version]. RFID Journal. Retrieved 02/08/2009, from http://www.rfidjournal.com/article/articleview/796/ Roberts, P. F. (2007). Battle brewing over RFID chip-hacking demo InfoWorld Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battlebrewing-over-rfid-chip-hacking.html Spiekermann, S. (2008). RFID and privacy: what consumers really want and fear. Personal and Ubiquitous Computing, 1-12. Tucker, P. (2006). Fun with Surveillance. Futurist, 40. van Deursen, T., & Radomirovic, S. (2008). Security of RFID Protocols–A Case Study. Westhues, J. (2003). Proximity Cards. Retrieved 04/08/2009, from http://cq.cx/prox.pl Westhues, J. (2006). Demo: Cloning a Verichip. Retrieved 04/08/2009, from http://cq.cx/verichip.pl Wortham, J. (2007). How To: Disable Your Passport's RFID Chip [Electronic Version]. Wired. Retrieved 02/08/2009, from http://www.wired.com/wired/archive/15.01/start.html?pg=9 40 MUIR RFID: Privacy & Security 2009