RFID Security Concerns


Published on

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

RFID Security Concerns

  1. 1. Article Title | Article Author Voice of Information Security ISSA The Global ISSA Journal | February 2007 RFID Security Concerns By Michael Grimaila Radio Frequency Identification (RFID) technologies have garnered significant interest due to the benefits RFID can provide across a wide variety of applications. CPU Interface Interface Antenna Application Transceiver R adio Frequency Identifica- tion (RFID) technologies have garnered significant interest due to the benefits RFID can provide across a wide variety of ap- Middleware Drivers RFID Reader RF Signals Query / Write / Power Operating Read plications. Large organizations, such System Memory as the Department of Defense (DoD) and Walmart, have embraced RFID LAN to Controller NIC technologies and proven their value in DB Server improving inventory control. Chanc- Antenna Transceiver es are that at some point in the fu- Host Computer ture, your organization will consider deploying RFID technology in some RFID Tag form. However, before implementing Figure 1 – Components of a typical RFID system implementation. any technology, one needs to be aware of the implications and con- sequences of using the technology. In this article, RFID technology RFID readers can be either fixed or mobile. Fixed readers are used is introduced, a brief history of the evolution of RFID applications when tags are known to pass within range of the reader. Examples is presented, and security concerns and countermeasures when us- include toll booths, warehouses, point of sale, checkout stands, and ing RFID technologies are examined. other choke points. Mobile readers are usually hand-held devices used for inventory control applications, requiring the reader to be What is RFID? frequently moved. Radio Frequency Identification (RFID) is a technology used to iden- RFID tags can be attached or embedded into anything of value. For tify, categorize, and track physical items. An RFID system typically example, tags have been placed in shipping pallets and cases, and in- consists of RFID interrogators (hereafter called readers), RFID tags dividual items ranging from apparel, automobiles, books, electronic (hereafter called tags), and an information system. The reader con- devices, livestock, luggage, to human beings. Tags are available in a tains antennas and electronics necessary to communicate with the variety of configurations and vary in cost, size, speed, and storage tags and is responsible for initiating a read operation, transmitting capacity based upon intended application. a message to all tags. All tags within range of the reader respond Since RFID uses radio waves to transfer data between the reader with their individual identification number and possibly other data and tags, it does not require physical contact or line-of-sight between contained within the tag. The reader passes the received informa- the reader and the tag. This is an enormous benefit over competing tion collected from the tags to the information system where it is technologies such as bar codes in that an RFID system can operate collected, processed, and transformed into knowledge based upon in environmental conditions that provide physical barriers (e.g., box- the specific application. es, containers, wrapping paper) and optical barriers (e.g., rain, fog, 30
  2. 2. RFID Security Concerns | Michael Grimaila ISSA Journal | February 2007 Figure 4 – A passive RFID tag used in retail DVD cases for loss Figure 2 – Figure 3 – prevention Figure 5 – A handheld RFID reader A stationary RFID reader A syringe and RFID tag for injecting humans paint, dirt) between the reader and the tag. For these reasons, RFID quires a powered transmitter in the aircraft to send signals back to has become increasingly popular in a large number of data collection the ground station. and identification applications. Commercial applications of RFID technology A brief RFID history lesson Commercial use of RFID technology began in the 1960s with the Contrary to popular belief, RFID is not a new technology. The first introduction of the Electronic Article Surveillance (EAS) system. At recorded use of RFID has been attributed to the German military the core of the EAS system is a small, inexpensive, passive, one-bit during World War II. Specifically, the German military had been RFID tag. When the tag is passed in proximity to an active EAS exploring the use of RAdio Detection And Ranging (RADAR) to monitor, the tag responds with a coded signal, indicating the pres- track distant aircraft. Radar operators soon encountered a problem: ence of the tag. The EAS system was designed as an inexpensive it was not possible to discriminate whether the blips on their radar means to detect theft. When legitimately purchased, the tag attached screens were friendly aircraft returning from a mission or enemy to merchandise is disabled, allowing the item to pass by the EAS bombers seeking to destroy their cities and factories. This dilemma monitor without responding. An obvious shortcoming is that the tag was solved when it was discovered that by moving the wings of their can be removed from the merchandise and the item stolen without aircraft up and down – known as a roll maneuver – the reflected the EAS system detecting it. Despite this limitation, EAS has proven radar signal changed in a unique distinguishable manner. By equip- to be very effective and is the first and most widespread commercial ping friendly aircraft with a means to detect when they entered radar use of RFID technology. range, the pilot would initiate the roll maneuver, enabling the radar The 1970s was a period of development for several new RFID appli- operator to recognize the aircraft as friendly. While this was a very cations. Significant system development occurring during this time crude passive RFID implementation, it proved very effective and al- include animal tracking, factory automation, and vehicle tracking. lowed German radar operators to dispatch their fighter interceptor aircraft only when they detected non-German aircraft. This passive In the 1980s, application domains continued to expand but varied system did not require any power source for the German aircraft somewhat by geographic location. In the United States, development to signal the radar operators. It is interesting to note that this first was focused primarily upon transportation and personal identifica- recorded use of RFID was for a military security application. tion applications, while in Europe the focus was upon short range systems for animal tracking, business, and industrial applications. British pilots soon began to notice that German aircraft occasionally Also, the first RFID toll collection systems entered operation in the exhibited the unusual behavior of simultaneously conducting a roll United States and Norway. maneuver. The fact that the German aircraft acted in synchroniza- tion led British military analysts to question why this was occurring. The 1990s ushered in the widespread deployment of RFID across a After studying this behavior, British analysts detected a coded signal large number of applications including automobile alarms, fuel dis- transmitted from the ground that always preceded the maneuver. pensing systems, gaming checks, remote vehicle starting systems, ski The analysts determined that the German pilots were signaling to lift passes, and vehicle access systems. During this decade, virtually the radar operators that they were German aircraft. all toll roads in the United States were equipped to allow toll col- lection using RFID system. Standardization of RFID systems for Once the British learned of this application, they established a secret toll collection allowed a single RFID tag to operate on multiple toll project in order to develop their own automated system. The goal of roads. By 1999, a group of manufactures proposed a set of standards the project was to provide their radar operators with the capability that would help insure product interoperability and help drive down of discriminating between friendly and unfriendly aircraft without cost. requiring any pilot action. This project resulted in the development of the Identify Friend or Foe (IFF) active RFID system. The IFF In 2004, the Department of Defense announced a requirement that system requires that each friendly aircraft be equipped with a pow- all of their suppliers would soon be required to use RFID tags for ered transmitter and receiver pair, known collectively in this applica- tracking of purchased items1. RFID inventory control applications tion as a transponder. The IFF system was designed so that it can have yielded enormous benefits in logistics. A number of organiza- either continuously transmit an identification signal or it can broad- tions are pilot-testing new RFID applications before mass deploy- cast the signal only in response to a coded signal sent from a ground station. The IFF system is now standard equipment for all civilian 1 Feder, B. J. (2006). Out of consumers’ sight, radio tags gain ground. Retrieved April 4, 2006 from and military aircraft. It is classified as an active system because it re- http://www.nytimes.com/2006/04/04/technology/techspecial4/05radio.html?_r=1 31
  3. 3. RFID Security Concerns | Michael Grimaila ISSA Journal | February 2007 ment. In 2005, Wal-Mart ran a pilot study using RFID tags in all A Sniffing attack can be characterized as either passive or active. A its Texas distribution centers to track more than ten million cases passive attack requires only a radio receiver tuned to the frequency of goods. The success of these tests has led Wal-Mart to double the band of interest and the ability of the attacker to get within proxim- number of their own stores using RFID – over 1,000 by January of ity of the tag when it communicates with the reader. The passive 2007. Over 1,800 RFID related patents had been issued by the US sniffer can not only collect data transmitted by a tag but can also Patent office and more RFID related patent applications are being capture the coded message transmitted by the reader to query the invented each year. tag. An active sniffing attack is more sophisticated. It requires both a transmitter and a receiver tuned to the frequency band of interest, RFID security concerns as well as the knowledge of how a legitimate reader queries a tag. In the active attack, the attacker does not need to be in proximity of a The proliferation of the use of RFID technology incurs some securi- legitimate reader. One can locate their illegitimate reader anywhere ty risk. In this section, the potential security concerns that may occur their may be RFID tags. In this case, the attacking reader sends a when using RFID technologies are examined; examples of RFID special coded message and all tags tuned to that frequency within applications that are particularly vulnerable are presented; and po- range of the receiver respond with their data. tential countermeasures that can be used to mitigate the threats are enumerated. It should be noted that the focus is on the security con- Sniffing attacks corrupt the confidentiality of the data transmitted cerns, and not privacy concerns, of RFID technology. from the tag to the reader and can undermine the integrity of the The architecture of any system using RFID technology is the most important determinate for overall system security. Failing to properly secure the underlying computers, middleware, and application code can undermine all the benefits of RFID. One weakness typically found in RFID systems is the lack of strong encryption protecting the content of the messages passed be- tween reader and tag. If the design of the overall system ar- chitecture is secure, RFID still has inherent vulnerabilities to eavesdropping, interruption (e.g., jamming), and fabrication (e.g., man-in-the-middle attacks). The major threats to an RFID system can be divided into four general categories: Sniffing, Spoofing, Replay, and Denial of Service attacks. These categories are not mutually exclusive. Figure 6 – A readily available hobbyist device The attacks are presented in order of sophistication to provide the background necessary to understand each successive type of at- whole RFID system by revealing details of the encoding scheme tack. Figure 6 shows a readily available hobbyist device that can be used to query tags. Sniffing is usually not a significant threat in retail used to perpetrate many of these attacks. inventory control where a simple single bit tag is used to indicate the presence or absence of an item. However, other applications that use Sniffing attacks tags to uniquely identify individuals or items can be exploited in a Sniffing attacks represent one of the greatest threats to an RFID variety of ways: a terrorist could place a bomb containing an illegiti- system. Sniffing attacks are not unique to RFID technology – ev- mate reader that detonates when a specific RFID enhanced passport ery wireless communication medium suffers from this vulnerabil- or vehicle with an RFID enhanced license plate comes within prox- ity. Any antenna within range of the transmission can intercept imity2; movement of a specific tag over time could be tracked with communications between an RFID tag and reader. The frequency illegitimate readers placed in various locations. bands used by standard RFID systems are public knowledge and One countermeasure to the sniffing attack places the tag in a shield- can be easily obtained on the Internet. Non-standard systems using ed enclosure when not in use, preventing information leakage to un- proprietary frequency bands can easily be characterized by a skilled authorized readers. The shielded enclosure acts as a Faraday cage person using a spectrum analyzer. In either case, it is easy to obtain which effectively blocks all electromagnetic radiation into and out of or build equipment to detect and store these transmissions. Further, the enclosure. Such a protection mechanism prevents a hidden read- such equipment no longer requires a large physical space or large er from querying the tag and blocks all tag emissions rendering the power source as can be seen with the evolution of cellular telephones. sniffing attack ineffective. While this countermeasure is effective, it One can easily hide a receiver on their person and capture transmis- is not feasible if the tag must always be able for legitimate queries. sions between a tag and a reader without the consent or knowledge of the tag holder. While other wireless communication systems can Spoofing attacks employ encryption to defeat the possibility of such an attack, the lim- Spoofing attacks program blank tags with the correct encoded data ited power and processing capabilities of existing RFID tags often so they appear legitimate. The information required to perpetrate eliminates this as a viable option. Recent advancements in technol- this attack can easily be gathered as discussed in the previous sec- ogy, however, are enhancing tag capabilities, such as read-write capa- tion. This type of attack could be used to retag items in a point of bility, increased computational power, longer battery life, and larger sale application where RFID tags are used to uniquely identify the memory storage. These enhancements do significantly increase the product and its cost. For example, in an RFID enhanced supermar- tag cost – when compared to simple, mass manufactured tags – and ket one could remove the tag applied to a frozen lobster and retag can only be used in special cases when the additional cost can be justified. 2 Juels, A. (2006). RFID security and privacy: A research survey. Selected Areas in Communica- tions, IEEE Journal on, 24(2), 381-394 32
  4. 4. RFID Security Concerns | Michael Grimaila ISSA Journal | February 2007 the item with a tag that corresponds to significantly lower cost items any readers undetected. A denial of service countermeasure might such as a pack of mints. Another use of this attack is tag cloning: a include prohibiting individually owned bags to be carried into retails legitimate tag is cloned and used to steal services or gain access to a stores, but this is often expensive in manpower to enforce and can be restricted area. For example, researchers at John Hopkins University defeated if an individual fabricates a Faraday cage in their clothing. were able to clone an existing legitimate tag and use it to buy gasoline This attack became so prevalent that in 2001, the state of Colorado and unlock an automobile. Spoofing attacks compromise the integ- make it a criminal offense to make or wear aluminum underwear to rity of the RFID system by making it impossible to uniquely identify help reduce theft in convenience stores. a physical object. Countermeasures to these types of spoofing attacks Another type of denial of service attack involves pulling tags off of include shielding tags when not used for legitimate reading, using their intended items and relocating them on other items. In automat- strong encryption, or embedding non-standard response schemes ic payment scenarios found in retail stores, a thief can swap tags from that are difficult characterize. low value items with those located high value items. In this case, the thief will appear to be properly paying for items when in fact they Replay attacks are defrauding the retail store. In certain applications, such an attack Replay attacks combine sniffing and spoofing types of attacks. The will corrupt the database stored on the information system and can attacker queries a tag, receives the information sent by the tag, and cause significant loss of trust and integrity of an RFID system. If a retransmits this information at a later time. Replay attacks compro- warehouse was using an RFID system to maintain a product inven- mise the confidentiality and integrity of the RFID system. This type tory, an attacker could relocate tags from on pallet to another and of attack is especially troubling in applications involved with authen- cause a complete loss of integrity of the inventory stored on the infor- tication. For example, suppose that an employee carries an RFID en- mation system3. A possible countermeasure to this type of attack is hanced identification badge to access a secured facility. In this case, to manufacturer the tag into the item, make the tag inaccessible, or the badge is manufactured so that it contains an RFID tag. When cause destruction to the item if the tag is removed. The risks of this the individual is within proximity of a legitimate badge reader, the type of attack are growing everyday due to the widespread availabil- reader queries the tag, which responds with a code representing the ity and low cost of RFID equipment and information. employee’s access credentials. The individual’s facility access is au- thenticated or denied. Now, consider the same employee at a local Conclusions deli, passing by someone with a hidden badge reader. The attacker triggers an illegitimate reader to send a query and then records the RFID technology is unique in its ability to identify physical items responses from any badges within its proximity. The attacker can in a wide range of harsh environments which are problematic for now program a blank RFID enhanced badge and gain access to the other types of identification technologies, such as bar coding. How- secured facility. ever, RFID technology also suffers from a large number of inher- ent security vulnerabilities which must be accounted for in a formal One countermeasure to this type of attack is to utilize the read-write risk assessment before deploying the technology. There are multiple capability present in newer tags. In this case, when someone accesses attack vectors and inherent vulnerabilities which may be found in the secured facility, their code is authenticated and a new code is up- RFID systems. The key to success in this endeavor is to first gain loaded into the tag. This reduces the amount of time that a captured a grounded understanding of the technology before analyzing the code can be used and dramatically increases the likelihood that they system as a whole. will be exposed when using the captured code. Despite these pre- cautions, there are systems still being proposed that are vulnerable. For example, in the UK trials are underway to test battery operated Disclaimer RFID enhanced license plates capable of transmitting their signals The views expressed in this paper are those of the authors and do not more than three hundred feet. The system was designed to be simple reflect the official policy or position of the United States Air Force, and low cost and as a result does not address the security issues pre- the Department of Defense, or the U.S. Government. sented. References Denial of service attacks Borriello, G. (2005). Introduction. Communications of the ACM, 48(9), A denial of service attack against an RFID system attacks the avail- 34-37. ability or usability of the system and can be perpetrated in many The Dean Boys. (2005). Identification friend or foe (IFF) systems: IFF different ways. One can attack any combination of the reader, the questions and answers. Retrieved March 20, 2006 from http://www. tags, or information system that processes the data received from the dean-boys.com/extras/iff/iffqa.html RFID tags. Since the reader only detects the presence of the tags, one possible attack involves the removal of the tag before it passes Eckfeldt, B. (2005). What does RFID do for the consumer? Com- in proximity of the reader. This attack is commonly employed by munications of the ACM, 48(9), 77-79. thieves attempting to steal tagged items from retail stores. By remov- Juels, A., Molnar, D., & Wagner, D. (2005). Security and privacy is- ing the tag from an item, they can hide the item from view and pass sues in E-passports. 74-88. by the reader undetected. Countermeasures to this type of attack Karthikeyan, S., & Nesterenko, M. (2005). RFID security without include hiding the tag in the item, making the removal of the tag extensive cryptography. SASN ‘05: Proceedings of the 3rd ACM Work- difficult, or designing the tag such that its removal causes irreparable shop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, damage to the item. Another attack involves placing the tagged item USA, 63-67. from http://doi.acm.org/10.1145/1102219.1102229 into a foil-lined bag or enclosure which acts as a Faraday cage. In this case, the thief does not need to remove the tag but instead simply places the whole tagged item into the foil-lined bag and can pass by 3 Neumann, P. G. (2003). Risks to the public in computers and related systems. SIGSOFT Softw.Eng.Notes, 28(6), 6-14 33
  5. 5. RFID Security Concerns | Michael Grimaila ISSA Journal | February 2007 Le-Pong Chin, & Chia-Lin Wu. (2004). The role of electronic con- Stajano, F. (2005). RFID is x-ray vision. Communications of the ACM, tainer seal (E-seal) with RFID technology in the container security 48(9), 31-33. initiatives. 116-120. Vacherand, F., & ois. (2005). New technologies for contactless micro- Libicki, M. (2005). Are RFIDs coming to get you? Security & Privacy systems. SOc-EUSAI ‘05: Proceedings of the 2005 Joint Conference on Magazine, IEEE, 3(6), 6-6. Smart Objects and Ambient Intelligence, Grenoble, France, 13-17. from McCoy, T., Bullock, R. J., & Brennan, P. V. (2005). RFID for airport http://doi.acm.org/10.1145/1107548.1107556 security and efficiency. Xingxin Gao, Zhe Xiang, Hao Wang, Jun Shen, Jian Huang, & Molnar, D., & Wagner, D. (2004). Privacy and security in library Song Song. (2004). An approach to security and privacy of RFID RFID: Issues, practices, and architectures. CCS ‘04: Proceedings of system for supply chain. 164-168. the 11th ACM Conference on Computer and Communications Security, Washington DC, USA, 210-219. from http://doi.acm.org/10.1145/10 About the Author 30083.1030112 Michael Grimaila, PhD, CISSP, CISM, GSEC Gold, is an Assistant Ohkubo, M., Suzuki, K., & Kinoshita, S. (2005). RFID privacy issues Professor at the Air Force Institute of Technology. His research interests and technical challenges. Communications of the ACM, 48(9), 66-71. focus on the Management of Information Assurance. He is a member of the ACM, AIS, IEEE, ISACA, ISSA and ISSEA. Dr. Grimaila serves Phillips, T., Karygiannis, T., & Kuhn, R. (2005). Security standards on the Editorial Advisory Board of the ISSA and is an active member for the RFID market. Security & Privacy Magazine, IEEE, 3(6), 85- of the ISSEA Metrics Working Group. He can be reached at Michael. 89. Grimaila@afit.edu. QED Systems. (2002). Active and passive RFID. Retrieved March 18, 2006 from http://www.autoid.org/2002_Documents/sc31_wg4/ docs_501-520/520_18000-7_WhitePaper.pdf RFID Journal. (2005). The history of RFID technology. Retrieved March 20, 2006 from http://www.rfidjournal.com/article/articlev- iew/1338/1/129/Rieback, M. R., Crispo, B., & Tanenbaum, A. S. (2006). The evolution of RFID security. Pervasive Computing, IEEE, 5(1), 62-69. www.issa.org 34