The purpose of this project was to research the security vulnerabilities of RFID, ways to guard against those vulnerabilities, and how the security solutions impact business processes. With the recent increase in use of RFID technologies, businesses need to be aware of the security threats and associated risks.

1. RFID and Security Vulnerabilities
Aaron Britton, David Cole, Zachary Farr, Travis Waltrip, Michael Brockly, Stephen Elliott
The purpose of this project was to research the security vulnerabilities of RFID, ways to guard against those
vulnerabilities, and how the security solutions impact business processes. With the recent increase in use of
RFID technologies, businesses need to be aware of the security threats and associated risks.
RFID Cloning
Overview
RFID Denial of Service
RFID Eavesdropping and Skimming
Prevention
http://www.t4f.org/archives/OpenRFIDTagLite/schematics/OpenRFIDTagLiteversion03.pdf
A method of capturing data from an RFID tag and then creating an
unauthorized copy of the captured data onto a new chip.
Access control cards are very easily cloned. Tech for Fun published
schematics and firmware for a hardware cloner.
Physically Unclonable Functions – Circuit based challenge and response mechanism that
forces each RFID chip to provide a unique response.
Public Key Cryptography – Using a key to encrypt the plaintext and then a separate key
to decrypt the data.
Reduce Range – Lower the threshold on how far cards can be read
Semi-Randomized Control – Type of Encryption in which readers need multiple modes to
gain access of the information
Faraday Cage - A Faraday cage is a metallic enclosure that prevents the entry or escape
of an electromagnetic field. Can be used in large or small environments
Injection is malicious or harmful code inserted into an RFID tag that is used to alter or corrupt
data in a radio frequency identification system.
Code Injection – Uses scripting languages (php, xml or sql)
Examples: ;shutdown or ;drop table <tablename>
Airport Scenario:
• Infected luggage with an RFID tag is checked in at an airport.
• Luggage is scanned at the check-in counter and the data is processed.
• The payload is then released into the system and executed.
• Comprised data is now moving throughout the system and can be released onto new tags.
Abawajy, J., Fernando, Harinda.:Securing RFID Systems from SQLIA.
RFID Virus Injection
An unauthorized access of information from the victims RFID information.
• Eavesdropping – Unauthorized access of information from the transaction between the
Reader and token
• Attack Types - Personal Debit/Credit Cards, Industrial Inventory, Personal
Information
• Example - Perpetrator “listens” to information being transmitted from a
contactless debit card to retailers point of sale
• Type of Equipment Used - Antenna, Amplifier, Mixer, Oscillator
Hancke, Gerhard. "Practical eavesdropping and skimming attacks
." Journal of Computer Security . 2011.19 (2011): 259-288. Print.
A denial of service attack prevents or damages the availability or usability of the RFID
system.
Blocker Tags - RFID tag that can simulate a multitude of legitimate tags
• Tag simulates both a 0 and a 1 when read.
• 0 and 1 simulation is an error to reader and forces the reader to try and read the entire
binary tree.
• As entire binary tree is very large, the reader will timeout before completion.
Juels, A., Rivest, R., Szydlo, M.: The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy.
RFID Retail
• A thief enters a store and removes the RFID tag from a product.
• Can place onto another product to reduce price.
• Thief can steal item since RFID tag was removed.
• Faraday cage used to prevent an RFID tag from being scanned.
Loss prevention - Retail must maintain traditional loss prevention methods to prevent
faraday cage thefts.
Attach RFID to products in such a way that removal damages product.
Use an observer with automated systems to ensure that products are not switched.
Detect blocker tag attack when an unreasonable number of RFID tags is detected at a
location.
Use limited size tags such as the EPC tag that has a limited size of 96 bits.
Conduct independent code audits of the middleware that’s used in conjunction with the
tag readers.
• Skimming – A direct attack on the victims token in which
information is received without consent
• Attack Types – Passports, Secure Access
Passes , Personal Information
• Perpetrator “pings” a victims RFID token, using
both a “power source” and receiver.
• Type of Equipment Used – Coil Antenna, RF
Antenna, Power Amplifier, RFID receiver