25-02-2013, 03:25 PM
A Framework for Assessing RFID System Security and Privacy Risks
INTRODUCTION
Radio Frequency Identification systems use radio waves sent between tags and readers to automatically identify physical objects [1]. Passive tags, which have no battery and simply use the energy of a reader's emitted radio waves, are so small as to be almost invisible: tags that are 0.4 × 0.4 millimeter are currently on the market. RFID is becoming quite popular in logistics and the supply chain [2], where vendors use it as a kind of improved bar code. Unlike printed bar codes, for example, RFID tags don't require line-of-sight readings. RFID also enables multiple scanning: readers can scan an entire truckload or shopping basket at once, which allows for further automation in many industry processes. Also, bar codes carry only an ID number, while RFID tags can contain other information, such as product details. When combined with sensors, RFID tags can store the history of storage conditions, mechanical shocks, and so on. Increasingly, developers are commercializing RFID technology beyond logistics and the supply chain, offering applications for various domains, including medicine and agriculture [3,4].
Threats to RFID systems
Like all information systems, RFID-based systems are subject to generic attacks that threaten system security and user privacy. However, there are also many attacks that specifically target RFID system technologies.
Eavesdropping
In eavesdropping, attackers secretly monitor data sent from an RFID tag to a reader, or vice versa, via the air interface (the communication channel between the reader and tag). Because eavesdropping is passive, that is, the attacker doesn't emit any signal, it is very difficult to detect. The most common countermeasures are to encrypt the data (so an eavesdropper can't interpret the signal) and to use a metal screen to shield the tag and reader during information exchange (such as at border checkpoints). It's also important to limit the distance between the tag and reader by using the standard with the smallest communication range sufficient for a given application. However, developers must also bear in mind that, using a nonstandard reader, attackers can extend a standard communication range several times.
Unauthorized tag reading
Attackers can use a fake reader to read tag information. They can extend a fake reader's range to several times the standard communication distance [5,8]. Moreover, it's relatively cheap to build an extended-range reader.

A specific countermeasure against unauthorized tag reading is reader authentication. Another is to initiate transmission only after the user activates the tag (by pressing a button, for example), so the possibility of unauthorized reading is limited to moments when the user requests a legitimate communication. Developers can also reduce risk by moving sensitive information to a protected database in the system's back end, as in VeriMed (see www.verimedinfo.com), a medical information system.
Tag cloning
In tag cloning, attackers make a duplicate RFID tag, which might be either quite similar in size or much larger than the original but have the same functionality. Attackers can use duplicates to access a restricted area, abuse private data, or make an electronic transaction on the victim's behalf.

Tag authentication prevents cloning; if developers use a challenge-response protocol, the information that attackers can obtain through the air interface (such as by eavesdropping) is insufficient to duplicate the tag. Also, developers can apply appropriate measures at the circuit manufacturing stage to protect tags from duplication by reverse engineering.
People tracking
In people tracking, attackers follow tag carriers' movements using various techniques, including placing fake readers in doorways or deploying eavesdropping devices near legitimate readers.
Replay attacks
In replay attacks, attackers abuse authorized tag carriers' identities by repeating their authentication sequences. To do this, attackers might use a clone of a legitimate tag or resend the eavesdropped signal from a PC equipped with an appropriate card and antenna.

To perform replay attacks, attackers must first obtain information sent by the tag during normal communication. Here, countering eavesdropping and unauthorized tag reading offers a first line of defense. A specific replay-attack countermeasure is to authenticate tags using, for example, a challenge-response protocol.
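The challenge-response tag authentication recommended above against both cloning and replay, as an added illustration that is not part of the original paper: the reader sends a fresh random nonce, the tag answers with an HMAC over that nonce under a per-tag secret, and a response eavesdropped in one session is useless in the next. The tag identifier, the key table and the HMAC-SHA256 construction are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: per-tag secret shared only by the tag and the back end.
TAG_KEYS = {"tag-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def reader_challenge() -> bytes:
    """Reader side: an unpredictable 16-byte nonce, fresh for every session."""
    return secrets.token_bytes(16)


def tag_respond(tag_id: str, key: bytes, nonce: bytes) -> tuple[str, bytes]:
    """Tag side: prove possession of the key by MACing the reader's nonce.
    Only the tag id and the MAC cross the air interface; the key never does."""
    return tag_id, hmac.new(key, nonce, hashlib.sha256).digest()


def reader_verify(nonce: bytes, tag_id: str, response: bytes) -> bool:
    """Reader/back end: recompute the expected MAC for this session's nonce."""
    key = TAG_KEYS.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)  # constant-time compare


def legitimate_session(tag_id: str = "tag-0001"):
    """One honest exchange; also returns what an eavesdropper would capture."""
    nonce = reader_challenge()
    tid, resp = tag_respond(tag_id, TAG_KEYS[tag_id], nonce)
    return reader_verify(nonce, tid, resp), (tid, resp)


def replay_session(captured: tuple[str, bytes]) -> bool:
    """A cloned or replayed tag can only repeat the captured (id, MAC) pair.
    The reader issues a new nonce, so the stale MAC does not verify."""
    tid, resp = captured
    return reader_verify(reader_challenge(), tid, resp)


def static_id_verify(tag_id: str) -> bool:
    """Contrast: a tag that merely broadcasts its id. Anything that can
    repeat the id (a clone, a recorded signal) is accepted."""
    return tag_id in TAG_KEYS
```

The static-id check shows why tag cloning and replay succeed against simple identifier-only tags, while the nonce-bound MAC defeats both with the same captured traffic.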
System deployment range
Here, I consider three basic types of RFID systems: those with local, restricted operations; those distributed within a single organization; and those distributed across different organizations.

In locally operated systems, such as those used in some manufacturing processes or local access-control applications, the readers and back-end system use a local network to exchange information in a restricted area. Rather than exchanging information over a network, it's also possible to connect an RFID reader to a single computer that contains the whole back end (database and software).
Demand for security
Security demands depend mostly on two factors:

- The size of the potential damage, which might include loss of money, loss of customers, or disclosure of privacy-sensitive information.
- The attackers' motivation level, that is, how much attackers stand to gain if they're successful.

Because these factors often correlate, I aggregate them into a single criterion. However, the factors aren't always linked: in medical information systems, for example, incorrect treatment can cause serious damage, but potential attackers have far less incentive here than they do with payment systems or e-passports.
E-passports
Many countries, including the US and all European Union members, recently introduced e-passports containing RFID chips. When interrogated by the reader, these chips transmit personal and biometric data; in the latter case, the data is currently only a digital photo of the owner, but in the near future countries are planning to use fingerprints and possibly iris data.

Personal and biometric data are particularly sensitive. Also, attackers might be highly motivated to copy e-passports or use their data for identity theft. The consequences of an attack could be serious, including personal and biometric data theft, tracking of the e-passport's owner, illegal border crossings, or even detonating a bomb designed for a specific country of origin or for a specific individual, based on information emitted by the chip in his or her passport [20].