D3.7 A Structured Collection on Information and Literature on Technological and Usability Aspects of Radio Frequency Identification (RFID)
As already explained in chapter RFID tags can be of different types. Consequently, not all of the following threats and corresponding measures apply to all types of tags. As most of today’s tags are used in supply chain management and follow the EPC standards (see chapter ), threats relevant for these tags are listed in a separate chapter. This does not mean that these threats are not relevant for other types of tags; for example, destruction or detaching can be done with all types of tags.
Deployment of copied tags
Since a basic RFID tag is a device that sends its ID number when requested, it is relatively easy to build a duplicate of it, especially if the attacker is not constrained by physical size.
Security measures for deployment of copied tags
Measures to reduce the risk of deployment of falsified tags are the use of authentication protocols (not mandatory in basic EPC tags) in combination with key management procedures and management of issued tag numbers. Measuring properties of the signal sent by the tag may also help to distinguish a proper tag from a fake, but not in the case of a high-quality falsification.
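The combination named above (tag authentication, key management and a registry of issued tag numbers) can be sketched as follows. This is an added example, not part of the original deliverable; the class and function names, the demo key, the tag numbers and the use of HMAC-SHA256 as the tag's cryptographic primitive are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
ISSUED_IDS = {"TAG-0001", "TAG-0002"}  # constructed registry of issued tag numbers


def derive_tag_key(tag_id: str) -> bytes:
    """Key management: diversify one key per tag from the master key."""
    return hmac.new(MASTER_KEY, b"tag-key|" + tag_id.encode(), hashlib.sha256).digest()


class AuthTag:
    """Tag that stores a secret key and answers reader challenges."""
    def __init__(self, tag_id: str):
        self.tag_id = tag_id
        self._key = derive_tag_key(tag_id)  # loaded at issuance

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class CopiedTag:
    """Duplicate built from what was observed on the air interface:
    the ID number and, optionally, one recorded response."""
    def __init__(self, tag_id: str, recorded: bytes = bytes(32)):
        self.tag_id, self._recorded = tag_id, recorded

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded  # no key, so it can only replay


def reader_accepts(tag) -> bool:
    """Reader/backend check: issued number plus fresh challenge-response."""
    if tag.tag_id not in ISSUED_IDS:
        return False  # number was never issued
    challenge = secrets.token_bytes(16)  # fresh per read, so old responses are useless
    expected = hmac.new(derive_tag_key(tag.tag_id), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(challenge))
```

A duplicate that only repeats the ID, or replays a response captured earlier, is rejected because each read uses a new challenge; the per-tag key derivation limits the damage if the key of a single tag is extracted.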
Related costs
Building a falsified tag is not expensive, but it requires some basic knowledge and skill. Protocols with tag authentication, which can be applied as a countermeasure, require more sophisticated tags (and must also be supported by readers); therefore they cannot be applied in the lowest-cost solutions.
Deactivation
These types of attack render the tag useless through the unauthorized application of delete or kill (Auto-ID 2006) commands. Depending on the type of deactivation, the reader can either no longer detect the identity of the tag, or it cannot even detect the presence of the tag in the reading range.
Security measures for deactivation
Unauthorized application of delete commands or kill commands can be prevented by using an authentication method for the reader (when available).
Related costs
Deactivation by means of a kill command requires a dedicated device and usually a password. When the tag has an authentication method available, the costs of switching it on are low and most expenses would go into the management of tags and readers, which have to be loaded with cryptographic keys. This would prevent unauthorized usage of the kill command.
Destruction
Tags could be physically destroyed by chemical or mechanical means, or by using strong electromagnetic fields (like in a microwave oven). Active tags could also be shut down by removing or discharging the battery.
Security measures for destruction
A countermeasure for destruction of the tag would be a close mechanical connection between the tag and the tagged item to make it difficult to destroy the tag without damaging the item. To prevent discharging the battery of an active tag, one could implement a sleep mode in the tag.
Related costs
Physically deactivating a tag is easy, whether by means of chemicals, by exposure to an electromagnetic field, or by destroying the antenna. To prevent physical deactivation, one could introduce a tight mechanical bond between the tag and the tagged item to ensure that removing the tag will also damage the product.
Detaching the tag
A tag is separated physically from the tagged item and may subsequently be associated with a different item, in the same way that price tags are "switched". Since RFID systems are completely dependent on the unambiguous identification of the tagged items by the transponders, this type of attack poses a fundamental security problem, even though it may appear trivial at first sight.
Security measures for detaching the tag
A countermeasure for detaching the tag from the tagged item would be a tight mechanical bond between the tag and the tagged item to ensure that removing the tag will also damage the product. In the case of active tags, an alarm function is conceivable: a sensor determines that the tag has been manipulated and transmits the alarm to a reader as soon as it comes within range. For high-value items, an option would be to manually check whether the tag is attached to the correct item.
Related costs
In general a tag can be easily detached from the tagged item, unless some mechanical bond is placed between the tag and the tagged item. Alarm functions in which tag manipulation is detected by a sensor are only available in more expensive active tags.
Falsification of contents and/or tag ID
Data can be falsified by unauthorized write access to the tag. This type of attack is suitable for targeted deception only if, when the attack is carried out, the ID (serial number) and any other security information that might exist (e.g. keys) remain unchanged. This way the reader continues to recognize the identity of the tag correctly. This kind of attack is possible only in the case of RFID systems which, in addition to ID and security information, store other information on the tag.
The attacker obtains the ID and any security information of a tag and uses these to deceive a reader into accepting the identity of this particular tag. This method of attack can be carried out using a device that is capable of emulating any kind of tag or by producing a new tag as a duplicate of the old one (cloning). This kind of attack results in several tags with the same identity being in circulation.
Security measures to prevent unauthorized modification of tag data (contents and ID)
An obvious security measure to prevent modification of tag data is to use read-only tags, for which unauthorized modification is intrinsically impossible. Another effective measure, also recommended for reasons of data management, is to shift all data except the ID to the backend. Some types of tags have an authentication method (like the ISO 9798 standard), through which the reader can be authenticated by the tag so that only authorized readers can modify the tag’s contents. In addition, the data stored on the tag can be signed electronically.
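The last measure, protecting data stored on the tag so that unauthorized changes are detected, can be illustrated as follows. This is an added example, not part of the original deliverable; it substitutes a keyed MAC (HMAC-SHA256, with the key held only by the backend) for the electronic signature the text mentions, and the function names, key and tag contents are constructed for illustration.

```python
import hashlib
import hmac

BACKEND_KEY = b"constructed-demo-key"  # constructed; held by the backend, never stored on the tag


def seal(tag_id: str, data: bytes) -> bytes:
    """MAC over ID and data; the length prefix keeps the ID/data boundary unambiguous."""
    tid = tag_id.encode()
    msg = len(tid).to_bytes(2, "big") + tid + data
    return hmac.new(BACKEND_KEY, msg, hashlib.sha256).digest()[:16]  # truncated for small tag memory


def issue(tag_id: str, data: bytes) -> dict:
    """Contents written to a re-writable tag at issuance."""
    return {"id": tag_id, "data": data, "seal": seal(tag_id, data)}


def check(tag: dict) -> str:
    """Backend verdict for one read of a tag."""
    if hmac.compare_digest(seal(tag["id"], tag["data"]), tag["seal"]):
        return "ok"
    return "contents-or-id-modified"
```

Because the ID is bound into the seal, changed data under an unchanged ID is detected, as is sealed data moved to a tag with a different ID. An exact copy of ID, data and seal still verifies, which is why cloning has to be addressed by tag authentication rather than by signing the contents.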
Related costs
To perform an unauthorized modification of data in the case of re-writable tags, the attacker would have to acquire a reader that is capable of writing to the tag. Due to the short range involved, the possibility of this attack is limited. The longer the range of the reader, the more expensive the attack would be.
In general, a read-only tag is less expensive than a re-writable tag, so where the application allows, replacement by read-only tags would be a good countermeasure. When the tag has an authentication method available, the costs of switching it on are low; most expenses would go into the management of tags and readers, which have to be loaded with cryptographic keys. Shifting all data on the tag to the backend requires a new infrastructure (in the backend and for provisioning of the tags and readers), which brings high initial costs that fade out later.
If there is no authentication mechanism, the data placed on the tag can be read by an unauthorized reader, often from a much greater distance than foreseen for standard communication. For example, data from an e-passport, which uses standard 14443, has a standard read range of 10 cm, but this can be extended to 50 cm or even several meters.
Security measures for unauthorised data access
A simple, effective and low-cost security measure against unauthorised data access is shielding, i.e. wrapping the tag in metal foil or placing it in an aluminium-coated bag. Shielding is a good solution for e.g. identity documents, but for some applications it is not appropriate because it does not allow for full automation of the process. A more advanced solution is authentication of the reader: the tag sends data to the reader only after checking its electronic signature.
Related costs
Unauthorized access to the tag can be obtained at relatively low cost if no measures are applied. Reading data from shielded tags is practically impossible. Spoofing a strong authentication procedure (challenge-response) can be done by reverse engineering a legitimate reader, but this is quite difficult and expensive.
The cost of shielding is low, while an appropriate authentication procedure cannot be implemented on a low-cost tag.
Denis Royer