Chapter 24. RFID Security

24.1. Introduction

In a broad context, radio transmissions containing some type of identifying information are considered Radio Frequency Identification (RFID). This can be a cab driver using his unit number over the air, or the call sign of a radio station. This chapter discusses the tools, applications, and security of RFID.

RFID is about devices and technology that use radio signals to exchange identifying data. In the usual context, this implies a small tag or label that identifies a specific object. The tag receives a radio signal, interprets it, and then returns a number or other identifying information (e.g., “What are you?” answered with “I am Inventory Item Number 12345”).

Alternatively, it can be as complex as a series of cryptographically encoded challenges and responses, which are then interpreted through a database, sent to a global satellite communications system, and ultimately influence a backend payment system.

Some of the current uses of RFID technology include:

  • Point of Sale (POS)
  • Automated Vehicle Identification (AVI) systems
  • Restrict access to buildings or rooms within buildings
  • Livestock identification
  • Asset tracking
  • Pet ownership identification
  • Warehouse management and logistics
  • Product tracking in a supply chain
  • Product security
  • Raw material tracking/parts movement within factories
  • Library books check-in/check-out
  • Railroad car tracking
  • Luggage tracking at airports

24.2. RFID Security in General

The multitude of questions regarding RFID applications is influenced by the policy decisions of implementing certain applications, and by the philosophical and religious outlook of the parties involved. Generally, those matters are not discussed, except where a security decision directly influences a privacy policy.

We often embrace new technology without understanding the security issues. We tend to cast a cynical eye at marketers’ hyperbole concerning performance. Even so, sometimes we fail to be cynical regarding security claims (or lack thereof) surrounding new technology.

Security is often considered secondary to other issues of certain technologies. RFID is being used in multiple areas where little or no consideration was given to security issues.

Although RFID is a young technology, the security of some RFID systems has already been compromised. In January 2005, the encryption of ExxonMobil’s SpeedPass and the RFID POS system was broken by a team of students (as an academic exercise at Johns Hopkins University), because common rules concerning strong encryption were not followed.

In February 2006, Adi Shamir, professor of Computer Science at the Weizmann Institute, reported that he could monitor power levels in RFID tags using a directional antenna and an oscilloscope. He said that patterns in the power levels can be used to determine when password bits are correctly and incorrectly received by an RFID device. Using that information, an attacker can compromise the Secure Hashing Algorithm 1 (SHA-1), which is used to cryptographically secure some RFID tags.

According to Shamir, a common cell phone can conduct an attack on RFID devices in a given area. (Shamir coauthored the Rivest, Shamir, & Adleman (RSA) public-key encryption in 1977.) Recently, a group at Amsterdam’s Free University in the Netherlands created RFID viruses and worms as a “proof of concept.” This group fit a malicious program (malware) onto the memory area of a programmable RFID chip (i.e., a tag). When the chip was queried by the reader, the malware passed from the chip to the backend database, from where the malware could be passed to other tags or used to carry out malevolent actions. The exploits employed, including Structured Query Language (SQL) and buffer overflow attacks, are generally used against servers.

Because RFID is based on radio waves, there is always the potential for unintended listeners. Even with the lowest powered radios, the distance that a signal travels can be many times what is considered the maximum (e.g., at the DefCon 13 security convention in Las Vegas, Nevada, in July 2005, some consultants received a response from an RFID device from 69 feet away, which is a considerable distance for a device designed to talk to its reader at less than 10 feet).

Additionally, radio waves can move in unexpected ways; they can be reflected off of some objects and absorbed by others. This unpredictability can cause information from an RFID tag to be read longer than intended, or it can prevent the information from being received.

The ability to receive RFID data further away than expected opens RFID to sniffing and spoofing attacks.

Being able to trigger a response from a tag beyond the expected distance makes RFID systems susceptible to denial-of-service (DOS) attacks, where radio signals are jammed with excessive amounts of data that overload the RFID reader.

Radio jamming, where the frequency is congested by a noisy signal, is still a destructive force to be considered when using modern RFID systems.

Much of the increased visibility of RFID within the last few years has been influenced by two things:

  • In June 2003, Wal-Mart announced that it would begin using RFID in its supply chain by January 2005. A group of approximately 100 Wal-Mart vendors were selected to use RFID at the company’s distribution centers. Those companies will use RFID-enabled cases and pallets, which will be scanned at the point of reception and departure from a given distribution center.
  • The decision by the United States Department of Defense (DoD) to use RFID to improve data quality and management of inventories. In October 2003, the U.S. Acting Under-Secretary of Defense, Michael W. Wynne, issued a memo requiring military suppliers to use RFID tags on shipments to the military by January 2005. The goal is to have a real-time view of all materials.

The DoD has been using RFID to track freight containers since 1995. With a reported inventory of over $80 billion spread over much of the world, the ability to have a real-time view of the location of materials is a requirement.

The widespread use of RFID by both Wal-Mart and the DoD will make other people, companies, and groups aware of the benefits of using RFID. Also, their combined demand ensures that there will be an increase in RFID research and development, and a lowering of the overall prices of RFID equipment. Figure 24.1 shows various types of RFID tags.

Figure 24.1. Various RFID tags

As costs are driven down, other large retailers (e.g., Best Buy and Target) are starting to use RFID at the pallet level, or have RFID systems in the planning stage. The costs are low enough so that smaller RFID units are attainable to hobbyists. Figure 24.2 is a photo of an RFID reader.

Notes from the Underground…

Identification Friend or Foe (IFF)

The concept of automatic identification using a radio transponder originated in World War II as a way to distinguish friendly aircraft from the enemy; hence, the name Identification Friend or Foe (IFF). The “friendly” planes responded with the correct identification, while those that did not respond were considered “foes.”

In principle, IFF operates much the same as RFID. A coded interrogation signal is sent out on a particular RF, which the transponder receives and decodes. The transponder then replies with encrypted identification information. Each transponder has a unique identifier; however, some secondary information can be manually set by the pilot.

IFF has expanded since WWII, and now includes several different identification modes for both civilian and military aircraft. These expanded modes add various additional pieces of information, such as the aircraft’s altitude. Even though its modern role now includes civilian aircraft, the system is still commonly known as IFF.

Figure 24.2. RFID reader including the antenna and electronics package

24.3. RFID Radio Basics

The following section is a primer on radio waves. If you do not know much about radio, you are encouraged to read it. If you are a radio aficionado, it will seem simplistic; feel free to skip over it.

Radio is a small piece of the “electromagnetic spectrum” that covers all forms of radiation. Other parts of the electromagnetic spectrum that you may be familiar with are cosmic-ray photons, gamma rays, x-rays, and visible light. The Radio Frequency (RF) area is broken down into a number of “bands” (i.e., grouped frequencies); for example, the Very High Frequency (VHF) band covers 30 megahertz (MHz) to 300 MHz. In the United States, use of these bands is governed by the Federal Communications Commission (FCC), including who may use a given band, the power level they may transmit at, and how they modulate the signals. Most other countries have a similar regulatory body. Many European Union countries are regulated by the European Telecommunications Standards Institute (ETSI).

Tools and Traps…

It Hertz So Good

RFs are measured in hertz (Hz). Most of the measurements of radio waves for RFID occur in thousands of cycles per second (kilohertz [kHz]); millions of cycles per second (MHz); or billions of cycles per second (gigahertz [GHz]).

The term hertz is in honor of German physicist Heinrich Rudolf Hertz (1857–1894), who was a pioneer in electromagnetism. Hertz proved that electricity is transmitted in electromagnetic waves, and his discoveries helped lead to the development of radio.

For RFID, most systems utilize one of three general bands: low frequency (LF) at 125 kHz to 134 kHz, high frequency (HF) at 13.56 MHz, and ultra HF at 860 to 930 MHz. There may be some variation of frequency use, depending on the regulations in a particular locale. Manufacturers of RFID equipment usually choose a given band based on the physics of the band (e.g., how well the signal propagates in a specific environment). The properties of the band also influence the physical size of the antennas and what power transmission levels can be used. Conversely, physical limitations may influence which frequencies and RF bands are used for a given application. Figure 24.3 shows two different RFID tags and a reader.

Figure 24.3. Two different RFID tags and reader with integral antenna

24.4. Why Use RFID?

In the past few years, RFID has been largely seen as the next technology for pricing at the POS in retail stores. However, it has not replaced bar codes, mainly because the cost of individual tags is expensive. However, with the increased flexibility of being able to perform complete inventory tracking from manufacturer to warehouse to retailer, and with the economic influence of large retail chains, the cost of individual tags will soon become affordable.

Tools and Traps…

RFID Microchips for Pets

The act of placing a passive RFID tag under a pet’s skin, called “chipping” or “microchipping,” has become more prevalent in recent years. A chip the size of a grain of rice is implanted via injection into the skin between the shoulders of the cat or dog. The chip is designed to supplement information used on traditional dog tags.

If a pet is lost and subsequently picked up by the animal control officer, it can be scanned at the animal shelter. If a chip is detected in the animal, shelter personnel obtain the owner information via a database provided by the microchip manufacturer. The owner is then notified that their pet has been impounded.

While excellent in theory, in practice it is not without its pitfalls. Because there are no industry standards for pet tags and readers, different manufacturers do not use the same frequencies and encoding techniques. As a result, a scanner that reads chips from a given manufacturer cannot read a different brand of chip. Because of this lack of standardization, a pet was euthanized after the shelter could not read its tag: detection failed because the shelter used a different brand of scanner than that of the implanted chip.

Due to concerns about this type of event occurring again, “universal” readers that can read several different brands of chips are being developed and implemented. (For more information go to www.npr.org/templates/story/story.php?storyId=4783788.)

24.5. RFID Architecture

The RFID system architecture consists of a reader and a tag (also known as a label or chip). The reader queries the tag, obtains information, and then takes action based on that information. That action may display a number on a handheld device, or it may pass information on to a POS system or an inventory database, or relay it to a backend payment system thousands of miles away.

Let’s look at some of the basic components of a typical RFID system.

24.5.1. Tag/Label

RFID units are in a class of radio devices known as transponders. A transponder is a combination transmitter and receiver, which is designed to receive a specific radio signal and automatically transmit a reply. In its simplest implementation, the transponder listens for a radio beacon, and sends a beacon of its own as a reply. More complicated systems may transmit a single letter or digit back to the source, or send multiple strings of letters and numbers. Finally, advanced systems may do a calculation or verification process and include encrypted radio transmissions to prevent eavesdroppers from obtaining the information being transmitted.

Transponders used in RFID are commonly called tags, chips, or labels, which are fairly interchangeable, although “chip” implies a smaller unit, and “tag” is used for larger devices. The designator label is mainly used for the labels that contain an RFID device. (The term “tag” is used for the purposes of this book.)

As a general rule, an RFID tag contains the following items:

  • Encoding/decoding circuitry
  • Memory
  • Antenna
  • Power supply
  • Communications control

Tags fall into two categories: active and passive (see Figure 24.4).

Figure 24.4. Passive and active tag processes

24.5.1.1. Passive vs. Active Tags

Passive RFID tags do not contain a battery or other power source; therefore, they must wait for a signal from a reader. The tag contains a resonant circuit capable of absorbing power from the reader’s antenna. Obtaining power from the reader device is done using an electromagnetic property known as the Near Field. As the name implies, the device must be relatively near the reader in order to work. The Near Field briefly supplies enough power to the tag so that it can send a response.

In order for passive tags to work, the antenna and the tag must be in close proximity to the reader, because the tags do not have an internal power source, and derive their power to transmit from coupling to the Near Field of the antenna. The Near Field takes advantage of electromagnetic properties and generates a small, short-lived electrical pulse within the passive tag that can power the tag long enough for it to respond.

Tools and Traps…

Near Field

The Near Field is a phenomenon that occurs in a radio transmission, where the magnetic portion of the electromagnetic field is strong enough to induce an electrical field in a coil. As the name implies, the Near Field occurs in an area near to the antenna. Just how big the Near Field is depends on the wavelength of the radio signal being used.

where λ is the wavelength.

For example, a common RFID frequency is 13.56 MHz and the wavelength of 13.56 MHz is approximately 22 meters. Therefore:

The Near Field for an RFID device operating at 13.56 MHz is 3.5 meters or 11.5 feet. Passive tags requiring the Near Field have to be within that area in order to operate correctly.
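The figures above can be reproduced with the usual engineering approximation for the boundary of the Near Field, r = λ / (2π), with λ = c / f. The following is an added example (it is not code from the chapter) that applies that rule to the three bands named in Section 24.3. The λ / (2π) rule itself and the representative LF and UHF frequencies chosen (125 kHz and 915 MHz) are assumptions not stated on the page; the 13.56 MHz result matches the chapter’s values of roughly 22 meters wavelength and 3.5 meters (11.5 feet) of Near Field.

```python
# Added example (not from the chapter): Near Field boundary for the three
# RFID bands named in Section 24.3, using r = lambda / (2*pi), lambda = c / f.
# The lambda/(2*pi) rule is a standard approximation, assumed here, not taken
# from the chapter; it reproduces the chapter's 13.56 MHz figures.
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0  # c in vacuum
FEET_PER_METER = 3.28084


def wavelength_m(frequency_hz: float) -> float:
    """Wavelength in meters for a given frequency: lambda = c / f."""
    if frequency_hz <= 0:
        raise ValueError("frequency must be positive")
    return SPEED_OF_LIGHT_M_S / frequency_hz


def near_field_radius_m(frequency_hz: float) -> float:
    """Approximate Near Field boundary r = lambda / (2*pi).

    Inside this radius the reader's magnetic field is strong enough to
    couple power into a passive tag's coil; beyond it the field strength
    falls off much faster and inductive coupling no longer powers the tag.
    """
    return wavelength_m(frequency_hz) / (2 * math.pi)


# Representative frequencies (constructed sample input) for the LF, HF and
# UHF bands from Section 24.3.
RFID_BANDS_HZ = {
    "LF  (125 kHz)": 125e3,
    "HF  (13.56 MHz)": 13.56e6,
    "UHF (915 MHz)": 915e6,
}


def near_field_table() -> dict:
    """Return {band: (wavelength_m, near_field_m, near_field_ft)} for each band."""
    return {
        name: (
            wavelength_m(f),
            near_field_radius_m(f),
            near_field_radius_m(f) * FEET_PER_METER,
        )
        for name, f in RFID_BANDS_HZ.items()
    }


if __name__ == "__main__":
    for band, (lam, r_m, r_ft) in near_field_table().items():
        print(f"{band}: wavelength {lam:9.3f} m, "
              f"near field {r_m:8.3f} m ({r_ft:7.2f} ft)")
```

Running the block shows that the boundary shrinks from hundreds of meters at LF to about 3.5 meters at HF and only about 5 centimeters at UHF. That last figure goes beyond the chapter’s 13.56 MHz example: passive UHF tags cannot rely on inductive coupling and instead reflect (backscatter) the reader’s far-field signal, which is one reason UHF systems read at longer range than 13.56 MHz systems and why the read distance of a passive tag is not a fixed security boundary.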

The alternative to a passive tag is an active tag. Active tags have their own power source, usually an internal battery. Since they contain a battery to power the radio circuitry, they can actively transmit and receive on their own, without having to be powered by the Near Field of the reader’s antenna. Because they do not have to rely on being powered by the reader, they are not limited to operating within the Near Field. They can be interrogated and respond at greater distances from the reader, which means that active tags (at a minimum) are able to transmit and receive over longer distances.

Semi-passive tags have a battery to power the memory circuitry, but rely on the Near Field to power the radio circuits during the receiving and sending of data.

24.5.2. Reader

The second component in a basic RFID system is the interrogator or reader. The term “reader” is a misnomer; technically, reader units are transceivers (i.e., a combination transmitter and receiver). But, because their usual role is to query a tag and receive data from it, they are seen as “reading the tag”; hence, the term “reader.” The antenna can be an integral part of the reader, or it can be a separate device. Handheld units are a combination reader/antenna, while larger systems usually separate the antennas from the reader.

Other parts that a reader typically contains are a system interface such as an RS-232 serial port or Ethernet jack; cryptographic encoding and decoding circuitry; a power supply or battery; and communications control circuits.

The reader retrieves the information from the RFID tag. The reader may be self-contained and record the information internally; however, it may also be part of a localized system such as a POS cash register, a large Local Area Network (LAN), or a Wide Area Network (WAN). Readers that send data to a LAN or other system do so using a data interface such as Ethernet or serial RS-232.

Readers, and in particular their antenna arrays, can be different sizes, from postage stamp-sized to large devices with panels that are several feet wide and high.

24.5.3. Middleware

Middleware software manages the readers and the data coming from the tags, and passes that data to the backend database system. Middleware sits in the middle of the data flow between the readers and the backend and controls the flow of information in both directions. In addition to extracting data from the RFID tags and managing data flow to the backend, middleware performs functions such as basic filtering and reader integration and control.

As RFID matures, middleware will add features such as improved and expanded management capabilities for both readers and devices, and extended data management options.

The backend can be a standard commercial database such as SQL, MySQL, Oracle, Postgres, or a similar product. Depending on the application, the backend database can run on anything from a single PC in an office to multiple mainframes networked together via global communications systems.

24.6. Data Communications

In the next few sections we’ll look in detail at the data the tags are carrying, and how some of the more popular protocols work when they communicate the data to the reader. We’ll also talk about the physical format of the cards, and how physical form can be adapted to the particular job.

24.6.1. Tag Data

Depending on the type of tag, the amount of data it can carry is anything from a few bytes up to several megabytes. The amount of data carried by a tag depends on the application and the individual tag.

The data carried in a tag can be in most formats, as long as both the tag and the reader agree on it. Many formats are proprietary, but standards are emerging. In the next section, we look at the Electronic Product Code™ (EPC™). The EPC™ is considered the RFID replacement for the Universal Product Code (UPC) barcode and, as such, will have a huge impact on retail sales in the future.

The UPC bar code has been the accepted means of conveying pricing at the POS in retail stores since the 1970s (see Figure 24.5). This particular UPC is from Syngress Publishing’s WarDriving: Drive, Detect, Defend. Each UPC bar code contains basic information about the bar coding system, the manufacturer, the item, and a check digit. Because 5 digits are used for both the manufacturer and the item, the total number of manufacturers is limited to 100,000, each limited to 100,000 items. While this allows for 10,000,000,000 products, it is more restrictive than is obvious. As manufacturers add new items and close out old product lines, UPC numbers are quickly being used up. The UPC does not allow serial numbers to be encoded into the bar code.

Figure 24.5. Typical UPC bar code

24.6.1.1. Electronic Product Code

The new Electronic Product Code uses the EPCglobal organization’s General Identifier (GID-96) format. GID-96 has 96 bits (12 bytes) of data. Under the GID-96 standard, every EPC™ consists of three separate fields: the 28-bit General Manager Number that identifies the company or organization; the 24-bit Object Class that breaks down products into groups; and the 36-bit serial number that is unique to the individual object. A fourth field consisting of an 8-bit header is used to guarantee the uniqueness of the EPC™ code (see Table 24.1). EPCglobal is a not-for-profit worldwide organization that assigns EPC™ to subscribers.

Table 24.1. EPC™ Fields

Field            Header   General Manager Number   Object Class   Serial Number
                          (Company)                (Groups)
Number of bits   8        28                       24             36
Total numbers             268,435,455              16,777,215     68,719,476,735

Each company or manufacturer is assigned a General Manager Number from EPCglobal. Each manufacturer assigns an Object Class number to each product line. Each individual item is identified by a Serial Number. Manufacturers can assign the product number and the serial number in any way they deem desirable. Potentially, this allows the manufacturer the ability to uniquely identify every single item.

This allows for a total of 30,939,155,745,879,204,468,201,375 unique items under the EPC™ system.

The EPC™ standards for data tags can be downloaded from:

www.epcglobalinc.org/standards_technology/EPC_Tag%20Data%20Specification%201.1Rev%201.27.pdf.
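The field layout in Table 24.1 can be packed into and unpacked from the 96-bit value a reader actually returns. The following is an added example, not code from the chapter or from EPCglobal; it assumes the field order header, General Manager Number, Object Class, Serial Number (most significant first) and uses 0x35 as the 8-bit header, which is the GID-96 header value defined in the EPC Tag Data Standard but is not stated on the page. The sample tag values are constructed.

```python
# Added example (not from the chapter or EPCglobal): pack and unpack the
# GID-96 layout of Table 24.1. Field order and the header value 0x35 are
# taken from the EPC Tag Data Standard (assumption: not stated on the page).
from dataclasses import dataclass

GID96_HEADER = 0x35  # GID-96 header per the EPC Tag Data Standard (assumed)

# Field widths in bits, most significant first, as in Table 24.1.
HEADER_BITS, GMN_BITS, OBJECT_CLASS_BITS, SERIAL_BITS = 8, 28, 24, 36
TOTAL_BITS = HEADER_BITS + GMN_BITS + OBJECT_CLASS_BITS + SERIAL_BITS  # 96

MAX_GMN = (1 << GMN_BITS) - 1                    # 268,435,455
MAX_OBJECT_CLASS = (1 << OBJECT_CLASS_BITS) - 1  # 16,777,215
MAX_SERIAL = (1 << SERIAL_BITS) - 1              # 68,719,476,735


@dataclass(frozen=True)
class Gid96:
    general_manager: int  # company or organization, assigned by EPCglobal
    object_class: int     # product line, assigned by the manufacturer
    serial: int           # individual item, assigned by the manufacturer

    def __post_init__(self):
        # Refuse values that do not fit their field instead of silently truncating.
        if not 0 <= self.general_manager <= MAX_GMN:
            raise ValueError("General Manager Number out of range")
        if not 0 <= self.object_class <= MAX_OBJECT_CLASS:
            raise ValueError("Object Class out of range")
        if not 0 <= self.serial <= MAX_SERIAL:
            raise ValueError("Serial Number out of range")

    def to_int(self) -> int:
        """Concatenate header | GMN | object class | serial into one 96-bit integer."""
        return (
            (GID96_HEADER << (GMN_BITS + OBJECT_CLASS_BITS + SERIAL_BITS))
            | (self.general_manager << (OBJECT_CLASS_BITS + SERIAL_BITS))
            | (self.object_class << SERIAL_BITS)
            | self.serial
        )

    def to_hex(self) -> str:
        """24 hex characters (12 bytes), the form usually seen in reader output."""
        return f"{self.to_int():024X}"


def decode_gid96(hex_epc: str) -> Gid96:
    """Parse a 24-hex-character EPC and reject anything that is not GID-96."""
    if len(hex_epc) != TOTAL_BITS // 4:
        raise ValueError("EPC must be exactly 96 bits (24 hex characters)")
    value = int(hex_epc, 16)
    header = value >> (TOTAL_BITS - HEADER_BITS)
    if header != GID96_HEADER:
        raise ValueError(f"not a GID-96 EPC (header 0x{header:02X})")
    serial = value & MAX_SERIAL
    object_class = (value >> SERIAL_BITS) & MAX_OBJECT_CLASS
    gmn = (value >> (OBJECT_CLASS_BITS + SERIAL_BITS)) & MAX_GMN
    return Gid96(gmn, object_class, serial)


if __name__ == "__main__":
    # Constructed sample tag: company 123456, product line 789, item 1234567890.
    tag = Gid96(general_manager=123456, object_class=789, serial=1234567890)
    print(tag.to_hex(), decode_gid96(tag.to_hex()) == tag)
```

The header check in decode_gid96 is the part worth copying: middleware that accepts any 96-bit value and simply slices it into fields will happily treat a tag with a foreign or malformed header as a valid EPC, whereas checking the header first lets the backend reject data that does not belong to the scheme it expects.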

24.6.2. Protocols

RFID systems work when a reader antenna transmits radio signals. Those signals are picked up by the tag, which answers with a responding radio signal (see Figure 24.6). That signal is then read by the reader’s receiver. Depending on the tag’s computational power (if any), the tag may perform some encryption or decryption functions.

Figure 24.6. Reader and tag interaction

Some tags are “read-only,” while other tags have data “written” to them and “read” from them. Using a process similar to the “read” cycle, the reader can “write” data to the tag if a data “write” operation is needed.

Some tag protocols are proprietary, but EPCglobal and the International Organization for Standardization (ISO) have defined several protocols (see Table 24.2).

Table 24.2. RFID Tag Protocols

Protocol                        Capabilities
EPC™ Generation 1, Class 0      “Read Only,” preprogrammed
EPC™ Generation 1, Class 1      “Write” Once, “Read” Many
EPC™ Generation 2.0, Class 1    “Write” Once, “Read” Many; a more globally accepted version of the Generation 1, Class 1 protocol
ISO 18000                       Standard “Read-Only” tag identifier; may also contain rewritable memory available for user data. ISO 18000 has different subsections depending on the frequency used and the intended application.
ISO 15963                       Unique Tag ID
ISO 15961                       Data protocols: data encoding rules and logical memory functions
ISO 15962                       Data protocols: application interface

ISO also has standards for supply chain applications, tag and reader performance and conformance, and product packaging tagging standards.

24.7. Physical Form Factor (Tag Container)

A tag can take almost any form desired to perform required functions. The design may be influenced by the type of antenna, which in turn may be dependent on the frequency used for the system. The tags may be standalone devices, or integrated into another object such as a car ignition key. System parameters, such as whether active or passive tags are required and whether a battery is on a tag, can also influence the design.

Figure 24.1 shows that tags can be put into packages of almost every conceivable shape. The rule is: the larger the tag, the farther away it may be “read.”

The following sections discuss some typical tags.

24.7.1. Cards

RFID tags in a “credit card” physical format are usually used for purposes such as building access. This type typically involves security. Personnel that are allowed to enter, or restricted from entering, certain areas of the building are given encoded cards. Readers are typically mounted next to a door where access is controlled. The reader relays the cardholder information to a database, and the database determines whether the cardholder has access to that particular area. If access is allowed, an electronic door lock is disengaged, allowing access to the building or to a particular room.

Some of the first commercial RFID applications were card-controlled entry systems using “proximity cards.” Proximity cards do not carry as much information as newer RFID units and are about double or triple the thickness of a credit card. Newer RFID cards are the same thickness as a credit card.

The white rectangles seen in Figures 24.1 and 24.3 are RFID cards, each containing an electronic microchip with a serial number encoded.

Credit cards are seen as potential RFID tags. In late 2005, television viewers saw new credit card commercials showing the PayPass system and its “Tap ‘N’ Go” tag line. The credit card becomes a tag, because it has an integral RFID chip. Instead of swiping the card through a traditional magnetic card reader, the user holds the credit card containing the RFID chip near the reader at the POS. The transaction is completed in a matter of seconds. According to the RFID Gazette, the tag conforms to the International Organization for Standardization (ISO)/IEC 14443 standard, uses Triple Data Encryption Standard (DES) and SHA-1 cryptography, and operates at 13.56 MHz.

The RFID technology is being pushed to the extent that the latest “dummy” cards used for American Express advertising show a fake RFID chip and antenna. The newest design calls for the card plastic to be clear. Figure 24.7 depicts a replica card recently received in a credit card application. The fake RFID chip and antenna are pointed out with arrows.

Figure 24.7. Fake credit card showing the RFID chip and antenna

24.7.2. Key Fobs

Key fobs are also popular for POS systems. The RFID tag is encapsulated in a small cylinder or other container designed to be used on a key ring. This allows the tag to be conveniently located (e.g., the passive key fobs used as part of the ExxonMobil SpeedPass system are approximately 1-1/2” long and 3/8” in diameter). The internal electronics are even smaller; the glass-encased RFID chip and antenna assembly is approximately 7/8” long by 5/32” in diameter. Figure 24.8 shows an example of a passive tag’s internal components.

Figure 24.8. A passive tag’s internal components

The ExxonMobil SpeedPass is a passive tag, designed to be held in the user’s hand, and waved within close proximity (>1”) in front of the gas pump’s integral reader. ExxonMobil also makes active SpeedPass tags designed to be vehicle mounted.

24.7.3. Other Form Factors

In contrast to key fob tags, other tags may be designed very small to mount onto retail packages, or very large to mount onto vehicles. For example, the tag used by the E-ZPass system, a toll collection system used in the Northeast US, is a plastic box approximately 3-/2” wide × 3” high × 5/8” thick (see Figure 24.9). The E-ZPass tag is active, and designed to be carried on the windshield of a subscriber’s vehicle. The reader antennas are either mounted on a tollbooth 6 to 10 feet from the vehicle, or on a gantry approximately 20 feet above the roadway (see Figure 24.10).

Notes from the Underground…

How the ExxonMobil SpeedPass and E-ZPass Systems Work

The ExxonMobil SpeedPass employs RFID to speed customers through fuel purchases. Here’s how it works:

  1. An RFID tag mounted on the vehicle or attached to the consumer’s key chain is activated by the reader. The reader is connected to the pump. The reader handshakes with the tag and reads the encrypted serial number.
  2. Cables connect the reader and pump to a satellite transceiver in the gas station.
  3. The transceiver sends the serial number from the RFID tag up to a Very Small Aperture Terminal Satellite (VSAT). The VSAT, in turn, relays the serial number to the earth station.
  4. The serial number is sent to the ExxonMobil data center from the earth station. The data center verifies the serial number, and checks for authorization on the credit card that is linked to the account.
  5. The authorization is sent back to the pump following the above route in reverse.
  6. The pump turns on once it receives the authorization, and allows the customer to gas up their vehicle.

ExxonMobil has extended the reader inside service stations and convenience stores. By placing a reader near the cash register, a customer can charge purchases made at an ExxonMobil store on the same charge system as their gasoline purchases.

The E-ZPass toll system works in a similar manner as the SpeedPass:

  1. As the car enters the toll plaza, the car-mounted tag is activated by the reader antenna for that lane. Tags can be mounted on the windshield or the license plate.
  2. An encoded number is sent from the tag back to the reader.
  3. The reader transfers that information to the E-ZPass database.
  4. The amount of the toll is deducted from the prepaid account, which is usually a fixed amount. However, on some highways such as the NY Thruway, the toll is based on the distance traveled, in which case the database tracks the entry and exit points, and the toll is computed based on those locations.
  5. The database time- and date-stamps the transaction, assigns a transaction number, and records the location of the tollbooth.
  6. A green light, open gate, or text message (sometimes all three) tells the driver that they can pass through the toll booth. Other lights or messages may indicate errors or account problems.

Figure 24.9. E-ZPass windshield-mounted tag

Figure 24.10. E-ZPass high-speed toll plaza–antenna array

24.8. Threat and Target Identification

So far, we have learned how Radio Frequency Identification (RFID) works and how it is applied in both theory and real-world operations. This chapter discusses how security is implemented in RFID, and the possible attacks that can occur on RFID systems and applications.

Before we can analyze possible attacks, we have to identify potential targets. A target can be an entire system (if the intent is to completely disrupt a business), or it can be any section of the overall system (from a retail inventory database to an actual retail item).

Those involved in information technology security tend to concentrate solely on “protecting the data.” When evaluating and implementing security around RFID, it is important to remember that some physical assets are more important than the actual data. The data may never be affected, even though the organization could still suffer tremendous loss.

Consider the following example in the retail sector. If an individual RFID tag was manipulated so that the price at the Point of Sale (POS) was reduced from $200.00 to $19.95, the store would suffer a 90 percent loss of the retail price, but with no damage to the inventory database system. The database was not directly attacked and the data in the database was not modified or deleted, and yet, a fraud was perpetrated because part of the RFID system had been manipulated.

In many places, physical access is controlled by RFID cards called “proximity cards.” If a card is duplicated, the underlying database is not affected, yet, whoever passes the counterfeit card receives the same access and privileges as the original cardholder.
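Both examples above share one lesson for the defender: the tag is an identifier, not a source of truth, and the backend must be able to notice when that identifier is misused. The following is an added example, not code from the chapter, that shows the two corresponding controls. First, a POS price lookup that takes the price from the backend catalogue keyed by tag identity, beside the fragile pattern that trusts a price field stored in writable tag memory, so that an altered tag cannot change the amount charged. Second, a simple clone detector for proximity cards that flags the same card presented at two readers closer in time than anyone could walk between them. The tag identifiers, prices, reader names, and travel times are all constructed sample data.

```python
# Added example (not from the chapter): backend-side controls for the two
# threats described above. All identifiers, prices and timings are constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed backend catalogue, keyed by tag identity (e.g., a GID-96 serial).
PRICE_CATALOGUE = {
    "TAG-0001": 200.00,
    "TAG-0002": 19.95,
}


@dataclass(frozen=True)
class TagRead:
    tag_id: str
    reader_id: str
    seen_at: datetime
    tag_price_field: float | None = None  # writable user memory: untrusted input


def price_from_tag_field(read: TagRead) -> float:
    """Fragile pattern: charges whatever price is stored on the tag itself."""
    return read.tag_price_field if read.tag_price_field is not None else 0.0


def price_from_backend(read: TagRead) -> float:
    """Hardened pattern: the tag only identifies the item; price comes from the catalogue."""
    try:
        return PRICE_CATALOGUE[read.tag_id]
    except KeyError:
        # An unknown identifier is a reason to stop the sale, not to guess.
        raise LookupError(f"unknown tag {read.tag_id}: refuse sale and alert staff") from None


# Constructed: minimum walking time between each pair of door readers.
MIN_TRAVEL = {
    frozenset({"lobby", "lab"}): timedelta(minutes=2),
    frozenset({"lobby", "warehouse"}): timedelta(minutes=10),
    frozenset({"lab", "warehouse"}): timedelta(minutes=12),
}


def find_suspect_clones(reads: list[TagRead]) -> list[tuple[str, str, str]]:
    """Return (card_id, earlier_reader, later_reader) for each impossible-travel pair.

    Two presentations of one card at different readers, closer together in
    time than the minimum travel time between those readers, mean that at
    least two physical cards carry the same identifier.
    """
    alerts = []
    by_card: dict[str, list[TagRead]] = {}
    for r in sorted(reads, key=lambda r: r.seen_at):
        by_card.setdefault(r.tag_id, []).append(r)
    for card, history in by_card.items():
        for prev, cur in zip(history, history[1:]):
            if prev.reader_id == cur.reader_id:
                continue
            needed = MIN_TRAVEL.get(frozenset({prev.reader_id, cur.reader_id}))
            if needed is not None and cur.seen_at - prev.seen_at < needed:
                alerts.append((card, prev.reader_id, cur.reader_id))
    return alerts


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    altered = TagRead("TAG-0001", "pos-1", t0, tag_price_field=19.95)
    print("tag field says", price_from_tag_field(altered),
          "backend says", price_from_backend(altered))
    door_log = [
        TagRead("CARD-42", "lobby", t0),
        TagRead("CARD-42", "warehouse", t0 + timedelta(minutes=3)),
        TagRead("CARD-7", "lobby", t0),
        TagRead("CARD-7", "lab", t0 + timedelta(minutes=5)),
    ]
    print("suspect clones:", find_suspect_clones(door_log))
```

The clone check only catches a duplicate card when both copies are in use at readers whose relative positions are known, so it complements rather than replaces stronger cards; its value is that it works with the event log the access database already keeps and needs no change to the tags or readers.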

24.8.1. Attack Objectives

To determine the type of an attack, you must understand the possible objectives of that attack, which will then help determine the possible nature of the attack.

Someone attacking an RFID system may use it to help steal a single object, while another attack might be used to prevent all sales at a single store or at a chain of stores. An attacker might want misinformation to be placed in a competitor’s backend database so that it is rendered useless. Other people may want to outmaneuver physical access control, while having no interest in the data. Therefore, it is necessary for anyone looking at the security of an RFID system to identify how their assets are being protected and how they might be targets.

Just as there are several basic components to RFID systems, there are also several methods (or vectors) used for attacking RFID systems. Each vector corresponds to a portion of the system. The vectors are “on-the-air” attacks, manipulating data on the tag, manipulating middleware data, and attacking the data at the backend. The following sections briefly discuss each of these attacks.

24.8.1.1. Radio Frequency Manipulation

One of the simplest ways to attack an RFID system is to prevent the tag on an object from being detected and read by a reader. Since many metals can block radio frequency (RF) signals, all that is needed to defeat a given RFID system is to wrap the item in aluminum foil or place it in a metallic-coated Mylar bag. This technique works so well that New York now issues a metallic-coated Mylar bag with each E-ZPass.

From the standpoint of over-the-air attacks, the tags and readers are seen as one entity. Even though they perform opposite functions, they are essentially different faces of the same RF portion of the system.

An attack over the air interface on tags and readers typically falls into one of four types: spoofing, insert, replay, and Denial of Service (DOS) attacks.

Spoofing

Spoofing attacks supply false information that looks valid and that the system accepts. Typically, spoofing attacks involve a fake domain name, Internet Protocol (IP) address, or Media Access Code (MAC). An example of spoofing in an RFID system is broadcasting an incorrect Electronic Product Code™ (EPC™) number over the air when a valid number was expected.

Insert

Insert attacks insert system commands where data is normally expected. These attacks work because it is assumed that the data is always entered in a particular area, and little to no validation takes place.

Insert attacks are common on Web sites, where malicious code is injected into a Web-based application. A typical use for this type of attack is to inject a Structured Query Language (SQL) command into a database. This same principle can be applied in an RFID situation, by having a tag carry a system command rather than valid data in its data storage area (e.g., the EPC number).

Replay

In a replay attack, a valid RFID signal is intercepted and its data is recorded; this data is later transmitted to a reader where it is “played back.” Because the data appears valid, the system accepts it.

DOS

DOS attacks, also known as flood attacks, take place when a system is flooded with more data than it can handle. They are well known because several large DOS attacks have impacted major corporations such as Microsoft and Yahoo. A variation on this is RF jamming, which is well known in the radio world, and occurs when the RF is filled with a noisy signal. In either case, the result is the same: the system is denied the ability to correctly deal with the incoming data. Either variation can be used to defeat RFID systems.

24.8.1.2. Manipulating Tag Data

We have learned how blocking the RF might work for someone attempting to steal a single item. However, for someone looking to steal multiple items, a more efficient way is to change the data on the tags attached to the items. Depending on the nature of the tag, the price, stock number, and any other data can be changed. By changing a price, a thief can obtain a dramatic discount, while still appearing to buy the item. Other changes to a tag’s data can allow users to buy age-restricted items such as X- or R-rated movies.

When items with modified tags are bought using a self-checkout cash register, no one can detect the changes. Only a physical inventory would reveal that shortages in a given item were not matching the sales logged by the system.

In 2004, Lukas Grunwald demonstrated a program he had written called RF Dump. RF Dump is written in Sun’s Java language, and runs on either Debian Linux or Windows XP operating systems for PCs. The program scans for RFID tags via an ACG brand reader attached to the serial port of a computer. When the reader recognizes a card, the program presents the card data in a spreadsheet-like format on the screen. The user can then enter or change data and reflect those changes on the tag (see Figure 24.11). RF Dump also makes sure that the data written is the correct length for the tag’s fields, by either padding zeros or truncating extra digits as needed.

Figure 24.11. RF Dump changing a retail tag’s data

Alternately, a personal digital assistant (PDA) program called RF Dump-PDA is available for use on PDAs such as the Hewlett-Packard iPAQ Pocket PC. RF Dump-PDA is written in Perl, and will run on Pocket PCs running the Linux operating system. Using a PDA and RF Dump-PDA, a thief can walk through a store and change the data on items with the ease of using a handheld Pocket PC.

Grunwald demonstrated the attack using the same EPC-based RFID system that the Future Store in Rheinberg, Germany, uses (see www.futurestore.org). The Future Store is designed to be a working supermarket and a live technology-demonstration store, and is owned and run by Metro AG, Germany’s largest retailer and the fifth largest retail chain in the world.

24.8.1.3. Middleware

Middleware attacks can happen at any point between the reader and the backend. Let’s look at a theoretical attack on the middleware of the Exxon Mobil SpeedPass system.

  • The customer’s SpeedPass RFID tag is activated by the reader over the air. The reader is connected to the pump or a cash register. The reader handshakes with the tag and reads the encrypted serial number.
  • The reader and pump are connected to the gas station’s data network, which in turn is connected to a very small aperture terminal (VSAT) satellite transceiver in the gas station.
  • The VSAT transceiver sends the serial number to an orbiting satellite, which in turn, relays the serial number to a satellite earth station.
  • From the satellite earth station, the serial number is sent to ExxonMobil’s data center. The data center verifies the serial number and checks for authorization on the credit card that is linked to the account.
  • The authorization is sent back to the pump following the above route, but in reverse.
  • The cash register or pump receives authorization and allows customers to make their purchases.

At any point in the above scenario, the system may be vulnerable to an outside attack. While they require sophisticated transmitter systems, attacks against satellite systems have happened from as far back as the 1980s.

However, the weakest point in the above scenario is probably the local area network (LAN). A rogue device attached to that LAN could be sniffing valid data to use in a replay attack, or it could be injecting data into the LAN, causing a DOS attack against the payment system. Such a device could also allow unauthorized transmissions.

Another possibility might be a technically sophisticated person taking a job in order to gain access to the middleware. Some “social engineering” attacks take place when someone takes a low paying job that permits access to a target system.

Further along the data path, the connection between the satellite’s earth station and the data center where the SpeedPass numbers are stored is another spot where middleware can be influenced. The connections between the data center and the credit card centers are also points where middleware data may be vulnerable.

24.8.1.4. Backend

Because the backend database is often the furthest point away from the RFID tag, both in a data sense and in physical distance, it may seem far removed as a target for attacking an RFID system. However, it bears pointing out that backend databases will continue to be targets of attacks because they are, as Willie Sutton said, “where the money is.”

Databases may have some intrinsic value if they contain such things as customers’ credit card numbers. A database may hold valuable information such as sales reports or trade secrets, which is invaluable to a business competitor.

Businesses that have suffered damage to their databases are at risk for losing the confidence of consumers and ultimately their market share, unless they can contain the damage or quickly correct it. The business sections of newspapers and magazines have reported many stories regarding companies suffering major setbacks because consumer confidence dropped due to an IT-related failure.

Manipulated databases can also have real-world consequences beyond the loss of consumers’ buying power. It is conceivable that changing data in a hospital’s inventory system, or changing patient data in the patient records database, could literally kill people. A change of one letter involving a patient’s blood type could put that person at risk if they received a transfusion. Hospitals have double and triple checks in place to combat these types of problems; however, checks will not stop bad things from happening due to manipulated data; they can only mitigate the risk.

24.8.2. Blended Attacks

Attacks can be used in combinations. The various attacks seen in opposition to RFID systems have also been made against individual subsystems. However, the increased cleverness of those who attack RFID systems will probably lead to blended attacks. An attacker might attack the RF interface of a retailer with a custom virus tag, which might then tunnel through the middleware, ultimately triggering the backend to dump credit card numbers to an unknown Internet site via an anonymous server.

24.9. Management of RFID Security

While sitting at your desk one morning, your boss walks in and announces that the company is switching to a new Radio Frequency Identification (RFID) setup for tracking products, which will add new equipment to the network and make it more secure. Your boss expects you to evaluate the new RFID equipment and devise an appropriate security plan.

The first thing you need to do is determine your security needs. You may be in a position to influence the evaluation and purchasing of RFID applications and equipment; however, more than likely, you will be given a fixed set of parameters for applications and equipment.

In either case, the first thing you need to do is assess the vulnerabilities of the proposed RFID system. After you have assessed the RFID system in detail, you can devise plans on how to manage system security.

24.9.1. Risk and Vulnerability Assessment

Risk assessment and vulnerability assessment go hand in hand. You have to make sure the obvious things are covered.

To begin evaluating your system, you need to ask questions regarding the assessment and tolerance of the risks: what types of information are you talking about at any given point in the system and what form is it in? How much of that information can potentially be lost? Will it be lost through the radio portion of the system, someplace in the middleware, or at the backend? Once these risks are evaluated, you can begin to plan how to secure it.

A good way to evaluate the risk is to ask the newspaper reporter’s five classic investigative questions: “who?,” “what?,” “when?,” “where?,” and “how?”

  • Who is going to conduct the attack or benefit from it? Will it be a competitor or an unknown group of criminals?
  • What do they hope to gain from the attack? Are they trying to steal a competitor’s trade secret? If it is a criminal enterprise, are they seeking customers’ credit card numbers?
  • When will the attack happen? When a business is open 24 hours a day, 7 days a week, it is easy to forget that attacks can occur when you are not there. If a business is not open 24 hours per day, some of the infrastructure (e.g., readers) may still be on during off-business hours and vulnerable to attack.
  • Where will it take place? Will the attack occur at your company’s headquarters or at an outlying satellite operation? Is the communications link provided by a third party vulnerable?
  • How will they attack? If they attack the readers via an RF vulnerability, you need to limit how far the RF waves travel from the reader. If the attacker is going after a known vulnerability in the encryption used in the tag reader communications, you have to change the encryption type, and, therefore, also change all of the tags.

Asking these questions can help you focus on, and determine, the risks to your system and data.

The US military uses the phrase “hardening the target,” which means designing a potential target such as a command bunker or missile silo to take hits from the enemy. The concept of hardening a target against an attack in the Information Technology (IT) sector is also valid, and further translates into the RFID area.

Basically, hardening the target means considering the types of specific attacks that can be brought against specific targets. When securing RFID systems, specific targets have specific attacks thrown at them.

Consider the following scenario. A warehouse has a pallet tracking system where an RFID reader is mounted on a gantry over a conveyor belt. As pallets pass down the conveyor belt, they pass through the gantry, the reader’s antennas activate the tags on each pallet, the tags are read, and the reader passes the information to the backend database.

In this situation, if you are concerned about potential attackers gleaning information from the radio waves emitted by the RFID reader station and the tags, you should harden it by limiting the RF waves from traveling beyond the immediate area of the reader. The easiest way is to lower the transmit power of the reader to the absolute minimum for triggering the tags. If that solution does not work or is not available, other options may include changing the position or orientation of the reader’s antennas on the gantry, or constructing a Faraday cage around the reader. (A Faraday cage is an enclosure designed to prevent RF signals from entering or exiting an area, usually made from brass screen or some other fine metallic mesh.)

Consider whether other issues with the tags might cause problems. Is there a repetition level for information hard coded into the tags? If you are using the codes for proximity entry control combined with a traditional key (e.g., in the Texas Instruments DST used with Ford car keys), a repeat of the serial numbers every 10,000 keys may be an acceptable risk. However, if it is being used as a pallet counting system, where 2000 pallets are processed daily, the same numbers will be repeated weekly, which may pose the risk of placing a rogue tag into a counting system. In this case, repeating a serial number every 10,000 times is probably not acceptable for that business model.

If you are concerned about attacks among the middleware and information being intercepted by an attacker, make sure that the reader’s electronics or communications lines are not open to those who should not have access to them. In this case, hardening the target may be as simple as placing equipment (e.g., Ethernet switches) in locked communications closets, or performing a source code software review to ensure that an overloading buffer does not crash the reader.

Finally, hardening the target for the backend means preventing an attack on the database. In this regard, the security of a new RFID system should not present anything new to a security professional, with the possible exception of a new attack vector in the form of a new communications channel.

A new channel may mean securing previously unused Transmission Control Protocol (TCP) ports in the backend and reexamining the database for the possibility of Structured Query Language (SQL) injection attacks. However, nothing at the backend is new to seasoned security professionals; therefore, standard risk evaluation practices for backend systems should prevail.

Notes from the Underground…

Default Settings: Change Them!

Default passwords and other default security settings should be changed as soon as possible. This bears repeating, because many people do not make the effort to change their defaults.

You may think that your Acme Super RFID Reader 3000 is protected simply because no one else owns one; however, default settings are usually well known by the time new equipment is placed on the market. Most manufacturers place manuals on their Web sites in the form of either Web pages or Adobe Portable Document Format (PDF) files. Other Web sites contain pages full of default settings, ranging from unofficial tech support sites to sites frequented by criminals intent on cracking other people’s security.

To learn how much of this information is available, type the name and model of a given device into your favorite search engine, followed by the words “default” and “passwords.”

When evaluating the risks and vulnerabilities, the bottom line is this: Once you have determined the point of an attack and how it happened, you can decide what options are available for mitigating the attack. When these options are identified, you can begin formulating the management and policies that will hopefully minimize your exposure to an attack.

24.9.2. Risk Management

Once the risks and vulnerabilities are identified, begin managing the risks. Start by validating all of your equipment, beginning with the RFID systems and working down to the backend. At each stage, you should observe how a particular item works (both individually and in combination with other items), and how it fits into your proposed security model.

Let’s look back at the warehouse example. A 900 MHz RFID tag is needed for tracking, because its RF properties work with the materials and products that are tracked to the warehouse. You need to decide if those same RF properties will cause a disruption in the security model. Will the 900 MHz signal travel further than expected compared to other frequencies? Can the signals be sniffed from the street in front of the warehouse? Managing this potential problem can be as simple as changing to a frequency with a shorter range, or as complicated as looking at other equipment with different capabilities.

Middleware management ensures that data remains valid as it moves through the system. Receiving a text string instead of a numeric stock number may indicate that an attacker is attempting to inject a rogue tag command into the system. Checksums are also a common way to verify data, and may be required as part of the ongoing need to ensure that the data traveling through middleware applications is valid.

Managing middleware security usually involves using encryption to secure data, in which case you need to consider the lifespan of the information in light of how long it would take an attacker to break the encryption. If your information becomes outdated within a week (e.g., shipment delivery information), an encryption scheme that would probably take an attacker six months to break is adequate for that data. However, do not forget that increases in computing power and new encryption cracking techniques continually evolve. A strong encryption technique today may be a weak one tomorrow.

Managing a system also involves establishing policies for the users of that system. You can have the most secure encryption used today, but if passwords are posted on monitors, security becomes impossible. Make sure that the policies are realistic, and that they do not defeat security instead of enhancing it.

Notes from the Underground…

Bad Policies May Unintentionally Influence Security

Do not assume that RFID security is just about databases, middleware, and radio transmissions. Policy decisions also have an impact on the security of an RFID system. Bad policies can increase risks (e.g., not patching a server against a known vulnerability).

In other areas, bad policies can directly affect security without being obvious. One state agency uses proximity cards as physical access control to enter its building and to enter different rooms within the building. Like most of these types of systems, the card number is associated with the database containing the cardholder’s name and the areas they are allowed to access. When the cardholder passes the card over the reader antenna associated with each door, the system looks in the database and makes a decision based on the privileges associated with that card.

Proximity cards are issued when an employee begins a new job, and are collected when the employee leaves the company. At this particular agency, the personnel department is responsible for issuing and collecting cards. Therefore, they implemented a policy that imposes a fine on employees that lose their card.

In one case, an employee lost a card, but did not report it to his superiors because he did not want to pay a fine. As a relatively low-level employee, reporting the loss and paying the fine would create a financial hardship.

The proximity card is the least costly part of the RFID-controlled entry system. However, because of a policy designed to discourage losing the cards, the entire building security could easily be compromised if someone found that particular card. The goal of securing physical access to the building was forgotten when the cost of the card replacement began to drive the policy. The people who wrote the policy assumed that if an employee lost a card, they would pay the fine.

At another agency, the people using the system issue the cards and control physical access to the building, taking great effort to password-protect the workstations that access the database. However, sometimes they forget to physically protect the control system. The RS-232 serial ports that directly control the system and the cables to each controlled door are accessible by anyone who wanders into the room. The room itself is accessible via an unlocked door to a room where visitors are allowed to roam unescorted.

This particular agency lacks policies regarding the installation of security equipment and the areas to secure, and does not fully understand the system; these factors add up to a potential failure.

Review your policies and keep focused on the goal. Remember to ask questions like, “Are we trying to secure a building, or are we concerned about buying new cards?” “Are we leaving parts of a system vulnerable just because they are out of sight?” “Will people follow or evade this policy?”

24.9.3. Threat Management

When conducting threat management for RFID systems, monitor everything; comprehensive monitoring will help you detect and diagnose any difficulties.

If you are performing information security, you may be overwhelmed by the large amount of data and communications that must be monitored. As a matter of routine, you should confirm the integrity of your systems via login access and Dynamic Host Configuration Protocol (DHCP) logs, and perform physical checks to make sure that new devices are not being added to the network without your knowledge.

Adding RFID systems to the list of systems to be monitored will increase the difficulty. In addition to physically checking the Ethernet connections, you will also have to perform RF sweeps for devices attempting to spoof tags, and keep an eye out for people with RF equipment who may attempt to sniff data from the airwaves.

You will need new equipment and training for the radio side of the system, since radio systems are usually outside the experience of most network professionals. You will also have new middleware connections that will add new channels, thus, introducing possible new threats and adding new vectors for the more routine threats such as computer viruses and spyware.

Notes from the Underground…

Monitoring Isn’t Just for Logs

Monitoring and tracking changes in files rather than logs is just as important. For example, suppose you have a program with the following RFID proximity cards and associated names:

Card1 DATA "8758176245"
Card2 DATA "4586538624"
Card3 DATA "7524985246"
Name1 DATA "George W. Bush", CR, 0
Name2 DATA "Dick Cheney", CR, 0
Name3 DATA "Condoleeza Rice", CR, 0
LOOKUP tagNum, [Name1, Name2, Name3]

If we make three small additions, it becomes easy to add a previously unauthorized user.

Card1 DATA "8758176245"
Card2 DATA "4586538624"
Card3 DATA "7524985246"
Card4 DATA "6571204348" ' ■
Name1 DATA "George W. Bush", CR, 0
Name2 DATA "Dick Cheney", CR, 0
Name3 DATA "Condoleeza Rice", CR, 0
Name4 DATA "Maxwell Smart", CR, 0 ' ■
LOOKUP tagNum, [Name1, Name2, Name3, Name4] ' ■

With the addition of 63 bytes of data, the security of this RFID card access system has been compromised. However, an increase of 63 bytes of data might not be noticed in a large database of cards comprising thousands of users.

Remember to periodically review the contents of databases with those people who know what the contents should be. Do not assume that all of the data is valid.

*Code derived from the RFID.BS2 program written by Jon Williams, Parallax, Inc. www.parallax.com
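As an added example (not code from the chapter or from Parallax), the check below does what this note recommends: it parses the card/name DATA lines in the PBASIC layout shown above, keeps a SHA-256 digest of the approved table, and reports exactly which card was added when the listing changes. The two listings are constructed copies of the tables in the note; the function names are assumptions.

```python
"""Change detection on an RFID card/name table (added example, not from the
chapter). Parses DATA lines in the PBASIC layout used in the note above; the
two listings below are constructed copies of that note's tables."""
import hashlib
import json
import re

CARD_RE = re.compile(r'^\s*Card(\d+)\s+DATA\s+"([^"]*)"')
NAME_RE = re.compile(r'^\s*Name(\d+)\s+DATA\s+"([^"]*)"')

# Constructed: the table as approved (the baseline)
APPROVED_LISTING = '''\
Card1 DATA "8758176245"
Card2 DATA "4586538624"
Card3 DATA "7524985246"
Name1 DATA "George W. Bush", CR, 0
Name2 DATA "Dick Cheney", CR, 0
Name3 DATA "Condoleeza Rice", CR, 0
LOOKUP tagNum, [Name1, Name2, Name3]
'''

# Constructed: the same file after the three small additions
TAMPERED_LISTING = '''\
Card1 DATA "8758176245"
Card2 DATA "4586538624"
Card3 DATA "7524985246"
Card4 DATA "6571204348"
Name1 DATA "George W. Bush", CR, 0
Name2 DATA "Dick Cheney", CR, 0
Name3 DATA "Condoleeza Rice", CR, 0
Name4 DATA "Maxwell Smart", CR, 0
LOOKUP tagNum, [Name1, Name2, Name3, Name4]
'''


def parse_access_list(listing):
    """Map card number -> holder name by pairing CardN with NameN."""
    cards, names = {}, {}
    for line in listing.splitlines():
        m = CARD_RE.match(line)
        if m:
            cards[int(m.group(1))] = m.group(2)
            continue
        m = NAME_RE.match(line)
        if m:
            names[int(m.group(1))] = m.group(2)
    return {cards[i]: names[i] for i in sorted(cards) if i in names}


def table_digest(table):
    """SHA-256 over a canonical serialization, so entry order does not matter.
    Keep this digest with the people who know what the table should contain."""
    canon = json.dumps(table, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def diff_tables(baseline, current):
    """Which cards were added, removed, or reassigned since the baseline."""
    added = {c: n for c, n in current.items() if c not in baseline}
    removed = {c: n for c, n in baseline.items() if c not in current}
    changed = {c: (baseline[c], current[c])
               for c in baseline if c in current and baseline[c] != current[c]}
    return {"added": added, "removed": removed, "changed": changed}


def audit_listing(listing, expected_digest, baseline):
    """Return (intact, diff). A file-size check would not flag a 63-byte
    change in a large file; the digest does, and the diff names the card."""
    current = parse_access_list(listing)
    if table_digest(current) == expected_digest:
        return True, {"added": {}, "removed": {}, "changed": {}}
    return False, diff_tables(baseline, current)


if __name__ == "__main__":
    baseline = parse_access_list(APPROVED_LISTING)
    expected = table_digest(baseline)
    print(audit_listing(APPROVED_LISTING, expected, baseline))
    print(audit_listing(TAMPERED_LISTING, expected, baseline))
```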

When you are done securing your new RFID system and you think you have all the threats under control, go back to the beginning and start looking for new vulnerabilities, new risks, and new attacks. As previously mentioned, things such as increases in computing power and new encryption cracking techniques are constantly evolving, and may break a security model in short order. Keeping up with new security problems and the latest attack methods is an ongoing process—one that demands constant vigilance.

24.10. Summary

In this chapter, we discussed how RFID systems work; the various types of RFID tags, data formats, and tag protocols; and some typical applications. We also discussed some of the potential attacks that RFID systems are susceptible to. We learned that some of the attacks that are well known to IT professionals can also be applied to RFID.

With new technologies, we are often seduced by the grand vision of what “it” promises. Currently, RFID is one of the newest technologies offering such a grand vision. While RFID holds great promise in many applications, the last several years have proven that many aspects of RFID systems are insecure and new vulnerabilities are found daily.

The driving idea behind this chapter is applying information security (InfoSec) principles to RFID applications. What we [the authors] have attempted to do is show you some common pitfalls and their solutions, and get you started thinking about the security implications of installing and running an RFID system in your organization.

24.11. Links to Sites
