RF-ID: Radio Frequency Identification
RF-ID solutions are generally perceived as the future of automated supply chain information technology, though they were already in use in the nineties. Essentially, an RF-ID system comprises two main components: the transponder (RF-ID tag), which stores information and is attached to the object to be identified, and the RF-ID reader, which reads and, depending on the technology used, writes the information in the tag remotely by radio transmission. RF-ID tags (or Smart Labels) are the technological successor of the well-known bar codes and will gradually replace them.
In contrast to bar code stickers, which are read optically one at a time, RF-ID tags do not have to be placed in front of a reader sequentially; thanks to an anti-collision mechanism, all tags within range can be processed almost simultaneously. The maximum distance between tag and reader ranges from a few inches to several feet, depending on the equipment used. The information stored on a tag also varies greatly, from a single-bit signal (anti-theft device) to a product identification code to larger data structures. There are different tag types for different purposes: depending on the application one may choose between read-only and read/write tags, and depending on the tag type the cost per tag can be surprisingly low.
The challenge in implementing an RF-ID system is the design of a working tag concept with careful security considerations. Typical business cases for RF-ID solutions are supply chain and logistics.
Depending on the application, suitable tag types should be chosen to precisely solve the task defined in an earlier design phase. With a large variety of tag types and tag manufacturers, it is essential to understand the criteria by which the available solutions can be distinguished and assessed.
1. Power supply
- Passive transponders do not have their own power supply and need to draw their energy from the electromagnetic field of the tag reader.
- Active transponders come with their own battery to power the chip as well as data transmission.
2. Operation mode
- Full- and half-duplex: The transponder sends its information while the reader's RF field is powered. Specific strategies are required to handle the weak transponder signal and distinguish it from the reader's own, much stronger, signal.
- Sequential transmission: The transponder sends its data during periodic power-down phases of the reader. Since a passive tag receives no energy while the field is off, this mode needs an additional battery or a capacitor to bridge the transmission.
3. Data load
- A 1-bit transponder can only signal two different states. This is sufficient for certain security tasks (electronic article surveillance, i.e. anti-theft) and attractive because of its very low cost.
- Other transponders are capable of storing several kilobytes of data.
4. Access mode
- Read-only tags are usually assigned a unique ID number by the tag manufacturer.
- Read/write tags may be overwritten by the reader. These tag types are more expensive and require a reliable security concept, since otherwise anyone with a compatible reader can change their contents.
5. Frequency
- Low frequency (LF): 125 kHz
Common frequency for low-cost passive transponder solutions.
- High frequency (HF): 13.56 MHz
Mainly used for product labels.
- Ultra high frequency (UHF): 860-960 MHz
For labels with read/write access up to a range of about 10 feet.
- Microwave: 2.45 GHz
For tags with greater range.
6. Range
- Range depends primarily on the application and the tag frequency: 100-135 kHz: up to 200 cm; 13.56 MHz: up to 100 cm; 868/915 MHz passive: 2 m; 868/915 MHz active: 6-8 m; 2.45 GHz: up to 12 m.
7. Price
- Tag prices vary from a few cents for low-frequency passive tags to around $100 for active high-frequency tags.
8. Physical design
Tags come in different forms and shapes, among them the frequently used coin shape and plastic or glass housings in different variations. Tags may be integrated directly into watches or key fobs. Smart Labels are flexible enough to be integrated into credit-card-sized stickers, which can then be attached directly to individual products, pallets or containers.
RF-ID solutions can be used in many different areas, most prominently identification and accounting systems.
- Containers / product identification: Tags can be attached to store general information about an item. Origin, destination and content can therefore be processed automatically.
- Retail: Products in a store can be equipped with price tags. The customer simply carries the items through a sensor. The system recognizes the price and charges against a customer account or demands payment. Finally the tags are removed or deactivated.
- Anti-theft devices for cars: The transponder is attached to the key and initialized with a special identification code. The owner of the vehicle has to be inside the car with his key to deactivate the protective device.
- Ticketing / access control: Often consumers require access to designated areas. A chip card contains the identification technology and opens a door for example as soon as the card is in close proximity to the reader. Therefore ID cards do not need to be checked manually. Advantages are low costs and speed (think of an event in a sports stadium with 30,000 visitors).
- Automation: When attaching transponders to objects on an assembly line there are advantages in supervising and adjusting production processes. By placing readers at key points in the assembly process, production flow and status may be monitored centrally.
- Decentralized control: In addition it is possible to store additional information on the tag, e.g. color or other optional choices before production begins. This way it is possible to paint the object with the correct color during the production process without accessing a central database through a network.
RFID Security Risks
RFID-enabled applications have significant benefits over applications based on bar codes, but the technology also introduces a number of new business risks. Flawed designs are not uncommon in today's RFID systems, and best practices and security policies are still emerging. Considering the potential vulnerabilities of the backend systems attached to an RFID infrastructure, the problem becomes even bigger.
RFID tags are always an integral part of a larger IT system and should be seen in this context. Typically, RFID tags contain a unique ID (for example an Electronic Product Code (EPC) or any other unique identifier). Often this ID can be altered on the tag. In addition, many tags come with user data, a separate memory area that can be used to store additional information directly on the tag, for example expiration dates for perishable goods, or the dollar value of tickets used in public transport systems. High Frequency (HF) tags traditionally come with sizable user memory, but now we see a similar development with Ultra High Frequency (UHF) tags: major players in the EPC arena are about to release new versions of their RFID chips containing 512 bits of extra memory.
Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump (released as free software by the founders of NeoCatena in 2004) can be used to explore the weaknesses of existing RFID infrastructures.
On-tag encryption, if used at all, is typically proprietary and weak due to physical limitations and cost constraints. Once the encryption features of an RFID tag are broken, the tag becomes nothing more than an ordinary data tag that can easily be manipulated with tools like RFDump. For example, the security features of the Mifare Classic chip, which is used in public transport systems and building access control world-wide today, have recently been compromised. At the 24th Chaos Communication Congress (24C3) in December 2007 Karsten Nohl from the University of Virginia presented the results of his research: Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic, revealing major design flaws and showing how easy it is to break the chip's security features. With the dollar amount of the ticket stored directly on the tag, ticketing systems based on this chip, like the Oyster card in London or the CharlieCard in Boston, are at risk: an attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open-loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.
The Mifare Classic chip is the dinosaur among RFID crypto chips: it was first released in 1994, and its proprietary crypto design has major flaws and well-known weaknesses. In recent years, however, several researchers and companies have started working on so-called "lightweight cryptography" for RFID. The idea is to re-evaluate existing crypto primitives and invent new algorithms specifically designed to achieve reasonable levels of security on low-cost passive RFID tags. This is a major challenge considering the limited computational resources as well as the power and timing constraints on these chips. For example, the chips used in today's low-cost EPC tags contain up to 15,000 gates, and only a fraction of these are available for crypto functionality; the rest is needed for the tag's state machine, memory etc. Strong private-key cryptosystems, on the other hand, require at least 20,000-30,000 gates on their own when implemented in hardware. Still, a number of new cryptosystems are available that can operate under these restrictions, and their inventors claim security levels comparable to RSA and other well-known strong cryptosystems. The jury is still out on whether these claims are true; it remains an open question whether strong security can be delivered with such limited resources at all.
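The ticketing scenario above (value stored in user memory, tag dumped and rewritten or copied with an RFDump-style tool) and the reason on-tag crypto alone does not fix it can be shown in a few lines. The following is an added example written for this page, not code from the article or from any ticketing vendor: it simulates a tag with a fixed UID and writable user memory, and compares a gate that trusts the stored balance with one that verifies a keyed MAC binding the balance to the UID. The memory layout, the backend key, the UIDs and the balances are all constructed for the example.

```python
"""Added example, not code from the article: why a stored-value ticket
whose balance sits in plain user memory can be rewritten or copied, and
how binding the balance to the tag's fixed UID with a keyed MAC lets a
reader reject both. The tag memory layout, key, UIDs and balances are
constructed for this example; the tag is simulated in software."""
import hashlib
import hmac
import struct

# Key held by the backend/readers only, never on the tag (assumption).
BACKEND_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class SimTag:
    """A read-only UID burned in by the manufacturer plus 12 bytes of
    writable user memory (assumed layout: 4-byte balance, 8-byte MAC)."""

    def __init__(self, uid: bytes):
        self.uid = uid
        self.user_mem = bytearray(12)


def _balance_mac(uid: bytes, balance_cents: int) -> bytes:
    # Truncated HMAC-SHA256 over (UID || balance); 64 bits is an
    # assumption chosen to fit the small user memory.
    msg = uid + struct.pack(">I", balance_cents)
    return hmac.new(BACKEND_KEY, msg, hashlib.sha256).digest()[:8]


def issue(tag: SimTag, balance_cents: int) -> None:
    """Issuer loads a balance and the MAC binding it to this UID."""
    tag.user_mem[0:4] = struct.pack(">I", balance_cents)
    tag.user_mem[4:12] = _balance_mac(tag.uid, balance_cents)


def read_balance_unprotected(tag: SimTag) -> int:
    """Gate logic that trusts whatever the tag's user memory says."""
    return struct.unpack(">I", tag.user_mem[0:4])[0]


def read_balance_protected(tag: SimTag):
    """Gate logic that verifies the MAC against the UID it actually read.
    Returns None for an edited balance or for memory copied from a tag
    with a different UID."""
    balance = struct.unpack(">I", tag.user_mem[0:4])[0]
    expected = _balance_mac(tag.uid, balance)
    if not hmac.compare_digest(bytes(tag.user_mem[4:12]), expected):
        return None
    return balance


# What an attacker with an RFDump-style read/write tool can do.
def attacker_set_balance(tag: SimTag, balance_cents: int) -> None:
    tag.user_mem[0:4] = struct.pack(">I", balance_cents)


def attacker_copy_memory(src: SimTag, dst: SimTag) -> None:
    dst.user_mem[:] = src.user_mem


def demo() -> dict:
    """Returns (unprotected, protected) readings for three tags."""
    genuine = SimTag(bytes.fromhex("04a1b2c3"))
    issue(genuine, 500)  # 5.00 loaded by the issuer

    # Dump the genuine tag and bump the balance in place.
    edited = SimTag(genuine.uid)
    attacker_copy_memory(genuine, edited)
    attacker_set_balance(edited, 99_999)

    # Copy the genuine tag's memory onto a blank tag with its own UID.
    clone = SimTag(bytes.fromhex("04ffeedd"))
    attacker_copy_memory(genuine, clone)

    return {
        "genuine": (read_balance_unprotected(genuine), read_balance_protected(genuine)),
        "edited": (read_balance_unprotected(edited), read_balance_protected(edited)),
        "clone": (read_balance_unprotected(clone), read_balance_protected(clone)),
    }


if __name__ == "__main__":
    for name, (naive, checked) in demo().items():
        print(f"{name:8s} naive={naive:6d} checked={checked}")
```

The naive gate accepts 999.99 on the edited tag and 5.00 on the clone; the MAC-checking gate returns None for both because the MAC no longer matches the (UID, balance) pair it actually read. Two caveats a practitioner should keep in mind: the MAC does not stop a rollback (dump the tag at 5.00, ride, restore the dump, and the restored state verifies), and it does not stop a copy onto a tag whose UID can be set to match. Both need a per-UID transaction counter or log on the backend. The key must also stay off the tag, since, as the Mifare Classic case shows, on-tag proprietary crypto cannot be relied on to protect it.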
Storage capacity on RFID tags is limited but sufficient to carry payloads for attacks well known in the IT security world (e.g. SQL injection, buffer overflows, format string attacks). Even RFID-based malware is possible, as demonstrated by Rieback, Crispo and Tanenbaum in their paper "Is Your Cat Infected with a Computer Virus?". Essentially we see the same attack patterns and exploits that have been studied in the network security community for a long time emerging in a new domain.
Protecting Internet communication channels using firewalls has become standard, but in today's typical RFID implementations very little is done to protect the edge of the network. This opens the door for various kinds of attacks using the RFID communication channel as an attack vector. Often RFID systems are perceived as closed loop applications with no exposure to the outside world. However, in a digital supply chain scenario, what happens after items or packages have been labeled at the manufacturing site and before they reach distribution centers or warehouses? While in transit, tags can easily be accessed and then altered or exchanged. Fake products and tags could be injected into the supply chain, a serious concern in the pharmaceutical industry. In addition, the possibility of an inside attack should not be underestimated.
Attacks Against RFID Applications
In summary, today's RFID applications are exposed to numerous technical risks with direct consequences for the business, such as revenue loss, customer safety, fraud, brand damage, business continuity and liability. In addition, these risks affect legal and regulatory requirements as defined by SOX and Basel II. These and similar pieces of legislation in various countries require the operator of an RFID application to integrate RFID into their risk management process and to analyze RFID-specific risk scenarios and their effect on business continuity.
Some of the technical risks and their implications are listed here:
- Cloning: Duplicating or manipulating RFID tag data to create identical copies or variations of RFID tags that will be accepted by an RFID application as valid. Goals could be to gain illegal access to a restricted area, inject counterfeit products into a digital supply chain or change price tags at the Point of Sale (Cyber Shop Lifting).
- Code Injection Attack: Manipulating RFID tag data so that it contains malicious code or code fragments (RFID virus) with the intention of changing the course of execution of the backend systems or databases processing the RFID data. This malware attempts to exploit vulnerabilities caused by sloppy software implementations, bringing the system into an undefined state or crashing it (e.g. because of missing error handlers or vulnerability to buffer overflow, format string or other injection attacks). In particular, SQL injection may be used to alter any record in a SQL database. The goal could be to gain illegal access to backend systems, or to disable or destroy them entirely.
- Denial-of-Service Attack (DoS): Almost every resource in an RFID system can become the target of a DoS attack, including tags, readers and the backend system / edge server. Attacks on the air interface include shielding tags, flooding the reader field with a multitude of tags, or selectively jamming the reader field. The goal is usually to sabotage specific resources of an RFID system, such as a digital supply chain, effectively making the system unavailable to its intended users.
- Man-in-the-Middle Attack: Impersonating either a legitimate reader or a legitimate tag to collect RFID data and metadata, or actively manipulating data sent between tag and backend system, e.g. to perform code injection attacks or gain illegal access to a restricted area.
- Eavesdropping / Scanning: Listening on the RF channel using special reader devices and sensitive antennas to collect RFID data, e.g. to gather information about a business (corporate espionage) or an individual (profiling, tracking and tracing, privacy violations). This type of attack is often used as a helper attack, serving as a prerequisite for further attacks such as a man-in-the-middle attack.
- Physical Attack: The simplistic architecture of low-cost RFID makes these attacks feasible once again. There are invasive physical attacks (microprobing, focused ion beam editing etc.) and non-invasive attacks (power / timing analysis, radio fingerprinting etc.). The goal of such attacks could be to reverse engineer proprietary crypto algorithms and extract keys.
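The SQL injection case mentioned both in the storage-capacity paragraph and in the code injection item above is easy to reproduce against a typical point-of-sale lookup. The following is an added example written for this page, not code from the article or from any RFID middleware: an in-memory SQLite items table, a lookup that pastes the identifier read from the tag straight into SQL, a constructed tag payload that makes it return a one-cent price for an expensive item (cyber shop lifting), and the hardened lookup. The table, its rows, the tag contents and the function names are all constructed; the hostile payload is longer than a 96-bit EPC and would have to sit in the tag's user memory, which is exactly the memory area the article describes.

```python
"""Added example, not code from the article: a point-of-sale price lookup
that pastes the identifier read from a tag into SQL, the tag payload that
turns it into cyber shop lifting, and the hardened lookup. The items
table, its rows and the hostile tag contents are constructed here."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (epc TEXT PRIMARY KEY, description TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [
            ("30340000000000000000010a", "Espresso machine", 349.00),
            ("30340000000000000000020b", "Coffee beans 1 kg", 18.50),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_data: str) -> list:
    """Builds the query by string formatting: the tag chooses the SQL."""
    sql = f"SELECT description, price FROM items WHERE epc = '{tag_data}'"
    return conn.execute(sql).fetchall()


# A 96-bit EPC rendered as 24 lowercase hex characters (format allow-list).
EPC96_HEX = re.compile(r"[0-9a-f]{24}")


def lookup_hardened(conn: sqlite3.Connection, tag_data: str) -> list:
    """Validates the tag data against the expected format, then binds it as
    a parameter so the database never parses it as SQL."""
    if not EPC96_HEX.fullmatch(tag_data):
        raise ValueError("tag data is not a 96-bit EPC")
    return conn.execute(
        "SELECT description, price FROM items WHERE epc = ?", (tag_data,)
    ).fetchall()


def hardened_rejects(conn: sqlite3.Connection, tag_data: str) -> bool:
    """True if the hardened lookup refuses the tag data outright."""
    try:
        lookup_hardened(conn, tag_data)
    except ValueError:
        return True
    return False


# Constructed payload an attacker writes into the tag: it closes the
# string literal, appends a fake row and comments out the trailing quote.
HOSTILE_TAG_DATA = "' UNION SELECT 'Espresso machine', 0.01 --"
GENUINE_TAG_DATA = "30340000000000000000020b"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, genuine:", lookup_vulnerable(db, GENUINE_TAG_DATA))
    print("vulnerable, hostile:", lookup_vulnerable(db, HOSTILE_TAG_DATA))
    print("hardened,   genuine:", lookup_hardened(db, GENUINE_TAG_DATA))
    print("hardened rejects hostile:", hardened_rejects(db, HOSTILE_TAG_DATA))
```

The vulnerable lookup returns the espresso machine at 0.01 for the hostile tag; the hardened one raises before the database ever sees the payload. Two layers are deliberate: the parameter binding is what actually removes the injection, and the format allow-list is defence in depth that also catches oversized or non-EPC data before it reaches any other backend component, which matters because the same tag field is usually handed to logging, reporting and ERP systems as well.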
Some of the attack types listed above, the physical attacks for example, are costly and time consuming and require a high degree of technical expertise; they are often impractical and only performed as a proof of concept in the research community. Other attacks only make sense in combination with others: an eavesdropping attack, for example, could be performed to learn about the communication protocol between tag and reader in order to later perform a code injection attack.
Different industries use different RFID technology and face different kinds of business risks, so for each vertical industry a careful analysis is required. A good starting point is a detailed threat model identifying possible incidents as well as the probability and cost associated with their occurrence. Risks can then be coupled with recommended countermeasures, and solutions providing an adequate level of security can be tailored to an industry's or even an individual user's needs.
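The anti-collision mechanism mentioned at the start of the page is also what makes two of the air-interface attacks listed above work: flooding the field (DoS) and eavesdropping on the reader. The following is an added example written for this page, not code from the article: a simulation of binary tree walking, the simplest anti-collision (singulation) scheme, plus a "blocker" tag in the style of Juels, Rivest and Szydlo (2003) that answers on every branch so the reader is forced to walk the entire ID space. IDs are shortened to 8 bits, every ID is constructed, and the class and function names are this example's own.

```python
"""Added example, not code from the article: binary tree-walking
singulation, a blocker tag that turns it into a denial of service, and an
eavesdropper who recovers tag IDs from the reader's broadcasts alone.
IDs are 8 bits here (real EPCs are 96); all values are constructed."""
ID_BITS = 8  # toy ID length


class Tag:
    def __init__(self, ident: int):
        self.bits = format(ident, f"0{ID_BITS}b")

    def respond(self, prefix: str) -> set:
        """Honest tag: if our ID starts with the broadcast prefix, reply
        with our next bit; otherwise stay silent."""
        if len(prefix) < ID_BITS and self.bits.startswith(prefix):
            return {self.bits[len(prefix)]}
        return set()


class BlockerTag:
    def respond(self, prefix: str) -> set:
        """Replies with both bits to every prefix, so every subtree looks
        occupied and the reader can never prune the search."""
        return {"0", "1"} if len(prefix) < ID_BITS else set()


def tree_walk(tags) -> tuple:
    """Reader side. Returns (singulated IDs, list of prefixes broadcast).
    The reader only sees the superposition of all replies: hearing both
    '0' and '1' is a collision, resolved by descending into both branches."""
    found, broadcasts = [], []
    stack = [""]
    while stack:
        prefix = stack.pop()
        broadcasts.append(prefix)
        if len(prefix) == ID_BITS:
            found.append(int(prefix, 2))
            continue
        replies = set()
        for tag in tags:
            replies |= tag.respond(prefix)
        for bit in sorted(replies, reverse=True):  # explore the '0' branch first
            stack.append(prefix + bit)
    return sorted(found), broadcasts


def ids_from_reader_side(broadcasts) -> list:
    """Eavesdropper who hears only the (much stronger) reader signal:
    every full-length prefix the reader broadcast is a tag ID."""
    return sorted(int(p, 2) for p in broadcasts if len(p) == ID_BITS)


if __name__ == "__main__":
    honest = [Tag(10), Tag(11), Tag(240)]
    ids, sent = tree_walk(honest)
    print("honest field:", ids, "after", len(sent), "reader queries")
    print("recovered from reader side only:", ids_from_reader_side(sent))
    ids, sent = tree_walk(honest + [BlockerTag()])
    print("with blocker:", len(ids), "apparent IDs after", len(sent), "queries")
```

With three honest tags the reader finishes in 18 queries and singulates exactly the three IDs; the eavesdropper, who never hears a tag, recovers the same three IDs from the reader's broadcasts, which is why reader-to-tag traffic needs protecting as much as the weak tag-to-reader channel. Adding one blocker tag forces 511 queries and 256 apparent tags, and the honest tags are lost in the noise, which is the flooding DoS from the list above with a single device instead of a bag of tags. EPC Gen2 readers use a slotted-ALOHA variant rather than tree walking, but a field full of colliding tags has the same effect there: the reader keeps enlarging its slot count and throughput collapses.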