RFID Security Risks
RFID-enabled applications have significant benefits over applications based on barcodes, but the technology also introduces a number of new business risks. Flawed designs are not uncommon in today's RFID systems, and best practices and security policies are still emerging. Considering the potential vulnerabilities of backend systems attached to an RFID infrastructure, the problem becomes even bigger.
RFID tags are always an integral part of a larger IT system and should be seen in this context. Typically, RFID tags contain a unique ID (for example an EPC product code or any other unique ID). Often this ID can be altered on the tag. In addition, many tags come with user data, a separate memory area that can be used to store additional information directly on the tag, for example, expiration dates for perishable goods, or the dollar value of tickets used in public transport systems. High Frequency (HF) tags traditionally come with sizable user memory, but now we see a similar development with Ultra High Frequency (UHF) tags: Major players in the EPC arena are about to release new versions of their RFID chips containing 512 bits of extra memory.
Given a compatible RFID reader device, anyone can freely read and modify data stored on these RFID tags without the legitimate owner even being aware of it. RFID auditing tools like RFDump (released as free software by the founders of NeoCatena in 2004) can be used to explore the weaknesses of existing RFID infrastructures.
On-tag encryption, if used at all, is typically proprietary and weak due to physical limitations and cost constraints. Once the encryption features of an RFID tag are broken, the tag becomes nothing more than an ordinary data tag that can easily be manipulated with tools like RFDump. For example, the security features of the Mifare Classic chip, which is used in public transport systems and building access control world-wide today, have recently been compromised. At the Chaos Computer Congress 2007 Karsten Nohl from the University of Virginia presented the results of his research. Nohl had analyzed the Mifare chip layer by layer under an electron microscope and reverse engineered significant parts of its proprietary encryption logic, revealing major design flaws and showing how easily the chip's security features can be broken. With the dollar amount of the ticket directly stored on the tag, ticketing systems based on this chip, like the Oyster Card in London or the Charlie Card in Boston, are at risk. An attacker could attempt to either clone a ticket or change its value to gain illegal access to the service provided. Similar cloning and tampering scenarios apply to other open loop applications as well, including hotel key cards, ski lift and event tickets, electronic payment systems and the electronic passport.
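The paragraph above points out that a ticket value written directly into tag user memory can be edited or copied to another tag. One backend-side mitigation that does not depend on the tag's own (possibly broken) crypto is to bind the stored value to the tag's unique ID with a keyed MAC that only the back end can compute. The example below is added here for illustration; it is not code from the original article or from NeoCatena. The user-memory layout (4-byte value plus a 16-byte truncated HMAC-SHA256), the key, the UIDs and the ticket values are all constructed for this example, and the scheme assumes the tag's UID is read-only and the key never leaves the back end.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example key. A real deployment would keep this in an HSM or key
# store on the back end; a fixed value here only keeps the example self-contained.
BACKEND_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Assumed user-memory layout on the tag (constructed for this example):
#   4 bytes   ticket value in cents, big-endian
#   16 bytes  truncated HMAC-SHA256 over (tag_uid || value)
VALUE_LEN = 4
MAC_LEN = 16


def _mac(tag_uid: bytes, value_cents: int) -> bytes:
    """Keyed MAC that ties the value to one specific tag UID."""
    msg = tag_uid + struct.pack(">I", value_cents)
    return hmac.new(BACKEND_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def encode_user_data(tag_uid: bytes, value_cents: int) -> bytes:
    """User-memory block the back end writes when issuing a ticket."""
    return struct.pack(">I", value_cents) + _mac(tag_uid, value_cents)


def read_ticket_value(tag_uid: bytes, user_data: bytes) -> Optional[int]:
    """Return the stored value only if its MAC is valid for this tag's UID.

    A None result means the reader should reject the ticket: the value field
    was altered, or the block was copied from a different tag.
    """
    if len(user_data) != VALUE_LEN + MAC_LEN:
        return None
    value_cents = struct.unpack(">I", user_data[:VALUE_LEN])[0]
    expected = _mac(tag_uid, value_cents)
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, user_data[VALUE_LEN:]):
        return None
    return value_cents


def demo() -> dict:
    """Exercise the three cases the article describes: genuine, edited, cloned."""
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID
    uid_b = bytes.fromhex("04ffeeddccbbaa")  # a second, constructed UID
    block = encode_user_data(uid_a, 2500)     # ticket worth $25.00 issued to uid_a

    genuine = read_ticket_value(uid_a, block)
    # Value field rewritten on the tag, MAC left untouched.
    edited = struct.pack(">I", 99999) + block[VALUE_LEN:]
    tampered = read_ticket_value(uid_a, edited)
    # Whole user-memory block copied onto a tag with a different UID.
    cloned = read_ticket_value(uid_b, block)
    return {"genuine": genuine, "tampered": tampered, "cloned": cloned}


if __name__ == "__main__":
    print(demo())
```

This catches an edited value and a block copied to another tag, but it does not by itself stop the holder from writing an earlier, higher-value block back onto the same tag after spending; guarding against that rollback needs a monotonic counter in the MAC'd data or a backend-side balance record.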
The Mifare Classic chip is the dinosaur among the RFID crypto chips - it was first released in 1994 and its proprietary crypto design has major flaws and well known weaknesses. In recent years, however, several researchers and companies have started working on so-called "light-weight cryptography" solutions for RFID. The idea is to re-evaluate existing crypto primitives and invent new algorithms specifically designed to achieve reasonable levels of security for low-cost passive RFID tags. This is a major challenge considering the limited computational resources as well as power and timing constraints on these chips. For example, chips used in today's low-cost EPC tags contain up to 15,000 gates. Only a fraction of these are available to implement crypto functionality, the rest is required to implement the tag's state machine, memory etc. Strong private key crypto systems on the other hand require at least 20,000 - 30,000 gates alone when implemented in hardware. Still there are a number of new cryptosystems available that can operate under these restrictions and their inventors claim security levels comparable to RSA and other well-known strong crypto systems. The jury is still out on whether these claims are true. It remains an open question whether it is possible to deliver strong security with such limited resources at all.
Storage capability on RFID tags is limited but sufficient to carry attacks commonly known in the IT security world (e.g. SQL injection, buffer overflow, string format attacks etc.). Even RFID-based malware is possible, as demonstrated by Tanenbaum, Rieback et al. in their paper "Is Your Cat Infected with a Computer Virus?". Essentially we see the same attack patterns and exploits that have been studied in the network security community for a long time emerging in a new domain.
Protecting Internet communication channels using firewalls has become standard, but in today's typical RFID implementations very little is done to protect the edge of the network. This opens the door for various kinds of attacks using the RFID communication channel as an attack vector. Often RFID systems are perceived as closed loop applications with no exposure to the outside world. However, in a digital supply chain scenario, what happens after items or packages have been labeled at the manufacturing site and before they reach distribution centers or warehouses? While in transit, tags can easily be accessed and then altered or exchanged. Fake products and tags could be injected into the supply chain, a serious concern in the pharmaceutical industry. In addition, the possibility of an inside attack should not be underestimated.
Attacks Against RFID Applications
In summary, today's RFID applications are exposed to numerous technical risks with direct consequences for the business such as revenue loss, customer safety, fraud, brand damage, business continuity and liability. In addition, these risks affect legal and regulatory requirements as defined by SOX and Basel-2. These and similar legislation in various countries require the operator of an RFID application to integrate RFID into their risk management process and analyze RFID specific risk scenarios and their effect on business continuity.
Some of the technical risks and their implications are listed here:
- Cloning: Duplicating or manipulating RFID tag data to create identical copies or variations of RFID tags that will be accepted by an RFID application as valid. Goals could be to gain illegal access to a restricted area, inject counterfeit products into a digital supply chain or change price tags at the Point of Sale (Cyber Shop Lifting).
- Code Injection Attack: Manipulating RFID tag data so that it contains malicious code or code fragments (RFID Virus) with the intention to change the course of execution of backend systems or databases processing the RFID data. This Malware attempts to exploit vulnerabilities caused by sloppy software implementations bringing the system into an undefined state, or crash it otherwise (e.g. because of missing error handlers, vulnerability to buffer overflow, string format or other injection attacks). In particular SQL injection attacks may be used to alter any record in a SQL database. The goal could be to gain illegal access to backend systems, or to disable or destroy it entirely.
- Denial-of-Service Attack (DoS): Almost all resources in an RFID system can become the target of a DoS attack, including tag, reader, or back end system / edge server. Attacks on the air interface include shielding tags, flooding the reader field with a multitude of tags or selectively jamming the reader field. The goal is usually to sabotage specific resources of an RFID system, such as a digital supply chain, effectively making the system unavailable to its intended users.
- Man-in-the-Middle Attack: Impersonating either a legitimate reader or tag to collect RFID data and metadata, or actively manipulate data sent between tag and backend system e.g. to perform code injection attacks, gain illegal access to a restricted area etc.
- Eavesdropping / Scanning: Listening on the RF channel using special reader devices and sensitive antennas to collect RFID data, e.g. to collect information about a business (corporate espionage) or an individual (profiling, tracking, tracing, privacy violations). This type of attack is often used as a helper attack serving as a prerequisite for further attacks such as a man-in-the-middle attack.
- Physical Attack: The simplistic architecture of low-cost RFID makes these types of attacks feasible once again. There are invasive physical attacks (microprobing, focused ion beam editing etc.) and non-invasive attacks (power / timing analysis, radio fingerprinting etc.). The goal of these types of attack could be to reverse engineer proprietary crypto algorithms and extract keys.
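The code injection item above describes tag data that is pasted into a backend SQL query. The example below, added here and not taken from the article or from NeoCatena, shows the vulnerable pattern beside a hardened version of the same lookup: the hardened one checks the EPC field against its expected format before use and passes it to the database as a bound parameter instead of concatenating it into the statement. The product table, the EPC values and the tag payload are constructed for the example; the 96-bit EPC is assumed to be read from the tag as 24 hex digits.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# A 96-bit EPC rendered as 24 uppercase hex digits; anything else read from a
# tag is treated as malformed rather than passed on to the database.
EPC_RE = re.compile(r"[0-9A-F]{24}")


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory product table standing in for the back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (epc TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [
            ("30340000000000000000001A", "Headphones", 14999),
            ("30340000000000000000001B", "Batteries", 499),
        ],
    )
    conn.commit()
    return conn


def lookup_price_vulnerable(conn: sqlite3.Connection, epc_from_tag: str) -> List[Tuple]:
    """The pattern the article warns about: tag memory spliced into SQL text.

    Whatever is in the tag's memory becomes part of the statement, so a tag
    does not have to hold a valid EPC to influence the query.
    """
    sql = "SELECT name, price_cents FROM product WHERE epc = '" + epc_from_tag + "'"
    return conn.execute(sql).fetchall()


def lookup_price_hardened(conn: sqlite3.Connection, epc_from_tag: str) -> Optional[Tuple]:
    """Validate the field's format, then bind it; malformed tag data is rejected."""
    if not EPC_RE.fullmatch(epc_from_tag):
        return None
    return conn.execute(
        "SELECT name, price_cents FROM product WHERE epc = ?", (epc_from_tag,)
    ).fetchone()


def demo() -> dict:
    """Run both lookups against a genuine EPC and against a constructed tag payload."""
    conn = open_demo_db()
    genuine_epc = "30340000000000000000001A"
    # Constructed payload: not an EPC at all, just text that closes the quoted
    # literal and appends a condition that is always true.
    injected = "' OR '1'='1"
    return {
        "vuln_genuine_rows": len(lookup_price_vulnerable(conn, genuine_epc)),
        "vuln_injected_rows": len(lookup_price_vulnerable(conn, injected)),
        "hard_genuine": lookup_price_hardened(conn, genuine_epc),
        "hard_injected": lookup_price_hardened(conn, injected),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every product row for the malformed tag, while the hardened lookup refuses it before the database ever sees it; a rejected read is also a useful event to log, since a tag whose user memory fails format validation is exactly what the article's code injection scenario looks like at the reader.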
Some of the attack types listed above, the physical attacks for example, are costly and time consuming and require a high degree of technical expertise. These attacks are often impractical and only performed as a proof-of-concept in the research community. Other attacks only make sense in combination with other attacks. An eavesdropping attack, for example, could be performed to learn about the communication protocol between tag and reader to later perform a code injection attack.
Different industries use different RFID technology and face different kinds of business risks. For each vertical industry a careful analysis is required. A good starting point is a detailed threat model identifying possible incidents as well as the probability and cost associated with their occurrence. Risks can then be coupled with recommended countermeasures, and solutions providing an adequate level of security can be tailored to an industry's or even an individual user's needs.