RFID: Security and Privacy

RFID (Radio Frequency Identification) technology is increasingly entering many domains on the grounds of improving efficiency and security. This paper aims to survey the issues associated with RFID security, current state of security techniques, their advantages and weaknesses, as well as potential implications with respect to privacy. INTRODUCTION Radio Frequency Identification (RFID) is an emerging technology with significant potential benefits to domains requiring automatic retrieval of information about objects, such as packages, people, store merchandise, books in libraries, spare parts in repair depots, histories of objects through the manufacturing process, and many other applications. As a wireless technology, RFID is inherently susceptible to issues regarding security and authentication since electromagnetic transmissions through the air are likely to be intercepted by unintended adversaries. Not only are the capabilities of intercepting live communication a possibility, but also could remote information retrieval, alteration, or otherwise malicious activity. Furthermore, as RFID is increasingly used for purposes of security and theft prevention, care must be exercised to not create more serious vulnerabilities in the system than already exist. Naturally various applications and domains have differing requirements for security and efficiency in processing, budgeting constraints, and many other factors affecting the overall design of the system, and hopefully his paper will illustrate some of the related risks and benefits of using RFID. SECURITY vs. PRIVACY These terms require an explanation since their differences are critical. Security is a condition resulting from protective measures designed to guarantee inviolability of sensitive content and communications; essentially, protection from unwanted adversaries extracting critical information. Privacy, is the ability of an entity to stop information about itself from becoming known to entities other than those authorized. Privacy is often related to anonymity however that is not a requisite. Authentication, in this context, is the ability to confirm the identity of another wirelessly. It may be uni-directional or mutual. LEGAL FRAMEWORK AND POLICY While this paper addresses mostly the technical issues, and does not cover the broader implications for privacy due to RFID. It is important to note, that there is a great need for establishment of legal and policy guidelines with respect to determining acceptable practices in the area of security and privacy (in general not just with regard to RFID). Just standards are developed on a technical level, so should a framework outlining standard practices with respect to these issues. Some of these have been raised in the House of Representatives [HR04] and mainstream publications [GR05], however, the results have yet to materialize. FACTORS OF SECURITY AND PRIVACY Below is a list of factors that are generally used to asses the desirable characteristics of security. They are used throughout the paper, and will be briefly introduced here for clarity, particularly in the context of RFID. These are some of the key factors that should be accounted for when making system design decisions with RFID security in mind. Tracking. Tracking is the ability to uniquely identify a tag. While the particular information on the tag may not be readable or meaningful, just the ability to uniquely identify a tag allows an adversary to keep a trail of the tag’s whereabouts. Depending on the circumstances this may be a serious threat to privacy. Cloning. A potential compromise of the system, occurs when a tag is cloned, and poses as the original item. Depending on the application this may facilitate theft, identity spoofing, physical access to buildings, cars, etc. Hot-listing. This is similar to tracking, but focused on particular information gathered previously. For example, one can go to a library which now uses RFID, and obtain the ID’s of certain books. Anytime afterwards the adversary can be alerted when they are in proximity of anyone possessing the hot-listed items. Generally types of objects can be hot-listed when the designating identifier contains object type information as opposed to a random identifier. Inventorying. Inventorying is a process of associating a group (cloud or constellation) of tags as a single entity, and building up inferences based on the collected information. An individual possessing some products containing RFID tags would be represented by such a cloud with a particular combination signature. Blocking. This is a low level strategy for interfering with the operation of an RFID reader. Conceptually, a blocker tag emits responses aimed to break the typical communication protocol of the reader. Tag and reader hardware have physical and computational limitations on available resources. This has significant implications on the complexity of computation possible (hash functions, random number generation) and on the ranges of communication. Further federal rules impose limitations on power emitted by RFID devices (something that does not apply to rogue adversaries). Scalability. Any scheme considered my fit within scale requirements of the design. This generally means a requirement of performance at least linear in the number of tags. Ideally it would be a constant, although O(n log n) is also acceptable. Cost. Clearly with more money one can purchase more computational power (e.g. TI’s Digital Signature Transponder) or communicational power (active tags, semi-active tags). What is the importance of the post-sale value to customer. Some applications claim significant post-sale benefits of RFID to the consumer, however caution must be exercised when implementation is considered. If keys are required to read/authenticate tags, then how should they be managed and transferred to third parties? Physical disablement and destruction. Certain systems that rely on RFID security can potentially be completely circumvented by the physical destruction or electromagnetic shielding of the antenna (e.g. microwaving the chip, or using aluminum foil shielding). Permanent connectivity of readers. This is a very important factor in design, particularly when multiple levels of analysis are used for system security. Issues of synchronicity, database access, and content analysis (e.g. detection of potential presence of two identical tags in different locations) must be addressed with respect to the actual network topology and connectivity properties. Side channels. These are techniques of using non-primary properties of the RFID tags and readers to obtain more information about the primary. For example, due to the manufacturing process each chip contains very minor imperfections, which may result in slight modulations of timing or signal strengths. Although they are not noticeable to the reader, one can determine unique signatures from them, or try to induce more information about the content of communication. Replay attack. When an adversary intercepts reader tag communication, this information may be used again at a later time to compromise the system. Adversary positions. The system must be analyzed from various potential adversarial attacks, and their merits accounted for. What are the consequences of a reader impersonation, cloning, blocking, partial blocking, physically removing or disabling of tags. What level of authentication is required reader to tag, tag to reader or both. Man in the middle attack. This is an attack method based on interception of legitimate communication and modulation thereof to breach the system. Well documented examples in RFID security include a breach of an ISO 14443 system at 50 meters [Ha05] and the breach of HB+ protocol [GRS05].