rfid – another technology, another security mess?


Technology, Infosecurity Today, May/June 2006, page 35

It's infinitely useful, has a wide range of applications and is going in at a gallop. But has anybody really thought through the security implications of radio frequency identification (RFID)?

RFID – another technology, another security mess?

William Knight

Is your cat infected with a computer virus?

You can't blame the researchers at the Vrije Universiteit of Amsterdam for choosing the above headline for their RFID security paper. After all, reporters seem obsessed with horror stories about the cute and cuddly, so suggesting that your furry friend might be carrying a dreaded virus is a sure way to grab attention, especially with bird 'flu raging.

But does it invalidate their findings? No, says Ari Juels, principal research scientist with RSA Labs.

Juels believes an essential principle was lost in the media storm. “RFID will extend network perimeters in ways that open up new vectors of attack,” he says.

In the paper, PhD student, RFID privacy activist and lead author Melanie Rieback warned that data from RFID tags can be used to exploit back-end software systems. Her conclusion was based on the creation of a contrived piece of malware installed on an RFID tag and delivered to the middleware via a reader. (See box out, ‘RFID buzzwords’).

RFID's time has yet to come. Before the technology becomes ubiquitous, rather than an efficient supply chain technology, tag costs must come down, applications must be developed and business models created. This will not happen soon, says Juels. Robust business technology and business processes are not happening. “It could easily be a decade until it really becomes prevalent,” he says.

No shock

We've been here before. There is no philosophical difference between an RFID tag and a floppy disk, says Juels; they are both carriers of data to be written and read by machines. Therefore, nobody in information security was shocked that RFID tags could deliver malware. “RFID tags belong in the same category as PDA devices or any of the other wireless devices that are stretching the network in new ways and will continue to do so.”

So far, the limited memory capacity of RFID tags and their short operating distances have cast an invulnerability spell over RFID projects. But experimental threats are slowly dispelling the magic.

The cryptographers' panel at February's RSA conference offered some depressing insights into RFID vulnerabilities. Adi Shamir, RSA founder and a professor at the Weizmann Institute of Science, outlined how a directional antenna and oscilloscope could measure differences in power consumption to determine when an encrypted tag received correct or incorrect password bits.

"We tested the biggest brand; it is totally unprotected."

RSA’s Ari Juels: RFID extends network perimeters


Reflections

“The reflected signals contain a lot of information,” Shamir said. “We can see the point where the chip is unhappy if a wrong bit is sent. I haven't tested all RFID tags, but we did test the biggest brand, and it is totally unprotected.”

Shamir concluded that someone could use similar techniques via a cellphone. It has “all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.”

RSA also cracked the code on a vehicle immobilizer key shipped with many current models, including 2005 Fords. The keys use Texas Instruments' low-frequency RFID transponders. These are protected by a 40-bit key encryption algorithm designed in the 1990s that is now vulnerable to brute force (guessing) attacks.

The same RFID tag is used in payment devices in the US for payment at the petrol pump. “We stole gas using our own tag and stole our own automobile, all within the boundaries of the law. This showed that others could do the same, but without such munificent intentions,” says Juels.

"It's more cost-effective to build in the right protective measures from the start."

RFID threats explored

Sniffing
Any compliant reading device can read RFID tags without the knowledge of the tag bearer. This raises espionage and privacy issues, as information from multiple tags may be pieced together to build up a picture of the tag holder that an individual tag may not provide.

Tracking
RFID readers can record passing personal tags. Individuals may be tracked with their knowledge as a legitimate application (e.g. school children, company employees) but involuntary tracking is an invasion of privacy.

Spoofing
Attackers can copy authentic RFID tags by writing cloned data to blank tags.

Replay attacks
Using relay devices attackers can intercept and retransmit RFID queries. Retransmissions may fool digital passport readers, contact-less payment systems, and building access control systems.

Denial of Service
Malefactors can block readers' requests by using physical barriers e.g. a Faraday cage, or by jamming. Blocking may prove disastrous in medical emergencies or search and recovery operations.

Buffer Overflow
Carefully crafted RFID attacks may exploit software faults and overrun internal buffers. Tags themselves may hold little data, but attackers can use tag-simulation devices with unlimited data transfer capabilities.

Code insertion
Perhaps by exploiting a buffer overflow, executable code may be transmitted via a tag and executed on the host.

SQL injection
RFID-attached databases may respond to hidden commands embedded in standard SQL. Data from the tag passes to the back-end database, but might include unexpected commands for the database application to reveal sensitive data or database structure.

Source: Is your cat infected with a computer virus?, Melanie Rieback, http://www.cs.vu.nl/~melanie/rfid_guardian/papers/percom.06.pdf
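The SQL injection and buffer overflow entries in the box above both come down to middleware trusting whatever a tag, or a device imitating one, sends. The following Python code is an added example, not taken from the article or from Rieback's paper: it sets a concatenated query beside a version that validates the tag data and binds it as a parameter. The 24-hex-character tag format, the table schema, the function names and the sample inputs are all assumptions constructed for the illustration.

```python
import re
import sqlite3

# Assumed tag format for this example: a 96-bit identifier as 24 hex characters.
TAG_ID = re.compile(r"[0-9A-F]{24}")

# Constructed sample inputs, not taken from any real deployment.
GOOD_TAG = "3000000000000000000000A1"
CRAFTED_TAG = "x' OR '1'='1"      # tag contents shaped to alter the query
OVERSIZED_TAG = "A" * 100_000     # far more data than a real tag would hold


def make_db():
    """Build a small in-memory inventory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag_id TEXT PRIMARY KEY, description TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(GOOD_TAG, "pallet 1"), ("3000000000000000000000A2", "pallet 2")],
    )
    return db


def lookup_unsafe(db, tag_data):
    """Weak form: tag data is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT description FROM items WHERE tag_id = '" + tag_data + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_safe(db, tag_data):
    """Hardened form: validate length and alphabet, then bind as a parameter."""
    if not isinstance(tag_data, str) or not TAG_ID.fullmatch(tag_data):
        raise ValueError("malformed tag data rejected")
    rows = db.execute("SELECT description FROM items WHERE tag_id = ?", (tag_data,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, good tag:   ", lookup_unsafe(db, GOOD_TAG))
    print("unsafe, crafted tag:", lookup_unsafe(db, CRAFTED_TAG))
    for tag in (GOOD_TAG, CRAFTED_TAG, OVERSIZED_TAG):
        try:
            print("safe:", lookup_safe(db, tag))
        except ValueError as err:
            print("safe:", err)
```

The format check also bounds the input length, so an oversized payload from a tag-simulation device is rejected before it reaches the database layer.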


These attacks are warnings of things to come. But they are probably little more than academic curiosity at present because the most serious installations of RFID are in the supply chain. But for applications that target consumer goods, privacy worries far outweigh other concerns.

“Retail surveillance devices are merely the opening volley of the marketers' war against consumers. Our long-term prospects look like something from a dystopian science fiction novel,” says CASPIAN, a consumer pressure group. There is even a book calling Christians to arms: The Spychips Threat: Why Christians Should Resist RFID and Electronic Surveillance.

Middle way

Juels says there should be a middle way between business advantage and public concerns. He feels the issues must be debated while the infrastructure is young enough to be changed. “RFID tags do pose some privacy risks but at the same time they can bring benefits. It's important for the industry to think carefully about how to balance the pros and cons.”

EPCglobal is responsible for global RFID standards. It proposed a kill function that requires that tags can be disabled at the checkout. Juels reckons this might be counter-productive. “Industry talks about smart appliances: refrigerators that know when the milk has gone bad; washing machines that will not wash silk in hot water, that type of thing. You have RFID bringing ubiquitous benefits, but on the other hand you've got this privacy mechanism that is going to deliver dead tags to the consumer. Those things obviously don't mesh well.”

Benefits or not, trampling consumers' privacy is a sure way for any self-respecting retailer to damage the brand. And the threats will only increase as smaller, cheaper, more powerful RFID systems become available.

“Everyone expects RFID tags to be huge; they're everywhere,” said Shamir. “They're going to protect our identities, our passwords, they're going to protect items in stores. The fact is the first generation is very weak.”

And Juels agrees. “Texas Instruments is to be lauded for putting cryptography in their tags to begin with, but it's not strong enough. That's the problem.”

Bolt-on

But it may be a law of IT that products start out unprotected and security is bolted on later. It happened with the internet, with operating systems and applications like SQL databases. Why not with RFID?

“One would hope that lessons we've learnt from deploying so many technologies would point out the benefit of thinking through these questions in advance. Ultimately it's more cost-effective to build in the right protective measures and flexible policy from the start. It's just good business sense,” says Juels.

Gartner, the market analyst firm, agrees. Commenting on Rieback's paper, it said: “This new research highlights the need to ensure that RFID projects are deployed with enterprise-class security and manageability - not the 'deploy now, secure later' approach that Gartner believes is most common today.”

So, for the enterprise, asking if the cat has a computer virus is the wrong question. Far better to ask if the expansion of the perimeter causes extra security concerns. Of course the answer is yes.

William Knight is a technology writer with 18 years' experience in Software Development and IT consulting. He writes for titles that include: Computing, JavaPro and Gantthead.com.

"The fact is the first generation is very weak."

RFID buzzwords

RFID
Radio Frequency Identification: an automated data collection technology that uses radio waves to transfer data between a reader and a tag.

Tag
Akin to a barcode, tags are attached to objects in order to report object-specific information. Tags respond to an RFID reader's requests with a range of information, anything from a serial number, to product detail and history, or environmental data.

Reader
A radio frequency transmitter sends "Are you there" requests. Tags in range may respond and data is usually conveyed to middleware for integration with business processes. Readers may be fixed, such as a train station ticket reader, be hand-held for stock taking, or be mounted on mobile assets such as forklifts or freight pallets.

Passive RFID
Passive tags have no battery and use the reader's radio-request to provide enough power to respond. This limits capability but reduces manufacturing costs.

Active RFID
Active tags have their own power source. Active tags are more expensive, but the range is superior and tags may collect and process data, as well as report it.

Sensing RFID
Tags can convey information gathered by nearby sensors measuring temperature, taking photographs or taking other environmental measurements.

New book

RFID Security reveals the motives of RFID hackers and then explains how to protect systems. Coverage includes how to prevent attackers from exploiting security breaches for monetary gain; how to protect the supply chain; and how to protect personal privacy. To find out more about this title visit www.books.elsevier.com/syngress

Syngress publishing, ISBN: 1597490474, £27.99, €40.95, May 2006