RFID Security and Privacy Simson L. Garfinkel, Ph.D. Center for Research on Computation and Society Harvard University October 5, 2005 1
RFID: The Industry s Vision. Distribution Center Consumer Docks Store Factory Docks. 2
RFID: Privacy and Security Concerns. Consumer Privacy Invasion Distribution Center Consumer Docks Store Factory Docks Chip IDs stolen and resold Surveillance by Competitors Cloned Chips Diverted. 3
One vision of the privacy problem The consumer privacy problem Here s Mr. Jones in 2020 Replacement hip medical part #459382 Wig model #4456 (cheap polyester) Das Kapital and Communistparty handbook 30 items of lingerie 1500 Euros in wallet Serial numbers: 597387,389473 Source: Ari Juels, RSA Security 4
Another vision of the privacy problem.. 5
Another vision of the privacy problem.. Hidden tags transmit to hidden receivers in the house. 6
The problem is visibility and transparency. Barcodes must be visible to work. Radio waves are invisible and penetrate; RFID tags can be hidden This is both a privacy and security problem. Security Threats Jamming Replay attacks Covert reading Privacy Threats Covert reading Tracking over time Individual profiling 7
The threat realized: a prox-card cloner. Source: Jonathan Westhues 8
Proposed industry solutions At the tag: Kill Encryption At the ONS: EPC Trust Services EPC-IS provide fine-grained access control. How does one provide fine-grained control with 10 million players? 9
First problem with the industry solution: Managing the keys. K 10 K 4 K 3 K 6 K 7 K 5 K 1 K2 K 13 K 9 K 8 K 11 K 12 If all of the keys are different, how are they managed? 10
First problem with the industry solution: Managing the keys. K 10 1 K 41 K 31 K 61 K 71 K 51 K 1 K2 K1 K 13 1 K 91 K 81 K 11 1 K 12 1 If all of the keys are the same, how is it protected? 11
Kill is a simple solution that works today, but not tomorrow. Post-consumer use of RFID? (Refridgerators, Closets, Washing Machines) Recycling? Returns? How do you verify a kill? What about blind people? Kill unreasonably limits RFID. 12
There are several proposals from outside the industry: Sure Kill Foil-lined bags The Blocker Tag Randomization Switches RFID Bill of Rights Abstinence 13
Sure Kill This is kill a Biblical Sense. Sanjay Sarma 14
Foil-lined bags These are better known as Booster Bags. Checkpoint s MetalPoint detects them. 15
The Blocker Tag is a single that that looks like billions: 765 441 334 007 993 443 007 334 553 993 553 765 334 441 443 553 007 443 993 441 765 Consumers need to get and trust the tag. Blockers could be made illegal. (Attacks on anti-theft systems.) Juels proposes polite blocking as a compromise. 16
A switch could be used to turn the RFID chip on and off RFID Inactive RFID Active 17
Randomization Pseudorandom rotation: Random Assignment 123 356 934 334 765 553 441 007 443 993 877 531 987 If the ONS is going to be tightly controlled, randomization poses no additional overhead. 18
Randomization breaks the traditional ONS model 96 bits 1 Manufacturer Item SN Instead, you get this: 96 bits 2 Large Random Number 19
Policy-based Solutions: The RFID Bill of Rights MIT put an RFID chip in my ID card! 20
I have many questions about my chip... Does it have my name on it? Who has access to the database? How far can my card be read? What s the security? What about cash purchases? Where are the readers? What s done with all of this data? 21
The RFID Bill of Rights addresses the most obvious RFID abuses Users of RFID systems and purchasers of products containing RFID tags have: 1. The right to know if a product contains an RFID tag. 2. The right to have embedded RFID tags removed, deactivated, or destroyed when a product is purchased. 3. The right to first class RFID alternatives: consumers should not lose other rights (e.g. the right to return a product or to travel on a particular road) if they decide to opt-out of RIFD or exercise an RFID tag s kill feature. 4. The right to know what information is stored inside their RFID tags. If this information is incorrect, there must be a means to correct or amend it. 5. The right to know when, where and why an RFID tag is being read. 22
EPCglobal s Guidelines fall short. 1. Consumer Notice of tags, not readers. 2. Consumer Choice consumers are allowed to discard or remove or in the future disable the tags. 3. Consumer Education consumers will have the opportunity easily to obtain accurate information about EPC and its applications. 4. Record Use, Retention and Security Companies will follow existing privacy legislation for their databases. These guidelines: Assume that no information is stored in the tags. No opt-out. Little transparency, no accountability http://www.epcglobalinc.org/public policy/public policy guidelines.html http://tinyurl.com/b9r2t 23
Abstinence If we don t solve these security and privacy issues, RFID may be rejected by business and consumers. That would be a pity. Questions? 24