RFID Security: Threats, solutions and open challenges
Bruno Crispo, Vrije Universiteit Amsterdam, crispo@cs.vu.nl
Table of Contents
- RFID technology and applications
- Security issues
- Privacy
- Proposed (partial) solutions
- Technical open issues
- Conclusions
What is RFID?
RFID: Radio Frequency IDentification. Not new: first introduced in 1959; the passive tag was patented in 1973.
- RFID tags: store up to 1 KB, cost ~25c, range up to 6 m
- RFID readers
How does RFID work?
- The reader acts as a transmitter of both energy and data.
- A passive tag is powered by this energy and at the same time receives the data.
- The tag processes the data and transmits its answer back to the reader.
- The reader receives the data.
Tag Class Taxonomy
- Class 0/1: basic capability, passive identity. Class 0 is factory programmed; Class 1 is user programmable.
- Class 2: additional functionality: encryption, limited R/W memory.
- Class 3: a battery powers the logic portion of the circuit; longer range, more bandwidth.
- Class 4: active tag, battery powered, acquiring sensing capability.
RFID Applications (Class 0/1)
- Supply chain management
- Object tracking (e.g., pallets)
- Cattle and people tracking
- Reducing counterfeits (e.g., drugs)
- Library systems
- Post-purchase consumer services (e.g., laundry checks)
- Healthcare (e.g., voice tracking for blind people)
RFID Applications (Class 2)
- Physical access control
- Anti-theft (car key)
- Fuel payment
- Transport card
- Banknotes
- Passports
- Visas
RFID Security
Each kind of tag maps onto an existing security area:
- Contactless RFID smart card -> smart-card security issues (side channels, etc.)
- Active tag, battery powered and sensing -> security of sensor networks
- Expensive passive tag with cryptography -> key management
- Cheap tags with no crypto -> EPC tags
Security Issues with Passive Tags
- Unauthorized tag reading
- Eavesdropping
- Tag cloning
- Tag tracing
- Privacy, both location and information
- Tag modification
- Denial of service
- Key management
Lightweight RFID Crypto Protocol
Tassos Dimitriou, "A Lightweight RFID Protocol to Protect against Traceability and Cloning Attacks", IEEE SECURECOMM 2005. Protects against traceability and tag cloning; provides forward privacy.
  R -> T:  request
  T -> R:  h(ID_i), N, h_{ID_i}(N)
  R -> DB: h(ID_i), N, h_{ID_i}(N)
  DB: looks up C[index = h(ID_i)] = ID_i, verifies h_{ID_i}(N), then updates ID_{i+1} = SHA-1(ID_i)
  T:  updates its ID, ID_{i+1} = SHA-1(ID_i)
Lightweight RFID Crypto Protocol
  R -> T: request
  T -> R: h(ID_i), N, h_{ID_i}(N)
- N cannot be a timestamp or a counter (a predictable value is a side channel that lets the tag be traced); it must be a random number.
- The old N and ID must be erased.
- The keyed hash is an HMAC: HMAC_ID(N) = SHA-1[(ID xor pad_0) || SHA-1((ID xor pad_1) || N)], where pad_0 and pad_1 are the HMAC outer and inner padding constants.
Lightweight RFID Crypto Protocol: replay attack to spoof a tag
  M(R) -> T:  request1
  T -> M(R):  h(ID_i), N, h_{ID_i}(N)
  R -> M(T):  request2
  M(T) -> R:  h(ID_i), N, h_{ID_i}(N)   (replayed)
The attacker M first plays the reader towards the tag, then plays the tag towards the genuine reader. Nothing in the tag's answer depends on the reader, so the recorded answer is accepted as long as the DB still holds ID_i.
Lightweight RFID Crypto Protocol: database desynchronization
  M(R) -> T:  request1
  T -> M(R):  h(ID_i), N, h_{ID_i}(N)
  T updates its ID to ID_{i+1}
  R -> T:     request2
  T -> R:     h(ID_{i+1}), N', h_{ID_{i+1}}(N')
But the DB still expects ID_i, so the lookup on h(ID_{i+1}) fails.
Lightweight RFID Crypto Protocol: add reader authentication
  R -> T: request, N_R
  T -> R: h(ID_i), N_T, h_{ID_i}(N_T, N_R)
  R -> T: h_{ID_{i+1}}(N_T, N_R)
Still open to man-in-the-middle attacks; desynchronization by blocking the last message.
Attack surface considered:
- Attack on the tag
- Attack on the reader
- Attack on the communication
- User privacy
- Location privacy
- Physical attack: possible, but forward privacy holds
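The replay and desynchronization scenarios above, and the effect of adding reader authentication, simulated end to end. This is an added example, not code from the slides or from Dimitriou's paper; SHA-1 and HMAC-SHA-1 follow the slides, while the 8-byte nonce length, the tag IDs and the dict-based back end are assumptions made for the simulation.

```python
"""Hash-chain RFID protocol from the slides, two-message and three-message
forms, with the attacks described against each (added example)."""
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    """Public hash h(.) of the slides; the next ID is ID_{i+1} = SHA-1(ID_i)."""
    return hashlib.sha1(x).digest()


def h_id(key: bytes, *parts: bytes) -> bytes:
    """h_{ID}(.) of the slides: HMAC-SHA-1 keyed with the current tag ID."""
    return hmac.new(key, b"".join(parts), hashlib.sha1).digest()


class Tag2:
    """Two-message protocol: T -> R: h(ID_i), N, h_{ID_i}(N), then roll the ID."""

    def __init__(self, id0: bytes):
        self.id = id0

    def respond(self):
        n = os.urandom(8)            # must be random: a counter or timestamp is linkable
        msg = (h(self.id), n, h_id(self.id, n))
        self.id = h(self.id)         # forward privacy: the old ID is erased
        return msg


class Tag3:
    """Three-message protocol: the answer binds the reader nonce N_R and the
    tag rolls its ID only after verifying h_{ID_{i+1}}(N_T, N_R)."""

    def __init__(self, id0: bytes):
        self.id = id0

    def respond(self, n_r: bytes):
        self.n_t, self.n_r = os.urandom(8), n_r
        return h(self.id), self.n_t, h_id(self.id, self.n_t, n_r)

    def finish(self, auth: bytes) -> bool:
        nxt = h(self.id)
        if hmac.compare_digest(auth, h_id(nxt, self.n_t, self.n_r)):
            self.id = nxt
            return True
        return False


class Backend:
    """Reader plus DB: table indexed by h(ID_i), rolled forward on success."""

    def __init__(self, ids):
        self.table = {h(i): i for i in ids}

    def _lookup(self, hid, mac, *nonces):
        id_i = self.table.get(hid)
        if id_i is None or not hmac.compare_digest(mac, h_id(id_i, *nonces)):
            return None
        nxt = h(id_i)
        del self.table[hid]
        self.table[h(nxt)] = nxt     # DB now expects ID_{i+1}
        return nxt

    def verify2(self, hid, n, mac) -> bool:
        return self._lookup(hid, mac, n) is not None

    def verify3(self, hid, n_t, n_r, mac):
        """Return the reader's third message, or None if the tag is rejected."""
        nxt = self._lookup(hid, mac, n_t, n_r)
        return None if nxt is None else h_id(nxt, n_t, n_r)


def replay_two_message() -> bool:
    """M(R) records one tag answer, then M(T) replays it to the real reader."""
    tag, db = Tag2(b"tag-1"), Backend([b"tag-1"])
    captured = tag.respond()             # M(R) -> T: request1; T -> M(R): answer
    return db.verify2(*captured)         # M(T) -> R: replay; accepted -> True


def desync_two_message() -> bool:
    """A rogue query rolls the tag to ID_{i+1}; the DB still holds ID_i."""
    tag, db = Tag2(b"tag-2"), Backend([b"tag-2"])
    tag.respond()                        # rogue request1, answer discarded
    return db.verify2(*tag.respond())    # genuine request2: lookup fails -> False


def replay_three_message() -> bool:
    """Same replay against the reader-authenticated variant."""
    tag, db = Tag3(b"tag-3"), Backend([b"tag-3"])
    hid, n_t, mac = tag.respond(os.urandom(8))        # MAC bound to the rogue N_R
    return db.verify3(hid, n_t, os.urandom(8), mac) is not None   # fresh N_R -> False


def honest_three_message() -> bool:
    tag, db = Tag3(b"tag-4"), Backend([b"tag-4"])
    n_r = os.urandom(8)
    hid, n_t, mac = tag.respond(n_r)
    return tag.finish(db.verify3(hid, n_t, n_r, mac))   # both sides roll -> True


def desync_three_message() -> bool:
    """Attacker blocks the last message: DB rolled to ID_{i+1}, tag did not."""
    tag, db = Tag3(b"tag-5"), Backend([b"tag-5"])
    n_r = os.urandom(8)
    hid, n_t, mac = tag.respond(n_r)
    db.verify3(hid, n_t, n_r, mac)       # DB accepts and rolls; reply never reaches T
    n_r2 = os.urandom(8)
    hid, n_t, mac = tag.respond(n_r2)    # tag still answers with ID_i
    return db.verify3(hid, n_t, n_r2, mac) is None   # desynchronized -> True
```

Binding N_R defeats the offline replay because the recorded MAC was computed over the attacker's nonce, not the genuine reader's. A live relay, where the attacker forwards the real reader's N_R to the tag and the tag's answer back within the same session, still succeeds; that is the man-in-the-middle case the slides leave open, and dropping the third message of that session is exactly the desynchronization shown in the last function.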
Lightweight?
- Random number generator
- HMAC
- Memory (the padding for HMAC alone is already 1024 bits!)
- Secure deletion
- R/W storage
...not really, or not enough for many tags.
Tag Deactivation
- Permanent tag deactivation: tag removal/destruction; SW-based killing
- Temporary tag deactivation: Faraday cages; SW-based sleep/wake
Better Solutions
- Blocker tags: selective jamming
- Intermediary device (e.g. RFID Guardian): fine-grained, selective and flexible jamming
Tree-walk Singulation
(Figure: binary prefix tree over 3-bit IDs 000 ... 111; tags present: 001, 011, 110.)
The reader performs a depth-first search over the prefix tree. It queries prefix 0: tags 001 and 011 both answer, so there is a collision and the reader descends to prefixes 00 and 01, singulating 001 and then 011. It then queries prefix 1, where only 110 answers, and walks down to it without further collisions.
How the Blocker Tag works
A. Juels, R. L. Rivest and M. Szydlo, "The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy", in V. Atluri, ed., 8th ACM CCS, pp. 103-111, ACM Press, 2003.
(Figure: the same prefix tree; tags present: 011, 010, 100.)
- Full blocker, simulating every ID (***): the blocker answers both 0 and 1 to every prefix query, so the reader sees a collision at every node and has to walk the entire tree: 2^64 attempts for 64-bit IDs.
- Selective blocker (private zones), simulating 1**: only the subtree of IDs starting with 1 is blocked; 010 and 011 are singulated normally.
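Tree-walk singulation with no blocker, a full blocker and a selective blocker, simulated over the same 3-bit tree the figures use. This is an added example, not code from the slides or from the blocker-tag paper; the query model (a tag answers a prefix query with its next ID bit, the blocker answers both bits inside its zone) is an assumption that captures the collision behaviour the slides describe.

```python
"""Tree-walk singulation against plain tags and a blocker tag (added example).
IDs are short bit strings so the full-blocker blow-up is visible; with
64-bit EPCs the same walk needs 2^65 - 1 queries."""


class Tag:
    """Answers a prefix query with its next ID bit ("" once fully read)."""

    def __init__(self, tag_id: str):
        self.id = tag_id

    def reply(self, prefix: str) -> set:
        if not self.id.startswith(prefix):
            return set()
        return {self.id[len(prefix):len(prefix) + 1]}


class Blocker:
    """Simulates every ID matching a pattern: "***" blocks all IDs,
    "1**" blocks only the privacy zone of IDs starting with 1."""

    def __init__(self, zone: str):
        self.zone = zone

    def reply(self, prefix: str) -> set:
        if len(prefix) > len(self.zone):
            return set()
        if any(z not in ("*", b) for z, b in zip(self.zone, prefix)):
            return set()            # prefix lies outside the zone: stay silent
        if len(prefix) == len(self.zone):
            return {""}             # a phantom tag "exists" at this leaf
        nxt = self.zone[len(prefix)]
        return {"0", "1"} if nxt == "*" else {nxt}   # both bits = forced collision


class Reader:
    """Depth-first tree walk: on a collision (both bits seen) descend into both
    subtrees, on a single bit follow it, at a leaf record the ID."""

    def __init__(self, responders):
        self.responders = responders
        self.queries = 0

    def singulate(self, prefix: str = "") -> list:
        self.queries += 1
        bits = set().union(*(r.reply(prefix) for r in self.responders))
        if "" in bits:
            return [prefix]
        found = []
        for b in sorted(bits):
            found += self.singulate(prefix + b)
        return found


def run(tag_ids, zone=None):
    """Return (sorted IDs the reader believes it read, number of queries)."""
    responders = [Tag(t) for t in tag_ids]
    if zone is not None:
        responders.append(Blocker(zone))
    reader = Reader(responders)
    return sorted(reader.singulate()), reader.queries


if __name__ == "__main__":
    print("no blocker:       ", run(["001", "011", "110"]))
    print("full blocker ***: ", run(["011", "010", "100"], "***"))
    print("selective 1**:    ", run(["011", "010", "100"], "1**"))
```

With the full blocker the reader "reads" all eight IDs in 15 queries, five of them phantoms, which is the 2^k blow-up the slide quotes as 2^64 attempts. With the selective blocker the two tags in the public zone (010, 011) are read in the normal number of steps, while the real tag 100 is hidden among the four phantom IDs of the 1** zone.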
RFID Guardian
M. Rieback, B. Crispo and A. S. Tanenbaum, "RFID Guardian: A Battery-Powered Mobile Device for Personal RFID Privacy Management", ACISP 2005.
- A blocker tag is subject to differential power analysis, whereas the Guardian uses a randomly modulated jamming signal.
- Fine granularity and flexible definition of privacy zones.
- Access Control Lists allow rich privacy policies.
- The Guardian is mobile and battery powered.
RFID Guardian - ACL Example

  Action  Source    Target  Command          Comment
  block   *         MYTAGS  *                Suppress all queries targeting the user's tags
  allow   Home      MYTAGS  *                The home system can query the user's tags
  allow   Wal-Mart  MYTAGS  Read data block  Wal-Mart can read (not write) data from the user's tags
  allow   *         *       *                All queries to other RFID tags are OK
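An evaluator for the ACL above, added here as an example and not the Guardian's own code. The slide lists the rules but not how they are matched, so the semantics are an assumption: the most specific matching rule (fewest wildcards) decides, an earlier rule wins ties, and a query no rule matches is blocked. The EPC identifiers and the MYTAGS membership are constructed for the example.

```python
"""Most-specific-match evaluation of an RFID Guardian-style ACL (added example)."""
from dataclasses import dataclass

WILDCARD = "*"

# Constructed tag-set membership; the Guardian maintains this list itself.
MY_TAG = "urn:epc:id:sgtin:0614141.107346.2017"
OTHER_TAG = "urn:epc:id:sgtin:0614141.812345.4000"
TAG_SETS = {"MYTAGS": {MY_TAG}}


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "block"
    source: str    # reader identity, or "*"
    target: str    # tag-set name, or "*"
    command: str   # RFID command, or "*"
    comment: str = ""

    def matches(self, source: str, tag_id: str, command: str) -> bool:
        src_ok = self.source in (WILDCARD, source)
        tgt_ok = self.target == WILDCARD or tag_id in TAG_SETS.get(self.target, set())
        cmd_ok = self.command in (WILDCARD, command)
        return src_ok and tgt_ok and cmd_ok

    def specificity(self) -> int:
        """Number of non-wildcard fields; higher means a narrower rule."""
        return sum(f != WILDCARD for f in (self.source, self.target, self.command))


# The ACL from the slide, in slide order.
ACL = [
    Rule("block", "*", "MYTAGS", "*", "Suppress all queries targeting user's tags"),
    Rule("allow", "Home", "MYTAGS", "*", "Home system can query user's tags"),
    Rule("allow", "Wal-Mart", "MYTAGS", "Read data block", "Wal-Mart can read (not write) data"),
    Rule("allow", "*", "*", "*", "All queries to other RFID tags are OK"),
]


def decide(acl, source: str, tag_id: str, command: str) -> str:
    """Most-specific-match: the narrowest matching rule decides; default deny."""
    best = None
    for rule in acl:
        if rule.matches(source, tag_id, command):
            if best is None or rule.specificity() > best.specificity():
                best = rule          # strict '>' keeps the earlier rule on ties
    return best.action if best else "block"


def decide_first_match(acl, source: str, tag_id: str, command: str) -> str:
    """Plain first-match, for comparison: with the slide's ordering the blanket
    block rule shadows the Home and Wal-Mart exceptions."""
    for rule in acl:
        if rule.matches(source, tag_id, command):
            return rule.action
    return "block"


if __name__ == "__main__":
    queries = [("Home", MY_TAG, "Read data block"),
               ("Wal-Mart", MY_TAG, "Read data block"),
               ("Wal-Mart", MY_TAG, "Write data block"),
               ("Unknown", MY_TAG, "Read data block"),
               ("Unknown", OTHER_TAG, "Write data block")]
    for q in queries:
        print(q, "->", decide(ACL, *q), "| first-match:", decide_first_match(ACL, *q))
```

The comparison function makes the point a practitioner should check before deploying such a policy: under first-match semantics the slide's rule order would block the home system as well, so either the evaluator must prefer the narrower rule, as here, or the block rule must be listed after the exceptions.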
RFID Guardian: other functionality
- Cryptographic helper: performs crypto operations on behalf of tags (e.g., authentication)
- Key management
- Works as a reader as well as a tag, so it can query the environment for tags
- Auditing
Usage scenario: going shopping
Step 1: RFID Guardian and RFID reader perform mutual authentication.
Step 2: The RFID reader issues queries to tagged items.
Step 3: The RFID Guardian listens to the queries and adds the tags to an ownership list.
Step 4: The RFID reader sends encrypted sleep/quiet mode keys to the RFID Guardian.
Step 5: The RFID Guardian uses the sleep/quiet mode keys immediately to deactivate some of the RFID tags.
Key Management
- Tags may change owner several times during their lifetime: Wal-Mart -> Alice -> Alice's boyfriend.
- The readers that will be authorized to query a tag are not always known in advance.
- How to look up the right key without knowing the tag ID?
- Sleep/wake passwords.
- Hard to update key material after deployment.
- Revocation (e.g., passports).
Denial of Service
- Jamming
- Tag destruction
- EPC Networks create a whole series of critical dependencies (e.g., the ONS)
Conclusions
- Key management is still the biggest problem to solve.
- Need for a security framework that works with different types of tags.
- User interfaces: it is still not clear how people will interact with tags once they are truly ubiquitous.
- Malware: tightly coupling the cyber world with the real world can have disastrous consequences.
Acknowledgements
- Melanie Rieback and Andrew Tanenbaum, VU; http://www.rfidguardian.org
- Kaspersen, VU (Law Dept.)
- Georgi Gaydadjiev, TU Delft
- Philips ...