RFID Security - Part 1: RFID radio basics & architecture

The multitude of questions regarding RFID applications are influenced by the policy decisions of implementing certain applications, and by the philosophical and religious outlook of the parties involved. Generally, those matters are not discussed, except where a security decision directly influences a privacy policy.

We often embrace new technology without understanding the security issues. We tend to cast a cynical eye at marketers' hyperbole concerning performance. Even so, sometimes we fail to be cynical regarding security claims (or lack thereof) surrounding new technology.

Security is often considered secondary to other issues of certain technologies. RFID is being used in multiple areas where little or no consideration was given to security issues.

Although RFID is a young technology, the security of some RFID systems has already been compromised. In January 2005, the encryption of ExxonMobil's SpeedPass and the RFID POS system was broken by a team of students (as an academic exercise at Johns Hopkins University), because common rules concerning strong encryption were not followed.

In February 2006, Adi Shamir, professor of Computer Science at the Weizmann Institute, reported that he could monitor power levels in RFID tags using a directional antenna and an oscilloscope. He said that patterns in the power levels can be used to determine when password bits are correctly and incorrectly received by an RFID device. Using that information, an attacker can compromise the Secure Hashing Algorithm 1 (SHA-1), which is used to cryptographically secure some RFID tags.

According to Shamir, a common cell phone can conduct an attack on RFID devices in a given area. (Shamir coauthored the Rivest, Shamir, & Adleman (RSA) public-key encryption in 1977.)

Recently, a group at Amsterdam's Free University in the Netherlands created RFID viruses and worms as a "proof of concept." This group fit a malicious program (malware) onto the memory area of a programmable RFID chip (i.e., a tag). When the chip was queried by the reader, the malware passed from the chip to the backend database, from where the malware could be passed to other tags or used to carry out malevolent actions. The exploits employed, including Structured Query Language (SQL) and buffer overflow attacks, are generally used against servers.

Because RFID is based on radio waves, there is always the potential for unintended listeners. Even with the lowest powered radios, the distance that a signal travels can be many times more than considered the maximum (e.g., at the DefCon 13 security convention in Las Vegas, Nevada, in July 2005, some consultants received a response from an RFID device from 69 feet away, which is a considerable distance for a device designed to talk to its reader at less than 10 feet).

Additionally, radio waves can move in unexpected ways; they can be reflected off of some objects and absorbed by others. This unpredictability can cause information from an RFID tag to be read longer than intended, or it can prevent the information from being received.

The ability to receive RFID data further away than expected opens RFID to sniffing and spoofing attacks.

Being able to trigger a response from a tag beyond the expected distance makes RFID systems susceptible to denial-of-service (DOS) attacks, where radio signals are jammed with excessive amounts of data that overload the RFID reader.

Radio jamming, where the frequency is congested by a noisy signal, is still a destructive force to be considered when using modern RFID systems.

Much of the increased visibility of RFID within the last few years has been influenced by two things:

• In June 2003, Wal-Mart announced that it would begin using RFID in its supply chain by January 2005. A group of approximately 100 Wal-Mart vendors were selected to use RFID at the company's distribution centers. Those companies will use RFID-enabled cases and pallets, which will be scanned at the point of reception and departure from a given distribution center.

• The decision by the United States Department of Defense (DoD) to use RFID to improve data quality and management of inventories. In October 2003, the U.S. Acting Under-Secretary of Defense, Michael W. Wynne, issued a memo requiring military suppliers to use RFID tags on shipments to the military by January 2005. The goal is to have a real-time view of all materials. The DoD has been using RFID to track freight containers since 1995. With a reported inventory of over $80 billion spread over much of the world, the ability to have a real-time view of the location of materials is a requirement.

The widespread use of RFID by both Wal-Mart and the DoD will make other people, companies, and groups aware of the benefits of using RFID. Also, their combined demand ensures that there will be an increase in RFID research and development, and a lowering of the overall prices of RFID equipment. Figure 24.1 shows various types of RFID tags.

As costs are driven down, other large retailers (e.g., Best Buy and Target) are starting to use RFID at the pallet level, or have RFID systems in the planning stage. The costs are low enough so that smaller RFID units are attainable to hobbyists. Figure 24.2 is a photo of an RFID reader.