Defence Research and Development Canada
Recherche et développement pour la défense Canada
RFID Security and Privacy Issues and Countermeasures
Dr. Qinghan Xiao
Defence R&D Canada – Ottawa
November 13, 2009
Defence R&D Canada – Ottawa • R & D pour la défense Canada – Ottawa
Defence R&D Canada
• Defence R&D Canada is an agency of the Canadian Department of National Defence responding to the scientific and technological needs of the Canadian Forces
• The agency is made up of seven research centres located across Canada
Network Information Operations Section
• Attack Detection and Analysis
– Situational awareness of the information technology infrastructure
– Network traffic analysis
• Secure Mobile Networking
– Secure Ad-hoc Peer-to-Peer Networking
– Secure Wireless LANs
• Information Protection and Assurance
– Secure access control capability
– Biometrics
– RFID
Outline
• Overview of Security Risks with RFID
– Three areas of concern
• RFID Vulnerabilities
– Unauthorized reading/writing, trigger device, etc.
• Type of Attacks
– Reverse engineering, eavesdropping, etc.
• Privacy Issues
– Tracking and tracing, profile a person’s habits, etc.
• Countermeasures
– Authentication, encryption, etc.
Contactless Technologies
RFID Class | Description | Applications | Memory Types | Range
Proprietary (125kHz) | Basic RFID, Passive | Access, Inventory | ROM, EPROM | ~ 1 meter
EPC Global/ISO18000 (900MHz – 2.45GHz) | Basic RFID, Passive | Tolling, Inventory | ROM, EPROM | ~ 10 meters
ISO/IEC 15693 (13.56MHz) | Smart Label, Passive | Access, Inventory, Electronic Ticketing | ROM, RAM, EEPROM, FRAM | ~ 1 meter
ISO/IEC 14443 A/B (13.56MHz) | Microcontroller, Passive | Access, Payment | ROM, RAM, EEPROM, FRAM | ~ 10 cm
Active RFID (303MHz – 2400MHz) | Microcontroller, Active | Inventory, Tolling | ROM, RAM, EEPROM | ~ 100 meters +
Security Risks with RFID
Information Attacks (malicious virus introduction)
Network-Based Risks are related to traditional network security risks and need to be addressed by the IA community
Tag cloning risks become important as the government and companies increasingly take advantage of automatic identification technologies
Attack risks introduced by adopting RFID technology
Networked Reader Attacks
RFID-Induced Network Risks
Monitoring the Air Interface
Data Integrity on the Tag (encryption of data on tags)
Blocking Access to Tags
Permanently Disabling Tags (kill tags)
System Interface (Hospital)
RF Saturation and Jamming
Targeting (Trigger device)
Tracking
RFID Security
Risks
High Level Security Vulnerabilities
1. Unauthorized Reading of Tag Data
2. Unauthorized Writing of Tag Data
3. Insertion of Rogue/Counterfeit Tags
4. Tag Destruction/Disabling
5. Degradation of Tag Data Collection
6. Electromagnetic Interference from RFID Tags
7. Tags Leak Electronic Information
8. RFID Reader as a Platform for Attack
9. RFID Tag used as a Trigger Device
10. Destructive Electromagnetic Emission
RFID Security ‘The Dark Side’
Reference [1]
The Dark Side
RFDUMP — is a tool that allows you to not only read RFID tags within range, but more worryingly, you can actually change and alter the data stored in the RFID tag
Spectrum Interference — not only degrades the read range between a reader and an object, but also corrupts data packets being sent back and forth
RFID Washer — finds RFID tags and “electronically washes” them
RFID Blocking System — was originally developed to protect user privacy. For example, the RSA Blocker Tag is a specially designed RFID tag built into shopping bags that launches a denial-of-service attack to prevent RFID readers from reading any tags that might be attached to items in the bag
Tag Hacking Systems — use different methods to defeat RFID based systems
Example 1: RFDUMP has been demonstrated to change the book price, and even upload hotel room key card data to the price chip on a box of cream cheese from the Future Store in Germany
Example 2: The Johns Hopkins lab has successfully performed a “brute-force” attack on TI’s RFID cipher in only 30 minutes
Attack Points
Denial of service
Transmission attack
Reverse engineering
Power attack
Deliver virus to compromise middleware and backend systems
Type of Attacks on RFID Tags
Internal Attacks
• Direct physical attacks
• Reverse engineering
• Physical modification
• Direct data observation
Information Leakage
• Power analysis
• Electromagnetic analysis
Device Malfunction
• Operational range and sensor range
Fault Injection
• Voltage manipulation
• Optical fault injection
Software Attacks
• Viruses
• Trojan horses
Eavesdropping
• Wireless transmission
• Monitoring of reader
Device Destruction
• Physical destruction
• EM destruction
RFID Threat Categories
System security is compromised
Make the tags not detectable by reader
Denial of Service
DoS, Unauthorised killing of tag, Jamming/shielding
Gather Mimic
Skimming, Eavesdropping, Data tampering
Eavesdropping, Spoofing, Cloning, Malicious code
Tag Reader
Reference [2]
RFID Physical Elements
Logic
Bonding Pads RF Front End Memory
Reference [3]
Reverse Engineering
• Reverse engineering is the process of taking something apart to discover how it works
• Reverse engineering an integrated circuit can be rated as three different levels:
– Level I: A knowledgeable individual with low cost and easily available tools to analyze end user products such as phone cards, debit cards and set top boxes
– Level II: A highly knowledgeable individual (often with inside knowledge) with access to expensive lab equipment
– Level III: A government backed lab with unlimited resources
An Example of Reverse Engineering — Circuit Images
Reference [4]
Reverse Engineer Circuit
Reference [4]
Logic Gates
Reference [3]
Countermeasures
• A FIPS standard refers to chip coatings as an anti-reverse engineering method to prevent attacks
• Various tamper proof techniques have been developed to defend against reverse engineering attacks
– For instance, by adding a tamper-release layer to RFID tags, operations personnel can be alerted if a tag has been tampered with
Information Leakage
• All electronic devices ‘leak’ information through side channels such as power consumption or electromagnetic emissions
• Monitoring these side channels and performing differential analysis can reveal sensitive information
• Power analysis is a form of side-channel attack that is intended to retrieve information by analyzing changes in the power consumption of a device
Power Analysis
[Figure: power consumption signal annotated with Hamming weights W1 = 7, W2 = 5, W3 = 4, W4 = 4, …]
• It has been proven that the power emission patterns are different when the card receives correct and incorrect password bits or cryptographic keys
Fault Injection
• By introducing a fault, most likely a voltage pulse, it is possible to cause the device to malfunction in an undesirable way
• Faults can cause devices to dump memory contents or jump over security features
• Fault injection is a very powerful attack if correct fault parameters are discovered
• The method can also be used to exploit any number of vulnerabilities
Countermeasures
• The common methods used to defeat power analysis attacks are filtering or adding an element of randomness
– Filtering power signals or delaying the computation randomly can increase the difficulty for the attacker to identify the power consumption patterns
• Another method implemented in some smart card designs is adding an element that simply consumes a random amount of power
– Unfortunately, this approach may cause a problem for RFID systems where minimizing power consumption is a priority
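The effect of the random-delay countermeasure described above, as an added simulation that is not part of the original slides. The trace model (a spike of height equal to the Hamming weight of the processed byte, Gaussian noise, the sample positions and the function names) is a constructed assumption; it shows how the correlation an observer sees at a fixed sample drops once the computation is delayed randomly, which raises the measurement effort rather than removing the leak.

```python
import math
import random

LEAK_INDEX = 4      # constructed: sample at which the data-dependent operation runs
TRACE_LEN = 16      # constructed: samples per simulated trace
NOISE_SIGMA = 0.5   # constructed: measurement noise (standard deviation)


def hamming_weight(value):
    """Number of 1 bits in value (the slide's W1 = 7, W2 = 5, ... are such weights)."""
    return bin(value).count("1")


def power_trace(byte, rng, max_delay):
    """One simulated trace: noise on every sample plus a spike of height
    HW(byte), placed at LEAK_INDEX shifted by a random delay in [0, max_delay]."""
    trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(TRACE_LEN)]
    delay = rng.randint(0, max_delay)
    trace[LEAK_INDEX + delay] += hamming_weight(byte)
    return trace


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y)


def leakage_at_fixed_sample(max_delay, n_traces=2000, seed=1):
    """Correlation between HW(processed byte) and the power sample at
    LEAK_INDEX, over n_traces simulated measurements."""
    rng = random.Random(seed)       # seeded so the result is repeatable
    weights, samples = [], []
    for _ in range(n_traces):
        byte = rng.randrange(256)
        weights.append(hamming_weight(byte))
        samples.append(power_trace(byte, rng, max_delay)[LEAK_INDEX])
    return pearson(weights, samples)


if __name__ == "__main__":
    print("no random delay:   r = %.2f" % leakage_at_fixed_sample(0))
    print("delay of 0..8:     r = %.2f" % leakage_at_fixed_sample(8))
```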
Device Destruction
• Physical destruction or disabling of the device
– Cut antennae from chip, disable in microwave
– Passive RFID tags can be destroyed in a high electric field
– RFID-Zapper is an easy-to-build electronic device that can permanently deactivate passive RFID tags
Software Attacks
• Types of software attack include:
– Virus: can steal data and damage RFID system
– Trojan Horse: can allow someone to take control of the RFID system
• Software attack is not very applicable to a basic RFID tag, but focuses more on systems or higher functioning mobile devices
The World's First Virally-Infected RFID Tag Vrije Universiteit Amsterdam
Reference [5]
Eavesdropping
Forward range
Backward range
Reader
Eavesdropper
Passive Eavesdropping
• Listen to communication between a tag and reader
• Works when the tag is already being powered by a legitimate reader
• Performed by a third party in either the operating range, the backward channel eavesdropping range or the forward channel eavesdropping range
Active Eavesdropping (Scanning)
• Power the tag and analyze the response
• This can be performed at an extended read range
Eavesdropping is Simple but Efficient
• Credit Cards
– Reported cases of personal information sent in the clear
• e-Passports
– Some issues surrounding the entropy of the key
• Travel/Ticketing
– Mifare Classic Crypto-1 reverse engineered
• Access Control
– When using simple IDs or minimal crypto
Countermeasures
• Countermeasures against eavesdropping include establishing a secure channel and/or encrypting the communication between tag and reader
• Another approach is to only write the tag with enough information to identify the object
– The identity is used to look up relevant information about the object in a back end database, thus requiring the attacker to have access to both the tag and the database to succeed in the attack
Man-in-the-Middle Attack
Message
Message
Alice Sends Message to Bob
Reference [6]
Alice Bob
Eve
Eve Eavesdropped the Message
Alice Bob
Message
Eve
Eavesdropping
Eve Interrupts the Communication Path and Manipulates the Information
Alice Bob
Message
Eve
Eavesdropping
Disturb
Countermeasures
• Several technologies can be implemented to reduce MITM threats
– Encrypting communications
– Sending information through a secure channel
– Providing an authentication protocol
Relay Attack
• Wireless communication
• No link between authenticating object (tag) and service receiver (tag holder)
– Attacker A initiates service
– Attacker A relays queries to tag to attacker B
– Attacker B sends queries to victim’s tag
– Attacker B relays answers back to attacker A
– Attacker A answers queries
Reference [7]
Replay Attack
• Intercept communication between a reader and a tag to capture a valid RFID signal
• At a later time, the recorded signal is re-played into the system when the attacker receives a query from the reader
• Since the data appears valid, it will be accepted by the system
Countermeasures
• The most popular solution is the use of a challenge and response mechanism to prevent replay attacks
• Time-based and counter-based schemes can also be used as countermeasures against replay attacks
Cloning
• Cloning is defined as duplicating the data of one tag to another tag
• Data acquired from a tag, by whatever means, is written to an equivalent tag
• Normally only digital properties (e.g. EPC, transponder ID number, PIN code, secret keys etc.) are considered
• This tag is then used to simulate the identity of the original tag
Countermeasures
• Cloning Resistance is the property of a tag that defines the amount of effort that has to be expended in order to clone the tag. It can consist of a combination of logical obstacles (e.g. breaking of an encrypted message) and physical obstacles (e.g. reading a certain part of the tag memory)
• Tags can be made hard to clone by using read protected memories or factory programmed unique transponder ID numbers
A Prox-card Cloner
Tracking Attack
• Tracking the movement of people
• Monitoring and profiling people’s belongings
• Used for identification
– Attacker can recognize people based on the RFID tags they are carrying
– Attacker could trace RFID enabled packages
Tracking People via Their Objects
Reference [8]
Countermeasures
• An easy method to disable tracking is to deactivate the RFID tags, which is known as “killing” the tag
• Blocker Tag
– Cover RFID tags with protective mesh or foil
• Clipper Tag
– Allow consumers to tear off the antenna of an RFID tag
Cracking Crypto-enabled RFID
• Reverse engineering: The encryption algorithm can be reverse engineered through flawed authentication attempts, by sending RFID devices carefully chosen electronic queries and recording the responses of the devices
• Post-processing: Analyze the response information to get clues as to what is happening inside the microchip, which makes it possible to reconstruct the encryption algorithm
• Key cracking: Once the algorithm is known, the keys can be figured out by brute force attack, i.e. simply trying all possible keys
• Simulation: After obtaining the key (and serial number), it is possible to create a clone tag
Supply Chain vs. Passport RFID
• Supply Chain RFID
– simple
– cheap
– no support for cryptography
– single identifier (kill command: renders tag inoperable)
– read range ≥ 1 meter
• Passport RFID
– tamper resistance
– Cryptography
– shorter intended read range
UK ePassport
• The cover of the ePassport looks only slightly different
• This chip will be put on the back of the personal information page
• It will hold the scan of the holder’s facial features embedded in the chip
Is Passport Card Secure?
• The first video created by Chris Paget demonstrates how to use a low-cost mobile device to read and clone RFID tags embedded in United States passport cards and enhanced drivers' licenses
• The second video is a story by David Reid for BBC World showing how to clone Europe's new “secure” e-passport
Trigger Attack
• A trigger attack can be carried out by sensing the presence of an RFID device
• It is not about identity theft, but about the possibility of using RFID as a trigger for weapons/explosives
Reference [9]
Protest at Texas Wal-Mart (Photo by Bill Bryant)
Privacy Diamond
Reference [10]
Tracking and Tracing
Reference [8]
Major Threats to Privacy through RFID
• Unauthorized readout of one’s belongings by others
• Tracking people via their objects over time
• Retrieving social networks
• Individual profiling
A Technical Perspective
Tag interpretation
Immediate response
RFID technology
Reference [11]
Tag interpretation
Data accumulation
Delayed response
Database technology
A Technical Perspective (cont.)
Data mining / data sharing
A Technical Perspective (cont.)
Tag interpretation
Data accumulation
Shared databases
Response may be out of context
A Data Protection Perspective
Tag interpretation
Doesn’t necessarily involve personal data…
… though it may trigger the creation of personal data…
… and there might be other privacy implications as well.
A Data Protection Perspective (cont.)
Tag interpretation
Data accumulation
Identifier
Personal data
A Data Protection Perspective (cont.)
Tag interpretation
Data accumulation
Data mining / data sharing
Identifier
Personal data
An “Application” Perspective
Tag interpretation
An “Application” Perspective (cont.)
Tag interpretation
An “Application” Perspective (cont.)
Tag interpretation
…card-carrying communist…
…works at animal testing lab…
…expensive watch…
… ‘gold’ credit card…
Profiling based on combination of tags…
… combination of tags may identify the individual…
… and some tags might say the darndest things.
Countermeasures: Faraday Cage
RFID Shield
Reference [12]
Tin Foil Cloth
Threat-Countermeasure Mapping
Reverse Engineering
Power Analysis
Eavesdropping
Man-in-the-Middle
Cloning
Unauthorized Reading
Unauthorized writing/modification
Jamming Transmitters
Spoofing
Replay
Virus
Tracking
Misuse Kill Command
Blocking tag
Bounds Checking & Parameter Binding
Detaching Tag from Tagged Item
Optical Tamper Sensor
Chip Coating
Randomization
Encryption
Authentication
Recognizing Duplicates
Install Field Detectors
Use Read-only Tags
Frequency Division/Hopping
Shift Data to the Backend
Challenge and Response
Kill Function
Alarm Function for Active Tags
Mechanical Connection
Can be detected, but no countermeasure method
Authentication/Authorization Using Secrets
Who are you?
ID=#5187230
Generate random number r
Prove it by encrypting r
Compute x = E_K(r)
x
Check x = E_K(r)
Reference [4]
Encryption
• E is an encryption function: algorithm for scrambling bits in a way that depends on K
• K is a secret key shared between card and reader (backend database)
x = E_K(r)
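The exchange on the two slides above, which is also the challenge and response mechanism named earlier as the countermeasure to replay attacks, as an added Python example that is not part of the original presentation. HMAC-SHA256 stands in for E_K (the slides name no cipher), and the Tag and Reader classes, the key database and the keys are assumptions; only the ID comes from the slide.

```python
import hashlib
import hmac
import secrets


def E(key: bytes, r: bytes) -> bytes:
    """Keyed function standing in for the slide's E_K(r) (assumption: HMAC-SHA256)."""
    return hmac.new(key, r, hashlib.sha256).digest()


class Tag:
    """Tag side: holds its ID and the shared secret K (hypothetical class)."""

    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, r: bytes) -> bytes:
        return E(self._key, r)                      # Compute x = E_K(r)


class Reader:
    """Reader plus backend key database (hypothetical class)."""

    def __init__(self, key_db: dict):
        self._key_db = key_db                       # tag ID -> K, kept in the backend
        self._pending = {}                          # tag ID -> outstanding challenge r

    def challenge(self, tag_id: str) -> bytes:
        r = secrets.token_bytes(16)                 # Generate random number r
        self._pending[tag_id] = r
        return r

    def verify(self, tag_id: str, x: bytes) -> bool:
        r = self._pending.pop(tag_id, None)         # each r is accepted once only
        key = self._key_db.get(tag_id)
        if r is None or key is None:
            return False
        return hmac.compare_digest(E(key, r), x)    # Check x = E_K(r)


def demo() -> dict:
    tag_id = "5187230"                              # the ID shown on the slide
    key = secrets.token_bytes(16)                   # constructed key
    tag = Tag(tag_id, key)
    reader = Reader({tag_id: key})

    # Genuine run; assume an eavesdropper records r1 and x1 off the air.
    r1 = reader.challenge(tag_id)
    x1 = tag.respond(r1)
    genuine = reader.verify(tag_id, x1)

    # Replay: the reader issues a fresh r, the recorded x1 is sent back.
    reader.challenge(tag_id)
    replayed = reader.verify(tag_id, x1)

    # The recorded x1 sent when no challenge is outstanding.
    unsolicited = reader.verify(tag_id, x1)

    # A tag that copies the ID but does not know K.
    clone = Tag(tag_id, secrets.token_bytes(16))
    cloned = reader.verify(tag_id, clone.respond(reader.challenge(tag_id)))

    return {"genuine": genuine, "replayed": replayed,
            "unsolicited": unsolicited, "cloned_id_only": cloned}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

A reader that accepts the bare ID has nothing comparable to check, which is why the slides list simple IDs under eavesdropping and cloning risks.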
Encryption as A Solution
• If all of the keys are different, how are they managed?
Reference [13]
Encryption as A Solution (cont.)
• If all of the keys are the same, how is it protected?
Reference [13]
NIST Guidelines on RFID Security
• NIST SP800-98: Guidelines for Securing Radio Frequency Identification Systems
• Goals and Objectives:
– Assist organizations in understanding RFID security risks and what security controls can help mitigate those risks
– Provide real world guidance on how to initiate, design, implement, and operate RFID systems that mitigate risks
– Provide security controls that are currently available on today’s market
– The document does not address the advanced authentication and cryptographic features that are incorporated in many smart card RFID systems
Reference [14]
RFID Guardian
• A mobile battery-powered device that offers personal RFID security and privacy management
• The goals of the project are to:
– Investigate the security and privacy threats faced by RFID systems
– Design and implement real solutions against these threats
– Investigate the associated technological and legal issues
Building Security into RFID
Consumer Device Reader RFID
Hash Function
Shared secret
Last date stamp
Response: Hash (RK + SS + DT)
Date stamp as nonce: DT
One-time-pad shield: RK + Hash (DT + SS)
Validation: Hash (RK + SS)
Reference [9]
Building Security into RFID (cont.)
• Each RFID holds multiple digital keys (typically 3-5)
• RFIDs have multiple modes determining response type to a request
• Consumer controls new OWNER key (used for Privacy Mode)
• Manufacturer keeps Authenticity Key for verifying originality etc.
• Using group keys to narrow in on context – dynamically customised
• Each key can be verified transparently without leaking identifiers
Advantages
• Full virtualisation of both verifier and RFID
– RFID can operate without leaking information
• Consumer gets control at purchase
• Strong anti-counterfeit even post-purchase
• Can maintain business confidentiality
• Solving “RFID as trigger” problem
Evaluating Security Risks
• To assess the risk of security threats, the Open Web Application Security Project (OWASP) identifies factors that contribute to security threat levels, including:
– Damage Potential
– Reproducibility
– Exploitability
– Affected users and
– Discoverability (DREAD)
• Although the DREAD model is targeted towards software security threats, it can be applicable for RFID security.
Reference [2]
The DREAD Model
For instance, the RFID DREAD model is defined as:
• Damage Potential: How much damage will be caused if a threat occurs?
• Reproducibility: How easy is it to reproduce the threat exploit?
• Exploitability: What is needed to exploit this threat?
• Affected Users: How many users will be adversely affected?
• Discoverability: How easy is it to discover this threat?
Risk Evaluation Algorithm
• The risk evaluation algorithm of DREAD model is defined as:
Risk_DREAD = (D + R + E + A + D) / 5
and is used to compute a risk value, which is an average of all five categories
A Few Concluding Points
• RFID is a technology, not a specific device
• Security and privacy are subtle and application dependent
• Security challenge often a function not of on-board security features
• Security and privacy are important issues in RFID applications
– 2002-2004: about 35 papers, mostly on privacy
– 2005-2009: about 350 papers (ad-hoc privacy, tag-reader communication, lightweight authentication protocol, etc.)
References
[1] Mark Norton, “RFID Security Issues”, Wireless/RFID Conference, Feb. 27-March 1, 2006.
[2] Jin Soon Tan, Tieyan Li, “RFID Security”, The Synthesis Journal 2008, pp. 33-48, published by Information Technology Standards Committee (ITSC), Singapore, Nov. 2008.
[3] G. MacGillivray and C. Sheehan, “RFID security”, Semiconductor Insights, RFID Security Issues Briefing to CANOSCOM, July 27, 2006.
[4] David Evans, “What Every Computer Scientist Should Know About Security”, University of Virginia. 2008.
[5] M.R. Rieback, B. Crispo, and A.S. Tanenbaum, “Is Your Cat Infected with a Computer Virus?,” Proc. 4th Ann. IEEE Int’l Conf. Pervasive Computing and Comm., IEEE CS Press, 2006, pp. 169–179.
[6] Ernst Haselsteiner and Klemens Breitfuss, “Security in Near Field Communication: Strengths and Weaknesses”, RFIDSec 06, July 13, 2006.
[7] Peter van Rossum, “Mifare Classic Troubles”, Invited Talks at the RFIDSec09, June 30 - July 2, 2009, Leuven.
[8] Sarah Spiekermann, “A Privacy Impact Assessment for RFID - A Proposal”, RFIDSec09, June 30 - July 2, 2009, Leuven.
[9] K. Mahaffey, “RFID Passport Shield Failure Demo – Flexilis”, http://www.youtube.com/watch?v=-XXaqraF7pI.
[10] Stephan J. Engberg, “The Changing Security Paradigm from Central Command & Control to Distributed Dependability & Empowerment”, at EU From RFID to the Internet of Things, Mar 6, 2006.
[11] “RFID and Privacy”, Lorentz Center, 26-28 March 2008.
[12] David Evans, “Feasible Privacy for Lightweight RFID Systems”, SPAR Seminar, Johns Hopkins University, 17 October 2007
[13] Simson Garfinkel, “RFID Security and Privacy”, October 5, 2005, http://www.oecd.org/dataoecd/18/53/35473108.pdf.
[14] Ajit Jillavenkatesa, “NIST, RFID Standards and Interoperability”, GRIFS Forum Meeting, June 30, 2009.
Thank you very much for your attention.
Mike Meranda, President of EPCglobal US: “You learn by doing, even though the technology is not perfect.”
Common RFID Attacks - Summary
• No clock, weak randomness
– replay attacks
• Low computational capacity
– cryptanalytic attacks
• Attacker controls tag
– side-channel attacks
• Wireless
– relay attacks
• Used for identification
– tracing attacks