RFID Security Issues - Generation 2 Security
RFID data security is important—Security is a critical issue that must be addressed correctly—from both a technical and business process point of view—to ensure widespread ubiquity of RFID technology.
RFID must meet the public demand for data security—The general public must perceive RFID technology as safe and secure to alleviate legitimate concerns about data security and personal privacy.
Today’s EPC security is acceptable for now—Current levels of data protection provided by the EPCglobal Generation 2 protocol represent an advance over previous protocols—and are acceptable for today’s limited RFID deployments within the supply chain.
The key security threats are to front-end RF communication—IP communication between RFID readers and the network is secure, thanks to standard IP network security solutions. The real threat is RF communication between tags and readers. These issues must be addressed by future protocols and additional research and development.
Data security threats take different forms—Rogue/clone tags, rogue/unauthorized readers, and side-channel attacks (interception of reader data by an unauthorized device) all threaten data security.
Future deployments will need new security and a new protocol—As deployment of RFID reaches the consumer-item level, new security enhancements will be needed, triggering a need for a new Generation 3 protocol.
Security comes at a cost—New security measures must balance effectiveness with cost and complexity implications.
Data security is an evolving story—Future generations of tag protocols will enable RFID to take security to a new level.
1. RFID Security: An Introduction
Identity theft, stolen credit card information, viruses, hackers, and other threats have raised data security—once an arcane topic relevant only to programmers—to high levels of public awareness. Keeping data secure is a vital concern for individuals, corporations, and governments. Data security is an issue that has broad implications for business practices and technology. And it’s a highly emotional issue—what could be more personal than your Social Security number, address, or personal preferences?
Increasing adoption of Radio Frequency Identification (RFID) technology opens a new frontier for data threats and data security measures. Broadly speaking, RFID includes a full spectrum of wireless devices of varying capabilities, power, and sophistication—including ExxonMobil SpeedPasses, vehicle immobilizers, Electronic Product Code (EPC) tags, and more. RFID tags are small, wireless devices that emit unique identifiers upon interrogation by RFID readers, which emit powerful electromagnetic fields and “read” tag information.
This white paper focuses on the simpler, low-cost EPC tags that are used increasingly to bring new efficiency to commercial supply chains—serving as a 21st-century evolution of bar codes. As implementations of RFID technology of this type become more widespread, ambitious, and ubiquitous, they create new potential data security threats, new concerns among consumers, and new misconceptions.
This white paper explores the key types of data security threats raised by RFID and highlights possible solutions using the capabilities defined by the EPCglobal (the RFID industry standards group) Class 1 Generation 2 standard, known as Generation 2. It explores the current data security needs and suggests best practices for optimizing the capabilities of Generation 2. It also looks beyond Generation 2 to envision new data security capabilities. And it highlights and evaluates several recent news stories about RFID data security.
i. Defining Data Security
It’s important to have a clear idea of what data security means right from the start. Only then can you truly measure whether an RFID implementation is truly secure. Here are three qualities that define data security in an RFID context:
ii. Levels of Data Security
Every communication system has its own appropriate level of data security—from wireless devices to the Internet. Not every type of data merits the highest level of security. Escalating levels of security tend to introduce extra cost and technological complexity, and RFID is no exception. It’s critical to balance security threats against security costs.
iii. Public Perception of Data Security
At some point, Internet users became confident enough in online commerce that they would participate in potentially risky processes—such as buying products or trading stocks. Why? Because the level of data protection—and the perception of it—had reached a high enough level that the general public had confidence and trust in the system. For widespread acceptance, RFID technology must achieve a similar level of confidence and trust.
iv. Stakeholders in RFID Data Security
Who is concerned about RFID data security?
2. Where Security Matters
Security is only as strong as its weakest link. In your home, the most powerful locks on your door will do nothing to keep your house secure if your windows are open. So it is with RFID security. All elements of an RFID system need to be secure, and the links between each element must be carefully considered with data security in mind.
i: The Importance of the Tag Reader
In RFID systems, tag readers are the communications crossroads—and pivotal junctures in the security of the entire system. Tag readers communicate in two directions, and each must be secure:
ii: Back-End Network Security
The key threat on the back-end communication side is unauthorized access to the network. No company wants to implement a system that leaves a clear opening for rogue devices (or just plain rogues) to access their network. Again, it would be like leaving all the windows open in a house—not good for security.
Fortunately, network security is a highly evolved, mature technology, one that brings plenty of powerful tools and technologies to bear on the challenge of keeping networks safe. RFID reader makers can implement standard, proven security technologies, such as Secure Sockets Layer (SSL) and Secure Shell (SSH). They can close ports that are not secure (e.g., with Telnet). And they can implement secure processes, such as certificates for authentication, which keep out unauthorized readers, competitors, hackers, and other potential threats.
In short, the data security story for back-end communication is simple and strong. Security at this juncture is controlled by RFID reader manufacturers (e.g., ThingMagic), which have plenty of powerful, standard tools available to ensure data security. These proven, widely used security capabilities—de facto standard features of today’s IP networks—exist to support data security, and should be an essential feature of any RFID reader and RFID implementation. They are not yet common in RFID products, however. So users should be diligent in ensuring that the RFID readers they select conform to industry-standard security practices.
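The back-end checks described above (no cleartext management services such as Telnet, certificate-based authentication to the network, SSL/TLS and SSH in place) can be turned into a repeatable audit. The following is an added example and not ThingMagic's or any vendor's code; `ReaderConfig` is a constructed, hypothetical summary of a reader's network settings, and the service and field names are assumptions to be mapped onto whatever a real reader's configuration export looks like.

```python
"""Audit the management-side (back-end) configuration of RFID readers.

Added example; it is not ThingMagic's code and no vendor exposes this
exact schema. ReaderConfig is a constructed summary of a reader's
network settings; map the checks onto your own reader's configuration.
"""
from dataclasses import dataclass, field

# Management services that carry credentials or commands in cleartext.
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}
# Protocol versions that should no longer be accepted as a floor.
WEAK_TLS = {"SSL3", "TLS1.0", "TLS1.1"}


@dataclass
class ReaderConfig:
    hostname: str
    services: set = field(default_factory=set)  # listening management services
    tls_min_version: str = "TLS1.0"             # floor for HTTPS / TLS channels
    cert_auth: bool = False                     # certificate auth between reader and back-end
    ssh_password_auth: bool = True              # SSH accepts passwords (vs. keys only)
    default_credentials: bool = True            # factory account still active


def audit_reader(cfg: ReaderConfig) -> list:
    """Return a list of findings; an empty list means the reader passes."""
    findings = []
    for svc in sorted(cfg.services & CLEARTEXT_SERVICES):
        findings.append(f"cleartext service '{svc}' enabled; disable it or use the SSH/TLS equivalent")
    if "https" in cfg.services and cfg.tls_min_version in WEAK_TLS:
        findings.append(f"TLS floor {cfg.tls_min_version} is obsolete; require TLS1.2 or later")
    if not cfg.cert_auth:
        findings.append("no certificate-based authentication; rogue readers or hosts are indistinguishable from authorized ones")
    if "ssh" in cfg.services and cfg.ssh_password_auth:
        findings.append("SSH password logins enabled; restrict to key-based authentication")
    if cfg.default_credentials:
        findings.append("factory default credentials still active")
    return findings


def audit_fleet(configs) -> dict:
    """Map hostname -> findings for every reader that has at least one."""
    return {c.hostname: f for c in configs if (f := audit_reader(c))}


# Constructed sample fleet: one reader as shipped, one hardened.
FLEET = [
    ReaderConfig("dock-reader-1", {"telnet", "http", "ssh"}),
    ReaderConfig("dock-reader-2", {"https", "ssh"}, tls_min_version="TLS1.2",
                 cert_auth=True, ssh_password_auth=False,
                 default_credentials=False),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed fleet, the as-shipped reader produces five findings and the hardened one none; the point of a fleet-wide pass is that a single reader left at factory settings is the open window the text warns about.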
iii: Front-End RF Security
The front-end side of the RFID reader is a different story—one that is more challenging, complex, and evolving. The vital connection between tags and readers occurs in the air via RF communication. This connection enables the powerful capabilities of RFID, but it also leaves the window open to several key threats:
These threats are explored in more detail in the following sections. However, it’s important to point out that front-end RF security is the weakest link in today’s RFID systems.
This area, controlled by the tag protocol standards process, has evolved in the latest standard introduced by EPCglobal, Generation 2. But there is still plenty of research and development and innovative thinking necessary before the front-end is as secure as the back-end. Today, front-end RF communication is vulnerable—the Achilles’ heel of RFID systems.
3: Key Front-End RFID Security Issues
Most of the front-end threats to RFID security involve deception, manipulation, or misuse of the RF communication between tag and reader. Here we explore three common threats—unauthorized access to tags, rogue and clone tags, and side channel attacks.
i: Unauthorized Access to Tags
Tags are evolving quickly in complexity, power, and flexibility. However, all types of tag share a critical vulnerability to rogue RFID readers. A rogue reader can read a tag, recording information that may be confidential. It can also write new, potentially damaging information to the tag. Or it can kill the tag. In each of these cases, the tags respond as if the RFID reader were authorized, since the rogue reader appears like any other RFID reader. This capability has broad implications, since tags may contain data that should not be shared with unauthorized devices.
Example: Unauthorized Access to Tags
A rogue RFID reader might be able to measure the inventory on a store shelf and chart sales of certain items—providing critical sales data to a rival product manufacturer. This unauthorized information could play a key role in developing a competitive strategy informed by corporate espionage—e.g., negotiating more shelf space or better product placement.
ii: Rogue and Clone Tags
On the other end of the tag-reader connection, consider the threat of rogue and clone tags. Rogue tags are tags from unauthorized sources, while clone tags are unauthorized copies of real tags. These tags connect with the RFID reader via RF and send false data.
Example: Rogue and Clone Tags
A bootleg product could appear to be an actual product if it bears a clone tag. A rogue tag placed within proximity to an RFID reader could contribute false data to the reader. In both cases, these tags affect the integrity of the system, and undermine security for both consumers and the companies that rely on RFID.
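Because a clone tag answers a reader exactly as the genuine tag would, it cannot be told apart at the air interface; what the back-end can do is notice that one EPC is being reported from places it could not physically be. The following is an added example, not code from the paper or from ThingMagic: it parses a constructed reader event log (the line format, reader and site names, and EPC values are all made up for the example) and raises a clone alert when the same EPC is read at two sites closer in time than the minimum transit time between them. It also goes one step beyond the passage and flags rogue tags, here defined as EPCs that were never enrolled in the back-end.

```python
"""Spot clone and rogue tags from reader events (added example).

Not from the paper or ThingMagic. The log format, site names, transit
times and EPC values are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(order=True)
class Read:
    ts: datetime
    site: str
    reader: str
    epc: str


# Constructed event format: ISO timestamp, reader id, site, EPC as hex.
LINE = re.compile(r"(\S+) reader=(\S+) site=(\S+) epc=([0-9A-Fa-f]+)")


def parse_log(text: str) -> list:
    """Parse reader events into Read records sorted by time."""
    reads = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not read events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        reads.append(Read(ts, m.group(3), m.group(2), m.group(4).upper()))
    return sorted(reads)


def detect_anomalies(reads, enrolled, min_transit,
                     default_transit=timedelta(hours=24)) -> list:
    """Return alert strings in time order.

    clone: one EPC reported from two sites faster than goods can move
           between them (a genuine tag and its copy, or two copies).
    rogue: an EPC that the back-end never commissioned.
    """
    alerts = []
    last_seen = {}        # epc -> (timestamp, site) of the previous read
    reported_rogue = set()
    for r in reads:
        if r.epc not in enrolled and r.epc not in reported_rogue:
            alerts.append(f"rogue: EPC {r.epc} read at {r.site} by {r.reader} is not an enrolled tag")
            reported_rogue.add(r.epc)
        prev = last_seen.get(r.epc)
        if prev and prev[1] != r.site:
            gap = r.ts - prev[0]
            needed = min_transit.get(frozenset((prev[1], r.site)), default_transit)
            if gap < needed:
                alerts.append(f"clone: EPC {r.epc} seen at {prev[1]} and {r.site} "
                              f"only {gap} apart (minimum transit {needed})")
        last_seen[r.epc] = (r.ts, r.site)
    return alerts


# Constructed sample log. EPC ...A1 travels plausibly, ...A2 appears on
# both coasts within half an hour, ...A3 was never enrolled.
LOG = """\
2006-05-01T08:00:00Z reader=R01 site=DC-EAST epc=3034F1A000000100000000A1
2006-05-01T08:05:00Z reader=R02 site=DC-EAST epc=3034F1A000000100000000A1
2006-05-01T09:00:00Z reader=R01 site=DC-EAST epc=3034F1A000000100000000A2
2006-05-01T09:30:00Z reader=R07 site=DC-WEST epc=3034F1A000000100000000A2
2006-05-01T12:00:00Z reader=R21 site=STORE-7 epc=3034F1A000000100000000A3
2006-05-01T18:00:00Z reader=R21 site=STORE-7 epc=3034F1A000000100000000A1
"""
ENROLLED = {"3034F1A000000100000000A1", "3034F1A000000100000000A2"}
MIN_TRANSIT = {
    frozenset({"DC-EAST", "DC-WEST"}): timedelta(hours=48),
    frozenset({"DC-EAST", "STORE-7"}): timedelta(hours=6),
}

if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(LOG), ENROLLED, MIN_TRANSIT):
        print(alert)
```

On the sample log this yields one clone alert (EPC ...A2) and one rogue alert (EPC ...A3); the transit-time table is the tunable part, and an unknown site pair falls back to a conservative default so a missing entry produces an alert to review rather than silence.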
iii: Side Channel Attacks
The biggest vulnerability in today’s RFID systems occurs when interloper RFID readers or other rogue devices eavesdrop on authentic transactions and RF communications between authorized tags and readers. The rogue device can access passwords or data using standard, inexpensive lab equipment. Like wiretapping (without the wires), this capability exposes confidential information to others who may put it to new and nefarious uses.
Example: Side Channel Attack
A rogue device outside a large retail store might gather confidential data—such as who’s buying anti-depressants—that could conceivably be sold to competitors, the tabloid press, or others.
4. An Assessment of Generation 2 Security
RFID security is an evolving story, driven by the needs of the marketplace, the technological ingenuity of engineers engaged in developing next-generation solutions—and above all, the tag protocol standards process.
i. Evaluating Current Security Levels
The Generation 2 protocol is an improvement on Generation 1 and previous tag protocols. It includes key capabilities that companies implementing RFID can leverage to help ensure security:
Does Generation 2 provide sufficient security? Yes and no—yes given current deployments, and no for next-generation, broader deployments that will take RFID into more public environments. The current security features add up to an acceptable level of security given the current state of the market. In a time when RFID is still evolving, deployment levels are relatively low. And the focus of most implementations is on the back-end of the supply chain—primarily case and pallet-level tagging—where security risks are inherently lower, since physical access to the system is limited to employees and therefore somewhat controlled.
ii: Shortcomings of Generation 2
Simply killing tags isn’t enough to cure all security issues inherent in RFID. Under the Generation 2 protocol, there are several clear issues that serve as potential roadblocks to more ubiquitous deployments at the consumer level:
Clearly, the level of security in Generation 2 is not sufficient to meet the original criteria of data security discussed at the outset of this white paper. Access to the data is not tightly controlled. Access to the RFID system is similarly open to manipulation and attack via the three main types of front-end threats. And most importantly, security levels are not high enough to generate the high levels of consumer trust that will enable widespread acceptance of RFID at the item level.
iii: Current Best Practices
Given the current level of data security provided by Generation 2, what can companies using RFID technology do to help achieve maximum security? Here are some basic considerations and best practices to consider:
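One practice that follows directly from the threats above (a rogue reader writing to or killing a tag, and a rogue device reading passwords off the air or out of the tag) is to audit how tags were commissioned before they leave the controlled part of the supply chain. The following is an added example and not code from the paper or from ThingMagic. The tag records are constructed and the field names are assumptions, not a reader API; what it relies on from the Generation 2 protocol is that the reserved memory bank holds a 32-bit kill password and a 32-bit access password, that an all-zero password counts as unset (Kill is refused, and no password is needed to write unlocked memory), and that memory banks can be locked.

```python
"""Audit commissioned Gen2 tags for weak protection (added example).

Not from the paper or ThingMagic. Tag records are constructed and the
field names are assumptions. Relies on Gen2 facts: reserved memory holds
a 32-bit kill password and a 32-bit access password, zero means unset,
and memory banks can be locked against reading/writing.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class TagRecord:
    epc: str
    access_pwd: int          # 32-bit access password (0 = unset)
    kill_pwd: int            # 32-bit kill password (0 = unset, Kill refused)
    reserved_locked: bool    # reserved bank locked so passwords cannot be read
    epc_write_locked: bool   # EPC bank locked against rewriting


def check_tag(tag: TagRecord, pwd_counts: Counter) -> list:
    """Findings for one tag; pwd_counts is the access-password histogram."""
    findings = []
    if tag.access_pwd == 0:
        findings.append("access password unset: any reader can write unlocked memory")
    if tag.kill_pwd == 0:
        findings.append("kill password unset: tag cannot be killed at point of sale")
    if not tag.reserved_locked:
        findings.append("reserved bank readable: passwords can be read by any reader")
    if not tag.epc_write_locked:
        findings.append("EPC bank writable: identifier can be overwritten")
    shared_with = pwd_counts[tag.access_pwd] - 1
    if tag.access_pwd != 0 and shared_with:
        findings.append(f"access password shared with {shared_with} other tag(s): "
                        "one eavesdropped password opens them all")
    return findings


def audit_tags(tags) -> dict:
    """Map EPC -> findings for every tag that has at least one."""
    counts = Counter(t.access_pwd for t in tags)
    return {t.epc: f for t in tags if (f := check_tag(t, counts))}


# Constructed population: factory-fresh, hardened, and two sharing a password.
TAGS = [
    TagRecord("3034F1A000000100000000A1", 0x00000000, 0x00000000, False, False),
    TagRecord("3034F1A000000100000000A2", 0xDEADBEEF, 0x0BADF00D, True, True),
    TagRecord("3034F1A000000100000000A3", 0x12345678, 0x0BADF00E, False, True),
    TagRecord("3034F1A000000100000000A4", 0x12345678, 0x0BADF00F, True, True),
]

if __name__ == "__main__":
    for epc, findings in audit_tags(TAGS).items():
        print(epc)
        for finding in findings:
            print("  -", finding)
```

The histogram of access passwords is what catches the most common shortcut in practice, one password programmed into every tag; the per-tag checks catch tags that were never locked after commissioning.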
iv: Impact of Ubiquity on Security
As RFID moves toward greater ubiquity in the marketplace—such as widespread item-level tagging—it will become more and more vulnerable to attack. The key contexts for EPC tags represent an evolving progression toward ubiquity via three general phases:
As deployments move through these phases, tags become more widely used. More tags (item-level tagging will result in many more tags than case- or pallet-level tagging) and more RFID readers (ubiquitous tags will result in wider deployment of readers) mean new opportunities for attack, and new threats designed to exploit security shortcomings. Side channel attacks are a particular risk once tags are deployed at the item level. And new threats will emerge as RFID becomes more of a target for espionage and hacking.
The success of RFID in the marketplace will place new security demands on it—and an increased need for robust security in emerging tag protocols.
5. Beyond Generation 2
From this examination of security threats to Generation 2, it’s clear that a future EPC Generation 3 protocol will need to add higher security levels to RF front-end communication to ensure broader use of RFID technology. New technical and policy approaches will have to solve the real privacy and security concerns identified by industry analysts, technologists, and public watchdogs. If not, restrictive legislation or public backlash could thwart widespread acceptance—and limit the powerful benefits that RFID offers businesses and consumers.
i: Technologies that Enhance Security
Possible technological approaches that can enhance security in future protocols include:
These are just some of the approaches that can help bring new security to RFID implementations.
6. Next Steps Toward Greater Data Security
Careful consideration and investigation by key players in the RFID technical community, as well as an open and rational public debate, will help identify the approach that provides the right level of security—without introducing burdensome computational demands, technological complexity, or manufacturing cost increases.
Future generations of the EPCglobal protocol will lead the way to greater RFID data security—and broader acceptance of RFID technology in the marketplace. It is clear that while EPC Generation 2 technology represents a step forward in RFID security, it is not the end of the journey. We should not try to force-fit security into the existing Generation 2 protocol. Item-level tagging will require a higher level of security that can only really be attained with new, Generation 3 technology.
RFID Security in the News
As a controversial new technology, RFID security issues often get attention in the press. Here we summarize some of the latest stories and evaluate the real level of threat.
1. RFID Virus¹
A group of Dutch scientists from the Faculty of Sciences in Amsterdam wrote recently in a joint paper that RFID systems were vulnerable to viruses because RFID tags could be compromised and infected with viruses by hackers. In short, they claimed that viruses could be transmitted via tags, breaching the security of the RFID systems.
Level of Risk: Very low
2. Cell Phone Side Channel Attack²
At the 2006 RSA Security annual conference, cryptographers and data security specialists described a side channel attack on a Generation 1 RFID tag using “power-analysis” of the system’s energy consumption. The attack required an oscilloscope and directional antenna. However, the group predicted that similar power analysis attacks could be performed using common devices, such as a cell phone. These devices could be modified to eavesdrop on an RFID system, infer passwords, gain access, and send inappropriate “kill” messages.
Level of Risk: Low
3. ExxonMobil SpeedPass Hack³
Researchers at Johns Hopkins University recently performed a successful hack of the Texas Instruments RFID Digital Signature Transponder (DST) used in ExxonMobil SpeedPass systems. In a detailed academic paper, the authors highlighted the steps they took to crack the key from a deployed DST device using advanced, but widely available equipment, and some very smart thinking. They used the information gathered to access the ExxonMobil system and purchase gasoline.
Level of Risk: Real
ThingMagic-powered Generation 2 RFID readers are available from a number of qualified partners. Cisco, Cisco Systems, the Cisco Systems logo, and the Cisco Square Bridge logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. Other marks may be protected by their respective owners. ThingMagic, Mercury4 and ‘Reads Any Tag’ are protected marks of Trimble.