On Mitigating Covert Channels in RFID-Enabled Supply Chains

Kirti Chawla, Gabriel Robins, and Westley Weimer

{kirti, robins, weimer}@cs.virginia.edu

School of Engineering and Applied ScienceDepartment of Computer Science

University of Virginia, CharlottesvilleVirginia, USA

Web: www.cs.virginia.edu

This work is supported by U.S. National Science Foundation (NSF) grant: CNS-0716635 (PI: Gabriel Robins)

For more details, visit: www.cs.virginia.edu\robins

RFID Technology Overview

01 / 21

RFID Technolo

gy

Parameters

Some Applications

Components

Tag/Transponder

Reader

Backend System

Frequency

Form Factor

Type

Aerospace

Chip Timing

Supply Chain

Motivating Example – Supply Chains

02 / 21

Factory

Warehouse

Store

Raw Materials

YOU

A Supply Chain

Reduce Cost

Enhance Competitiveness

Motivating Example – Supply Chains

03 / 21

Target Supply Chain

Adversary Supply Chain

Market

Passive Competitiveness

Active Competitiveness

How ?

Supply Chain Attacks – Tag Tracking

04 / 21

Adversary Supply Chain

Tracked tag serves dual-purpose and is a source of covert channel

Supply Chain Attacks – Tag Duplication

05 / 21

Injected duplicated tag as source of covert channel

Supply Chain Attacks – Tag Modification

06 / 21

Injected modified tag as source of covert channel

M

Supply Chain Attacks – Tag Modification

07 / 21

Writeable banks conceal information

Access Password

Kill Password

USER

TID

EPC

RESERVED

CRC-16

PC

EPC Number

XPC

ISO/IEC 15963 Class Identifier

Tag Capability

User Specific Data

EPC Length

UMI

XPC_W1I

NSI

TB

AFIVendor Specific Data

Memory Layout of the RFID Tag

EPC Compliant RFID Tag

#

Supply Chain Attacks – Reader Compromise

08 / 21

C

C

Compromised readers as source of covert channel

M

Evaluation I – Implications(1)

09 / 21

Pre-attack Scenario Post-attack scenario

Brand Loyalty Switch

Attacks subtly persuading consumers to switch brands

Evaluation I – Implications(2)

10 / 21

Brand Aversion

Attacks subtly persuading retailers to prefer brands

Pre-attack Scenario Post-attack scenario

Mitigating Approach – Model of Supply Chain

11 / 21

Supply Chain

Purchase Phase

Production Phase

Distribution Phase

1. Item flow = tag flow2. Multiple Phases3. Flow verification

A

P

Q

R

Purchase Phase: GUP

Production Phase: GPP

Distribution Phase: GDP

Mitigating Approach – Model of Supply Chain

12 / 21

1. Item flow = tag flow2. Multiple Phases3. Flow verification

Global Source Global Sink

Phase Sink

Phase Source

C(Q, R) > 0

C(P, Q) = 0

C2

C1

NMOF(A) = max(C1, C2)

C: E +

Mitigating Approach – Taint Checkpoints

13 / 21

GUPGPP GDP

1. Item flow = tag flow2. Multiple Phases3. Flow verification

Taint Checkpoint

Supply Chain Flow Graph: G = GUP GPP GDP

How ?

Mitigating Approach – Taint Check Cover

14 / 21

GD

Given a graph G and no. of taint checkpoints T, determine the existence of taint check cover: TCC G, T

GU

Polynomial Time ReductionVC P TCC

Taint Check Cover

Vertex Cover

NP-Complete

TCC NP

Mitigating Approach – Heuristics(1)

15 / 21

GD

Use approximate algorithm of VC for TCC

From the set of edges E, pick an arbitrary edge , save its endpoints and remove all edges from E that are covered by those endpoints

Time complexity: O(V+E)

Solution size: 2OPT

Mitigating Approach – Heuristics(2)

16 / 21

Use cuts to partition graph

GUP

GPPGDP

1. Cuts based on topology2. Cuts based on flow

properties3. Random cuts

Algorithm dependent time-complexity

Solution size: OPT to |V|

Mitigating Approach – Heuristics(3)

17 / 21

GUP

GPPGDP

Use underlying business requirements

1. No. of taint checkpoints2. Coverage Vs Efficiency

Tradeoff

(1) TNR = |VT| |V|

(2) CER =

TNR, CER +, |V| 0

Algorithm dependent time-complexity

Solution size: OPT to |V|

Mitigating Approach – Local Verification Algorithm

18 / 21

GUPGPP GDP

Verifying flow locally at every taint checkpoints

1. Check flag enables check for duplicate tags

2. Tag data verification enables check for modified tags

Mitigating Approach – Global Verification Algorithm

19 / 21

GUPGPP GDP

Verifying flow globally along a path or at central site

Heuristics combined with global verification enables check for compromised readers

Evaluation II – Cost

20 / 21

Local verification time cost as a function of no. of taint

checkpoints

Cost of solution

Local, and global (with constant and variable link cost)

verification time cost as a function of no. of taint

checkpoints

1. Supply Chain flow graph nodes = 20002. No. of taint checkpoints = 10 to 10003. Workload = 100 items per case 1000 cases

per time interval

Countermeasures to Covert Channels

21 / 21

Suggested Countermeasures

Re-encryptionPseudonyms Direct mitigation PUFPasswords

References Hokey Min and Gengui Zhou, Supply Chain Modeling: Past, Present and Future,

Journal of Computer and Industrial Engineering, Elsevier Science Direct, Volume 43, Issue 1-2, pp. 231-249, July 2002.

Rebecca Angeles, RFID Technologies: Supply-Chain Applications and Implementation Issues, Information Systems Management, 22:1, pp. 51-65, 2005.

David Molnar, Andrea Soppera and David Wagner, A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags, Selected Areas in Cryptography, Ontario, Canada, 2005.

Daniel V. Bailey, Dan Boneh, Eu-Jin Goh and Ari Juels, Covert Channels in Privacy-Preserving Identification Systems, 14th ACM International Conference on Computer and Communication Security, Alexandria, Virginia, pp. 297-306, 2007.

Simson L. Garfinkel, Ari Juels and Ravi Pappu, RFID Privacy: An Overview of Problems and proposed Solutions, IEEE Security and Privacy, Volume 3, Issue 3, pp. 34-43, May 2005.

Aikaterini Mitrokotsa, Melanie R. Rieback and Andrew S. Tanenbaum, Classification of RFID Attacks, International Workshop on RFID Technology, Barcelona, Spain, pp. 73-86, June 2008.

Melanie R. Rieback, Bruno Crispo and Andrew S. Tanenbaum, RFID Guardian: A Battery-Powered Mobile Device for RFID Privacy Management, Lecture Notes in Computer Science, Springer, Volume 3574, pp. 184-194, July 2005.

Ira S. Moskowitz and Myong H. Kang, Covert Channels - Here to Stay, In 9th IEEE International Conference on Computer Assurance, pp. 235-243, July 1994.

Leonid Bolotnyy and Gabriel Robins, Physically Unclonable Function-Based Security and Privacy in RFID System, 5th International Conference on Pervasive Computing and Communications, New York, USA, pp. 211-128, March 2007.

Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest and Clifford Stein, Introduction to Algorithms – Third Edition, MIT Press, Cambridge, 2009.

EPCGlobal, UHF C1 G2 Air Interface Protocol Standard, http://www.epcglobalinc.org/standards/uhfc1g2/uhfc1g2_1_1_0-standard-20071017.pdf

EPCGlobal, Tag Data Standards Version 1.4, Revision June 11, 2008, http://www.epcglobalinc.org/standards/tds/tds_1_4-standard- 20080611.pdf

Anylogic Professional 6, AB-SD Supply Chain Model Simulator, http://www.xjtek.com

Gildas Avoine, Cedric Lauradoux, and Tania Martin, When Compromised Readers Meet RFID, Workshop on RFID Security, Leuven, Belgium, 2009.

Mike Burmester and Jorge Munilla, A Flyweight RFID Authentication Protocol, Workshop on RFID Security, Leuven, Belgium, 2009.

Khaled Oua, and Serge Vaudenay, Pathchecker: A RFID Application for Tracing Products in Supply-Chains, Workshop on RFID Security, Leuven, Belgium, 2009.

A. Karygiannis, T. Phillips, and A. Tsibertzopoulos, RFID Security: A taxonomy of Risks, Conference on Communications and Networking in China (ChinaCom), Beijing, China, pp. 1-8, 2006.

References

Questions