RFID Privacy & Security Issues
Radio Frequency Identification:
Privacy & Security Issues
Brent Muir
2009
MUIR RFID: Privacy & Security 2009
Executive Summary
This report examines the privacy and security issues surrounding RFID
implementations in a real-world context. A discussion of the history and
development of RFID systems, from their origins in the military to their increasingly
pervasive nature, allows the reader to better understand the motivations of
organisations that wish to implement RFID. A brief overview of the technical parameters
of RFID is then given. Practical uses of RFID, from supply-chain management to
health care services, are briefly mentioned, highlighting the diverse uses of this
technology. Potential privacy and security issues relating to RFID are analysed,
including the ability to track individuals via RFID tags and the cloning of RFID tags.
These privacy and security issues are further highlighted through an in-depth
examination of two case studies: the Mifare Classic, and ePassports. Both these case
studies bring to light the vulnerabilities involved when implementing RFID systems,
in particular whether or not there is a need to store personal information on the
RFID tags as well as the strength of the cryptographic security methods utilised to
protect this information.
Table of contents
Introduction
What is RFID
How RFID Works
Implementations of RFID
Privacy Issues
Security Issues
Case Studies:
  Translink - Mifare Classic
  US/AUS ePassports
Conclusion
Reference List
Introduction
Since its development, Radio Frequency Identification (RFID) has evolved to a point
where the technologies can be embedded under the skin of humans and, more
likely, to a point where people in developed nations carry at least one RFID
implementation in their wallet or purse. RFID has replaced many ageing technologies
such as barcodes and magnetic swipe cards, and this advancement of pervasive
technology has led to many security and privacy concerns. This paper will examine
these concerns and analyse the risks involved with using RFID technologies.
Before discussing the security and privacy concerns, the paper will give a brief
description of the history of RFID technology. This will be followed by a detailed
examination of the electronic components that compose RFID technologies.
Thirdly, current RFID implementations across various fields will be briefly
discussed. The privacy and security issues will then be examined, focusing
on the potential and real-world issues at hand. Lastly, two case studies will be
analysed: Translink's “Mifare Classic” RFID system (aka the “GO Card”); and a critical
analysis of the US and Australian ePassports (“Enhanced Identification”) RFID
systems. These two case studies will highlight the potential security and privacy
issues related to RFID implementations. Before delving into the security and privacy
issues, RFID technology needs to be explained in greater detail.
What is RFID
Radio Frequency Identification (or RFID) has evolved from its infancy where it had
limited usage in the military into a ubiquitous technology found in everyday goods
and products. Dating back to World War II, RFID technology originated when “the
British put radio transponders in Allied aircraft to help early radar system crews
detect good guys from bad guys”1. The use of radio frequencies to assist in the
identification process was a novel idea but it wasn’t until 1973 that it became
patented2. In fact, “these early devices usually employed a one-bit system, which
only indicated the presence or absence of the tag”3.
Peslak described RFID as “an inexpensive passive electronic device that allows for the
transmission of a distinctive signal from any product or artifact in which it is
embedded or attached”4. That is, a device that is “turned-on” by receiving certain
signals or frequencies, but is otherwise “switched-off”. RFID tags have also been
described as being “essentially microchips” which, coupled with their minute size
and cost to develop, have become increasingly “commercially and technologically
viable”5.
The development of RFID in the last half-century has reached a point where the
technology is accessible for minimal cost; in fact, RFID tags can be purchased for
under $0.20 each6. This reduction in manufacturing costs has led to the adoption of
RFID technologies in a range of industries for a variety of purposes. The development
of RFID over the last half-century can be seen in table 1 below.
1 Newitz, A. (2006). The RFID Hacking Underground. Wired.
2 Granneman, S. (2003). RFID Chips Are Here.
3 Cardullo, M. (2005). Genesis of the versatile RFID tag. RFID Journal, 2(1), 13–15.
4 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
5 Granneman, S. (2003). RFID Chips Are Here.
6 Roberti, M. (2004). Tag Cost and ROI [Electronic Version]. RFID Journal. Retrieved 02/08/2009, from http://www.rfidjournal.com/article/articleview/796/
Decade        Event
1940 - 1950   Radar refined and used, major World War II development effort. RFID invented in 1948.
1950 - 1960   Early explorations of RFID technology, laboratory experiments.
1960 - 1970   Development of the theory of RFID. Start of applications field trials.
1970 - 1980   Explosion of RFID development. Tests of RFID accelerate. Very early adopter implementations of RFID.
1980 - 1990   Commercial applications of RFID enter mainstream.
1990 - 2000   Emergence of standards. RFID widely deployed. RFID becomes a part of everyday life.
Table 1 - The Decades of RFID 7
7 Landt, J., & Catlin, B. (2001). Shrouds of Time: The history of RFID. Pittsburgh, PA,
AIM Global.
How RFID Works
The technology behind RFID is fairly basic, although many implementations of RFID
have improved upon its security and communication mechanisms to suit their own
needs. As stated by the Association for Automatic Identification and Mobility (AIM),
RFID consists of three separate components: “an antenna; an RFID tag
(programmed transponder with unique information); and a transceiver (a reader to
receive and decode the signal)”8.
RFID tags come in two varieties: transponder-only tags, which allow only
one-way communication to the transceiver and are often referred to as “passive”
tags; and “active” tags, which allow information to be read from as well as written to the
tags.
The reader or transceiver is usually the source of power and generates a low power
radio signal broadcast through an antenna when in use. The RFID tag receives the
signal through its own internal antenna and powers a computer chip. The chip will
then exchange information with the reader.9
To facilitate a transmission, these components (the antenna, the transponder and
the transceiver) communicate with one another and produce a transaction that
results in the sending of data across the radio frequency. Glasser et al. have
explained the RFID communication process as follows:
Typically, a reader transmits radio signals that are received by an antenna to the tag.
The tag sends a unique reply signal back to the reader, which is then decoded into an
identification number. This ID number is unique to the tag. Ideally, a global set of
standards will dictate how these ID numbers are assigned and ensure that there are
no repetitions or duplications.10
These transmissions are often encrypted to provide additional security mechanisms
for the RFID systems.
8 AIM, in Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
9 AIM, in Ibid.
10 Glasser, Goodman, & Einspruch (2007) p. 101
MUIR N2753006 RFID: Privacy & Security October 2009
Implementations of RFID
There are numerous implementations of RFID in all facets of modern society. Many
of these implementations follow in the footsteps of the original purpose of RFID;
that is to determine whether an object is present or not, for example supply-chain
management. However, as RFID has developed, new uses for the technology have
emerged. These advanced implementations, coupled with the emergence of new
uses, have led to new privacy and security issues arising.
Toll Booths
One area where RFID technology has increased productivity and decreased potential
bottlenecks is in automated toll booth payment services. Instead of manually paying
for a toll at a toll booth, commuters can now drive their vehicles straight through the
toll booth without lining up to conduct a financial transaction. This is facilitated by
RFID through the use of tags that are located inside vehicles and receivers located in
the physical toll booth, so when the vehicles drive through the toll is automatically
deducted from the person's account11. However, the usage of RFID in these
transactions is not without risk; Wood writes that “users of this system are leaving a
trail of data behind them... divorce courts have used highway transponder
information to find out where spouses have been traveling”12.
Financial Transactions
In addition to the toll booth implementation stated above, RFID technology has been
integrated into other financial transactions as well. In fact, Glasser et al. note that
“one of the significant potential uses of RFID is to provide a vehicle for exchanging
money without requiring people to make physical contact”13. Bray estimates that in
2006 there were “20 million RFID-enabled credit cards and 150,000 vendor readers...
already deployed in the U.S.”14.
11 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
12 Wood in Glasser, Goodman, & Einspruch (2007) p. 105
13 Glasser, Goodman, & Einspruch (2007) p. 104
Supply Chain Management
One of the biggest adopters of RFID technology has been supply-chain
management in retail. Glasser et al. speculate that “one of the most anticipated
applications of RFID is using tags to replace or supplement bar codes on
manufactured products”15. Retail giant Wal-Mart in the United States has been
pushing RFID in this area since the early 2000s. In fact Peslak notes that “Wal-Mart
reemphasized its commitment to RFID over the long term by having its top 100
suppliers include tags on pallets and cases by 2005”16. Apart from the perceived
increase in productivity in their warehouses, Wal-Mart envisaged a “savings of 10–
20% in labor (sic) costs at their distribution centers (sic) through RFID”17.
RFID has not only been adopted by huge retail chains such as Wal-Mart:
One retailer who is actively using RFID is Prada, which reads tags in their clothes and
displays accessories or other information about the clothes when someone tries
them on in their display equipped dressing rooms.18
By utilising RFID technologies in this way, organisations are hoping to improve
supply-chain activities and, in particular, inventory management19. One major
improvement over barcodes is that RFID tags can be individually programmed: not
just one number per product code, but one unique identifier per item. As Glasser et al.
explain:
14 In Heydt-Benjamin, T. S., D. V. Bailey, et al. (2008). "Vulnerabilities in first-generation RFID-enabled credit cards." Lecture notes in computer science 4886: 2.
15 Glasser, Goodman, & Einspruch (2007) p. 102
16 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
17 Ibid
18 Cox, 2003b in Ibid
19 Ibid
An RFID tag... can be associated with the history of an individual item: where it was
manufactured, the date it was sold, when it was destroyed. It is also able to identify
the location of an object as well as properties such as temperature.20
Healthcare
Another important advancement utilising RFID can be seen in the healthcare
industry. Dorschner states:
Further, RFID can, at least in principle, reduce medical error by tracking surgical
tools to prevent them from being left in patients, to mark surgical sites to identify
the procedure needed and prevent wrong-sided surgery and by preventing drug
dispensing errors.21
By introducing such RFID services, the public, and the healthcare industry as a whole,
could benefit from a reduction in medical malpractice and careless mistakes.
Animal Tracking
Another important implementation of RFID is in livestock tracking. “RFID chips have
for years been implanted in animals to track livestock, locate missing pets and study
wildlife behavior”22. However, it is just as easy to utilise this technology in the
tracking of humans as it is to track livestock and other animals. This has raised a few
privacy concerns. One such implementation can be found at a United Kingdom
theme park.
Visitors to Alton Towers who purchase the service will receive an RFID band to wear
around their wrist, “marking” them to the park-wide video-capture system.23
This video surveillance system is an opt-in service that allows visitors to capture their
day's adventure in the theme park and receive a DVD movie of the fun times they
had.24
20 Glasser, Goodman, & Einspruch (2007) p. 102
21 Dorschner, in Ibid
22 Ibid
23 Tucker, P. 2006. "Fun with Surveillance." Futurist 40.
24 Ibid
Other privacy concerns of human tracking have arisen out of manufacturers'
integration of RFID into their products.
Michelin, which manufactures 800,000 tires a day, is going to insert RFID tags into
its tires. The tag will store a unique number for each tire, a number that will be
associated with the car's VIN (Vehicle Identification Number).25
This could lead to a scenario where your vehicle is tracked from point A to point B
without your knowledge.
25 Granneman, S. (2003) RFID Chips Are Here.
Privacy Issues
As touched on briefly in the previous section, RFID implementations are not without
their share of privacy issues. By examining potential and real-world RFID privacy
issues a greater understanding of the possible risks associated with RFID
implementations can be established. The main privacy concerns with RFID are the
tracking of people and their location, and the tracking of customers and their habits
by retail giants.
Tracking of People
Similar to the tracking of livestock or vehicles, the tracking of people through the use
of RFID technologies is a real threat to the privacy of individuals. RFID tags are now
small enough to be embedded under the skin of humans or, with more devious
intent, slipped into their clothing without the individual realising. Glasser et al. note
that “RFID chips intended to track humans come in two main forms: sub-dermal
implants which are injected and external tags which are worn or carried”26.
In order for the effective tracking of people through RFID to take place, governments
would have to encourage or demand that people carry certain RFID tags on their
person. An example of this has been highlighted by Garfinkel who notes that “the
Massachusetts Turnpike Authority is giving discounts to residents who pay using EZ-
Pass, a transponder system relying on radio tags”27. It is then speculated that this
decision is “discriminatory and coercive”28. Another example of governments
pushing for RFID can be seen in the European Union (EU) where it was suggested
that the European Central Banks were investigating the placing of RFID tags into the
Euro29. In this case the suggested reason behind the use of RFID was not to track
citizens and their use of the currency, but to stem the counterfeiting of the Euro.
Implementations such as these, although they may be altruistic in nature, are easy to
manipulate for more sinister motives by people with less friendly purposes.
26 Glasser, Goodman, & Einspruch (2007) p. 105
27 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
28 Ibid
29 The Economist, 2002 in Peslak, 2005, p. 328
The above example of RFID technology being utilised in the Euro never eventuated,
yet that does not mean that there aren't other RFID implementations that are
already being used to track individuals. In fact Peslak describes a scenario where
RFID is currently used to track individuals by a government body:
RFID is already being used to track and coordinate movements of people between
the U.S. and Canada. A program called NEXUS allows U.S. and Canadian citizens to
register their fingerprints, photo, and other personal data and, if approved, receive a
card with an RFID tag. When individuals wish to travel between the U.S. and Canada,
they display their cards near the inspection booth.30
Use of RFID in identification cards is not a new idea. Many governments around the
world have begun implementing RFID technologies into drivers’ licenses, passports
and even citizenship cards. Glasser et al. describe this as a major privacy concern,
“since drivers’ licenses are nearly always carried by individuals, there exists a threat
that anyone could be tracked anonymously”31. With governments adopting RFID in
official documentation, the average citizen is powerless to protect their own
personal details and privacy from being transmitted across the radio frequencies.
Indeed it has been speculated that society “may one day need to inquire whether
use of RFID technology by a government is itself grounds for identifying it as
repressive”32. Many citizens value their privacy and the United Nations “codified the
fundamental human right of privacy in 1948 within their Universal Declaration of
Human Rights”33. What this means is that any breaches by governments of the UN's
declaration can be seen as a sign of a potential totalitarian move in order to control
the masses.
30 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
31 Glasser, Goodman, & Einspruch, 2007, p. 104
32 Ibid
33 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
Tracking of Customers and their habits
Due to the pervasiveness of the technology, RFID tracking can also be carried out
through the goods that people have purchased. The organisations which implement
RFID into their products are not always trying to increase productivity in their
warehouses; more often than not the motive is to study the behaviour of their
customers. As stated by Peslak, “the privacy concerns of electronic commerce
include collection of information without user’s knowledge, sales of collected
personal information, and receipt of unsolicited information, as in spamming”34. Like
electronic commerce, RFID technology can be used in this way.
The use of RFID in retail has been described as providing customers with better,
more intuitive, shopping experiences by the organisations which implement it. What
it really amounts to is an incredible customer database monitoring buying habits and
other personal data. Peslak sums up this situation by noting that “tags allow the
potential for aggregation of massive amounts of personal data based on purchases
and ownership, making personal profiling possible”35. Peslak effectively describes the
various potential privacy issues related to RFID in the retail sector, as seen below in
table 2.
Table 2 – RFID Privacy Category Framework36
An example of a breach of privacy through the use of RFID in the retail sector was
noted by Hildner:
34 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
35 Ibid
36 Ibid
One breach of privacy through RFID became known as the Broken Arrow Affair
where Wal-Mart along with Procter and Gamble used this technology in tracking
consumers in the Oklahoma store when they removed Max Factor Lipfinity lipsticks.
Once the item was taken from the shelf a video monitor evaluated how consumers
handled the product without their knowledge.37
Currently in the United States, where this example occurred, there is no legislation in
place requiring that labels indicate the presence of an RFID chip in a product38.
Other countries have introduced legislation governing the use of RFID tags in retail
products; for example, Hariton et al. observed:
Canada on the other hand has implemented the Personal Information Protection and
Electronic Documents Act that requires retailers to seek consent of customers for
using RFID tags in monitoring their shopping patterns.39
However, although the US lacks the legislation to monitor the use of RFID in the retail
sector, the privacy issue has not gone unnoticed. Even as far back as 2000 the
Federal Trade Commission (FTC) made recommendations into creating legislation to
govern such privacy concerns. “The FTC concluded that self-regulation was
insufficient and recommended federal legislation to ensure adequate protection of
consumer privacy online”40.
Another privacy aspect is the decommissioning of the RFID tags used in retail. Peslak
states that “perhaps the most insidious of RFID uses is the potential for post-sales
monitoring... technically; all RFID tags can be permanently read through active
readers”41. Currently there are no systems or checks in place for deactivating the
RFID tags once items are purchased. This may lead to the situation where not only is
the initial purchase monitored, but whenever the tagged item is near a transceiver
subsequent monitoring can take place. Peslak further posits:
37 Hildner, 2006 in Ibid.
38 In Ibid
39 In Ibid.
40 Federal Trade Commission, 2000 in Peslak, 2005, p. 337
41 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
At present, the tags remain in a working condition after the items to which they are
attached are purchased. The tags could subsequently be read when they encounter
an RFID transceiver. Thus, if you were to walk into a store with an RFID tagged item,
an active transceiver could activate a signal from the tag and through a series of
steps identify you, your location, and any other information about you such as
criminal history, shopping records, or credit history.42
As unlikely as this may seem, the potential for the abuse of the RFID tags that lack
decommissioning protocols is present. It has been stated that the “costs of a national
or worldwide tracking system to monitor RFID tags to individuals would be cost
prohibitive and uneconomic”, but this does not mean that it is not a possibility in the
near future43.
One solution to this privacy issue is to implement
decommissioning protocols in the RFID tags. One such method has been proposed
that involves “a deactivation or 'kill' switch for RFID tags once items enter the retail
realm”44. In this proposal the products would have an RFID tag for the supply-chain
management (manufacturing, warehousing, and delivery) phase of their existence
but upon arrival at their final destination (retail store) the RFID tag is deactivated so
that no personally identifiable information can be gained through its use. Another
option is the inclusion of an “on–off switch that could allow benefits if the consumer
wishes but could be eliminated for those who do not want to use the benefits”45. In
this solution the consumer could decide whether or not to opt-in to having their
personal information stored when purchasing goods.
42 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
43 Ibid
44 Ibid
45 Ibid
Other examples of privacy solutions in the retail sector include a type of RFID tag
developed by IBM known as the 'Clipped Tag'. This RFID tag allows consumers to tear
a portion of the tag off thus “allowing information to be transmitted just a few
centimeters rather than 100 feet”46. Another development in RFID technology is to
have RFID tags embedded with a 'privacy bit' as stated by Niemelä:
An alternative is to set aside a logical bit on the RFID tag. This bit is initially off when
items are in the shop. The bit is flipped to the on position to deactivate a tag at the
point of sale. If RFID readers in shops refrain from scanning private tags, i.e., those
tags whose privacy bit is turned on, then a good measure of consumer privacy will
already be in place. Tags belonging to consumers in this case will be invisible to
shops. At the same time, tags on items on shelves.47
The potential privacy breaches imposed by not deactivating RFID tags are severe.
Glasser et al. state:
There is consequently a fear that one could remotely scan a home, purse or car and
then construct an inventory of everything inside: videos, medications, fine jewelry,
etc. The person scanning could then identify the owner of the items and gain
personal information about him or her.48
Indeed it has been noted that the “use of RFID can potentially provide a plethora of
new information about individuals if not properly safeguarded”49. However, there
are some organisations that believe “RFID tags present no more of a threat to
privacy than cell phones, toll tags, credit cards, ATM machines, and access control
badges”50. To counter potential privacy breaches it has been suggested that
organisations should be made to “obtain written consent from an individual before
any personally identifiable information is acquired... obtain written consent before
RFID data is shared with a third party”51. Nabil et al. speculate that “privacy laws will
continue to change as society evolves and changes” and in the case of RFID the
legislation will not come soon enough52.
46 Ibid.
47 Niemelä, O. P. a. M. (2009). "Humans and emerging RFID Systems: Evaluating Data Protection law on the User scenario basis." International Journal of Technology and Human Interaction Volume 5(Issue 2): 85-95.
48 Glasser, Goodman, & Einspruch (2007) p. 103
49 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
50 AIM in Ibid
51 Glasser, Goodman, & Einspruch (2007) p. 103
52 Nabil Y. Razzouk, V. S., Maria Nicolaou (2008). "CONSUMER CONCERNS REGARDING RFID PRIVACY: AN EMPIRICAL STUDY." Journal of Global Business and Technology Volume 4(Number 1, Spring): 69-78.
Security Issues
Many of the privacy issues related to RFID are compounded by the addition of the
security risks associated with RFID implementations. By exploring the potential and
real-world RFID security issues a greater understanding of the possible risks
associated with RFID implementations can be established. The main security
concerns with RFID are: the cloning of RFID devices; the tampering with RFID devices;
and the cryptographic means to protect RFID devices.
As noted by Kaminsky, “the problem is that RFID technology, although good for
inventory tracking as a replacement for barcodes, is not well suited for security”53. This
proposition is demonstrated by the number of potential security issues
that exist in reference to RFID. It has, however, been stated that RFID security is only
relevant if the information stored on the tags is considered valuable54. Following on
from this security issue, “one solution is to limit the technology itself – by restricting
data stored in a chip to an ID number and storing all other data in a secure
database”55. Indeed, “technical difficulties have been reported with RFID including
tag collisions, tag failure, and tag detuning” with each of these issues causing
potential security risks in the use of RFID56.
Cloning RFID devices
One of the greatest improvements of RFID technologies over other forms of
technology is the ability to assign a unique identifier to every tag, thereby
instantly being able to uniquely identify an object or a person. However, this feature
is also seen as a potentially major security issue with RFID. The security issue arises
out of the fact that the physical presence of an RFID tag does not necessarily
correspond with the authorised user having possession of that tag. Hijacking or
cloning RFID tags poses a great risk when using RFID as a security mechanism. Ghai
gives a simple definition of RFID hacking:
53 Kaminsky in Ibid
54 Garretson, C. (2007). RFID holes create security concerns. Network World.
55 Glasser, Goodman, & Einspruch (2007) p. 107
56 Peslak, A. R. (2005). "An ethical exploration of privacy and radio frequency identification." Journal of Business Ethics 59(4): 327-345.
Similar to credit card or identity theft... card hacking refers to an imposter using
someone's personal identity information to obtain physical access to privileged areas
and information.57
Just as in other forms of identity theft, RFID hacking or cloning involves using someone
else's credentials to assume that person's identity,
except that with RFID cloning only the radio waves from the original tag are needed.
In this respect RFID cloning is much simpler than traditional forms of identity theft
which require much more information about, and from, the individual before the
assumed identity can be used.
Even though organisations are aware of this potential risk, many are still
implementing RFID as a security mechanism, in particular to replace other physical
access proximity card systems. Ibid details an example of this where a “...company
has long been aware that its proximity cards are vulnerable to hacking but does not
believe that the cards are... vulnerable”58.
The lack of concern from some organisations is in itself a potential security risk. The
cloning of RFID tags is not fictional; in fact, Roberts describes one system where the
integrity of the RFID tags had been compromised:
His RFID cloner was on display at the recent RSA Security Conference in San
Francisco, where he demonstrated for InfoWorld how the device could be used to
steal access codes from HID brand proximity cards, store them, then use the stolen
codes to fool a HID card reader.59
Two solutions to this security risk have been suggested: one is to use other forms of
protection alongside the physical possession of the RFID tags, such as PINs or
biometric means; the other is to employ a behavioural monitoring
57 Ghai, V. (2008). "An Automation ANSWER." Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/.
58 Roberts, P. F. (2007). "Battle brewing over RFID chip-hacking demo." InfoWorld. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chip-hacking.html
59 Roberts, P. F. (2007). "Battle brewing over RFID chip-hacking demo." InfoWorld. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chip-hacking.html
system that can lock down RFID tags if abuse is detected. Both solutions are
described by Ghai:
A system should be put in place to check current physical access permissions in real-
time across multiple points (picture identification, biometric data, cryptographic
keys, PIN) while simultaneously checking logical systems activity before allowing
access.
Taking a page from what credit card companies and banks are doing to fight credit/
debit card abuse, an automatic “fraud protection” system can watch for
uncharacteristic or unusually high card usage (swipes, etc.). Using pre-set, policy-
based rules, the system takes a rapid course of action when multiple card swipes are
noticed for one person, multiple swipes are detected from one card over a short
period of time across different locations or there are multiple rejects for one card.60
Broache and McCullagh agree with the inclusion of additional security mechanisms,
stating that many organisations “are also exploring using a card that would have to
be activated by the user, through a fingerprint or some other biometric method,
before any information could be read remotely”61.
Either of these suggestions would eliminate the ability for someone to clone an RFID
tag and be able to gain access to systems or premises as another person. However,
neither of these suggestions deals with the underlying security issue, which is the
weak cryptographic protection utilised by these RFID tags.
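The policy-based "fraud protection" rules Ghai describes can be expressed as a small sliding-window monitor over access-control events. The following is an added example, not code from the report or from any vendor; the thresholds, field names, rule names and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration; the report gives no thresholds.
WINDOW = timedelta(minutes=10)   # what counts as "a short period of time"
MAX_HOLDER_SWIPES = 4            # swipes per person per window
MAX_CARD_SITES = 1               # distinct sites per card per window
MAX_CARD_REJECTS = 2             # rejected swipes per card per window


@dataclass(frozen=True)
class Swipe:
    ts: datetime
    card_id: str
    holder: str
    site: str
    accepted: bool


class SwipeMonitor:
    """Applies the three policy rules to a time-ordered stream of swipes."""

    def __init__(self):
        self.by_card = defaultdict(deque)     # card_id -> swipes inside WINDOW
        self.by_holder = defaultdict(deque)   # holder  -> swipes inside WINDOW
        self.locked = set()                   # cards locked down pending review

    @staticmethod
    def _push(queue, swipe):
        queue.append(swipe)
        while swipe.ts - queue[0].ts > WINDOW:
            queue.popleft()

    def observe(self, swipe):
        """Return the rule names triggered by this swipe; lock the card if any fire."""
        if swipe.card_id in self.locked:
            return ["card_locked"]
        card_q = self.by_card[swipe.card_id]
        holder_q = self.by_holder[swipe.holder]
        self._push(card_q, swipe)
        self._push(holder_q, swipe)

        alerts = []
        if len(holder_q) > MAX_HOLDER_SWIPES:                 # many swipes, one person
            alerts.append("holder_high_usage")
        if len({s.site for s in card_q}) > MAX_CARD_SITES:    # one card, several sites
            alerts.append("card_multiple_sites")
        if sum(not s.accepted for s in card_q) > MAX_CARD_REJECTS:  # repeated rejects
            alerts.append("card_multiple_rejects")
        if alerts:
            self.locked.add(swipe.card_id)
        return alerts


T0 = datetime(2009, 8, 4, 9, 0, 0)


def minutes_after(m):
    return T0 + timedelta(minutes=m)


# Constructed sample events (not real log data), in time order.
SAMPLE_EVENTS = [
    Swipe(minutes_after(0), "C-1001", "alice", "HQ", True),
    Swipe(minutes_after(1), "C-2002", "bob", "HQ", False),
    Swipe(minutes_after(2), "C-2002", "bob", "HQ", False),
    Swipe(minutes_after(3), "C-1001", "alice", "Depot", True),   # second site in 3 min
    Swipe(minutes_after(4), "C-2002", "bob", "HQ", False),       # third reject
    Swipe(minutes_after(5), "C-1001", "alice", "HQ", True),      # card already locked
    Swipe(minutes_after(6), "C-3003", "carol", "HQ", True),
    Swipe(minutes_after(30), "C-3003", "carol", "Depot", True),  # outside the window
] + [Swipe(minutes_after(40 + i), "C-4004", "dave", "HQ", True) for i in range(5)]


def run(events):
    monitor = SwipeMonitor()
    results = [(e.card_id, monitor.observe(e)) for e in events]
    return results, monitor.locked


if __name__ == "__main__":
    for card, alerts in run(SAMPLE_EVENTS)[0]:
        print(card, alerts)
```
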
Tampering of data embedded in RFID devices
Another security risk associated with RFID tags is the ability to manipulate the data
stored on the tags, either by a third party who is cloning the tag or by the authorised
tag holder.
60 Ghai, V. (2008). "An Automation ANSWER." Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/.
61 Broache, A. and McCullagh, D. (2006). New RFID travel cards could pose privacy threat. CNET News.
As highlighted by Muir, “RFID is a wireless technology and is therefore subject to
third-party interception unless the signal is secured”62. This creates a scenario where
“Man-In-The-Middle” attacks are possible against RFID systems and tags. This risk is
further compounded “if the chip has a writable memory area, as many do, to data
tampering”63. Data tampering occurs when the integrity of the data stored on the
RFID tags is compromised. Generally this type of security risk is associated with RFID
tags that are used in financial transactions, such as RFID transport cards which store
amounts of money on the tag itself rather than in a centralised database.
One solution to card tampering is to store the RFID tags out of radio signal range to
eliminate the potential for the signal to be cloned or altered, for example via the use
of a Faraday cage.
A Faraday cage is a physical cover that assumes the form of a metal sheet or mesh
that is opaque to certain radio waves. Consumers can today purchase Faraday cages
in the form of wallets and slipcases to shield their RFID-enabled cards against
unwanted scanning.64
Again this solution is only a temporary one as it does not address the real security
risk facing the RFID tags and systems, that is, the weak cryptographic protection
utilised by RFID systems.
Cryptographic Functions
Probably the most detrimental security issue with RFID is the type of encryption
mechanisms in place within the RFID systems and tags. This issue is in part due to the
constraints in the RFID chips used in the tags. As stated by Schwartz, “chip limitations
make it difficult to incorporate sophisticated encryption algorithms”65. These
limitations have led to the previous two security issues: the cloning, and tampering
of RFID tags.
62 Muir, S. (2007). "RFID security concerns." Library Hi Tech 25(1): 95-107.
63 Newitz, A. (2006). The RFID Hacking Underground. Wired.
64 Heydt-Benjamin, T. S., D. V. Bailey, et al. (2008). "Vulnerabilities in first-generation RFID-enabled credit cards." Lecture notes in computer science 4886: 2.
65 Schwartz in Glasser, Goodman, & Einspruch (2007) p. 107
One cause of the use of weak cryptographic mechanisms in the RFID tags has been
surmised as poor foresight by the RFID system designers when initially implementing
cryptographic mechanisms. Kaminsky explains this situation by noting:
They [the organisations which build RFID systems] didn't want to change to a more
secure implementation because of backwards compatibility issues, and they had a
lot of sites that use these cards...66
Apart from the lack of, or inability to carry out, upgrades to cryptographic standards in
RFID systems, organisations which build RFID systems face another problem: many of
these organisations choose to use proprietary encryption standards instead of
well-recognised encryption standards. The organisations are thus assuming
that because their encryption standard is not publicised it will remain unbroken. This
philosophy goes against “Kerckhoffs’ Principle” which states “the cryptanalyst has
complete knowledge of the cipher (i.e. the decryption key is the only thing unknown
to the cryptanalyst)”67.
By keeping encryption standards proprietary, organisations are not allowing their
cryptosystems to be peer reviewed by cryptographic experts, and therefore the
standards chosen are often easily breakable. In the case studies below it will be
shown that this exact security issue has been encountered and overcome by hackers.
66 Kaminsky in Ibid.
67 Boyd (2009)
Case Studies
Through conducting a critical analysis of two real-world implementations of RFID
technology the potential privacy and security issues already discussed can be further
explained. Two different RFID systems have been chosen to be examined: the Mifare
Classic, which is used all around the world in transportation networks, including in
Queensland through Translink; and enhanced identification RFID systems, such as
ePassports.
Translink - Mifare Classic
Translink in conjunction with Queensland Transport have implemented the Mifare
Classic RFID system to facilitate a cashless ticketing system, where it is locally known
as the “Go” card. The Mifare Classic is an ISO 14443-A compliant RFID system which
was first launched overseas in 1995 (footnote 68). According to NXP, the creators of this system,
the Mifare Classic has to date sold more than 1 billion cards, equating to “more than
70% of the contactless smart card market”69. The Mifare Classic RFID system has
been deployed in countries such as Korea, China, the United Kingdom, and now
Australia70.
Garcia describes the Mifare Classic tags as more advanced than traditional RFID tags:
Such cards contain a slightly more powerful IC than classical RFID chips (developed
for identification only), equipping them with modest computational power and
making them suitable for applications beyond identification, such as access control
and ticketing systems.71
The inclusion of an integrated circuit (IC) means that the Mifare Classic tags are
actually “active” RFID tags, being able to contain more information than just a
68 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
69 Ibid.
70 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
71 Garcia, F. D., P. van Rossum, et al. (2009). Wirelessly Pickpocketing a Mifare Classic Card.
unique serial number. However this increased ability to store more information is
also a reason why it is a greater security risk than traditional passive RFID tags.
Due to its market share the Mifare Classic has come under increasing scrutiny over
the security mechanisms that are in place to protect the data stored on these RFID
tags. Such market dominance has brought the Mifare Classic to the
attention of hackers. Successful attacks on the Mifare Classic date back as far as
2007, when it was demonstrated that the RFID tags could be cloned; this was well
before the Mifare Classic system was deployed in Queensland72. Security issues are
not the only problem facing this RFID system, as the Mifare Classic is also subject to
privacy concerns.
Privacy Issues
The most prevalent privacy issue facing the Mifare Classic RFID system is in the
potential tracking of passengers. Each RFID tag in the “Go” card implementation of
the Mifare Classic system contains a Global Unique Identifier (GUID), or a serial
number of the card. This GUID is used to register the card and to track the journeys
undertaken on the card.
There are two types of “Go” card, registered and unregistered. Anyone may
purchase a “Go” card, which comes as an unregistered card containing no personally
identifiable information about the card holder. By registering the “Go” card Translink
claims that the user is more “protected” in case their card is stolen or lost by
allowing the balance of the card to be transferred to a new card and by blocking the
GUID of the old card73. This may indeed be the case if you get your “Go” card stolen,
but this “protection” comes at a high cost to the users' privacy. Other incentives to
register “Go” cards include the ability to manage the cards online, including
topping-up credit and accessing the journey history.
In order to register a “Go” card a user must provide Translink with additional
personally identifiable information including: name, address, phone numbers, bank
72 Diodati (2008)
73 Translink (2008)
account details, and credit card numbers74. This sounds more like a customer
database for a retail chain than a transportation system. This information is stored
on a database maintained by Translink, and it must be stated that even once
registered, “your physical smart card will not hold any personal information”75.
Although Translink's privacy policy complies with the Information Privacy Act 2009, there
is no immediate explanation why this information is necessary.
This requirement for additional information is surplus to the functioning of the
system and just facilitates the development of a massive customer database which
can then be sold off to third-parties. In fact, Translink states that the information
supplied by the customers can be provided to third parties as approved by Translink
as long as they comply with Translink’s privacy policy: “where personal information
is shared with other parties, requiring those parties to comply strictly with our
privacy requirements”76. This may be fine in theory, but no organisation has the
ability to monitor the use of personal information once it has been disclosed outside
of their control. It also raises the question of which third parties Translink is able
to share the personal information from its customer database with. According to their
privacy policy these include: financial institutions; service providers such as call
centres; and research organisations77. The last two are some of the worst offenders
when it comes to the abuse of personal information.
The ability to track passengers in the “Go” card system is facilitated by the
requirement for passengers to swipe on at the beginning of their journey and swipe
off again at the conclusion of their journey78. This journey information is stored by
the RFID system and can be accessed by “authorised” users, including the registered
card holder, or for that matter anyone in physical possession of that card, and
people who have access to the secure database maintained by Translink. The ability
to track and monitor passengers raises many privacy concerns, and storage of this
information is in turn a major security issue.
74 Translink (2009) Go Privacy Policy
75 Ibid
76 Ibid
77 Ibid
78 Translink (2008)
Security Issues
As stated previously, the Mifare Classic is based on ISO 14443-A:
...the Mifare Classic complies with parts 1 to 3 of the ISO standard 14443-A,
specifying the physical characteristics, the radio frequency interface, and the anti-
collision protocol. The Mifare Classic does not implement part 4 of the standard,
describing the transmission protocol, but instead uses its own secure communication
layer. In this layer, the Mifare Classic uses the proprietary stream cipher CRYPTO1 to
provide data confidentiality and mutual authentication between card and reader.79
The inclusion of a proprietary encryption algorithm is the first security issue evident
in the Mifare Classic RFID system. By ignoring Kerckhoffs’ Principle the designers
were tempting fate, and eventually the cipher was broken. Put bluntly
by de Koning Gans and Verdult, “the Mifare system relied on security by obscurity and
now the secrets are revealed there is no card-level security left”80. The
authentication system used by the Mifare Classic can be seen in the diagrams below.
Diagram 1 - Authentication Protocol 81
79 Garcia, van Rossum, Verdult, & Schreur (2009)
80 Gerhard de Koning Gans and R. Verdult. (2007). "Proxmark." Retrieved 04/08/2009, from http://www.proxmark.org/proxmark.
81 Garcia, van Rossum, Verdult, & Schreur (2009)
Diagram 2- Mifare Classic Protocol 82
Through numerous attempts the Crypto-1 cipher was finally reverse-engineered, and
“the heart of the cipher is a 48-bit linear feedback shift register and a filter function”83
(as depicted in diagram 3).
This cipher consists of a 48-bit linear feedback shift register (LFSR) with generating
polynomial $x^{48} + x^{43} + x^{39} + x^{38} + x^{36} + x^{34} + x^{33} + x^{31} + x^{29} + x^{24} + x^{23} + x^{21} + x^{19} + x^{13} + x^{9} + x^{7} + x^{6} + x^{5} + 1$
and a non-linear filter function f.84
82 Courtois, N. T. (2009). Differential Attack on MiFare Classic or How to Steal Train Passes and Break into Buildings Worldwide…. Eurocrypt 2009 Rump Session, University College London.
83 Dayal, G. (2008). "How they hacked it: The MiFare RFID crack explained A look at the research behind the chip compromise." Retrieved 02/08/2009, from http://www.computerworld.com/s/article/9069558/How_they_hacked_it_The_MiFare_RFID_crack_explained?pageNumber=1.
84 Garcia, van Rossum, Verdult, & Schreur (2009)
Diagram 3 - Structure of CRYPTO1 Algorithm85
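To make the quoted generating polynomial concrete, the added example below (not code from the report or from the cited papers) turns its exponents into feedback taps and clocks the 48-bit register, then checks that the register update is linear over GF(2), which is why the filter function f has to supply all of the cipher's non-linearity. The bit indexing is an assumed convention, and f is left out because the report does not define it.

```python
import random

# Exponents of the generating polynomial quoted above.
EXPONENTS = [48, 43, 39, 38, 36, 34, 33, 31, 29, 24, 23, 21, 19, 13, 9, 7, 6, 5, 0]
WIDTH = 48

# Assumed indexing: state bit i holds x_i, x_0 is shifted out on each step, and the
# term x^e taps bit (48 - e). The constant term 1 stands for the new bit itself.
TAPS = sorted(WIDTH - e for e in EXPONENTS if e != 0)
TAP_MASK = sum(1 << t for t in TAPS)


def feedback(state):
    """XOR (parity) of the tapped state bits."""
    return bin(state & TAP_MASK).count("1") & 1


def step(state):
    """Clock once: drop x_0 and insert the feedback bit as the new x_47."""
    return (state >> 1) | (feedback(state) << (WIDTH - 1))


def clock(state, n):
    """Clock the register n times."""
    for _ in range(n):
        state = step(state)
    return state


def linearity_holds(trials=200, steps=96, seed=2009):
    """Check clock(a ^ b) == clock(a) ^ clock(b) on pseudo-random 48-bit states."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        if clock(a ^ b, steps) != clock(a, steps) ^ clock(b, steps):
            return False
    return True


if __name__ == "__main__":
    print("taps:", TAPS)
    print("update is linear:", linearity_holds())
```
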
Armed with this information, attacks against the Mifare Classic began to emerge. In
fact there are numerous methods available to recover the encryption key from a
Mifare Classic tag, one of which utilises a side-channel attack. Garcia notes that
the Mifare Classic mixes the data link layer and the secure communication layer of
the RFID tag, which results in the parity bits being computed over the plaintext during the
transmission of data86. Garcia states:
During the authentication protocol, if the reader sends wrong parity bits, the card
stops communicating. However, if the reader sends correct parity bits, but wrong
authentication data, the card responds with an (encrypted) error code. This breaks
the confidentiality of the cipher, enabling an attacker to establish a side channel.87
Another method exists where the attacker uses a constant challenge and varies only
the challenge of the tag, “ultimately obtaining a special internal state of the
cipher”88. The issue with this method is that the special states have to be
precomputed, which means that the attack is not as portable as some other
methods89.
The Digital Security Group of the Radboud University Nijmegen (DSG), who assisted
in originally reverse-engineering the Crypto-1 cipher, have also devised a method that
requires a small amount of data to be collected from a genuine Mifare reader.
According to the DSG:
85 Garcia, van Rossum, Verdult, & Schreur (2009)
86 Ibid
87 Ibid
88 Ibid
89 Ibid
With this data we can compute, off-line, the secret key within a second. There is no
precomputation required, and only a small amount of RAM. Moreover, when one has
intercepted a "trace" of the communication between a card and a reader, we can
compute all the cryptographic keys from this single trace, and decrypt it.90
These methods do not require advanced hardware and can be conducted
for less than a few hundred dollars, which poses a real security threat to any systems
based on the Mifare Classic. “With minimal effort, hackers are proving that it is
possible for these cards to be cracked, copied and used to impersonate someone
else's identity...”91.
Before Queensland Transport implemented the Mifare Classic RFID system they had
been made well aware of the security breaches in the underlying infrastructure:
“Translink is aware of the testing academics in Europe have undertaken on the
Mifare smart card...”92. The group which originally cracked the cipher stated that
“Queensland's “Go” card system was already obsolete” because the card's security
encryption had already been cracked93. Translink's response to this threat was very
dismissive, claiming that:
Translink's Go card system uses multiple layers of security and these academics have
only demonstrated an ability to gain access to one of these layers. Translink also has
in place systems to detect and reject smart cards that may have been manipulated
fraudulently.94
In fact NXP, the creator of the Mifare Classic RFID system, have since moved to a
new standard incorporating AES encryption algorithms to address this security
vulnerability95.
90 Digital Security Group of the Radboud University Nijmegen. (2008). "Security Flaw in Mifare Classic." Retrieved 04/08/2009, from http://www.ru.nl/ds/research/rfid/.
91 Ghai (2008)
92 Casey, S. (2008). Go cards 'doomed' over security.
93 Ibid
94 Ibid
95 NXP, S. (2009). "Mifare Classic - More Information." Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863].
Other methods to address this security issue, as suggested by Garcia, would be for
the system integrators to “diversify all keys in the card; or cryptographically bind the
contents of the card to the GUID, for instance by including a MAC”96. Another way to
protect one's “Go” card would be to “keep it inside an RFID blocker that emits
spurious signals to confuse RFID scanners, a form of electronic warfare against
snoopers”97.
In the case of Translink's “Go” card the biggest threat would be the cloning of a card, in
particular one which has just been recharged with a large amount of money: a
hacker could keep a cloned copy of the tag and re-use the same clone whenever
he/she ran out of money on their card.
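Garcia's two suggestions, diversifying keys per card and binding the card contents to the GUID with a MAC, can be sketched together with the back-end check needed for the replay case just described. This is an added example, not Translink's or NXP's implementation; the record layout, key sizes, the HMAC-SHA-256 construction, the back-end counter and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

UID_LEN = 4   # assumed fixed-length card identifier (the GUID in the report)
MAC_LEN = 8   # assumed truncated tag length, sized for a small card block
RECORD = struct.Struct(">IH")   # assumed layout: balance in cents, transaction counter


def diversify_key(master_key: bytes, uid: bytes, purpose: bytes) -> bytes:
    """Derive a per-card key, so extracting one card's key exposes no other card."""
    if len(uid) != UID_LEN:
        raise ValueError("unexpected UID length")
    return hmac.new(master_key, b"card-key|" + purpose + b"|" + uid, hashlib.sha256).digest()


def compute_tag(master_key: bytes, uid: bytes, record: bytes) -> bytes:
    """MAC over UID || record, keyed with this card's diversified key."""
    mac_key = diversify_key(master_key, uid, b"mac")
    return hmac.new(mac_key, uid + record, hashlib.sha256).digest()[:MAC_LEN]


def seal(master_key: bytes, uid: bytes, balance_cents: int, counter: int) -> bytes:
    """Build the bytes written to the card: record followed by its MAC."""
    record = RECORD.pack(balance_cents, counter)
    return record + compute_tag(master_key, uid, record)


def verify(master_key: bytes, uid: bytes, blob: bytes) -> bool:
    """True only if the blob was sealed for this UID and has not been altered."""
    if len(blob) != RECORD.size + MAC_LEN:
        return False
    record, tag = blob[:RECORD.size], blob[RECORD.size:]
    return hmac.compare_digest(tag, compute_tag(master_key, uid, record))


class Backend:
    """Assumed central check: the MAC alone cannot tell a stale image from a fresh one."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_counter = {}   # uid -> highest transaction counter seen

    def accept(self, uid: bytes, blob: bytes) -> bool:
        if not verify(self.master_key, uid, blob):
            return False
        _, counter = RECORD.unpack(blob[:RECORD.size])
        if counter < self.last_counter.get(uid, 0):
            return False         # older image restored onto the card
        self.last_counter[uid] = counter
        return True


# Constructed sample values (not real keys or card identifiers).
MASTER_KEY = bytes(range(32))
UID_A = bytes.fromhex("04a1b2c3")
UID_B = bytes.fromhex("04d4e5f6")

if __name__ == "__main__":
    image = seal(MASTER_KEY, UID_A, 5000, 7)
    print("genuine card:", verify(MASTER_KEY, UID_A, image))
    print("copied to another UID:", verify(MASTER_KEY, UID_B, image))
```

A stale but genuine image written back to the same card still passes `verify`; only the back-end counter comparison in `Backend.accept` rejects it, so the MAC has to be paired with central state.
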
Another potential security issue with Translink's “Go” card system relates to the card
registration process. Currently the registration form and login page use the GUID of
the card as the username, because it is a unique identifier; however if a user forgets
their password for their account they will be prompted with a security question in
order to verify their identity. This security question cannot be manually changed and
it has to be one of three default questions offered by Translink in their registration
process (as seen in Diagram 5). This poses a security risk as it limits the possibilities,
and the answers to two of the questions (maiden name and the city you were born
in) can be located through public databases.
96 Garcia, van Rossum, Verdult, & Schreur (2009)
97 Gualtieri, D. M. (2004). Technology's Assault on Privacy. Phi Kappa Phi Forum.
Diagram 5 – Security Question from Registration Form98
Security question (please answer one of the following security question for identification purposes) (Required)
Your mother's maiden name
Name of your first pet
City or town where you were born
Answer:
98 Translink (2009) https://forms.translink.com.au/go_registration.php
Case Studies
US/AUS Enhanced Identification
As technology advances it brings with it more secure methods of hindering the
counterfeiting of identification. This too can be said of RFID technologies. Many
governments around the world are now issuing these “enhanced identification”
documents which are embedded with RFID tags to assist in correctly processing
identities and speed up queues at airports99. Both Australia and the United States of
America (US) have introduced ePassports which are designed to facilitate this goal.
Fontana describes the US ePassport as:
...a contact-less smartcard with a secure microprocessor that employs a passive
radio frequency to transmit data over an encrypted wireless link to a reader.100
The passive nature of the RFID tag is to ensure that the tags cannot be “skimmed”
(read) from a distance and require the proper reader to power the chip101.
As well as standard encryption techniques being used in the RFID tags embedded in
ePassports, these documents contain a technology called Basic Access Control (BAC).
This technology utilises digital signatures to ensure that only proper readers can
access the personally identifiable data stored on the chip as well as ensuring integrity
of the data102. The Australian Department of Foreign Affairs and Trade (DFAT)
explains the process of BAC as follows:
...Basic Access Control (BAC) to prevent the chip from being accessed until the
Machine Readable Zone (MRZ) on the data page has been read. In addition, the new
series incorporates Active Authentication (AA) which offers an additional level of
99 Department of Foreign Affairs and Trade. (2009). "The Australian ePassport." from http://www.dfat.gov.au/dept/passports/.
100 Fontana, J. (2006). Storm building over RFID-enabled passports [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2006/092106-rfid-passports.html
101 Ibid
102 Ibid
confidence to passport holders that their personal details contained on the chip are
secure and protected.103
Privacy Issues
Unlike the previous case study where personally identifiable information was not
stored on the RFID tags, ePassports contain all the users' personally identifiable
information stored on the RFID chip. Therefore storage of this information can be
deemed as a potential privacy issue. Before the final design of the US ePassport was
decided upon it was suggested that the ePassports only contain an RFID embedded
with a GUID that links it to a secure database containing the users' personal
information104.
Unfortunately this idea was not accepted and instead all of the users' personal
information is stored on the device, “a unique ID number along with a name,
address, date and place of birth and digital photo”105.
There is no research to date indicating that the digital signature used to protect the
personal information on the ePassports, either here in Australia or in the US, has
been broken. However, it has been demonstrated that it is possible to skim the GUID
of ePassports. This poses a serious privacy issue:
...It may be possible to determine the nationality of a passport holder by
"fingerprinting" the characteristics of the RFID chip... Taken to an extreme, this could
make it possible to craft explosives that detonate only when someone from the US is
nearby...106
Mahaffey agrees, noting that although the actual data on the chip can't be read, "the
simple ability for an attacker to know that someone is carrying a passport is a
dangerous security breach"107. One suggested method for overcoming the privacy
103 Department of Foreign Affairs and Trade, 2009
104 Glasser, Goodman, & Einspruch (2007) p. 104
105 Ibid
106 Evers, J., & McCullagh, D. (2006). Researchers: E-passports pose security risk [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/Researchers-E-passports-pose-security-risk/2100-7349_3-6102608.html
107 In Ibid
issue related to carrying ePassports is “hitting the chip with a blunt, hard object to
disable it. A nonworking RFID doesn’t invalidate the passport, so you can still use
it”108.
Security Issues
The security of the ePassport RFID tags in the United Kingdom was broken back in
2007, which resulted in the ability to read and copy the personally identifiable
information stored on the tag109. This is a major security breach, however the digital
signatures and encryption of the US and Australian ePassports have yet to be
broken. Also, in Germany Grunwald demonstrated in 2006 that he could clone the
RFID chip from his passport and write it to another RFID tag110. The data stored on
the RFID chip could not be altered, just copied, which could possibly be used in a
forged passport, although the holder of the passport would need to physically
resemble the owner of the original ePassport for this forgery to succeed.
Security researchers have not, however, figured out how to alter the personal
information, which is protected with a digital signature designed to enable
unauthorized changes to be detected. Creating a fake passport therefore would be
most useful to anyone who can forge the physical document and resembles the
actual passport holder.111
Another security feature of the US ePassports is the fact that they contain
anti-skimming material on the front cover “which greatly complicates the capture of data
when the book is fully or mostly closed”112.
State Department officials claim that a layer of metallic anti-skimming material in
the front cover and spine of the book can prevent information from being read from
a distance, provided that the book is fully closed113.
108 Wortham, J. (2007). How To: Disable Your Passport's RFID Chip. Wired.
109 Garretson, C. (2007). RFID holes create security concerns. Network World.
110 Evers, J. and D. McCullagh (2006). Researchers: E-passports pose security risk. CNET News.
111 Broache, A. and McCullagh, D. (2006). New RFID travel cards could pose privacy threat. CNET News.
112 Ibid
A major security issue has been highlighted by Fontana:
...many security experts are still questioning whether e-passports, which have a
10-year life span, have enough security built in to survive a decade of hackers and
technology advancements while protecting e-passports users from data theft,
identity theft and other security and privacy intrusions.114
This is an important point as many countries’ ePassports to date have had their
encryption standards broken already. A possible solution to this scenario is to update
the encryption standard used in ePassports whenever a security breach is identified,
however, this method is costly as replacing all current passports would pose a huge
financial burden. It is much more likely that any identified breaches in security would
be kept from the public for as long as possible to deter a potential backlash.
113 Ibid
114 Fontana, J. (2006). Storm building over RFID-enabled passports. Network World.
Conclusion
It is clear that RFID systems are here to stay, at least in the foreseeable future,
however as this report has highlighted there are many potential privacy and security
concerns facing these systems. Any organisation contemplating implementing an
RFID system should first identify the real business need. If personally
identifiable information does not need to be stored on the RFID tags then it should
not be included, as it could present an attractive reason for hackers to attempt to
breach the RFID system.
The security standards of these systems must be robust, and if possible, upgradeable
if the need presents itself. It is unacceptable for any organisation implementing such
an RFID system to rely solely on the anonymity of the encryption cipher to act as the
RFID tags' only safeguard. Such archaic thinking will only result in breaches of
security, and probably privacy as well, and be the reason that the RFID system needs
upgrading sooner rather than later. As highlighted by the ePassport example, a
10-year lifespan may be detrimental to the integrity of the RFID security mechanisms in
place. These considerations need to be made and all associated risks need to be
discussed if an organisation is considering deploying an RFID system, whether it’s for
retail or other purposes.
Reference List
Anonymous. (2004). RFID: good or bad. International Journal of Productivity and Performance Management, 53(5/6).
Anonymous. (2005). Tiny Trackers: protecting privacy in an RFID world. Newsletter on Intellectual Freedom(November).
Boyd, C. (2009). Lecture 2: Historical Ciphers (Part 1). INB355/INN355, School of Information Technology, Queensland University of Technology.
Broache, A. (2006). RFID passports arrive for Americans [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/RFID-passports-arrive-for-Americans/2100-1028_3-6105534.html
Broache, A., & McCullagh, D. (2006). New RFID travel cards could pose privacy threat [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/New-RFID-travel-cards-could-pose-privacy-threat/2100-1028_3-6062574.html
Cardullo, M. (2005). Genesis of the versatile RFID tag. RFID Journal, 2(1), 13–15.
Casey, S. (2008). Go cards 'doomed' over security [Electronic Version]. Retrieved 02/08/2009, from http://www.brisbanetimes.com.au/news/queensland/go-cards-doomed-over-security/2008/04/11/1207856789056.html
Courtois, N. T. (2009). Differential Attack on MiFare Classic or How to Steal Train Passes and Break into Buildings Worldwide…. Paper presented at the Eurocrypt 2009 Rump Session.
Dayal, G. (2008). How they hacked it: The MiFare RFID crack explained A look at the research behind the chip compromise. Retrieved 02/08/2009, from http://www.computerworld.com/s/article/9069558/How_they_hacked_it_The_MiFare_RFID_crack_explained?pageNumber=1
Department of Foreign Affairs and Trade. (2009). The Australian ePassport. from http://www.dfat.gov.au/dept/passports/
Digital Security Group of the Radboud University Nijmegen. (2008). Security Flaw in Mifare Classic. Retrieved 04/08/2009, from http://www.ru.nl/ds/research/rfid/
Diodati, M. (2008). The MIFARE Classic Card is Hacked [Electronic Version]. Retrieved 04/08/2009, from http://identityblog.burtongroup.com/bgidps/2008/03/the-mifare-clas.html
Doggs, A. (2008). RFID SmartCard encryption cracked by researchers [Electronic Version]. Retrieved 04/08/2009, from http://www.networkworld.com/community/node/25754
Evers, J., & McCullagh, D. (2006). Researchers: E-passports pose security risk [Electronic Version]. CNET News. Retrieved 04/08/2009, from http://news.cnet.com/Researchers-E-passports-pose-security-risk/2100-7349_3-6102608.html
Fontana, J. (2006). Storm building over RFID-enabled passports [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2006/092106-rfid-passports.html
Garcia, F. D., van Rossum, P., Verdult, R., & Schreur, R. W. (2009). Wirelessly Pickpocketing a Mifare Classic Card.
Garretson, C. (2007). RFID holes create security concerns [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/032207-rfid-security.html
Gerhard de Koning Gans, & Verdult, R. (2007). Proxmark. Retrieved 04/08/2009, from http://www.proxmark.org/proxmark
Ghai, V. (2008). An Automation ANSWER. Retrieved 04/08/2009, from http://govtsecurity.com/federal_homeland_security/mirfare_classic_card_hacked/
Glasser, D. J., Goodman, K. W., & Einspruch, N. G. (2007). Chips, tags and scanners: Ethical challenges for radio frequency identification. Ethics and Information Technology, 9(2), 101-109.
Granneman, S. (2003). RFID Chips Are Here [Electronic Version]. Retrieved 04/08/2009, from http://www.securityfocus.com/columnists/169
Gualtieri, D. M. (2004). Technology's Assault on Privacy. Paper presented at the Phi Kappa Phi Forum.
Günther, O., & Spiekermann, S. (2005). RFID and the perception of control: the consumer's view.
Heydt-Benjamin, T. S., Bailey, D. V., Fu, K., Juels, A., & O'Hare, T. (2008). Vulnerabilities in first-generation RFID-enabled credit cards. Lecture Notes in Computer Science, 4886, 2.
Kearns, D. (2009). Verayo claims its RFID is unclonable [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/newsletters/dir/2009/010509id2.html
Kelly, E. P., & Erickson, G. S. (2005). RFID tags: commercial applications v. privacy rights. Industrial Management and Data Systems, 105(6), 703.
Krim, J. (2005). U.S. Passports to Receive Electronic Identification Chips [Electronic Version]. Washington Post. Retrieved 04/08/2009, from http://www.washingtonpost.com/wp-dyn/content/article/2005/10/25/AR2005102501624.html
Landt, J., & Catlin, B. (2001). Shrouds of Time: The history of RFID. Pittsburgh, PA, AIM Global.
Lawson, S. (2008). Researchers find problems with RFID passport cards [Electronic Version]. IDG News Service. Retrieved 04/08/2009, from http://www.networkworld.com/news/2008/102408-researchers-find-problems-with-rfid.html?hpg1=bn
McGinity, M. (2004). Staying connected: RFID: is this game of tag fair play? Communications of the ACM, 47(1), 15-18.
Messmer, E. (2007). Plan to use RFID in border control draws fire [Electronic Version]. Network World. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/090707-dhs.html?fsrc=rss-security
Muir, S. (2007). RFID security concerns. Library Hi Tech, 25(1), 95-107.
Nabil Y. Razzouk, V. S., Maria Nicolaou. (2008). Consumer concerns regarding RFID privacy: An empirical study. Journal of Global Business and Technology, 4(1), 69-78.
Naone, E. (2009). RFID's Security Problem. Technology Review, 112(1).
Neumann, P. G., & Weinstein, L. (2006). Risks of RFID. Communications of the ACM, 49(5).
Newitz, A. (2006). The RFID Hacking Underground [Electronic Version]. Wired. Retrieved 04/08/2009, from http://www.wired.com/wired/archive/14.05/rfid.html
Niemelä, O. P. a. M. (2009). Humans and emerging RFID Systems: Evaluating Data Protection law on the User scenario basis. International Journal of Technology and Human Interaction, 5(2), 85-95.
NXP, S. (2009). Mifare Classic - More Information. Retrieved 04/08/2009, from http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863]
Ohkubo, M., Suzuki, K., & Kinoshita, S. (2005). RFID privacy issues and technical challenges. Communications of the ACM, 48(9), 66-71.
Peslak, A. R. (2005). An ethical exploration of privacy and radio frequency identification. Journal of Business Ethics, 59(4), 327-345.
Roberti, M. (2004). Tag Cost and ROI [Electronic Version]. RFID Journal. Retrieved 02/08/2009, from http://www.rfidjournal.com/article/articleview/796/
Roberts, P. F. (2007). Battle brewing over RFID chip-hacking demo. InfoWorld. Retrieved 04/08/2009, from http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chip-hacking.html
Spiekermann, S. (2008). RFID and privacy: what consumers really want and fear. Personal and Ubiquitous Computing, 1-12.
Tucker, P. (2006). Fun with Surveillance. Futurist, 40.
van Deursen, T., & Radomirovic, S. (2008). Security of RFID Protocols–A Case Study.
Westhues, J. (2003). Proximity Cards. Retrieved 04/08/2009, from http://cq.cx/prox.pl
Westhues, J. (2006). Demo: Cloning a Verichip. Retrieved 04/08/2009, from http://cq.cx/verichip.pl
Wortham, J. (2007). How To: Disable Your Passport's RFID Chip [Electronic Version]. Wired. Retrieved 02/08/2009, from http://www.wired.com/wired/archive/15.01/start.html?pg=9