Transcript of Slides

Page 1: Slides

RFID Middleware

Vlad Krotov, University of Houston

Bauer College of Business, Summer 2006

Source: Forrester, 2004; www.rfidvirus.org

Page 2: Slides

Definition

• Middleware – software that connects two disparate applications, allowing them to communicate with each other and to exchange data (Laudon & Laudon, 2002)

Page 3: Slides

Underlying Drivers of RFID Middleware

• Standards

• Integration

Page 4: Slides

EPCglobal Network

• The EPCglobal Network is a set of global technical standards aimed at enabling automatic and instant identification of items in the supply chain and sharing the information throughout the supply chain

• The EPCglobal Network™ consists of five fundamental elements:
– ID System (EPC tags and readers)
– Electronic Product Code (EPC)
– Object Name Service (ONS)
– Physical Markup Language (PML)
– Savant

Page 5: Slides

Savant

• Savant is middleware developed by the Auto-ID Center to sit between RFID readers and back-end databases

• Savant sits between tag readers and enterprise applications in order to manage the vast amount of information retrieved from the tags

• Savant manages and moves information in a way that does not overload existing networks

• Savant has a hierarchical architecture that directs the flow of data by gathering, storing, and acting on information and communicating with other Savants

• In a Savant system, lower-level Savants process, filter and direct information to the higher-level ones, so the massive flow of information, and the network traffic it would otherwise generate, is reduced

Page 6: Slides
Page 7: Slides
Page 8: Slides

Types of RFID Vendors

• RFID Pure Plays – offer products that integrate with RFID readers, filter and aggregate data, and may incorporate some business rules
– ConnecTerra
– GlobeRanger
– OATSystems
– RF Code

Page 9: Slides

Types of RFID Vendors

• Application Vendors – offer software ranging from RFID-enabled applications for warehouse and asset management to more robust RFID middleware solutions for reader coordination, data filtering, and business logic capabilities
– Provia Software
– Manhattan Associates
– RedPrairie
– SAP

Page 10: Slides

Types of RFID Vendors

• Platform Giants – extend their existing platforms and middleware to accommodate RFID
– Sun Microsystems
– IBM
– Oracle
– Microsoft

Page 11: Slides

Types of RFID Vendors

• Integration Specialists – similar to platform giants, integration specialists are adding RFID features like reader coordination and edge-tier filtering to their existing integration technology
– webMethods
– TIBCO
– Ascential Software

Page 12: Slides

Middleware Functionality

• Reader and device management. RFID middleware should allow users to configure, monitor, deploy, and issue commands directly to readers through a common interface.

• Data management. Once RFID middleware captures EPC data from readers, it must be able to intelligently filter and route it to the appropriate destinations. This capability should include both low-level logic like filtering out duplicate reads and more complex algorithms like content-based routing.
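The two filtering jobs named here, dropping repeat reads and routing by content, are also what the lower-level Savants on page 5 do before anything reaches the enterprise tier. The following is an added example, not code from the slides or from any vendor listed on them. It assumes the EPC pure-identity URN form (urn:epc:id:sgtin:CompanyPrefix.ItemRef.Serial), a hypothetical routing table keyed on GS1 company prefix, made-up reader reports, and a two-second suppression window; it also validates the tag data before routing it, because the threat slides later on this page show what happens when raw tag contents flow straight through.

```python
from collections import defaultdict

# Constructed sample reader reports (timestamp in seconds, reader id, EPC URN);
# these are made-up values, not captures from any real installation.
READS = [
    (0.00, "dock-A-1", "urn:epc:id:sgtin:0614141.107346.2017"),
    (0.25, "dock-A-1", "urn:epc:id:sgtin:0614141.107346.2017"),  # same tag, same reader
    (0.40, "dock-A-2", "urn:epc:id:sgtin:0614141.107346.2017"),  # same tag, second antenna
    (1.10, "dock-A-1", "urn:epc:id:sgtin:0614141.107346.2018"),
    (3.50, "dock-A-1", "urn:epc:id:sgtin:0614141.107346.2017"),  # window expired: new event
    (3.60, "dock-B-1", "urn:epc:id:sgtin:0037000.065432.5"),
    (3.70, "dock-B-1", "urn:epc:id:sgtin:0614141.abc.1"),        # malformed: rejected
]

# Routing table: GS1 company prefix -> destination queue. Hypothetical names.
ROUTES = {"0614141": "wms-inbound", "0037000": "partner-vmi"}


def parse_sgtin(urn):
    """Split a pure-identity SGTIN URN into (company_prefix, item_ref, serial).

    Returns None for anything not well-formed, so arbitrary tag contents never
    reach the routing logic or the back end dressed up as an 'EPC'.
    """
    prefix = "urn:epc:id:sgtin:"
    if not urn.startswith(prefix):
        return None
    parts = urn[len(prefix):].split(".")
    if len(parts) != 3 or not all(parts):
        return None
    company, item, serial = parts
    if not (company.isdigit() and item.isdigit()):
        return None
    return company, item, serial


class EdgeFilter:
    """Lower-tier ('edge') logic: suppress repeat reads, route by company prefix."""

    def __init__(self, window_s, routes, default_dest="unroutable"):
        self.window_s = window_s
        self.routes = routes
        self.default_dest = default_dest
        self.last_emitted = {}          # epc -> time of the last forwarded event
        self.out = defaultdict(list)    # destination -> forwarded events
        self.rejected = []              # (reader, raw tag data) that failed validation

    def process(self, t, reader, epc):
        """Return the destination the read was forwarded to, or None if dropped."""
        fields = parse_sgtin(epc)
        if fields is None:
            self.rejected.append((reader, epc))
            return None
        last = self.last_emitted.get(epc)
        if last is not None and t - last < self.window_s:
            return None                 # duplicate read inside the window: drop
        self.last_emitted[epc] = t
        dest = self.routes.get(fields[0], self.default_dest)
        self.out[dest].append({"t": t, "reader": reader, "epc": epc})
        return dest


def run(reads=READS, window_s=2.0, routes=ROUTES):
    """Feed the sample reads through the filter; return (per-destination counts, rejected count)."""
    f = EdgeFilter(window_s, routes)
    for t, reader, epc in reads:
        f.process(t, reader, epc)
    return {dest: len(events) for dest, events in f.out.items()}, len(f.rejected)


if __name__ == "__main__":
    print(run())
```

Seven raw reads collapse to four forwarded events: the three reads of tag 2017 inside the first window become one, the read at 3.5 s is far enough from the last forwarded one to count as a new sighting, and the malformed tag is logged rather than routed. A real Savant-style tier would also aggregate across readers and persist state, but the suppression-window and validate-then-route structure is the same.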

Page 13: Slides

Middleware Functionality

• Application integration. RFID middleware solutions should provide the messaging, routing, and connectivity features required to reliably integrate RFID data into existing SCM, ERP, WMS, or CRM systems.

• Partner integration. Some of the most promising benefits of RFID will come from sharing RFID data with partners to improve collaborative processes like demand forecasting and vendor-managed inventory.

Page 14: Slides

Middleware Functionality

• Process management and application development. Instead of just routing RFID data to business applications, sophisticated RFID middleware platforms will actually orchestrate RFID-related end-to-end processes that touch multiple applications and/or enterprises, like inventory replenishment. Key process management and composite application development features include workflow, role management, process automation, and UI development tools.

Page 15: Slides

Middleware Functionality

• Packaged RFID content. RFID middleware platforms that include packaged routing logic, product data schemas, and integration with typical RFID-related applications and processes like shipping, receiving, and asset tracking are major assets.

• Architecture scalability and administration. This means that RFID middleware platforms must include features for dynamically balancing processing loads across multiple servers and automatically rerouting data upon server failure. These features should span all tiers of the architecture — even the edge devices

Page 16: Slides
Page 17: Slides

Single-Tier RFID Middleware Architecture

Page 18: Slides

Multitier RFID Middleware Architecture

Page 19: Slides

Forrester Research Conclusions

• Manhattan Associates, OAT, and SAP lead with strong mandate solutions

• Pure plays like GlobeRanger and ConnecTerra also offer viable solutions for early adopters. Unlike OATSystems, however, these vendors offer "pure" middleware: strong reader-integration capabilities and APIs for publishing RFID data to back-end applications, with less packaged application logic such as EPC track-and-trace tools.

Page 20: Slides

Forrester Research Conclusions

• Both Savi Technology and RF Code have specialty capabilities and experience with active RFID tags

• Most platform and integration vendors lack generally available products

Page 21: Slides

RFID Middleware

• Sun

• SAP

• Microsoft

• Oracle

Page 22: Slides

Sun’s RFID Software Architecture

Page 23: Slides

Sun’s Event Manager

Page 24: Slides

Sun’s Information Server

Page 25: Slides

SAP

Page 26: Slides

Threats to RFID Middleware (Source: www.rfidvirus.org)

Page 27: Slides

Why RFID systems are vulnerable to attacks

• Lots of source code

• Generic protocols

• Back-end databases

• High-value data

• False sense of security

Page 28: Slides

RFID-Based Exploits

• Buffer Overflows
– The life of a buffer overflow begins when an attacker inputs data either directly (e.g. via user input) or indirectly (e.g. via environment variables).
– This input data is deliberately longer than the allocated end of a buffer in memory, so it overwrites whatever else happened to be there.
– Since program control data is often located in the memory areas adjacent to data buffers, the buffer overflow can cause the program to execute arbitrary code.

Page 29: Slides

RFID-Based Exploits

• Buffer Overflows
– RFID tags are limited to 1024 bits or less.
– However, commands like 'write multiple blocks' from ISO 15693 can allow a resource-poor RFID tag to repeatedly send the same data block, with the net result of filling up an application-level buffer.
– Meticulous formatting of the repeatedly sent data
– An attacker can also use contactless smart cards, which have a larger amount of available storage space.
– An attacker can really blow RFID middleware's buffers away by using a resource-rich, actively powered RFID tag-simulating device, like the RFID Guardian.

Page 30: Slides

RFID-Based Exploits

• Code Insertion
– Malicious code can be injected into an application by an attacker, using any number of scripting languages including VBScript, CGI, Java, JavaScript, and Perl.

Page 31: Slides

RFID-Based Exploits

• SQL injection
– SQL injection is a type of code insertion attack that tricks a database into running SQL code that was not intended.
– Attackers have several objectives:
• They might want to enumerate (map out) the database structure. Then, the attackers might want to retrieve unauthorized data, or make equally unauthorized modifications or deletions.
• Databases also sometimes allow DB administrators to execute system commands; an injected query that reaches such a feature can be used to attack the host system itself.

Page 32: Slides

RFID-Based Worms

• A worm is a program that self-propagates across a network, exploiting security flaws in widely-used services

• A worm is distinguishable from a virus in that a worm does not require any user activity to propagate

• Worms usually have a payload, which performs activities ranging from deleting files, to sending information via email, to installing software patches

• One of the most common payloads for a worm is to install a “backdoor” in the infected computer, which grants hackers easy return access to that computer system in the future.

Page 33: Slides

RFID-Based Viruses

• One can develop RFID-based viruses using the SQL language.

• The SQL data can be transmitted to a system via an RFID tag
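The SQL injection slide and the virus slide above describe one mechanism: the middleware reads a string off a tag and pastes it into a query. The following is an added example, not code from the slides or from rfidvirus.org, showing that mechanism against an in-memory SQLite table and the parameterised form that stops it. The table layout, the seed rows and the two hostile tag strings are constructed for the example; the self-replication step of a true RFID virus (writing the stored payload back onto the next tags the system encodes) is not shown, only the injection that makes it possible.

```python
import sqlite3

# Constructed sample inventory rows (EPC, payload read from tag user memory,
# location); made-up values, not data from any real system.
SEED_ROWS = [
    ("urn:epc:id:sgtin:0614141.107346.2017", "pallet 17", "dock A"),
    ("urn:epc:id:sgtin:0614141.107346.2018", "pallet 18", "dock A"),
    ("urn:epc:id:sgtin:0614141.107346.2019", "pallet 19", "dock B"),
]

# Two hostile tags. The first carries its injection in the EPC field the
# middleware looks up; the second in the user-memory payload it stores.
HOSTILE_EPC = "' OR '1'='1"
HOSTILE_PAYLOAD = "x', location = 'quarantine"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inventory (epc TEXT PRIMARY KEY, payload TEXT, location TEXT)")
    con.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SEED_ROWS)
    con.commit()
    return con


# --- the vulnerable middleware: tag data is spliced into the SQL text --------

def lookup_vulnerable(con, epc):
    """Tag EPC becomes part of the statement; quotes in it rewrite the WHERE clause."""
    sql = "SELECT epc, payload FROM inventory WHERE epc = '" + epc + "'"
    return con.execute(sql).fetchall()


def record_read_vulnerable(con, epc, payload):
    """Tag payload becomes part of the SET clause; it can add assignments of its own."""
    sql = "UPDATE inventory SET payload = '" + payload + "' WHERE epc = '" + epc + "'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


# --- the hardened middleware: tag data travels as bound parameters -----------

def lookup_safe(con, epc):
    return con.execute("SELECT epc, payload FROM inventory WHERE epc = ?", (epc,)).fetchall()


def record_read_safe(con, epc, payload):
    cur = con.execute("UPDATE inventory SET payload = ? WHERE epc = ?", (payload, epc))
    con.commit()
    return cur.rowcount


def row(con, epc):
    """(payload, location) for one EPC, via a bound parameter."""
    return con.execute("SELECT payload, location FROM inventory WHERE epc = ?", (epc,)).fetchone()


def demo():
    """Run both tags through both middleware versions; return what each did."""
    target = SEED_ROWS[0][0]
    results = {}
    con = fresh_db()
    results["vuln_lookup_rows"] = len(lookup_vulnerable(con, HOSTILE_EPC))  # whole table leaks
    results["safe_lookup_rows"] = len(lookup_safe(con, HOSTILE_EPC))        # no such EPC
    record_read_vulnerable(con, target, HOSTILE_PAYLOAD)
    results["vuln_after"] = row(con, target)   # location column changed, never intended
    con = fresh_db()
    record_read_safe(con, target, HOSTILE_PAYLOAD)
    results["safe_after"] = row(con, target)   # payload stored verbatim, location untouched
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The hostile EPC turns `WHERE epc = '...'` into `WHERE epc = '' OR '1'='1'` and the lookup returns every row, which is the enumeration and retrieval objective on the injection slide; the hostile payload turns the UPDATE into `SET payload = 'x', location = 'quarantine'`, a modification the middleware never meant to allow. With bound parameters both strings are stored or compared as inert text. The same rule applies to every field copied from a tag, including ones that look numeric.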