Studying Next Generation RFID Applications in the Workplace
-
Upload
petersam67 -
Category
Documents
-
view
601 -
download
0
description
Transcript of Studying Next Generation RFID Applications in the Workplace
http://rfid.cs.washington.edu/The RFID Ecosystem Project
Studying Next GenerationRFID Applications in the Workplace
Evan Welbourne
University of Washington, CSEChips Ahoy?
The Legal Issues Associated with RFID in the WorkplaceMay 1, 2009 - Seattle, WA
http://rfid.cs.washington.edu/
PART 1: RFID and The RFID Ecosystem
PART 2: Current and Future Applications
PART 3: Security and Privacy Issues
+
Technical Protection Mechanisms
Outline
http://rfid.cs.washington.edu/
Image credit: Tom Reese, The Seattle Times
PART ONE
Radio Frequency Identification
http://rfid.cs.washington.edu/
What is RFID?
Wireless ID and tracking
Captures information on: Identity Location Time
Unique identification
Passive (no batteries)
Reader
Tag
http://rfid.cs.washington.edu/
Radio Frequency Identification
Wireless identification and tracking Information on:
Identity Location Time
tag time location
… … …
t 1 A
t 2 B
A B C
t 3 C
http://rfid.cs.washington.edu/
RFID Tags – A Wide Variety
Consumer Item Cases Pallets Trucks Ships / Trains
barcodes
passive tags
active tags
GPS-enabledactive tags
Cos
t of
tag
(loga
rithm
ic)
http://rfid.cs.washington.edu/
Elements of an RFID System
RFID ReaderRFID Tags Reader Antenna
Network Infrastructure
Data ManagementSystem
Applications
http://rfid.cs.washington.edu/
The RFID Ecosystem 100s of passive EPC Gen 2 tags
100s of RFID antennas
85,000 sq ft (8,000 sq m) building
Simulating an RFID-saturated future
http://rfid.cs.washington.edu/
RFID Ecosystem at UW CSE
http://rfid.cs.washington.edu/
PART TWO:Current and Future RFID Applications
http://rfid.cs.washington.edu/
Focus: RFID for Real-Time Location
Current trend: RFID in Hospitals
Track equipment, patients, personnel
Improve utilization, track workflows
Rapid progression in 2009: Feb 19: Awarepoint deploys RFID throughout 4 M sq. ft. Hospital Feb 26: Versus Tech. deploys RFID system at Virginia Mason Mar 4: St. Vincent Hospital deploys RFID workflow tracker Mar 9: St. John’s Deploys RFID to track child patients Mar 23: Good Samaritan tracks surgical instruments w/RFID Mar 24: Western Maryland Health deploys RFID tracking system Mar 25: RFID system for tracking patient files at Cleveland Clinic April 14: RFID vendor Reva Systems gets $5M in VC funding April 21: Greenville Hospital System tracks OR case carts Ongoing…
[ right middle and right bottom image credit: http://www.pcts.com ]
http://rfid.cs.washington.edu/
Focus: RFID for Real-Time Location
Proposed in research: Infer higher-level events from data Business Intelligence Reminding Systems Social Networking
http://rfid.cs.washington.edu/
PART THREE
Security & Privacy Issues+
Technical Protection Mechanisms
Image credit: Karsten Nohl, from: OV-chipkaart Hack using polishing paper, a microscope and Matlab
http://rfid.cs.washington.edu/
Many attacks:
Encryption can improve security but… Increases cost and power consumption, slows down read rate
-- to be useful, RFID tags have to be cheap and fast!
Physical security Foil-lined wallet: works, but you have to remove tag sometime
Skimming Cloning
Replay attack Eavesdropping
Ghost leech
Issue: Basic Insecurity of RFID
http://rfid.cs.washington.edu/
Issue: Basic Insecurity of RFID
Case Study: WA State Enhanced Driver’s License
DHS claims RFID “removes risk of cloning” Can be cloned easily in less than a second w/cheap device
Can be read more than 75 ft away
Sleeve doesn’t always work, worse when crumpled
# EDL Reads, Week of Apr 27th
Case study credit: Karl Koscher, Ari Juels, Tadayoshi Kohno, Vjekoslav Brajkovic
http://rfid.cs.washington.edu/
Our approach in the RFID Ecosystem:
1) Store little on tags, secure link between the tag ID and PII
2) Incorporate cryptographic techniques as they emerge
Issue: Basic Insecurity of RFID
http://rfid.cs.washington.edu/
Who owns collected data?
Who has access to it? Modes of information disclosure: Institutional
Organization collects, uses, and potentially shares personal data Addressed by contracts, federal law, corporate practice (e.g. FIPs)
Peer-to-Peer or “Mediated” Peers and superiors access data through some authorized channel Mediated by access control policies
Malicious Personal data is compromised by unauthorized parties Addressed by secure systems engineering
Issue: Data Access & Ownership
http://rfid.cs.washington.edu/
Our approach: “Physical Access Control Policy”
Each user has a personal view of the data
Each user has access to only those historical events thatoccurred when and where s/he was physically present
Models line-of-sight, augments memory
Other “context-aware” policies are possible:
“Only reveal my location during business hours”
“Only reveal my activity when I am in a meeting”
Issue: Data Access & Ownership
http://rfid.cs.washington.edu/
Issue: Uncertainty of RFID Data
1) In practice, RFID tags are often missed by readers Data cleaning algorithms are commonly applied
2) Further, apps need high-level information from smoothed data Event detection and data mining algorithms applied
But there is always a “sensory gap” between what actually occurs, what is sensed and what is inferred from the data.
http://rfid.cs.washington.edu/
Issue: Uncertainty of RFID Data
Our approach: Directly represent uncertainty with probabilistic datae.g. “Bob could be in his office (p = 0.5), the lounge (p = 0.1), or next door (p = 0.4)”
Problem: probabilistic data is huge; and compressed by throwing away less likely possibilities.
http://rfid.cs.washington.edu/
Main Takeaways
1) Use what security the technology provides Should improve with time
2) Verify implementation meets security/privacy claims
3) Access control can help enforce a policy framework
Novel, context-aware access controls are a possibility
4) RFID data and higher-level info inferred from it probably should not be considered actionable
http://rfid.cs.washington.edu/
Thanks
Thank you!
Check out our blog:http://rfid.cs.washington.edu/blog/
Follow us on Twitter! http://twitter.com/rfid_ecosystem
See publications for details: http://rfid.cs.washington.edu/publications.html
http://rfid.cs.washington.edu/
Backup Slides
Backup Slides…
http://rfid.cs.washington.edu/
Privacy & Security Discussion…
Just having an RFID tag could be a privacy risk
Pseudonymity not Anonymity Each RFID tag you carry has a unique number Sequential readings of your tags create a trace Over time this trace can be used to identify you-“The person who: wears this sweater, takes this bus, uses this bus stop, shops at this grocery, …”
U.S. privacy law doesn’t consider these traces to be PII European and Canadian law may handle this better
Important to discuss these issues RFID is increasingly ubiquitous, may be in the REAL ID cards
http://rfid.cs.washington.edu/
Security of Tags and Readers
Promise: Provides a faster, easier payment option
Problem: Name, #, expiration sent as plaintext
$150 homemade device can steal and replay credit cards
Next generation of cards includes better security
Promise: Faster border-crossings, improved security
Problem: Identity, nationality sent in the clear
Malicious parties can easily identify / target U.S. citizens
Revised passport includes faraday shielding and BAC
First generation RFID credit card vulnerabilities (UMass Amherst, RSA labs)
Security and Privacy Risks of the U.S. e-Passport (UC Berkeley)
http://rfid.cs.washington.edu/
Data Privacy and Security
RFID and Contactless Smart Card Transit Fare Payment
Promise: Streamlines transit experience and book keeping
Problem: Massive databases with transit traces of individuals
Not entirely clear what data is private and how it can be used
Oyster card data is the new law enforcement tool in London
Increasing # of requests for Oyster data: 4 in all of 2004 61 in Jan. 2007
ORCA Card: RFID-Based Transit Card for Seattle Area (August 2008)
Promise: Streamlines transit experience and book keeping Integrated with easy pay and institutional partners
Problem: The word “privacy” appears twice in 500 pages of docs…
http://rfid.cs.washington.edu/
Data Privacy and Security
From RFID Ecosystem user studies: “How do I know if I have a tag on me?”, “How do I opt out?” Users must be carefully educated before consenting There should be equal, available alternatives to the RFID option
If personal RFID data is stored:
Clearly define how each piece of information can and will be used
Define and enforce appropriate access control policies• May depend on user, application, and context of use (PAC)
Formal data privacy techniques to further ensure privacy (K-anonymity)• Store only the information you need, and add noise!
Provide users with direct access to and control of their data
http://rfid.cs.washington.edu/
sightings timestamp sightings timestamp sightings timestamp
Time: 0
’s data store ’s data store ’s data store
0 0 0
http://rfid.cs.washington.edu/
sightings timestamp sightings timestamp sightings timestamp
Time:
’s data store ’s data store ’s data store
1 1 1
1
0 0 0
http://rfid.cs.washington.edu/
sightings timestamp sightings timestamp sightings timestamp
Time:
’s data store ’s data store ’s data store
1 1 1
0 0 0
2 2 2
2