Privacy and Security Aspects in RFID
Chintan I. Patel ![]() 1. Introduction RFID is an abbreviation for Radio Frequency Identification. RFID systems consist of RFID tags and readers. In a generation where wired equipments are replaced by wireless devices, RFID is one such technology which has been deployed for efficient and wire-free use in various applications. RFID has made its mark in applications such as retail, manufacturing, tracking of people, medical records, livestock, shipping, contactless payments, asset tracking, automobiles etc. We know that wireless systems are vulnerable to attacks and security is a major concern, RFID is no exception. RFID is vulnerable to attacks and security and privacy concerns are raised in this technology as well. This paper addresses the security aspects and issues existing in RFID and efficient ways to combat the security concerns for the improvisation of the system.
2. General issues addressed Following are the general issues that will be addressed:
3. Security and Privacy issues 3.1 Security issues Following are the security issues related to RFID: i. Electronic Product Code (EPC) tags were developed by an organization known as EPCglobal Inc. [1]. The EPC tags carry little information known as EPC code. These codes are “used as a pointer to database records for the tag” [1]. But these EPC tags do not guarantee authentication ii. Low cost security tags cannot execute standard cryptographic functions [1] iii. In some cases, the architecture of the RFIDs lack security design specifications iv. Physical security of RFID tags and readers is also a concern, as the destruction of these can be done by the perpetrators.
3.2 Privacy issues “RFID raises two main privacy concerns for users: clandestine tracking and inventorying” [1]. VeriSign’s EPC Discovery Service is used to protect the EPC tags across the organizations. Following are the issues related to the privacy of users: i. When personal information of a user is combined with the tag serial number, the threat to privacy is the highest. For example, if a user makes a purchase by his credit card, then his user identity and serial numbers are easily visible to the marketers or the location where the purchase had been made with the use of RFID readers. ii. The EPC tags consist of manufacturer’s code known as “General Manager” [1] and product code known as “Object class” [1]. These are collectively known as stock keeping unit (SKU). Hence, a person carrying the EPC tag is subject to clandestine inventorying. By this, the readers can store the information about the user’s inventories such as the products purchased by him, and can harvest personal information [1]. The personal information may also include the users medical records, products bought by him, credit card number etc. iii. Tracking is a major concern in military operations where the enemies can track troop movements and supply chains. Tracking of civilians can also be done by getting information from the readers installed at tolls, used to track the vehicles and hence the person’s position [1].
4. Types of attacks and security concerns Figure 1: Types of attacks in RFID [2]
Figure 1 shows the basic types of attacks in RFID. The transponder is same as the EPC tags as shown in figure 1. The relationship between the transponders and the readers must be maintained. Eavesdropping, blocking, jamming and falsifying contents are major types of attacks in RFID. These are discussed as follows:
Factors related to the security and privacy concerns are spying, deception, denial of service and protection of privacy. The protection of privacy is done by an attacker in such a way that he protects himself by attacking the system when he feels threatened by the RFID system [2]. Table 1 shows the attacks that relate to the security concerns.
Table 1: Types of attacks and their concerns [2] 5. Assessment of security aspects in an RFID system The assessment of security aspects done in an RFID system includes assets, perpetrators, threats, vulnerabilities, safeguards and additional controls. Table 2 illustrates the security assessment structure of an RFID system.
Table 2: Assessment of Security architecture for RFID systems
All these aspects must be kept in mind while designing the system so that there may be less loop holes and the security of the system is updated.
6. Efficient ways to improve security in RFID
6.1 Authentication The identity of the program used to drive the RFID chip is checked at first. There are three ways by which the authentication of the RFID chip can be done, namely, checking the identity of the tag, reader and strong mutual authentication.
6.1.1 Check identity of tag The identity of the tag must be checked when the RFID system detects its presence in the system [2]. The EPC offers a large number of ambiguous combinations of numbers to prevent duplication of the numbers and its reuse.
6.1.2 Check identity of reader The authentication of the reader is done by password matching. The password is stored in the tag and when the reader sends a signal to the tag, it matches the password with the one stored in its own memory. This is the simplest technique and is effective for protection. Varying the passwords can keep the system more secure, but they work with read-write transponders only [2].
6.1.3 Strong mutual authentication Mutual authentication takes place between the tag and the reader. The secret keys are not sent over the air interface (to ensure protection). Instead, encrypted random numbers are used, which provides a higher order of security against unauthorized access of intruders [2].
6.2 Encryption Eavesdropping can be prevented using the encryption technique. In case of strong encryption used in the RFID systems, the authentication of the temporary key (session key) must be done at the backend of the RFID system database. The tag must only be used for reading, so that there is no transmission of the session key over the air interface. This would save memory and power used by the tag, since the backend RFID database will store all the information, since the memory in the database is unlimited. This can also help in producing cheap transponders/tags.
6.3 Prevent Readout In practice, the tags do not operate with a switch [2], which could expose them to unauthorized access at anytime by a large number of attackers. In order to prevent this, blocker tags are used which temporarily avoids authorized or unauthorized use of tags. Blocker tags are equipments that pretend to be transponders, which simulate all possible numbers to the reader. This would result in the reader replying to all possible numbers and thereby blocking the reader’s operation temporarily. The reader would be busy and any unauthorized access can also be prevented. There are methods which prevent the blocking of the reader for a long time and be applicable for certain applications in practice.
7. Applications of RFID
8. Conclusion The major loss of assets in the security structure will certainly affect the future developments related to RFID systems. This technology can be used widely in the future, but the security concerns are bound to increase with its rapid usage as it is slowly being deployed in the market. After it is fully established, the system would be more vulnerable to other unknown attacks and strong preventive measures must be taken for its security. The use of RFID in various systems is well known, and the issues related to it are chronic. The growth of this technology will break the barriers of using better wireless systems, but the security aspects are a major concern too.
Summary
References
[1] RFID Security and Privacy: A Research Survey Juels, A; Volume 24, Issue 2, Feb. 2006; Digital Object Identifier 10.1109/JSAC.2005.861395
[2] Security Aspects and Prospective Applications of RFID systems Oertel, B; Wölk, M; Prof. Dr. Hilty, L; Köhler,A; Kelter, H; Ullmann, M; Wittmann, S; http://www.rfidconsultation.eu/docs/ficheiros/RIKCHA_englisch_Layout.pdf |
Articles > Network Security >