Security Issues thwarting RFID adoption

24 07 2012

Radio Frequency Identification (RFID) technology has gained popularity over the past several years in the supply chain and asset management areas. The main advantage of RFID is the automated identification of products and people. Mandates from the Department of Defense and supply-chain giants like Wal-Mart to their suppliers push wider adoption of this technology. The automated unique identification that RFID offers, together with falling tag costs, drives innovative RFID applications in areas such as access control, supply chain and retail services, sub-dermal tags, library tags and smart applications. Despite these factors, the adoption rate of RFID technology has stalled significantly in recent years, and security issues and privacy concerns are among the key reasons.

RFID tags are small electronic devices that consist of a microchip and an antenna designed for wireless data transmission. The RFID reader interrogates the tags so that data can be transmitted over the air. Collectively, an RFID system consists of RFID tags, readers, communication protocols, information systems, networks, lookup/location services and so on. All elements of the RFID system need to be secured, and the integration between them must be considered with data security in mind. From the consumer’s perspective, the privacy issue is more important and therefore gets more media coverage.

Security and Privacy Issues

Security issues arise when legitimate readers read data from malicious tags. It is very easy to copy the data from tags and produce counterfeit tags. Current RFID systems are unsafe:

  1. No authentication – no friend/foe distinction
  2. No access control – a rogue reader can link to a tag, and a rogue tag can disrupt the reader
  3. No encryption – eavesdropping is possible
  4. No standardization of RFID protocols – available standards are susceptible to reverse engineering
  5. RFID-based worms/viruses

Privacy Concerns: RFID tags pose an exponentially greater risk to personal privacy. A malicious reader can read information from legitimate tags, leading to two common privacy threats:

  1. Tracking – A privacy issue arises when a product’s or person’s movements, or their data, are tracked or accessed without explicit permission. The user or product owner cannot turn off the tracking, because the tag can always be read. Even if encryption is used, only the data is encrypted; a tag that always answers with the same (encrypted) response can still be tracked.
  2. Information Leakage – When the data in the tag reveals sensitive information to rogue readers, this is a privacy issue. For example, if a person carries a box of medicine with an embedded RFID tag, the information could be read and their ailments discovered, thereby violating privacy laws.

Some countermeasures to address security and privacy issues:

  1. RFID-tagged products can be clearly labeled so that consumers have the choice to select products without RFID. One product, ‘Kill Codes’, turns off all RFID tags immediately when the consumer comes into contact with them.
  2. ‘RSA Blocker Tags’ address privacy concerns while maintaining the integrity of the product; the item can be tracked only by the store’s authorized reader.
  3. Use challenge-response when querying for data.
  4. Good, secure distributed database and web service security.
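The challenge-response countermeasure above, and the earlier point that encrypting the data alone does not stop tracking, as an added example that is not code from the original post. It assumes a hypothetical Tag/Reader model in which each tag shares a secret key with the authorized reader and answers a challenge with a truncated HMAC-SHA256 over the reader’s nonce and its own fresh nonce, so a rogue reader without the key cannot identify the tag, a recorded response cannot be replayed, and two reads of the same tag are not linkable (real tags have far less compute than this model).

```python
import hashlib
import hmac
import os

def keyed_mac(key: bytes, reader_nonce: bytes, tag_nonce: bytes) -> bytes:
    # 16-byte truncated HMAC-SHA256 is the only thing the tag sends besides its nonce
    return hmac.new(key, reader_nonce + tag_nonce, hashlib.sha256).digest()[:16]

class Tag:
    """Hypothetical tag: holds a per-tag secret and never transmits its id."""
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id, self.key = tag_id, key

    def respond(self, reader_nonce: bytes):
        tag_nonce = os.urandom(8)  # fresh per read, so responses never repeat
        return tag_nonce, keyed_mac(self.key, reader_nonce, tag_nonce)

class Reader:
    """Hypothetical reader: identifies a tag by which known key reproduces the MAC."""
    def __init__(self, keyring: dict):
        self.keyring = keyring  # tag_id -> shared secret key

    def challenge(self) -> bytes:
        return os.urandom(8)

    def identify(self, reader_nonce: bytes, tag_nonce: bytes, mac: bytes):
        for tag_id, key in self.keyring.items():
            if hmac.compare_digest(keyed_mac(key, reader_nonce, tag_nonce), mac):
                return tag_id
        return None  # no key matches: unknown tag, wrong reader, or replayed response

    def query(self, tag: Tag):
        nonce = self.challenge()
        tag_nonce, mac = tag.respond(nonce)
        return self.identify(nonce, tag_nonce, mac)

def demo() -> dict:
    key = os.urandom(16)  # constructed secret shared by the tag and the store reader
    tag = Tag("pallet-0042", key)
    store_reader = Reader({"pallet-0042": key})
    rogue_reader = Reader({"pallet-0042": os.urandom(16)})  # does not hold the real key
    nonce = store_reader.challenge()
    tag_nonce, mac = tag.respond(nonce)  # a transcript an eavesdropper might record
    return {
        "authorized": store_reader.query(tag),
        "rogue": rogue_reader.query(tag),
        "replayed": store_reader.identify(store_reader.challenge(), tag_nonce, mac),
        "linkable": tag.respond(nonce) == tag.respond(nonce),
    }
```

The reader’s linear key search is what keeps the tag’s identifier off the air; it costs one MAC per known tag, which is the usual trade-off of this style of scheme.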

Conclusion

While security and privacy issues exist, RFID tags have the potential to revolutionize many areas, increasing productivity and cost effectiveness. RFID technology leaders and enablers should focus on developing protocols and standardization to address security and privacy issues; meanwhile, adoption should be based on corporations and industries being aware of the existing security issues in RFID systems, their current limitations and consumer privacy laws.





The discussion of Security in Mobile Payment

2 11 2011

Have you paid bills with a mobile device such as a cell phone, PDA or mobile PC? If you have, have you worried about the security of your purchase or of your private information during the mobile payment, and about the safety of the mobile devices and systems themselves?

Mobile purchasing is becoming more and more popular. “According to Gartner, 340 million global users will use mobile payments in 2014, with such transaction totaling $245 billion, up from $32 billion last year.”[1] This means the mobile-commerce market will grow almost eightfold by 2014. Many companies have already focused on this business opportunity. Not only traditional e-commerce companies such as Amazon and eBay, but also technology companies such as Google, are working on platforms and software to gain an advantage in this potential market. This year Google announced that it planned to “start testing a mobile-payment system with the near-field-communication (NFC) technology, which lets consumers pay for products and services by tapping a device against a register at checkout, giving them an alternative to cash or physical credit cards.”[2] In the same year, Amazon and eBay also developed their mobile payment services (Amazon’s MPS and eBay’s ISIS) based on NFC.

NFC is a more advanced technology than RFID (Radio-frequency identification) and Bluetooth because of its low power consumption and higher safety. In an NFC-based payment system, the mobile device contains two smart chips: the normal SIM card and a separate NFC payment chip. The customer makes a payment by holding the mobile device in front of an NFC reader and entering a security PIN to authorize the transaction, so the transaction completes within a range of a few centimeters. Although this provides a certain level of safeguard for customers, there are still bugs in NFC payment systems and design flaws in NFC devices.

As with all wireless signals, the NFC signal can be eavesdropped on with antennas. Data transferred over NFC is much safer than data transferred over RFID, but it can still be manipulated. Relay attacks are also possible for NFC: the attacker inserts himself into the communication and forwards a reader’s request to the victim. When the victim replies, the attacker receives the reply and can use this message to analyze the user’s information, pretend to be the user to carry out some task, or even modify the user’s settings. If you lose your phone, the potential security problem could be worse than any kind of attack, since you have provided free access to your mobile phone: the attacker can decipher the NFC payment chip and make a transaction using your device.

Making transactions between NFC devices is one method of mobile payment, called direct mobile billing. The other method is mobile web payment, which means customers make online transactions with their mobile devices, for example through online wallets, online banking and direct operator billing. As we know, the invention and development of Apple’s iPhone and Google’s Android have driven the evolution of the smartphone market. People can browse websites more conveniently and quickly, so customers have more chances to choose and buy what they prefer in the online market, and mobile payment is more popular than ever before. Compared with PC systems, the operating systems of mobile devices are still young and have many flaws, so they are easier to attack than PC systems. “Recent studies show that the world of mobile malware is dominated by Trojans and not by worms or viruses. The main reason for this is that Trojans do not need any propagation vector and simply rely on the user’s curiosity to download and install them.”[3] An attacker could make utility programs or popular games to attract users’ interest; when the user downloads and installs such a program, the mobile device can be infected with spyware or malware. The spyware can collect the user’s information, including ID information, PIN data and incoming and outgoing data, and send it to the attacker. Some well-known examples of spyware or malware are Flexispy[4], PbStealer[5] and KeyLogger. Users should be careful when downloading applications from the internet, and install security software to obtain a certain level of protection.

Mobile payment, rather than traditional payment, is representative of the future of payment. Bugs and insecurities will be solved sooner or later. The unsafe elements in mobile payment systems and mobile devices cannot stop the development of m-payment.

__________________

[1] http://www.bloomberg.com/news/2011-03-31/amazon-com-said-to-be-considering-mobile-payment-service-for-smartphones.html

[2] http://www.bloomberg.com/news/2011-03-15/google-is-said-to-ready-payment-test-in-new-york-san-francisco.html

[3] Shivani Agarwal, Mitesh Khapra, Bernard Menezes and Nirav Uchat, “Security Issues in Mobile Payment Systems”

[4] F-Secure Malware Information Pages: Flexispy.A. (Online) http://www.f-secure.com/v-descs/flexispy_a.shtml

[5] F-Secure Virus Descriptions: Pbstealer.A. (Online) http://www.f-secure.com/v-descs/pbstealer_a.shtml





RFID Security and Privacy

3 10 2011

Radio frequency identification (RFID) is one of the many types of automatic identification technologies; it uses radio waves to transmit signals. It typically has three parts: the tag, the reader and the system that processes the relayed data. The technology itself is not new; it was used during the Second World War to identify friendly and enemy aircraft, but there have been several new ideas on its application.

It makes the tracking and identification of assets, animals, products (e.g. for inventory tracking) and people easy; of course, to enable tracking and identification these subjects have to be tagged with a unique identifier. These tags come in different sizes, some as small as a grain of sand or rice. Hitachi developed a powder type that uses electron beams to write information onto the chips, measuring 0.05 x 0.05 mm [1], and Kodak developed a digestible RFID tag used for monitoring drug reactions [2]. Some of the common applications include document tagging (e.g. for anti-counterfeiting), pet tagging to make it easy to track or identify missing pets, EZPass, passports, ignition keys, etc.; it is also used in the energy, aviation/aerospace, manufacturing, retail, supply, access control and health sectors.

Take the health sector applications for instance: one application is in tracking patients with mental disorders such as Alzheimer’s, so that they can be located if they wander off. This technology could also help health personnel provide emergency aid to people who need it; in an emergency the subject’s health records could easily be reached so that the right assistance is provided, thus preventing medical errors. Athletes could have implants so that their vital signs can be monitored to forestall any kind of medical problem on the field.

Apart from cost, the major challenge is security and privacy. If tags are covered with foil, this can block their signals from being scanned (for some tags), which could lead to a denial of service, since it makes the tag unavailable and unreadable. Also, anyone with a suitable reader could have access to the information; this raises data integrity issues, since the data could be intercepted, interrupted or modified. Security appears to be bolted on instead of built in: in the early stages of development, security may not have been at the fore of the design considerations; the developers simply wanted to get something working, “had to” do “this”, and security came afterwards.

Information personal to a subject could be made public and could reveal specific private details. This information can be skimmed, cloned or eavesdropped on; falling into the wrong hands, it could leave the owner at risk of having their identity stolen or abused in some other form. These individuals can also be tracked, as in the case of human implants, e.g. VeriChip, a glass-like casing about the size of a grain of rice that is implanted under the skin. This contains the owner’s personal ID, name, social security number, health and financial information, etc.; once scanned, this information is available in unencrypted form to anyone that has access to it.

There are also serious adverse health implications associated with implantation, as stated in the company’s SEC 10-K report, such as adverse tissue reactions, migration of the microchip and infection from implantation [3].

_______________________________

[1] Hitachi RFID Tags: http://www.technovelgy.com/ct/Science-Fiction-News.asp?NewsNum=939

RFID and its applications in management: http://www.g-casa.com/conferences/budapest/papers/Mockler.pdf

Security in Computing: Pfleeger and Pfleeger, pp. 639-641

[2] Kodak RFID Tags: http://www.rfidjournal.com/article/view/3100; http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220070008113%22.PGNR.&OS=DN/20070008113&RS=DN/20070008113

[3] Industry and Business Risks Related to Our HealthID Business: http://www.secinfo.com/d1awwf.q9w.htm#2wvu