RFID Security Experimentation

Nicholas Alteen and Janusz Zalewski

Florida Gulf Coast University, April 2012

This report outlines the experiments with RFID security performed using the hardware and software described below. Complete instructions on how to perform all of the described experiments are available upon request, in the form of a User Manual.

1. Equipment and Software Used

The RFID reader used in these experiments is the ThingMagic USB 2.0 RFID Reader [1]. A large variety of HF Class I/II tags were at the experimenters' disposal (see Figure 1).

Figure 1: RFID Readers and Tags

The ThingMagic reader is driven through the Mercury API [2], supplied with the RFID Developer's Kit, which can communicate with the reader both synchronously and asynchronously. The report identifies the air-interface protocol as ISO 15693-3 [3]. Note, however, that ISO 15693 is an HF (13.56 MHz) vicinity-card standard, whereas the ThingMagic USB reader is a UHF device, and the operations exercised in the experiments below (memory banks, access and kill passwords, lock and kill commands, the EPC) belong to the EPC Class 1 Generation 2 (ISO/IEC 18000-6C) command set. The USB reader performs I/O over a USB 2.0 connection, which also powers the device. The read range was determined to be between 5 and 10 cm; for passive tags this is within the expected read range. Using the Mercury API, the application was developed in Microsoft Visual C# 2010 Express to perform the required tests, as well as some simple read/write functionality.

Figure 2: RFID Console Application

As shown in Figure 2 (left column), the application performs (simulates) six basic security-related tasks, each corresponding to one of the threats examined below. A User Manual for running the application and the respective tasks can be provided upon request.

2. Experiments

A total of six experiments were performed, one for each of the six STRIDE threat categories (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege) whose definitions are taken from [4]. The experiments simulate the corresponding security threats to an RFID system. For reference, the definition of each threat is given at the start of its section.

2.1 Spoofing Identity Experiment

Definition: An attacker poses as an authorized user of a system [4].

The goal of an identity-spoofing attack is to gain access to a protected system under the guise of an authorized user, leaving potentially sensitive data open to modification. The attacker must either know the authorization credentials in advance or collect them covertly from an authorized user. A software-based spoofing attack may capture passwords or other access credentials as they pass through a system and replay them later to read and edit sensitive data. In an RFID system this is commonly done with a rogue antenna, which intercepts the data a tag transmits in response to interrogation by a legitimate reader. Because the project hardware cannot act as such an eavesdropper, this experiment focuses instead on the passwords and data locks that secure access to data on the tags.

Figure 3: Spoofing Interface

Passive RFID tags can place temporary or permanent locks on their memory and can require a password before locked memory is written or the locks themselves are changed. Tags leave the factory with no locks and no passwords set (all zeros), so anyone with the requisite hardware can read and write them. The purpose of this experiment is to demonstrate how passwords work together with locks to prevent unauthorized modification of data (see Figure 3). It is important to note that, while the locks are password protected, the data themselves are not: a locked EPC or user memory bank can still be read by any reader in range. This measure protects only against unauthorized modification of tag data, not against its disclosure.

2.2 Data Tampering Experiment

Definition: Data tampering occurs when an attacker modifies, adds/deletes, or reorders data [4].

Informally, tampering means that data have been accessed by an unauthorized user and edited. That informal view is incomplete, because it leaves out deletion: as defined in [4], tampering covers any change to data made by an unauthorized user, including deleting it. This experiment uses a reader designated as the rogue to issue a kill command to a tag. The command does not merely render the data on the tag unreadable; it renders the whole tag inoperable for all future use. The kill command is designed both to delete the data and to permanently disable the tag's circuitry, which, when used by the tag's owner, is a doubly-secure measure against later tampering. A legitimate example of tag killing is a customer buying an RFID-tagged item at a store: the item passes over a reader built into the register, which sends the kill command so that the tag leaves the store deactivated (see Figure 4).

Figure 4: Tag Killing

One important point about this experiment is that the unauthorized user must know the kill password of the tag. Because the kill password is stored in the tag's reserved memory bank, an attacker can obtain it by reading that bank whenever it has not been read-locked, and a high-powered reader extends the distance from which this can be done. A tag whose kill password is left at zero cannot be killed at all, so setting a non-zero kill password and locking the reserved bank is what stops a rogue reader. In this experiment it is assumed that the unauthorized reader is able to get close enough to the tag.

2.3 Repudiation Experiment

Definition: Repudiation occurs when an attacker denies an action and no proof exists that the action was performed [4].

In this report, repudiation is treated as blocking a valid user from performing the tasks normally associated with their authority; the repudiation aspect of the scenario is that a tag keeps no record of who issued a command, so nothing proves which reader placed the locks. Such blocking can take many forms in RFID systems, both physical and electronic. A common physical means is placing a barrier between reader and tag that blocks the UHF signal in either direction, so that when an authorized reader interrogates the tag, the signal to or from the tag is blocked. A software means is to enable locks on the tag data: if the owner has not already placed them, an attacker can place them and use them against authorized readers. In this experiment the tags start with no access passwords programmed. A reader posing as the attacker interrogates a tag and changes the data stored in it; after setting its own access password, it permanently enables every available lock. On the passive tags supplied with the ThingMagic USB Reader Development Kit these are the locks for the access password, the kill password, the EPC memory and the user memory [4]. Another reader, posing as an authorized user, then attempts to read from and write to the same tag. Because every lock is in place and the password is unknown, the authorized user can no longer write to the tag or change its locks, and since a permanent lock cannot be undone even with the password, the lockout is permanent (see Figure 5).

Figure 5: Repudiation

2.4 Information Disclosure Experiment

Definition: Information disclosure occurs when information is exposed to an unauthorized user [4].

Such a situation is harder to create in an RFID system than in a networked one, since physical location plays such an important role: data transmitted by a tag or a reader antenna can be intercepted only by someone within range of the signal. These systems therefore gain a measure of security by restricting physical access to the RFID equipment. The ideal case is one in which no unauthorized user can get close enough to intercept any transmission, but this is hardly ever the case for real-world systems. A prominent example of information disclosure involves contactless credit card payments. An increasingly large number of card issuers are embedding contactless chips in their cards; though not all of these are RFID mechanisms in the strict sense, the concept still applies. A user takes a risk any time they make a contactless payment, since that transmission is readable by anyone in range who knows how to capture and interpret the data. Since this project does not cover programming the readers at the hardware level, and the equipment provided does not allow for it, this experiment focuses on preventing the information disclosure threat rather than on creating one. Aluminum wallets have recently become popular for their ability to block reader interrogation of any RFID tags inside the wallet (Figure 6); they act as a Faraday shield and protect a card only while it is stowed, not during a transaction. The purpose of this experiment is to show that these wallets do protect a user's RFID-enabled credit cards.

Figure 6: Aluminum RFID-Blocking Wallet

2.5 Denial of Service Experiment

Definition: Denial of service occurs when service is denied to valid and invalid users of a system [4].

Denial of Service (DoS) attacks are a favorite of media reporting. On the web they occur when one or more unauthorized users perform many transactions against a site in rapid succession, slowing the server until it cannot fulfil requests from authorized entities. In an RFID system the analogue is a rogue reader that repeatedly interrogates the same tag, leaving it unable to respond to interrogations by a valid reader. The attack can use either a fast or a slow attack speed. A fast attack speed means many reads over a very short period of time; a slow attack speed means a single read held over a very long period of time. When this threat module was developed, it was found that many fast-paced reads actually leave the tag free for interrogation between reads, even when the gap between reads was under 10 ms (ten thousandths of a second). The application is therefore designed to perform one read held for fifteen seconds. While the tag is being continuously interrogated by the rogue reader, it cannot be interrogated by the valid one. Note that a Gen2 tag keeps no session with a particular reader, so the effect is best explained as reader-to-reader interference: what blocks the valid reader during the long read is the rogue reader's continuous RF carrier and command traffic occupying the channel, not any state held by the tag.

Figure 7: Reading a Tag during a DoS Attack

For the purpose of this project, a rogue reader is set up to perform a single read of a tag for 15 seconds at a time, while a valid reader can be activated by the user to perform a read (see Figure 7). Should the experiment work correctly, the valid reader will be unable to obtain data from the tag as long as the rogue reader is performing the DoS attack.

2.6 Elevation of Privilege Experiment

Definition: Elevation of privilege occurs when an unprivileged user gains higher privilege in a system in which they are authorized [4].

Elevation of privilege can occur in one of two ways: vertical, when a user gains higher privilege in a system than normal, and horizontal, when a user is able to access data belonging to another user of the same system with the same access level [4]. In any secure system there is usually data restricted to administrators, and RFID systems are no exception. The Electronic Product Code (EPC) of a tag is strictly controlled to hinder tag cloning. Note what the EPC lock does and does not do: locking the EPC bank prevents the EPC from being rewritten, but the EPC is always readable, so it can still be copied to a blank tag whose EPC bank is unlocked. If a tag's EPC bank is left unlocked, it is no difficult task for a malicious user to rewrite it, and writable blank tags make it equally easy to create copies of any tag.

Figure 8: Elevation of Privilege

The purpose of this experiment is to copy the EPC from one tag to another, effectively cloning it (see Figure 8). To any reader that identifies tags by EPC alone, the two tags are one and the same; only the factory-programmed TID bank, which cannot be rewritten, distinguishes them. Cloning is common practice among malicious RFID users because it lends the data on the cloned tag the appearance of being genuine. Consider, for example, a store that uses RFID. Some employees have the responsibility of reading these tags to ensure that the data on them reflect the proper price of the product. If an elevation of privilege occurs, a regular employee may gain the ability to write to the tags as well. The tag of an expensive product could easily be cloned; the employee can then adjust the data on the clone to show a lower price, kill the original tag, and replace it with the clone.
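The four tag-side mechanisms these experiments rely on (password-protected locks in 2.1, the kill command in 2.2, hostile permanent locking in 2.3 and EPC copying in 2.6) can be exercised without hardware. The following is an added example, not code from the report and not the ThingMagic Mercury API: a Python model of EPC Class 1 Gen 2 tag memory that implements the Gen2 rules for the access and kill passwords, lock and permalock state, the unwritable TID and the kill command, with one scenario function per experiment. The EPC and TID values and the passwords (0xDEADBEEF, 0x0BAD1DEA, 0x41414141, 0x42424242) are constructed sample data, and a single lock is assumed to cover both passwords in the reserved bank rather than the separate read/write lock bits a real tag has.

```python
# Added example (not the report's code, not the Mercury API): Gen2 tag memory model.
from dataclasses import dataclass, field

RESERVED, EPC, TID, USER = 0, 1, 2, 3   # Gen2 memory bank numbers
ZERO_PW = 0                             # factory value of both passwords

class TagError(Exception): pass         # a real tag would not reply, or return an error

@dataclass
class Gen2Tag:
    epc: bytes
    tid: bytes                          # factory-programmed, never writable
    user: bytes = b""
    access_pw: int = ZERO_PW
    kill_pw: int = ZERO_PW
    killed: bool = False
    # per-bank (locked, permanent); TID ships permalocked. One lock is assumed
    # to cover both passwords instead of Gen2's separate read/write bits.
    locks: dict = field(default_factory=lambda: {
        RESERVED: (False, False), EPC: (False, False),
        TID: (True, True), USER: (False, False)})

    def _secured(self, pw):
        """Secured state: zero access password, or the right one presented."""
        if self.killed:
            raise TagError("tag is killed and does not respond")
        return self.access_pw == ZERO_PW or pw == self.access_pw

    def read(self, bank, pw=ZERO_PW):
        secured = self._secured(pw)
        if bank == RESERVED:            # the only bank Gen2 can read-lock
            if self.locks[RESERVED][0] and not secured:
                raise TagError("reserved bank is read-locked")
            return self.access_pw, self.kill_pw
        return {EPC: self.epc, TID: self.tid, USER: self.user}[bank]

    def write(self, bank, data, pw=ZERO_PW):
        secured = self._secured(pw)
        if bank == TID or (self.locks[bank][0] and not secured):
            raise TagError(f"bank {bank} is write-locked")
        if bank == RESERVED: self.access_pw, self.kill_pw = data  # (access, kill)
        elif bank == EPC: self.epc = bytes(data)
        else: self.user = bytes(data)

    def lock(self, bank, pw=ZERO_PW, permanent=False):
        if not self._secured(pw):
            raise TagError("lock requires the access password")
        if self.locks[bank][1]:
            raise TagError(f"bank {bank} is permalocked; its lock state is frozen")
        self.locks[bank] = (True, permanent)

    def kill(self, kill_pw):
        # A zero kill password makes the tag unkillable; otherwise exact match.
        if self.killed or self.kill_pw == ZERO_PW or kill_pw != self.kill_pw:
            raise TagError("kill rejected")
        self.killed = True

def new_tag():
    """Factory state the report describes: no passwords, no locks."""
    return Gen2Tag(bytes.fromhex("e2000000000000000000a001"), bytes.fromhex("e2003412"), b"PRICE=100")

def attempt(fn, *args):  # True if the tag accepted the command, False if it refused it
    try: fn(*args); return True
    except TagError: return False

def spoofing_experiment():
    """2.1: locked user memory stays readable by anyone, writable only with the password."""
    tag, pw = new_tag(), 0xDEADBEEF
    tag.write(RESERVED, (pw, 0x0BAD1DEA))   # bank still open: no password needed
    tag.lock(RESERVED, pw)                  # passwords now hidden from readers
    tag.lock(USER, pw)
    anyone_reads = tag.read(USER) == b"PRICE=100"
    rogue_writes = attempt(tag.write, USER, b"PRICE=1")
    owner_writes = attempt(tag.write, USER, b"PRICE=90", pw)
    return anyone_reads, rogue_writes, owner_writes, tag.read(USER)

def tampering_experiment(guessed_kill_pw):
    """2.2: a rogue reader kills the tag only if it knows the kill password."""
    tag = new_tag(); tag.write(RESERVED, (ZERO_PW, 0x0BAD1DEA))
    attempt(tag.kill, guessed_kill_pw)
    return "alive" if attempt(tag.read, EPC) else "killed"

def repudiation_experiment():
    """2.3: attacker passwords and permalocks an open tag; nobody can undo it."""
    tag, attacker_pw = new_tag(), 0x41414141
    tag.write(RESERVED, (attacker_pw, 0x42424242))
    for bank in (RESERVED, EPC, USER):
        tag.lock(bank, attacker_pw, permanent=True)
    owner_locked_out = not attempt(tag.write, EPC, bytes(12))
    attacker_can_undo = attempt(tag.lock, USER, attacker_pw)
    return owner_locked_out, attacker_can_undo

def cloning_experiment():
    """2.6: the EPC copies freely onto a blank tag; only the unwritable TID differs."""
    original, blank = new_tag(), Gen2Tag(bytes(12), bytes.fromhex("e2003499"))
    blank.write(EPC, original.read(EPC))
    blank.write(USER, b"PRICE=10")          # the attacker's altered data
    tid_copied = attempt(blank.write, TID, original.read(TID))
    return original.read(EPC) == blank.read(EPC), original.read(TID) == blank.read(TID), tid_copied
```

Each scenario function returns what a practitioner would check at the reader: spoofing_experiment() shows that locked user memory is still readable by a rogue reader but writable only with the access password; tampering_experiment() succeeds only with the exact kill password, and a factory tag with a zero kill password cannot be killed at all; repudiation_experiment() shows that a permanent lock cannot be reversed even by the attacker who set it; cloning_experiment() shows that the EPC copies onto a blank tag while the TID does not, which is why readers that trust the EPC alone cannot tell the clone from the original.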

References

[1] ThingMagic. USB RFID Reader. URL: http://www.thingmagic.com/usb-rfid-reader

[2] ThingMagic. Mercury API Programmer's Guide. Version 875-0049-06 Rev A, January 2011. URL: http://www.thingmagic.com/images/stories/publicuserguides/MercuryAPI_ProgrammerGuide_Jan12.pdf

[3] International Organization for Standardization. ISO/IEC FCD 15693-3, Identification cards – Contactless integrated circuit(s) cards – Vicinity cards – Part 3: Anti-collision and transmission protocol. URL: http://www.waazaa.org/download/fcd-15693-3.pdf

[4] Chaudhry, N., Thompson, D., Thompson, C., RFID Technical Tutorial and Threat Modeling Version 1.0. Dept. of Computer Science and Engineering, University of Arkansas, December 2005
