Jaap-Henk Hoepman
Security of Systems (SoS) group
Institute for Computing and Information Sciences
Radboud University Nijmegen, the Netherlands

Calling All Things
RFID technology, its impact and our challenges

J.H. Hoepman Calling All Things: RFID 2
Contents
- How it works (Hardware)
- What it can do (Applications)
- How it affects us (Societal issues)
- How to control it (Countermeasures)

I How it works

A typical RFID system
- Transponder/tag
  - active / passive
  - 1 bit – 64 kB (EEPROM/SRAM)
  - controller / CPU
  - read-only / read-write
- Reader
  - LF / UHF
  - Communication range
  - Coupling
- Backoffice
  - Databases
  - Datamining

RFID tags

RFID readers

Primary classifiers
- Active / passive
- LF / HF / UHF / micro
- Read-only / read-write
- State-machine / CPU
- n-bit / 1-bit

Reading distance (1)
- Design range
  - Close-coupling (0 – 1 cm)
  - Proximity coupling (7 – 15 cm)
  - Vicinity/Remote-coupling (0 – 1 m)
  - Long range (> 1 m)
- Eavesdropping range
- Maximum reading range

Reading distance (2)

Band              LF        HF          UHF       SHF
Frequency         125 kHz   MHz         MHz       2.4 / 5.7 GHz
Reading distance  Ca 1 m    1,5 – 2 m   4 – 8 m   20 m

- Good penetration through objects
- Limited by power consumption of controller/CPU on tag
- Longer for active tags

Communication
- Principle (load modulation)
- Collision avoidance
  - Prefixes of ID
- Tag-to-reader eavesdropping hard

II What it can do

We now face the imminent expansion of cyberspace into physical space in the form of
■ networked cameras,
■ biometric identification devices,
■ RFID tags on consumer goods,
■ and a wide variety of sensors.

Applications
- Health care
  - Emergency services
  - Blindness (“The object in front is a …”)
  - Obsessive Compulsive Disorder (OCD)
- Access control
  - “Who is inside?”
  - Emergency information
- Logistics / Supply chain
  - WalMart
- Shopping
  - METRO store
  - PRADA

“Mind that tree, Richard!”

Applications
- Travel/traffic
- Passport
- Hypertag (advertisement)
  - Tag on object; user (gsm) reads
- Exploratorium, San Francisco
  - Reader at object; user wears tag

Example: “What-is-this”
- With RFID
  - Not only immovables (GPS)
  - Including billboards
- RFID (UphID) → URL
- Conditional access
- “Sowing seeds” vs “1 UphID for all”
- 1 RFID = n UphID

Smart Dust…

III How it affects us

In a mediated environment - where everything is connected to everything - it is no longer clear what is being mediated, and what mediates.

Current RFID systems unsafe
- No authentication
  - No friend/foe distinction
- No access control
  - Rogue reader can link to tag
  - Rogue tag can mess up reader
- No encryption
  - Eavesdropping possible (esp. reader)
- Predictable responses
  - Traffic analysis, linkability
- No GUI…
  - … and “distance” not enforced by tag

RFID Risks: Consumers
- User profiling
  - Possible robbery target
  - Possible street-marketing target
  - Personalised loyalty/discounts
  - Refuse/grant access to shop/building
  - Even for tags without serial no.
- Loss of location privacy
  - By tracking same user profile
- Fake transactions / Identity theft

RFID Risks: Companies
- Corporate espionage
  - Scanning competitors' inventory (or customer base)
  - Eavesdropping tags
  - Querying tags
- Unauthorised access
  - Fake RFIDs
- Derived/competing services
  - Using competitors' installed base
- Denial of service attacks
  - Supply chain failure
  - Jamming signals
  - Fake RFIDs

Aggregate data
- Maybe too big to analyse/datamine…
- … but easily searched for 1 person
- time & space

IV How to control it

First ideas
- “Kill” command
- Blocker tag
- Metal shielding
- Many tags

Random identifier
[Diagram: identifier, h, g, to reader]

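One reading of the "Random identifier" slide, set against the "Predictable responses" weakness listed earlier, as an added example that is not part of the original slides. It assumes h replaces the identifier stored on the tag after each read and g derives the value sent to the reader; SHA-256 stands in for both, and all class names, function names and sample seeds are hypothetical.

```python
import hashlib

def h(state: bytes) -> bytes:
    """Assumed update function: next identifier stored on the tag."""
    return hashlib.sha256(b"h" + state).digest()

def g(state: bytes) -> bytes:
    """Assumed output function: the value the tag sends to the reader."""
    return hashlib.sha256(b"g" + state).digest()

class StaticTag:
    """Tag with a predictable response: the same serial on every query."""
    def __init__(self, serial: bytes):
        self.serial = serial
    def respond(self) -> bytes:
        return self.serial

class HashChainTag:
    """Tag that answers g(identifier), then overwrites identifier with h(identifier)."""
    def __init__(self, seed: bytes):
        self.state = seed
    def respond(self) -> bytes:
        out = g(self.state)
        self.state = h(self.state)
        return out

class BackOffice:
    """Knows every tag's initial seed and walks each chain to resolve a response."""
    def __init__(self, seeds: dict, max_reads: int = 1000):
        self.seeds, self.max_reads = seeds, max_reads
    def resolve(self, response: bytes):
        for name, state in self.seeds.items():
            for _ in range(self.max_reads):
                if g(state) == response:
                    return name
                state = h(state)
        return None  # unknown tag, or chain advanced past max_reads

def linkable(responses) -> bool:
    """Eavesdropper's view: do any two sightings carry the same value?"""
    return len(set(responses)) < len(responses)

# Constructed sample seeds (not from the slides).
SEEDS = {"banknote-A": b"seed-A", "passport-B": b"seed-B"}

if __name__ == "__main__":
    static, chained = StaticTag(b"SERIAL-0001"), HashChainTag(SEEDS["banknote-A"])
    print("static linkable: ", linkable([static.respond() for _ in range(5)]))
    seen = [chained.respond() for _ in range(5)]
    print("chained linkable:", linkable(seen))
    print("back office sees:", BackOffice(SEEDS).resolve(seen[-1]))
```

Every query advances the chain, so a tag that has been read more than `max_reads` times no longer resolves; the back office has to size that bound against lookup cost.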
Tracing banknotes (1)
- Primary issues
  - Prevent tracing
  - Prevent “purse scanning”
  - Prevent counterfeiting
  - Trace money laundering

Tracing banknotes (2)

Biometric passport (1)
- Primary issues
  - Prevent tracing
  - Prevent skimming
    - Especially biometric data
  - Prevent counterfeiting

Biometric passport (2)

Resources
- Klaus Finkenzeller, “RFID-Handbook”, 2nd (3rd) ed, Wiley & Sons, ISBN: