RFID Privacy: An Overview of Problems and Proposed Solutions Maxim Kharlamov (mkha130, #13) S. Garfinkel, A. Juels, R. Pappu, “RFID Privacy: An Overview of Problems and Proposed Solutions”, IEEE Security & Privacy 3:3, 34-43, 2005

Radio Frequency IDentification ID How does it work? Tag reader sends radio signal Tag reader sends radio signal Electricity induced in tag’s antenna powers tag’s chip Electricity induced in tag’s antenna powers tag’s chip Tag responds with its ID Tag responds with its ID Reading distance varies from several centimeters to several meters for different tag types RFID tags are used in stores (as barcodes), security systems, payment systems, passports, etc.

RFID technologies are rapidly deploying all over the world, raising privacy and security risks. It is not completely clear how to overcome these risks. Privacy. Cheap, small and easily readable tags allow virtually anyone to covertly spy on people. Security. RFID technologies are susceptible to various DoS, cloning and eavesdropping attacks. Main idea

(+) Personal privacy threats Complete and detailed classification of personal privacy threats: Action – monitoring clients’ behaviour inside stores Action – monitoring clients’ behaviour inside stores Association – tag’s unique ID is associated with a consumer Association – tag’s unique ID is associated with a consumer Location – tracking a person using an associated ID Location – tracking a person using an associated ID Preference – revealing people’s preferences – it is also a value threat Preference – revealing people’s preferences – it is also a value threat Constellation – a set of tags around a person Constellation – a set of tags around a person Transaction – tracking transactions between constellations Transaction – tracking transactions between constellations Breadcrumb – tagged object is still associated with a particular person even after he/she gets rid of it Breadcrumb – tagged object is still associated with a particular person even after he/she gets rid of it

(+) Corporate security threats The authors tried to explain possible security risks not only to customers but also to businesses: Espionage – gathering supply chain data Espionage – gathering supply chain data Competitive marketing – collecting customers’ preferences Competitive marketing – collecting customers’ preferences Infrastructure – DoS attacks can be disastrous Infrastructure – DoS attacks can be disastrous Trust perimeter – very hard to control the amount of information shared with the outer world Trust perimeter – very hard to control the amount of information shared with the outer world

(-) Privacy vs. Security Privacy is a part of security (CIA principle) Privacy is a part of security (CIA principle) The authors tried to concentrate only on privacy, but they did not give its definition The authors tried to concentrate only on privacy, but they did not give its definition Security issues were mentioned, but without “due diligence” Security issues were mentioned, but without “due diligence” Some of the threats in between privacy and security were missed Some of the threats in between privacy and security were missed Example: cloning could allow an adversary to gain access to someone’s private information (ex., cloning a tag used to log into your home computer) Example: cloning could allow an adversary to gain access to someone’s private information (ex., cloning a tag used to log into your home computer)

RFID-Hacking? If somebody copies your proximity card and robs Auckland University, do you think you would be arrested for robbery? “This device can do almost anything involving almost any kind of … RFID tag.” (J. Westhues,