RFID Security Threat Model - PowerPoint PPT Presentation

Provided by: Industrial68
Learn more at: http://www.csce.uark.edu

Transcript and Presenter's Notes

Title: RFID Security Threat Model


1
RFID Security Threat Model
  • Presented by Dale R. Thompson
  • University of Arkansas

2
What is RFID?
  • Stands for Radio Frequency Identification
  • Uses radio waves for identification
  • New frontier in the field of information
    technology
  • One form of Automatic Identification
  • Provides unique identification or serial number
    of an object (pallets, cases, items)

3
Applications
  • Mobil Speedpass systems
  • Automobile Immobilizer systems
  • Fast-lane and E-Zpass road toll system
  • Animal Identification
  • Secure Entry cards
  • Humans
  • Supply chain management

4
RFID in Supply Chain
5
RFID System
6
RFID Reader
  • Also known as an interrogator
  • Reader powers passive tags with RF energy
  • Can be handheld or stationary
  • Consists of
    • Transceiver
    • Antenna
    • Microprocessor
    • Network interface

7
RFID Tag
  • Tag is a device used to transmit information such
    as a serial number to the reader in a contactless
    manner
  • Classified as
    • Passive - energy from reader
    • Active - battery
    • Semi-passive - battery and energy from reader

8
Management System
  • Each reader manufacturer
  • Commercial middleware
  • Open source middleware work at UofA

9
Database
  • Store attributes related to the serial number of
    the RFID tag
  • Examples
    • What is it?
    • Who made it?
    • Who bought it?
    • Where has it been?

10
RFID Frequency range
Frequency Band          Description
< 135 kHz               Low frequency
6.765 - 6.795 MHz       HF
7.4 - 8.8 MHz           HF
13.553 - 13.567 MHz     HF
26.957 - 27.283 MHz     HF
433 MHz                 UHF
868 - 870 MHz           UHF
902 - 928 MHz           UHF
2.4 - 2.483 GHz         SHF
5.725 - 5.875 GHz       SHF
11
Standardization
  • ISO
    • 18000-1 Generic air interfaces for globally
      accepted frequencies
    • 18000-2 Air interface for 135 kHz
    • 18000-3 Air interface for 13.56 MHz
    • 18000-4 Air interface for 2.45 GHz
    • 18000-5 Air interface for 5.8 GHz
    • 18000-6 Air interface for 860 MHz to 930 MHz
    • 18000-7 Air interface at 433.92 MHz
  • EPCglobal, Inc. (UHF 868 - 928 MHz)
    • UHF Class-0
    • UHF Class-1 Generation-1 (Class-1 Gen-1)
    • UHF Class-1 Generation-2 (Class-1 Gen-2)

12
EPCglobal, Inc.
  • Not-for-profit organization developing
    commercial, world-wide RFID standards
  • http://www.epcglobalinc.org/
  • UHF Class-1 Generation-2 (Class-1 Gen-2 or
    commonly known as Gen 2)

13
Electronic Product Code (EPC)
96 bits can uniquely label all products for the
next 1,000 years
14
EPC vs. UPC (Barcodes)
  • Both are forms of automatic identification
    technology
  • Universal Product Code (UPC) requires line of
    sight and manual scanning, whereas EPC does not
  • UPC requires an optical reader, whereas an EPC
    reader reads via radio waves
  • EPC tags have memory and can be written to,
    while UPC barcodes cannot

15
Trivia on Passive UHF RFID
  • How far can a reader read a tag?
    • Less than 20 feet
  • What causes interference at these frequencies?
    • Metal reflects the energy and can shield
    • Water absorbs the energy. Microwave ovens operate
      at 2.4 GHz because water absorbs energy at these
      frequencies. Passive UHF operates around 900 MHz,
      which is close enough.

16
University of Arkansas RFID Research Center
  • Fully student staffed with 24 industry members,
    which recently became the first open laboratory
    to be accredited by EPCglobal Inc.

17
Security Threat Modeling
  • Assemble team
  • Decompose system into threat targets
  • Identify/Categorize threats to threat targets
  • Attack graphs for each threat target
  • Assign risk to each threat
  • Sort threats
  • Mitigate threats with higher risks

18
Decompose System into Threat Targets
19
RFID Threats Categorized with STRIDE
  • Spoofing identity
  • Tampering with data
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

20
Spoofing Threat
  • A competitor or thief performs an unauthorized
    inventory of a store by scanning tags with an
    unauthorized reader to determine the types and
    quantities of items.

21
Tampering with Data Threats
  • An attacker modifies the tag in a passport to
    contain the serial number associated with a
    terrorist or criminal.
  • A terrorist or criminal modifies a passport tag
    to appear to be a citizen in good standing.
  • An attacker modifies a high-priced item's EPC
    number to be the EPC number of a lower cost item.
  • An attacker modifies the EPC number on tags in
    the supply chain, warehouse, or store disrupting
    business operations and causing a loss of
    revenue.
  • An attacker adds a tag in a passport that
    contains the serial number associated with a
    terrorist or criminal.
  • An attacker adds additional tags in a shipment
    that makes the shipment appear to contain more
    items than it actually does.
  • An attacker modifies the tag-to-reader or
    reader-to-tag signal.
  • An attacker modifies, adds, deletes, or reorders
    data in a database that contains the information
    about EPC numbers.

22
Repudiation Threats
  • A retailer denies receiving a certain pallet,
    case, or item.
  • The owner of the EPC number denies having
    information about the item to which the tag is
    attached.

23
Information Disclosure Threats
  • A bomb in a restaurant explodes when there are
    five or more Americans with RFID-enabled
    passports detected.
  • A smart bomb explodes when an individual carrying
    one or more specific items with tags is detected.
  • A mugger marks a potential victim by querying the
    tags in possession of an individual.
  • An attacker blackmails an individual for having
    certain merchandise in their possession.

24
Information Disclosure Threats cont.
  • A fixed reader at any retail counter could
    identify the tags a person is carrying and show
    similar products on a nearby screen to provide
    individualized marketing.
  • A competitor or thief performs an unauthorized
    inventory of a store by scanning tags with a
    reader to determine the types and quantities of
    items.
  • A thief could create a duplicate tag with the
    same EPC number and return a forged item for an
    unauthorized refund.
  • A sufficiently powerful directed reader reads
    tags in your house or car.

25
Denial of Service Threats
  • An attacker kills tags in the supply chain,
    warehouse, or store, disrupting business
    operations and causing a loss of revenue.
  • An attacker erases tags, setting all values
    including the EPC number to zero, in the supply
    chain, warehouse, or store, disrupting business
    operations and causing a loss of revenue.
  • A shoplifter carries a blocker tag that disrupts
    reader communication to conceal the stolen item.
  • An attacker removes or physically destroys tags
    attached to objects. This is used by an attacker
    to avoid tracking. A thief destroys the tag to
    remove merchandise without detection.
  • An attacker shields the tag from being read with
    a Faraday Cage.
  • An attacker with a powerful reader jams the
    reader.

26
Elevation of Privilege Threats
  • A user who logs on to the database to look up
    product information can become an attacker by
    raising his/her status in the information system
    from a user to a root server administrator and
    writing or adding malicious data into the system.

27
Attack Graph for Performing Unauthorized Inventory
28
Assign Risk with DREAD
  • Damage potential (1-10)
  • Reproducibility (1-10)
  • Exploitability (1-10)
  • Affected Users (1-10)
  • Discoverability (1-10)

29
Mitigate Threats with Higher Risks
Category: Techniques
  • Spoofing identity: Appropriate authentication;
    Protect secrets; Don't store secrets
  • Tampering with data: Appropriate authentication;
    Hashes; Message authentication codes; Digital
    signatures; Tamper-resistant protocols
  • Repudiation: Digital signatures; Timestamps;
    Audit trails
  • Information disclosure: Authorization;
    Privacy-enhanced protocols; Encryption; Protect
    secrets; Don't store secrets
  • Denial of service: Appropriate authentication;
    Appropriate authorization; Filtering; Throttling;
    Quality of Service
  • Elevation of privilege: Run with least privilege
30
Contact Information
  • Dale R. Thompson, P.E., Ph.D.
  • Department of Computer Science and Computer
    Engineering
  • University of Arkansas
  • 311 Engineering Hall
  • Fayetteville, Arkansas 72701
  • Phone: 1 (479) 575-5090
  • FAX: 1 (479) 575-5339
  • E-mail: d.r.thompson_at_ieee.org
  • WWW: http://csce.uark.edu/drt/