6.857: RFID Security and Privacy

Slide titles:
Talk Abstract and Outline
What is RFID?
RFID System Primer
RFID Adhesive Labels
An RFID “Smart Shelf” Reader
System Interface
RFID History
Digression #1: Related Military Applications
Commercial Applications
Supply-Chain Management (Not Gum)
Modern RFID Applications
Slide 13
Slide 14
Tag Power Source
Functionality Classes
Operating Frequencies
Asymmetric Channels
Security Risks: Espionage
Espionage Case Study
Security Risks: Forgery
Slide 22
Slide 23
Security Risks: Sabotage
Adversarial Model
Adversarial Model: Attacks
Adversarial Model: Countermeasures
Is it really that bad?
But…the customer is always right.
Digression #2: RFID Public Relations
Security Challenge
Example Tag Specification
Resource Constraints
Hash Locks
Hash Lock Access Control
Hash Lock Analysis
Randomized Hash Lock
Randomized Hash Lock Analysis
Blocker Tags
Other Work
RFID Policy
Simson’s Bill of Rights
A New Idea: Humans and Tags
Questions?
Slide 45

6.857 Lecture - November 2, 2004

6.857: RFID Security and Privacy
November 2nd, 2004
Massachusetts Institute of Technology
Computer Science and Artificial Intelligence Laboratory

Talk Abstract and Outline
•Abstract: What is RFID, how does it affect security and privacy, and what can we do about it?
•Outline
–RFID Introduction, History, and Applications
–Security Threats and Adversarial Model
–Countermeasures

What is RFID?
•Radio Frequency Identification: Identify physical objects through a radio interface.
•Many different technologies called “RFID”.
•Other types of auto-ID systems include:
–Optical barcodes
–Radiological tracers
–Chemical taggants

RFID System Primer
Three Main Components:
•Tags, or transponders, are affixed to objects and carry identifying data.
•Readers, or transceivers, read or write tag data and interface with back-end databases.
•Back-end databases correlate data stored on tags with physical objects.

RFID Adhesive Labels
[Figure: RFID adhesive labels; scale bar 4 cm]

An RFID “Smart Shelf” Reader
[Figure: an RFID “smart shelf” reader]

System Interface
[Diagram: Tag, Reader, Reader Network, Data Processing, Database; sample tag ID 01.203D2A.916E8B.8719BAE03C]

RFID History
•Earliest Patent: John Logie Baird (1926)
•“Identify Friend or Foe” (IFF) systems developed by the British RAF to identify friendly aircraft.
•Both sides secretly tracked their enemy’s IFF.
•How do you identify yourself only to your friends?
“Don’t shoot! We’re British!”
“Oh. We’re British too!”

Digression #1: Related Military Applications
•IFF still used today for aircraft and missiles. Obviously classified.
•Could envision an IFF system for soldiers.
•Lots of military interest in pervasive networks of cheap, RFID-like sensors.
•Monitoring pipelines, detecting biological agents, tracking munitions, etc.

Commercial Applications
•Early Applications:
–Tracking boxcars and shipping containers.
–Cows: RFID ear tags.
–Bulky, rugged, and expensive devices.
•The RFID Killer Application?

Supply-Chain Management (Not Gum)
•First Universal Product Code scanned was on a pack of Juicy Fruit gum in 1976.
•Every day, over five billion barcodes are scanned around the world.
•But barcodes are slow, need line of sight and physical alignment, and take up packaging “real estate”.
•Over one billion RFID tags on the market.
•Example: Gillette’s “shrinkage” problem.

Modern RFID Applications
•Supply-Chain Management
–Inventory Control
–Logistics
–Retail Check-Out
•Access Control: MIT Proximity Cards.
•Payment Systems: Mobil SpeedPass.
•Medical Records: Pet tracking chips.

[Figures: Prada's RFID Closet; MIT Prox Card]

Tag Power Source
•Passive:
–All power comes from a reader’s interrogation signal.
–Tags are inactive unless a reader activates them.
–Passive powering is the cheapest, but shortest range.
•Semi-Passive:
–Tags have an on-board power source (battery).
–Cannot initiate communications, but can be sensors.
–Longer read range, more cost for battery.
•Active:
–On-board power and can initiate communications.

Functionality Classes
Class  Nickname                 Memory      Power Source  Features
0      Anti-Shoplift Tags       None        Passive       Article Surveillance
1      Electronic Product Code  Read-Only   Passive       Identification Only
2      Electronic Product Code  Read/Write  Passive       Data Logging
3      Sensor Tags              Read/Write  Semi-Passive  Environmental Sensors
4      Smart Dust               Read/Write  Active        Ad Hoc Networking

Operating Frequencies
Range Class      LF                 HF                 UHF
Frequency Range  120-140 MHz        13.56 MHz          868-956 MHz
Maximum Range?   3 meters           3 meters           10 meters
Typical Range    10-20 centimeters  10-20 centimeters  3 meters

Asymmetric Channels
[Diagram: Reader, Tag, Eavesdropper. Forward Channel Range (~100m); Backward Channel Range (~5m)]

Security Risks: Espionage
•Corporate Espionage:
–Identify Valuable Items to Steal
–Monitor Changes in Inventory
•Personal Privacy:
–Leaking of personal information (prescriptions, brand of underwear, etc.).
–Location privacy: Tracking the physical location of individuals by their RFID tags.

Espionage Case Study
•The US Food and Drug Administration (FDA) recently recommended tagging prescription drugs with RFID “pedigrees”.
•Problems:
–“I’m Oxycontin. Steal me.”
–“Bob’s Viagra sales are really up this month.”
–“Hi. I’m Alice’s anti-fungal cream.”

Security Risks: Forgery
•RFID casino chips, Mobil SpeedPass, EZ-Pass, FasTrak, prox cards, €500 banknotes, designer clothing.
•Skimming: Read your tag, make my own.
•Swapping: Replace real tags with decoys.
•Producing a basic RFID device is simple.
•A hobbyist could probably spoof most RFID devices in a weekend for under $50.

Security Risks: Forgery
•Mandel, Roach, and Winstein @ MIT
•Took a “couple weeks” and $30 to figure out how to produce a proximity card emulator.
•Can produce fake cards for a few dollars.
•Can copy arbitrary data, including TechCash.
•Could read cards from several feet. (My card won’t open the door past a few inches.)
•Broke Indala's FlexSecur “data encryption”. (Just addition and

