Introduction - USALearning

Introduction

Table of Contents

Securing Radio Frequency Identification (RFID)
Overview
Components of RFID
Basic Implementation Steps
Current Applications
Potential Future Applications
Benefits
Weaknesses

Securing Radio Frequency Identification (RFID)

© 2010 Carnegie Mellon University

**001 Jonathan Frederick: All right, in this module, we're going to be talking about securing radio frequency identification, or RFID.

Overview

Introduction to Radio Frequency Identification
• Components
• Basic Implementation
• Current and Future applications
• Benefits and Weaknesses

Securing Radio Frequency Identification
• Threat Categories
• Communication Ranges
• Security Concerns
• Security Recommendations
• Known Security Issues

**003 We'll discuss some introduction to radio frequency identification. You kind of need to understand the different components, also how it works. And then we can talk about some applications that RFID is being used in, and then the benefits and weaknesses. Then we'll actually get into securing RFID, talk about threat categories. Also you really need to understand the communication range that RFID works over in order to understand why we need to secure it. We'll discuss specific concerns, recommendations, and talk about some of the security issues that have come to date.

Components of RFID

Tags
• Consist of an electromagnetic microchip, memory, and an antenna
• Read-only or read-write
• Passive (no internal power source), active, and semi-active
• Advanced features include tag locking, tag killing, security, and environmental sensors

Tag Readers
• Mobile or stationary
• Various frequencies and distances
  — Low, High, and Ultra-High

Middleware
• Passes tag reader data over to the backend system

**004 All right. So the major components here are your tags. These consist of a microchip, also memory, and an antenna. They can be read-only or read-write. We have active, passive, and semi-passive. Your active have some kind of power source built into them. You also have advanced features for security, which we'll definitely talk about throughout the remainder of this presentation. We have readers in order to read our tags. These can be mobile or stationary. And we have low, high, and UHF frequencies. The frequencies will depend on how far you need that tag to be able to be read. So we have proximity cards to get into our doors in this building, and
those will act over low or high. If you have something like an EZPass, where your car is at least 50 feet away from the reader, you need UHF. And those have a battery in them, so they are active. And then you also have the middleware that puts all this together and allows the information that you're reading with the reader to go into some kind of backend system.

Basic Implementation Steps

1. RFID reader emits electromagnetic waves (Forward Channel Signals)

2. RFID tags within an acceptable range take in electricity from the waves through their antenna

Passive Tags

3. Microchips in the tags use the over-the-air electricity to access memory within the tag

4. Data from the memory is passed over electromagnetic waves back to the reader (Backscattered Signals)

Active Tags

3. Microchips in the tags use the electricity to “wake-up” their own internal power source

4. Once powered on, the chip can request information from the reader, perform functions, relay information, etc.

**005 All right. So what are our basic implementation steps? Well, your reader's going to emit an electronic signal and any of the tags that are within a certain range are going to pick up that
signal. At that point, if it's a passive tag, it's going to use that electricity that came from the reader to access its memory and then send back what is in memory to the reader. If you are using an active tag, well there we have that additional power source built into the reader or the tag. So it will activate that power source and then do the same process, take over what's in memory and pass it on to your reader.

Current Applications

Tracking: Supply chain management to replace the UPC system with EPC
• Involves more than one tag reader location and a networked back end

Access Control: Allows an individual access to enter a building, room, country, etc.

Automated Payment: RFID enabled credit cards and toll collection

Asset Management: Inventories and retail product security

Authenticity verification: Reducing counterfeit goods
• Should involve digital signatures or cryptography

Matching: Linking hospital patients with their prescriptions

**006 All right, so some different instances of RFID can fit into multiple of these categories, but I'll just kind of talk about from a general perspective the different applications that we have here. Of course, the two biggest ones here are
your tracking and access control. Tracking, we have a newer standard, the electronic product code, which is, if you don't know right now, replacing the bar code system. So now we have these tags on products in Wal-Mart and within the DOD that can be read electronically with your readers as opposed to an optical scanner. And typically, that's going to involve more than one reader, because the supplier is going to read it on one end and maybe Wal-Mart's going to read it on the other end to verify yes, we did receive the goods. Access control is going to allow individual access into buildings, as I mentioned before. This can be used with your cars to get onto the turnpike, but then that could also be part of automated payments as well. And we have RFID in our passports, both the passport books that we have and the new passport cards that allow someone to go from Canada to the U.S. or Mexico to the U.S. or to the Caribbean. Both of those have RFID, so we use it for access control into our country. We have automated payments as I mentioned. There was RFID-enabled credit cards. I haven't seen one in a while, so I don't know if it's as popular as it was a couple of years ago. My bank gave me a debit card that had it and then a couple years later they sent me a new one and it didn't have it anymore. So I don't know if there's a privacy concern there, but we'll definitely talk about that more as we go through here.

Student: I know the Pay Pass stuff was popular for a little bit. I actually was reading a couple different things where they actually, a guy had actually punched out the Pay Pass thing to avoid having the RFID reader pick up that information. Which was great until he went to use it in an ATM, right? And it kind of kept it. And that was an issue. But you can actually, if it does have it, you can request one, a card without one, usually.

Jonathan Frederick: Okay.

Student: Usually. Depending on the bank. If you get one and you don't want it, you can request one without the Pay Pass piece, the RFID piece.

Jonathan Frederick: All right. All right, the original application for RFID here was asset management. So when you go into Best Buy and you buy a CD and they forget to disable that RFID and the whole store starts beeping as you walk out but nobody tends to come up and see that you're actually stealing something, that was the original intent. That was what it was originally used for and it still is today. So product security is definitely a big one. Authenticity verification, the FDA is telling people that create prescription drugs to start to use this. I think there's a delay here and they're not doing it yet. But you could definitely verify whether something is counterfeit. Drugs is a good one. You don't want somebody's fake drugs. Also things of very high values, jewelry or special watches, things like that, you would definitely want to try and avoid picking up something that's counterfeit there. And then matching. You can match patients to their drugs in the hospital.

When my wife was in the hospital having a child, they'd come in and scan her bracelet and then scan the drugs as well to make sure-- by matching, we're removing the human element or the human error out of this process.

Potential Future Applications

Smart appliances that automatically select the correct wash cycle or track the expiration dates of food

Efficient airline baggage tracking

Tags embedded in roadways and readers in vehicles to allow for driverless travel

Embedding in currency

Related Application: Near Field Communications

**007 All right, some potential future applications. These have been on a list of potential future applications for quite a few number of years now. So there are things that are stopping each of these. Embedding in currency. If you searched on European Union RFID, you will find a thousand conspiracy theorists out there that say that it is already in the European Union currency. Of course they all say
that it's not. And you can pretty much hold it up to a light and see that there is no antenna there. But there are people that think that it is. But think about the privacy implications here. I mean, as soon as you embed something that identifies people or the locations where this is going to go to, now we can track what people are buying and various other things. Airline baggage tracking, again, a privacy concern. It would be great for the airlines to not lose as much baggage. But then you can track potentially this person is going and traveling to these different locations, and that's an invasion of privacy. And then there are some theoretical things here as well. There was going to be a test set up in California at one point in time with vehicles. I'm not sure if that ever panned out or not. But essentially, you could put your tags in the road and then the reader's in the car. And as soon as the car starts to sway a little bit, it realizes that it's going off track and then gets back on track. And smart appliances. How cool would that be to have your refrigerator tell you, well, your cottage cheese went bad two days ago so go ahead and get rid of it. Then you wouldn't have to open it and see that it did go bad, which is pretty disgusting. All right, so some related applications. In cell phones over in Japan and South Korea, we talked about this in our mobile security module. But there's a near field communications which is related to RFID but not the same exact thing. The difference is, in near field communications, we're using the exact
same standards, same frequencies, everything, as RFID, but your phone and say the soda machine that you're putting the phone up to to purchase your soda are both readers. So instead of having a tag and a reader, we have two readers. And then you can do communication in both directions there. This allows for things such as better authentication, better cryptography and encryption, which we would definitely want to see if we were using it for financial transactions.

Benefits

Increased accuracy due to automated processes

Supply chain time reductions and increased efficiency

Easing management of physical security access

Consumer convenience

**008 All right, so what are some of the benefits that RFID brings? Well, we can definitely increase the accuracy of processes. If you're pulling in parts in a manufacturing facility, we can also make sure that we're getting the right parts. We can remove human errors out of these processes. Physical security. Instead of giving everybody a key will probably get lost or posting a guard to every door in a building, we just give them an RFID card. It's not as costly as a key, and also, if that got lost, then you would just log into the system and disable that RFID from being used on those doors instead of going out and paying someone to change all your locks when you lose a key. There's also consumer convenience. This goes in with the EZPass and the RFID-enabled credit cards. Is it more convenient to touch your card to something in a convenience store rather than swipe it? I don't know. It seems almost the same process to me. But something like EZPass, that's definitely a lot more convenient. I don't carry any cash or change, so when I roll up to a tollbooth if I don't have a credit card then I definitely want to use my EZ Pass.

Weaknesses

Initial implementation costs

Standards were only recently established

Security concerns

Human rights and privacy concerns

**009 All right. So what are our weaknesses? Well, these tags, they cost anywhere between, like from five cents up to fifty. And then as we start to add new features to them, they can be a lot more than 50 cents as well. So multiply that by the number of products that you have, and that's the initial implementation cost of just the tags. There's also readers and setting up your backend, but the main cost is going to be your tags. There are some standards, but not every single country in the world is using the same standards. Some are starting to agree on them, but it's still a developing process here. And then there's differences in frequencies. So just
because our ultra-high frequencies are set at something doesn't mean that another country's are set to the same thing. So without those frequencies being the same, a tag used in the United States can't be used in another country. The main reason that we're doing this presentation is our security and privacy concerns, and we'll get into those right

Notices

© 2016 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
