tag or a reader. At this range it is not possible to capture any intelligible information. However, that might not be needed. The detection range for a reader is much larger than for a tag. An example where this range matters: as described earlier, the DOD requires item-level tagging. Now a missile can be developed that locks on to a reader or tag signal. Even though this example is far from real, it shows that this range cannot be neglected.
One example of exploiting read ranges is given in where J. Westhues built an apparatus for recording RF conversations between proximity cards and building access readers from a larger distance. Those recorded conversations were later played back to gain access to the building. Note that in this example not only was the reading range exploited; no authentication was in place either. It also shows another problem: users of RFID technology might not even be aware of an ongoing exploit, since it neither interferes with what they are doing nor leaves a trace.
4.4 Attacks against RFID Systems
This section describes different kinds of attacks and exploits that an RFID system might suffer from.
Sniffing and eavesdropping: Most systems use clear text communication for various reasons like too few resources for encryption, too expensive to implement, problems with distributing keys for some schemes, etc. In those systems sniffing is a powerful attack as it can reveal a lot of interesting information for the eavesdropper. Also simple RFID tags do not provide any protection against being read by a misbehaving reader. The learned information can later be used in other attacks against the RFID system.
Tracking: As mentioned earlier, this exploit tries to collect and relate as much information as possible. Especially when item-level tagging becomes ubiquitous it becomes possible to create a precise profile of a person. That results in a loss of privacy.
Spoofing: In this attack scheme an attacker can read the data from an authentic tag and copy it to a blank tag. Since most tags do not provide any kind of authentication or access control, an attacker can simply read tags of passing people and save them onto a blank tag for later use. gives an example of a spoofing attack. The attacker reads the tag's data from an item at a store and creates a new tag that replaces the tag for a similar but more expensive item. The retagged item can then be checked out and the attacker will only be charged for the cheaper item.
Replay: In this attack the attacker intercepts communication between a reader and a tag. At a later time the original tag's response can be reused when the attacker receives a query from the reader. An example where the conversation between proximity cards and a building access reader was recorded and played back was given at the end of the authentication section. Another example that is often used is the following: a car can record the response that another car gives to the automated toll collection system and use the same response when passing an EZ-Pass checkpoint. Implementing a challenge-response protocol can prevent those attacks.
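The replay case above and the challenge-response remedy it names, simulated as an added example that is not from the original paper. HMAC-SHA256, the 16-byte nonce, the class and function names and the `CARD-0001` identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key, challenge, tag_id):
    # HMAC-SHA256 is an assumption; a real tag would use what its chip affords.
    return hmac.new(key, challenge + tag_id, hashlib.sha256).digest()

class StaticTag:
    """Unauthenticated tag: every query gets the same identifier back."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return self.tag_id  # the challenge is ignored

class KeyedTag:
    """Tag that shares a secret key with the reader."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key
    def respond(self, challenge):
        return mac(self.key, challenge, self.tag_id)

class Reader:
    def __init__(self, tag_id, key=None):
        self.tag_id, self.key, self.challenge = tag_id, key, b""
    def query(self):
        self.challenge = secrets.token_bytes(16)  # fresh nonce for every query
        return self.challenge
    def accept(self, response):
        if self.key is None:  # static scheme: compare the bare identifier
            expected = self.tag_id
        else:  # the response must match the nonce of the current query
            expected = mac(self.key, self.challenge, self.tag_id)
        return hmac.compare_digest(response, expected)

def record_then_replay(tag, reader):
    """Return (live exchange accepted, same recording accepted on a later query)."""
    recorded = tag.respond(reader.query())
    live = reader.accept(recorded)
    reader.query()  # a later, independent query from the reader
    return live, reader.accept(recorded)

def demo():
    tag_id, key = b"CARD-0001", secrets.token_bytes(16)  # constructed values
    return {
        "static": record_then_replay(StaticTag(tag_id), Reader(tag_id)),
        "keyed": record_then_replay(KeyedTag(tag_id, key), Reader(tag_id, key)),
    }
```

`demo()` reports, for each scheme, whether the live exchange and the later replay of its recording were accepted: the static scheme accepts both, the keyed scheme accepts only the live one.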
Denial of service: This attack can have many different forms. One form is simply jamming the frequencies used by the RFID system, thereby making communication impossible. Similarly, by interfering with the MAC protocol, another RFID tag (see blocker tag in the privacy section) can prevent a reader from discovering and polling tags. To disable a tag it is enough to wrap it in some metal foil. That prevents the tag from receiving enough energy to respond to queries. This is often used by thieves to disable EAS tags. Apparently it became such a problem that the state of Colorado made it a misdemeanor to wear aluminum underwear in stores with the intent to circumvent theft detection systems. A more manually intensive attack is the following scheme: an anti-RFID activist might attach random labels to items throughout the store. That causes the RFID system to collect meaningless data that discredits RFID technology.
Virus: An old attack in a new area is the RFID Virus as presented in. The virus targets the database backend in the RFID system. Usually data read from the tags is stored in a database. The virus is a classical SQL injection exploit that targets unchecked or improperly escaped input to the database to execute additional commands.
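The injection path described above, shown next to a hardened form, as an added example that is not from the original paper. The schema, the 24-hex-digit tag format, both sample tag values, the function names and the use of SQLite are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed tag format for this example: 24 hex digits (a 96-bit identifier).
TAG_FORMAT = re.compile(r"[0-9A-F]{24}")

# Constructed inputs: a well-formed read, and tag memory that was written with
# a quote, a statement terminator and a second statement.
GOOD_TAG = "30340789000C0E42DFDC1C35"
CRAFTED_TAG = "x'); UPDATE items SET price = 0; --"


def new_backend():
    """In-memory stand-in for the backend database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (tag_data TEXT)")
    db.execute("CREATE TABLE items (name TEXT, price INTEGER)")
    db.execute("INSERT INTO items VALUES ('widget', 500)")
    return db


def store_unchecked(db, tag_data):
    """The flaw: tag data is pasted into the SQL text. executescript stands in
    for a database driver that accepts several statements in one call."""
    db.executescript("INSERT INTO reads (tag_data) VALUES ('%s');" % tag_data)
    return True


def store_checked(db, tag_data):
    """Hardened: allow-list the format, then bind the value as a parameter."""
    if not TAG_FORMAT.fullmatch(tag_data):
        return False  # rejected before it reaches the database
    db.execute("INSERT INTO reads (tag_data) VALUES (?)", (tag_data,))
    return True


def run(store):
    """Feed both reads through `store`; return (rows stored, widget price)."""
    db = new_backend()
    for tag_data in (GOOD_TAG, CRAFTED_TAG):
        store(db, tag_data)
    rows = db.execute("SELECT COUNT(*) FROM reads").fetchone()[0]
    price = db.execute("SELECT price FROM items").fetchone()[0]
    return rows, price


if __name__ == "__main__":
    print("unchecked:", run(store_unchecked), "checked:", run(store_checked))
```

Parameter binding alone already keeps the crafted value inert as data; the format check additionally keeps malformed reads out of the table.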
It becomes more and more apparent that technology alone is not sufficient to address all problems above; it needs support by the legislature. Some US states already released laws such as California's "Information protection Act" of 2005. Even if it were possible to build a sophisticated tag with strong encryption etc., it would increase a tag's price and therefore make it uninteresting for most applications.
In this section several important issues were addressed. First, possible exploits were discussed and proposals were presented that try to fix those problems. Those proposals range from simple measures such as destroying the tag with the kill command to more sophisticated approaches such as the guardian approach. Then authentication in RFID systems was described. It is a hard problem, mainly because of the limited resources on the chip. Last but not least, several attacks against RFID systems were discussed. Even though RFID tags are simple, there are many possible exploits.
5. RFID Location and Tracking
RFID tags can be used for more than just labeling items. This section presents two proposals that can locate tags and track their movements.
presents a study on how to detect movements of an object tagged with an RFID chip. The use of handheld readers to monitor the worker's motion, and the use of acceleration-detecting tags, are dismissed as not applicable or too expensive. The proposed method works as follows: the reader polls the tag a certain number of times per second and counts the number of responses. The observation is that the number of responses decreases when the distance increases. By further analyzing changes in derived approximations of signal-intensity levels a one antenna system works only within a short radial range and limited angles. By increasing the number of readers and tags the system's accuracy can be improved.
is another paper about mapping and localization. In contrast to the other paper they use a robot with 2 antennae located 45 degrees to the left and right with respect to the robot; also, the robot (reader) is mobile. By comparing the signal strength received on both antennae they can estimate the position of a tag with the Monte Carlo localization algorithm. They show that their method also works in a highly dynamic environment where tags are attached to moving objects. In addition they show that their method can be used to derive the coordinates of the robot if a map of the environment is available.
and put RFID location to practical use. An RFID tag is incorporated into a golf ball. The mobile reader carried by the player indicates a ball's position on its LCD screen or via audio feedback. Detection range is 30 - 100 feet. Unfortunately, the method that is used to locate the ball is proprietary and not described.
This section presented a short introduction into the world of tracking labeled objects. With the growing ubiquity of RFID tags those mechanisms might become second nature to us when we need to find our items, maybe track where our children go, etc.
6. New Production Methods
This section discusses new ways of producing RFID tags. Tags produced in the current standard process cost between 7.5 and 15 cents. For item-level tagging that cost is still prohibitive. A survey reported that the ideal tag should cost less than a cent. The current production process uses low cost silicon chips which are placed onto an external antenna. The largest part of the production is the attachment of the chip to the antenna. Even with advanced methods such as pick-and-place and fluid self assembly as reported in the cost is still high.
Printing a complete tag seems to be a viable alternative. Organic substance is used as printing material. The first RFID tag made from organic material (although not by printing) was presented in 2004, contained 171 polymer thin film transistors, and worked at 125 kHz. Another organic RFID tag is described in. Since then many papers report progress of printing active and passive parts of the circuitry. for example describes how to print transistors. Currently most printed parts are not able to run at the targeted 13.56 MHz but progress is steady.
The reason why 13.56 MHz is targeted is that higher frequencies, although superior in range, suffer from the presence of metals and fluids, while lower frequencies require too large spiral inductors.
7. Social Implications of RFID
The following section is not intended to serve as an argument against RFID tags, nor does it provide a scientific foundation. It is here merely to show the social impact that a new technology creates and has to cope with.
In the security chapter it was discussed that many people do not trust RFID technology and fear that their privacy might get compromised. In this chapter the objection comes from a different group of people with a different background.
The following paragraph is a part from the Bible:
And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads. And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of the beast. Here is the wisdom. Let him that hath understanding count the number of the beast for it is a human number. His number is - 666. - Revelation 13:16-18
Some people believe that RFID tags are the mark of the beast and rally against them. Their reasoning rests on two main arguments. The first argument is that RFID tags are likely to replace currencies and credit cards as well as all other ways of paying. In addition they would also serve as identification. That requires people to receive a tag because no one can buy or sell without it, independent of being rich or poor. The second argument is as follows: since RFID tags are also used as identification, they should be implanted to avoid losing the ID or switching it with someone. Current research has shown that the ideal location for the implant is indeed the forehead or the hand, since they are easy to access and, unlike most other body parts, do not contain much fluid, which interferes with the reading of the chip.
It is unlikely that this issue will prevent RFID technology from succeeding.
8. Summary
This paper presented a survey on RFID technology. RFID technology has a big potential to become ubiquitous in the near future. Today it is already successfully used in supply chain management to track pallets of items. Tracking allows better coordination and control in the production cycle. Now the industry is pushing towards item-level tagging to increase the control even further. However, that also creates concerns, most commonly privacy concerns, but also other security related issues. The paper presented possible scenarios of how privacy can be compromised by RFID tags, but also several solutions to protect against it. Since RFID technology becomes more and more common, attacks against the system itself start to appear. This paper listed the most common ones, ranging from sniffing and eavesdropping over denial of service to new RFID viruses.
The paper also showed that there is more to RFID than just supply chain management. The paper covers mechanisms that allow locating or tracking a possibly moving object. Last but not least the paper also surveys research for new production methods for tags. Currently printing tags with organic materials seems to be a promising approach. By printing tags, the cost-intensive assembly of the two main components, antenna and chip, can be eliminated. It also adds higher flexibility to production.
The paper concludes by looking at some social implications that RFID causes. Although not technically relevant, it provides a good outside perspective.