
Ministry of Education and Science of Ukraine

State University of Telecommunications


Department of Information and Cybernetics Security

«RFID Security»

Done by:
Kolesnyk Volodymyr
BSD-31
elitabsd11@gmail.com

KYIV — 2020

Plan:
1. Introduction
2. Main Part
3. Conclusion
4. Literature
5. Extended annotation (ukr)
6. Term glossary

1. Introduction
So, what is RFID? Radio-frequency identification (RFID) is a broad class of
devices that use electromagnetic fields to automatically identify and track tags
attached to objects. An RFID tag consists of a tiny radio transponder, a radio
receiver and a transmitter. When triggered by an electromagnetic field or pulse, the
tag transmits digital data back to the reader. The technology is realized in many
different forms, from custom chips to whole communication systems: credit cards,
passports, the products we buy, chips implanted in pets, shop checkouts, access
control systems, track&trace systems for logistics and so on [3].
There are two types of RFID tags. Passive tags are powered by energy from the
RFID reader's interrogating radio waves. Active tags are powered by a battery and
thus can be read at a greater range from the RFID reader, up to hundreds of meters.
RFID development has raised serious privacy concerns, which resulted in the
development of standard specifications addressing privacy and security issues:
ISO/IEC 18000, 29167 (on-chip cryptography) and 20248 (digital signature data
structure).
RFID tags can replace bar codes and QR codes. A bar code can only be read if
the reader has a direct line of sight to it; an RFID tag can be read whenever the
reader is nearby, without line of sight.
Here is an RFID frequency bands table:
Band | Regulations | Range | Data speed | Remarks
LF: 120–150 kHz | Unregulated | 10 cm | Low | Animal identification, factory data collection
HF: 13.56 MHz | ISM band worldwide | 10 cm–1 m | Low to moderate | Smart cards (ISO/IEC 15693, ISO/IEC 14443 A, B), ISO-non-compliant memory cards (Mifare Classic, iCLASS, Legic, Felica ...), ISO-compatible microprocessor cards (Desfire EV1, Seos)
UHF: 433 MHz | Short range devices | 1–100 m | Moderate | Defense applications, with active tags
UHF: 865–868 MHz (Eu), 902–928 MHz (North America) | ISM band | 1–12 m | Moderate to high | EAN, various standards; used by railroads [16]
microwave: 2450–5800 MHz | ISM band | 1–2 m | High | 802.11 WLAN, Bluetooth standards
microwave: 3.1–10 GHz | Ultra wide band | up to 200 m | High | Requires semi-active or active tags

2. Main Part
The problem is security. Like most technologies and networks, RFID systems
are also vulnerable to physical and electronic attacks, namely reverse engineering,
power analysis, eavesdropping, sniffing, denial of service, cloning, spoofing, and
viruses. As this technology matures and finds numerous applications, increasingly
together with IoT integration, attackers will continue to seek novel methods of
gaining access to private information. [4-9]
RFID tags can receive and respond to a variety of signals, increasing the risk of
unauthorized access to and modification of the data on the tag. In other words, any
unauthorized individual who has an RFID card reader can interrogate tags and access
their contents.
Here are some common attack examples:
- Tag isolation. It is technically the simplest attack and probably the most
common. It consists in blocking the tag's communications so that no data reaches the
reader. It is usually carried out by means of a Faraday cage or by jamming RF
signals.
- Tag cloning. The unique identifier (UID) and/or the content of the RFID tag is
extracted and written into another tag. Used for accessing restricted areas.
- Denial of Service (DoS) attacks. The reader is flooded with such a large
amount of information that it cannot deal with the signals sent by real tags. Other
techniques are based on emitting radio noise at the operating frequency of the RFID
system.
- Command injection. Some readers are vulnerable to remote code execution
just by reading the content of a tag.
- Signal replaying. It consists in recording the RFID signal at certain moments
in time with the objective of replaying it later.
- Remote tag destruction. There exist RFID zappers that are able to send
energy remotely that, once rectified, is so high that certain components of the tag
might be burned. Researchers have also found that it is possible to misuse the kill
password in some tags (Electronic Product Code (EPC) Class-1 Gen-2) with a
passive eavesdropper and then disable the tags.
- SQL injection. As in the case of command injection, it has been found that
some reader middleware is susceptible to the injection of arbitrary SQL commands
[8].
- Virus/Malware injection. Although difficult to perform in the vast majority of
RFID tags due to their low storage capacity, it is possible in certain tags to insert
malicious code that can be transmitted to other tags.
- Man-in-the-Middle (MitM) attacks. They consist in placing an active device
between a tag and the reader in order to intercept and alter the communications
between the two.
- RelAmp, Relay/Amplification attacks. They consist in amplifying the RFID
signal using a relay; thus, the range of the RFID tag is extended beyond its intended
use.
- RFID skimming. It consists in the use of portable point-of-sale terminals to
make unauthorized and fraudulent charges on payment cards.
There is no single best way even to evaluate RFID security, because the main
vulnerability remains the human. What technology can do is deal with all of the
above, and one of the most efficient methods is auditing, which is commonly done
at the hardware level. In recent years, a number of projects have been developed with
the aim of facilitating researchers' low-level access to RFID communications [1, 10, 11].
Some of them are just software tools that can be used with commercial RFID readers
(RFIDiot), while others involve specific hardware (Proxmark 3, Tastic, OpenPCD,
OpenPICC, Chameleon Mini) or certain firmware (Proxbrute for Proxmark 3).
Hardware developments are especially interesting: some devices can emulate readers
(Tastic, OpenPCD); others can emulate just tags (OpenPICC); and a few can emulate
both kinds of devices (Proxmark 3, Chameleon Mini).
Fortunately, good security measures exist. Many countermeasures and
capabilities are proposed in the literature to ensure the security of RFID systems, such
as pseudo-random-based solutions, anonymous-ID schemes, symmetric and asymmetric
cryptographic algorithms and other hash-based schemes [2]. Some
countermeasures and solutions were developed to protect personal data and reduce
tracking capabilities. The main techniques proposed in the literature studied for our
classification are:
- Delegation Tree. The principle of this method is to delegate the
control of reading tags depending on which privacy policy is assigned to each reader
and tag. These specifications can be stored in a database, for example. [12]
- Protocol-added schemes. The technique consists of integrating a
new coding scheme inside RFID tags and readers in order to create a specific
communication protocol; in this way, external readers cannot access the network's
tags. [12, 13]
- Tag killing. The tag killing method consists of destroying the
content of a tag once it no longer needs to be used. The retailer can use the kill
command after entering the right PIN code. This technique can be used by sellers
after their products leave the store. [13]
- XOR encryption and PRNG. The XOR encryption and PRNG
method is based on using a randomized protocol for each communication. This
technique is powerful for countering listening attacks such as eavesdropping,
since it makes following the communication with the tag a difficult task. [13]
- Blocker Tag. The Blocker Tag technique aims to create an inductive
field by the tag which will block communication between the tag and suspicious
readers. Many occurrences of a tag ID are generated in order to hide the real one
from the reader. [12, 13]
- One-Way Hash Locks. A hash is a one-way function that converts
a variable-length block of data into a fixed-length value called a “hash code.” It
cannot be reversed. A hash function known only to two parties provides two
principles: it authenticates the sender and it provides integrity assurance for sent data.
Weis describes a method by which access control can be achieved via a one-way hash
function lock. [11, 15] In their proposal, a tag would store the hash of a unique key as
the tag’s meta-ID and subsequently enter a “locked state.” The key value and the
meta-ID value would be stored in a back-end enterprise system. Upon interrogation
by a reader, the tag would respond with this meta-ID; a legitimate reader would
consult the back-end database, retrieve the key that matched the meta-ID value
and transmit the key value to the tag. The tag, upon computing a hash on the received
key value, would compare the resultant hash value with the stored hash value. A
successful match would in essence authenticate the reader to the tag. The tag would
enter an “unlocked” state and expose its full functionality to nearby readers. [15]
- Physical Shielding Sleeve (The Faraday Cage). A Faraday Cage
is a metal mesh or foil container that is impenetrable by radio signals of certain
frequencies. It can be used to shield a tag from unwanted eavesdropping, but requires
owner compliance for use. A physical shield around the tag can serve as a potential
threat to availability and integrity if it is not removed to allow legitimate readers to
perform their scans. For example, users may fail to remove the tag from its shielding
sleeve in the vicinity of authorized readers; the readers cannot identify the now
unavailable tag. Data integrity is also compromised, as the RFID System does not
record the tag. [16]
- EPC Tag PINs. Juels describes an alternative method to control
access to tags with a simple challenge-response authentication mechanism. This
technique strengthens the resistance of tags to counterfeiting, specifically to cloning
attacks. EPC Class 1 Tags have PIN-controlled access to several sensitive functions,
including “write,” “sleep” and “kill.” However, this PIN access was originally
envisioned to allow readers to authenticate to tags. The Juels proposal twists this
inherent capability in EPC Tags to allow for reverse authentication of tags to trusted
readers. The resulting challenge-and-response exchange between the tag and
the trusted reader ultimately results in mutual authentication of both entities. A
realistic vulnerability of this scheme is the risk of PINs being harvested from tags,
either physically or electronically. Electronic attacks, which involve PIN-guessing
techniques, can be addressed by disabling a tag after a number of incorrect PINs. It is
additionally anticipated that PIN lengths will increase from 8 to 32 bits with the Class
1 Generation 2 Tag Specification; this will statistically increase the complexity of
“guessing” PINs. Juels also proposes that deployed tags have periodic PIN changes,
much like standard system passwords are changed every ninety days per best
practices. This last proposition introduces administrative costs and considerations.
[16]
- RSA Countermeasures. RSA Laboratories has proposed two
techniques to address the tag eavesdropping problem. The first, developed by
researchers at the Massachusetts Institute of Technology (MIT), modifies the silent
tree walking singulation protocol to eliminate reader broadcast of tag data. A second
proposal involves tags in possession of multiple identities. The tag emits different
identifiers over time; only legitimate readers are able to distinguish valid identifiers
from pseudo-identifiers. As of this writing, these two RSA techniques have not been
deployed in RFID vendor production lines for tags or readers.
- Protocol integration. In case of IoT integration, Transport Layer
Security (TLS) or its predecessor, Secure Sockets Layer (SSL), are two protocols
which can provide authentication and encryption controls. Authentication would
address the risks of rogue readers and access points, while encryption would address
the eavesdropping risk.
- Physical and Environmental Controls. Readers and access points
are additionally threatened by natural and structural hazards, to include fire, flooding,
fault induction, and power interruption/loss. These physical threats should be
addressed very carefully, making certain to adhere to industry accepted physical
environment controls. All devices should have back-up/emergency power sources to
ensure that the availability of the system is not compromised. Contingency plans
should be developed such that the system remains functional in the event of internal
component failure. Relevant requirements in these control families are noted in the
Requirements Traceability Matrix (RTM) for United States Visitor and Immigrant
Technology (US-VISIT) Increment 2C, a document produced using NIST Special
Publication 800-53, Recommended Security Controls for Federal Information
Systems (DRAFT).
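The hash-lock exchange from the “One-Way Hash Locks” item above, together with the randomized per-session response that the “XOR encryption and PRNG” item argues for, as an added Python model: this is not code from the paper or from Weis, the back-end, tag and reader roles are simulated in one process, SHA-256 stands in for the abstract hash H, and the keys, tag IDs and the RandomizedHashLockTag variant are assumptions made for this example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# All keys and tag IDs below are constructed for this example; the paper
# describes the scheme in prose only and names no implementation.


def H(data: bytes) -> bytes:
    """The one-way hash of the scheme; SHA-256 stands in for the abstract H."""
    return hashlib.sha256(data).digest()


class Backend:
    """Back-end enterprise system holding meta-ID -> (key, real tag ID)."""

    def __init__(self) -> None:
        self.by_meta_id: Dict[bytes, Tuple[bytes, bytes]] = {}

    def enroll(self, tag_id: bytes) -> Tuple[bytes, bytes]:
        key = secrets.token_bytes(16)        # per-tag secret key
        meta_id = H(key)                     # the only value the tag will emit
        self.by_meta_id[meta_id] = (key, tag_id)
        return key, meta_id

    def key_for(self, meta_id: bytes) -> Optional[bytes]:
        entry = self.by_meta_id.get(meta_id)
        return entry[0] if entry else None


class HashLockTag:
    """Tag that stores only meta-ID = H(key) and starts in the locked state."""

    def __init__(self, tag_id: bytes, meta_id: bytes) -> None:
        self._tag_id = tag_id
        self.meta_id = meta_id
        self.locked = True

    def query(self) -> bytes:
        # Locked: reveal only the meta-ID. Unlocked: full functionality (real ID).
        return self.meta_id if self.locked else self._tag_id

    def unlock(self, key: bytes) -> bool:
        # The tag hashes the presented key and compares with its stored meta-ID;
        # a match authenticates the reader to the tag.
        if H(key) == self.meta_id:
            self.locked = False
        return not self.locked


def legitimate_read(tag: HashLockTag, backend: Backend) -> Optional[bytes]:
    """Reader flow: meta-ID -> back-end lookup -> key -> unlock -> real ID."""
    meta_id = tag.query()
    key = backend.key_for(meta_id)
    if key is None or not tag.unlock(key):
        return None                     # unknown tag or wrong key: stays locked
    return tag.query()


def unauthorized_read(tag: HashLockTag) -> bytes:
    """A reader without back-end access sees only the meta-ID; presenting the
    meta-ID itself as the key fails because H(meta_id) != meta_id."""
    seen = tag.query()
    tag.unlock(seen)
    return tag.query()


class RandomizedHashLockTag(HashLockTag):
    """Randomized variant (assumed here, after Weis et al.): while locked the tag
    answers (r, H(ID || r)) with a fresh r, so two reads are unlinkable and an
    eavesdropped answer is not a stable identifier for tracking."""

    def query(self):
        if not self.locked:
            return self._tag_id
        r = secrets.token_bytes(8)
        return r, H(self._tag_id + r)


def identify_randomized(answer, enrolled_ids) -> Optional[bytes]:
    """Back-end resolves (r, digest) by hashing every enrolled ID with r."""
    r, digest = answer
    for tag_id in enrolled_ids:
        if H(tag_id + r) == digest:
            return tag_id
    return None
```

The cost of the randomized variant is visible in identify_randomized: the back-end must hash every enrolled ID per read, so unlinkability is traded for a lookup that grows with the tag population.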

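The PIN-gated commands, the lockout after repeated wrong PINs and the periodic PIN rotation described under “EPC Tag PINs” above, as an added Python model that is not from the paper, from Juels or from the EPC specification: MAX_FAILED_PINS, the HMAC-over-nonce reverse authentication in respond() and all EPC values and PINs are assumptions of this example, chosen to show why the lockout and the larger 32-bit PIN space matter.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed lockout threshold; the paper gives no number, only the principle.
MAX_FAILED_PINS = 5


def pin_space(pin_bits: int) -> int:
    """Distinct PINs an attacker would have to try in the worst case."""
    return 1 << pin_bits


class EpcPinTag:
    """Model of an EPC Class 1 tag: write, sleep and kill are PIN-gated, and the
    tag disables itself after MAX_FAILED_PINS wrong PINs (the countermeasure the
    paper describes against PIN-guessing)."""

    def __init__(self, epc: bytes, pin: int, pin_bits: int = 32) -> None:
        if not 0 <= pin < pin_space(pin_bits):
            raise ValueError("PIN does not fit in the configured PIN length")
        self.epc = epc
        self.pin_bits = pin_bits
        self._pin = pin                      # never transmitted by the tag
        self.failed = 0
        self.disabled = False
        self.killed = False
        self.asleep = False
        self.memory: Dict[int, bytes] = {}

    def _pin_ok(self, pin: int) -> bool:
        if self.disabled or self.killed:
            return False
        if pin == self._pin:
            self.failed = 0                  # a correct PIN resets the counter
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_PINS:
            self.disabled = True             # lockout stops online guessing
        return False

    def write(self, pin: int, addr: int, value: bytes) -> bool:
        if not self._pin_ok(pin):
            return False
        self.memory[addr] = value
        return True

    def sleep(self, pin: int) -> bool:
        if not self._pin_ok(pin):
            return False
        self.asleep = True
        return True

    def kill(self, pin: int) -> bool:
        if not self._pin_ok(pin):
            return False
        self.killed = True
        return True

    def change_pin(self, old_pin: int, new_pin: int) -> bool:
        """Periodic PIN rotation, as the Juels proposal suggests."""
        if not 0 <= new_pin < pin_space(self.pin_bits):
            return False
        if not self._pin_ok(old_pin):
            return False
        self._pin = new_pin
        return True

    def respond(self, nonce: bytes) -> Optional[bytes]:
        """Reverse authentication (assumed construction): prove PIN knowledge
        to a reader by keying an HMAC over the reader's fresh nonce."""
        if self.disabled or self.killed:
            return None
        key = self._pin.to_bytes((self.pin_bits + 7) // 8, "big")
        return hmac.new(key, nonce, hashlib.sha256).digest()


class TrustedReader:
    """Reader holding the PIN database; checks a tag's answer to a fresh nonce,
    so a recorded answer from an earlier session is useless to a cloned tag."""

    def __init__(self, pins: Dict[bytes, int], pin_bits: int = 32) -> None:
        self.pins = pins
        self.pin_bits = pin_bits

    def authenticate(self, tag: EpcPinTag) -> bool:
        pin = self.pins.get(tag.epc)
        if pin is None:
            return False
        nonce = secrets.token_bytes(16)
        key = pin.to_bytes((self.pin_bits + 7) // 8, "big")
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        answer = tag.respond(nonce)
        return answer is not None and hmac.compare_digest(answer, expected)
```

pin_space(8) is 256, so without a lockout an 8-bit PIN falls to a handful of seconds of guessing, while pin_space(32) is over four billion; the lockout in _pin_ok is what makes either length hold up against online guessing, and change_pin shows the administrative cost the paper mentions, since the reader's database must be updated in step with the tag.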
3. Conclusion
Radio-frequency identification (RFID) is currently considered one of the most
widely used technologies for the automatic identification of objects or people. Based
on a combination of tags and readers, RFID technology has been widely applied in
various areas including supply chain, production and traffic control systems. However,
despite its numerous advantages, the technology brings out many challenges and
concerns that are attracting more and more researchers, especially the security
and privacy issues. In this paper, I have presented the basics of RFID and its
problems, and also mentioned some recent works aiming to ensure security and privacy
in RFID systems. The use of RFID raises data privacy and location privacy issues.
There is no panacea for all its problems, but since we live in a modern digitized
world, the only true way to be up and ready is to keep an eye on all new decisions
and solutions.

4. Literature
1) Fernández-Caramés T., Fraga-Lamas P., Suárez-Albela M. A Methodology for
Evaluating Security in Commercial RFID Systems [Electronic resource] // IntechOpen
Limited. – 2017. – Access mode: https://www.intechopen.com/books/radio-frequency-identification/a-methodology-for-evaluating-security-in-commercial-rfid-systems,
captured on 08.12.2020.
2) Yi-Pin L., Chih-Ming H. A secure ECC-based RFID authentication scheme
integrated with ID-verifier transfer protocol. – 2013. – (Journal of Ad Hoc Networks).
3) Want R. RFID: A key to automating everything. – 2004. – 290 p.
4) Khattab A., Jeddi Z., Amini E. RFID Security – A Lightweight Paradigm. –
2010. – (1).
5) Dimitriou T. Proxy Framework for Enhanced RFID Security and Privacy. –
Las Vegas, USA, 2008. – (IEEE Consumer Communications and Networking
Conference). – (5).
6) Tanenbaum A., Rieback M., Crispo M. RFID Guardian: A Battery-powered
Mobile Device for RFID Privacy Management. – 2005. – (Australasian Conference on
Information Security and Privacy). – (LNCS; vol. 3574).
7) Defend B., Fu K., Juels A. Cryptanalysis of Two Lightweight RFID
Authentication Schemes. – 2007. – (IEEE International Workshop on Pervasive
Computing and Communication Security). – (PerSec).
8) Nohl K., Evans D. Quantifying Information Leakage in Tree-Based Hash
Protocols. – Las Vegas, USA, 2006. – (Eighth International Conference on Information
and Communications Security).
9) Molnar D., Soppera A., Wagner D. A Scalable, delegatable pseudonym protocol
enabling ownership transfer of RFID tags. – 2005.
10) Dimitriou T. A Lightweight RFID Protocol to protect against Traceability and
Cloning attacks. – 2005. – (IEEE CreateNet International Conference on Security and
Privacy for Emerging Areas in Communication Networks). – (SecureComm).
11) Juels A. RFID security and privacy: A research survey. – 2008. – 394 p. –
(Selected Areas in Communication; issue 24).
12) Garfinkel S. An RFID bill of rights [Electronic resource] // Technology
Review. – 2002. – Access mode:
http://www.technologyreview.com/articles/02/10/garfinkel1002.asp.
13) Avoine G. Security and Privacy in RFID Systems [Electronic resource]. –
Access mode: http://lasecwww.epfl.ch/gavoine/rfid/.
14) NCR prototype kiosk kills RFID tags [Electronic resource] // RFID Journal. –
2003. – Access mode: http://www.rfidjournal.com/article/articleview/585/1/1/.
15) Hackers Clone E-Passports [Electronic resource] // Wired. – 2006. – Access
mode: http://www.wired.com/science/discoveries/news/2006/08/71521.
16) A Service Provider guide to the Basics, Transition Strategies, and
Implementation Issues // The IPv6 Challenge, Incognito Software. – 2011.

5. Extended annotation (ukr)


This paper discusses RFID technology. The aim is to help the reader better
understand this technology. The types of RFID and their various implementations are
shown in the introduction, together with a table of operating frequencies. The main
part is devoted to the topic of security, namely common attack methods, their
definitions and security measures. All types and classifications refer to current
literature, the details of which are given in the reference list. The main attention is
paid to advanced attacks, and their countermeasures are considered in detail, giving
even professionals the opportunity to gain some new and relevant knowledge. Here are
a few examples of the topics covered: physical and environmental controls, modern
integrations, physical attacks and physical shielding, remote attacks (various methods)
and ways of providing remote protection against signal “eavesdropping” problems and
their resolution, and so on. All the mentioned topics are covered in detail, so you can
dive into any of them; all references are given in the text. This paper is very useful
for a better understanding of RFID technology and for learning the basics of radio
security.

6. Term glossary
№ Term Translation
1 Radio-frequency identification визначення радіочастот
2 electromagnetic fields електро-магнитні поля
3 attached Додається
4 radio transponder пристрій для прийому радіосигналу та автоматичної передачі іншого сигналу.
5 radio receiver приймач
6 transmitter Передавач
7 communicational systems Системи зв'язку
8 track&trace systems системи відстеження та слідування
9 interrogating radio wave Запит радіо хвилі
10 privacy concerns проблеми конфіденційності
11 standard specifications development розробка стандартних специфікацій
12 on-chip cryptography криптографія на чіпі
13 digital signature data structure структура даних цифрового підпису
14 bar codes штрих-коди
15 vulnerable вразливий
16 namely reverse engineering а саме зворотне проектування
17 power analysis аналіз потужності/силовий аналіз
18 eavesdropping «підслуховування»
19 sniffing «винюхування»
20 denial of service відмова в обслуговуванні
21 spoofing спуфінг
22 technology matures технологія дозріває
23 unauthorized access несанкціонований доступ
24 unlawful individual неправомірна особа
25 interrogate tags Запит до «мітки»
26 carried out здійснюється
27 extracted витягується
28 flood «повінь» певних запитів до пристроя
29 emitting radio noisе випромінюючи радіошум
30 operating frequency робоча частота
31 instants with the objective of replaying моменти з метою відтворення
32 zapper пульт дистанційного керування для телевізора, відео чи іншого електронного обладнання
33 rectified випрямлений
34 middleware проміжне програмне забезпечення
35 susceptible сприйнятливий
36 the vast majority переважна більшість
37 to insert malicious code вставити шкідливий код
38 low storage capacity низька ємність зберігання
39 intercept перехоплювати
40 amplifying the RFID signal посилення сигналу RFID
41 a relay реле
42 skimming скіммінг
43 fraudulent charges шахрайські звинувачення
44 evaluate the RFID security оцінити безпеку RFID
45 vulnerability вразливість
46 auditing аудит
47 the aim of facilitating researchers’ low-level access мета полегшити доступ дослідників на низькому рівні
48 software tools програмні засоби
49 firmware прошивка
50 symmetric and asymmetric cryptographic algorithms симетричні та асиметричні криптографічні алгоритми
51 Delegation Tree Дерево делегування
52 assigned призначений
53 The retailer Роздрібний продавець
54 inductive field індуктивне поле
55 occurrences випадки
56 known only to two parties відомий лише двом сторонам
57 subsequently згодом
58 back-end enterprise system фонова система підприємства
59 interrogation допит
60 legitimate reader законний читач
61 retrieve the key отримати ключ
62 metal mesh металева сітка
63 foil container ємність з фольги
64 impenetrable by radio signals непроникний через радіосигнали
65 compliance відповідність
66 potential threat потенційна загроза
67 vicinity of authorized readers поблизу авторизованих читачів
68 Data integrity Цілісність даних
69 challenge-response authentication mechanism механізм автентифікації виклик-відповідь
70 strengthens зміцнює
71 counterfeiting підробка
72 envisioned передбачав
73 inherent властиві
74 anticipated передбачуваний
75 considerations міркувань
76 the silent tree walking singulation protocol протокол озвучення тихого дерева
77 eliminate усунути
78 predecessor попередник
79 rogue readers неправдиві читачі
80 natural and structural hazards природні та структурні небезпеки
81 to adhere дотримуватися
82 back-up резервне копіювання
83 Contingency plans Плани дій на випадок непередбачених ситуацій
84 Relevant requirements Відповідні вимоги
85 supply chain ланцюг поставок
86 keep an eye opened «слідкувати», як брати до уваги, «не загубити з поля зору»
87 ID-verifier ID-верифікатор
88 automating автоматизація
89 Privacy Management Управління конфіденційністю
90 Leakage Витік
91 delegatable делегований
92 Traceability Простежуваність
93 Transition Strategies Стратегії переходу
94 ISM (промисловий, науковий і медичний) є спектром частот, які можуть бути використані без особливих ліцензій