A balanced perspective on RFID
TRANSCRIPT
1. Security, RFID and Consumers
- RFID Security, Theory and Practice
- mr. dr. Bart Schermer, RFID Platform Nederland
2. About me
- Secretary RFID Platform Nederland
- Privacy specialist at ECP.NL
- Partner at Considerati
- Assistant professor at the University of Leiden (faculty of law)
3. Board RFID Nederland
4. RFID Nederland
- Stimulating the uptake of RFID technology and ensuring its responsible use
- Market initiative
- 50 participants
- www.rfidnederland.nl
- www.watisrfid.nl
5. Business drivers for RFID
- Realtime insight into business processes increases:
- Efficiency
- Security
- Customer loyalty
6. Why are these similar? Source: ADT Tyco
7. Opposing views...
8. RFID and the Public Opinion
9. RFID vulnerabilities
- Skimming / eavesdropping
- Weak crypto
- Tag reader authentication
10. Security risks
- Access to data on the chip (including possible keys)
- Access to associated databases
- Access to communication between tag and reader
- Attack vector for databases (e.g. viruses, SQL injection)
- Cloning (!!!!)
- Possibility to follow, track and trace people
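The "attack vector for databases" risk above is the one a developer can address directly: data read from a tag must be treated as untrusted input before it reaches the back-end. The following is an added illustration, not code from the talk; the table schema, UIDs and the crafted tag payload are constructed, and the lookup functions are hypothetical names.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the database associated with an RFID reader."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (uid TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [("04A1B2C3", "alice", 20), ("04D4E5F6", "bob", 5)],  # constructed sample tags
    )
    return conn


def lookup_vulnerable(conn, tag_payload):
    # Splices whatever the reader returned straight into SQL, so a rewritten
    # tag becomes an injection vector into the associated database.
    sql = f"SELECT owner, balance FROM tags WHERE uid = '{tag_payload}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, tag_payload):
    # 1) Reject anything that is not a plausible hex UID before touching the database.
    # 2) Bind the value as a parameter so it can only ever be compared as data.
    if not re.fullmatch(r"[0-9A-F]{8,20}", tag_payload):
        return []
    return conn.execute(
        "SELECT owner, balance FROM tags WHERE uid = ?", (tag_payload,)
    ).fetchall()


# Constructed payload written to a tag's data area: closes the quoted literal
# and appends an always-true condition, turning a lookup into a full dump.
CRAFTED_TAG = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED_TAG))  # every row leaks
    print("hardened:  ", lookup_hardened(db, CRAFTED_TAG))    # rejected, nothing returned
    print("genuine:   ", lookup_hardened(db, "04A1B2C3"))     # normal lookup still works
```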
11. Big Brother is watching you!
12. Privacy risks
- Due to its invisible nature, RFID can be used to surreptitiously gather personal data.
- Companies can use this information to profile and classify customers
- Companies can use this information to follow and track consumers throughout their daily lives
- Companies can use invasive Minority Report-style advertising
13. The role of privacy
- Information is power
- (Personal) data is used to profile and classify consumers
- Privacy is a means to maintain economic equality between companies and consumers
- Consumers (should) have a say in the processing of their personal data
14. EU Privacy Law
- Data Protection Directive (95/46/EC)
- Telecom Privacy Directive (2002/58/EC)
15. EU Privacy Law
- Surreptitious gathering of personal data is a violation of the data protection directive (95/46/EC).
- Using personal data for purposes other than those for which it was gathered is a violation of the data protection directive
- Surreptitiously monitoring and following people is a criminal offence (and where not, it should be).
- Targeted advertising without prior permission from consumers is a violation of the data protection directive and the Telecom Privacy Directive (2002/58/EC).
16. Example I: OV chipkaart
- Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)
- Hack Plötz & Nohl (reverse engineering -> skimming -> cloning)
- Hack Radboud I (Mifare Ultralight) (skimming -> cloning)
- Dutch Data Protection Authority warns GVB, NS
- Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)
- Press coverage differs from the facts
- NXP (wrongfully) bashed for providing insecure chip
- Security through obscurity worked for 13 years...
See also: https://ovchip.cs.ru.nl/Event_history
17. Example II: retail
18. Privacy or security?
19. Incident driven response...
- Consumer backlash (boycott) against technology
- Motion to cancel the OV chipkaart
- EU Recommendation on RFID & Privacy:
- Mandatory privacy impact assessment
- Opt-in for retail environment
20. Observations
- Emphasis on technology instead of application
- Security issues and privacy issues are often confused
- Business reality can differ from security reality:
- Security through obscurity may make sense for a business
- Cost/risk analysis is leading, not 100% security
- Solutions are currently viewed as either/or (e.g. opt-in for retail)
- There is no integrated approach towards security and privacy
21. The right tool for the job
- 100% security is not always the optimal economic decision
- RFID should not be the only security measure
- Focus on the problem, not the technology
- Which tool is most effective?
22. Suggestions
- Clear(er) distinction between privacy and security:
- Strengthen overall system security
- Create tools to enhance privacy (Privacy by design, PETs)
- Create tools to effectuate legal safeguards (consumer in control)
- Security experts must educate businesses, consumers, policymakers and politicians (in English please)
- Security, business processes, and legal safeguards must strengthen each other
23. The way forward
- Companies should:
- Use RFID in a responsible manner
- Provide benefits not only to themselves, but also to consumers
- Provide openness and transparency about the use of RFID
- Provide a truly free choice for consumers
- Government should:
- Create tools for the protection of privacy (PETs, RFID guardians, logo system)
- Place the consumer in control
- Monitor possible shifts in the balance of power, and correct where necessary
- Security experts and researchers should:
- Try to translate their work into plain language (e.g. Jip en Janneke style)
- ...Keep up the good work
24. Bart Schermer
ECP.NL / RFID Platform Nederland
Overgoo 11, 2260 AG Leidschendam
070-4190309
[email_address]
"RFID will have a greater impact on our society than the Internet has had" -- Prof. Cor Molenaar, chairman of RFID Nederland
Questions?