RFID Privacy: An Overview of RFID Privacy: An Overview of Problems and Proposed Problems and Proposed

SolutionsSolutions

Maxim Maxim Kharlamov (mkha130, #13)Kharlamov (mkha130, #13)

S. Garfinkel, A. Juels, R. Pappu, “RFID Privacy: An Overview of Problems and Proposed Solutions”, IEEE Security & Privacy 3:3,

34-43, 2005

RRadio adio FFrequency requency IDIDentificationentification

ID

How does it work?How does it work? Tag reader sends Tag reader sends

radio signalradio signal Electricity induced in Electricity induced in

tag’s antenna powers tag’s antenna powers tag’s chiptag’s chip

Tag responds with its Tag responds with its IDID

Reading distance varies from several centimeters to several meters for different tag types

RFID tags are used in stores (as barcodes), security systems, payment systems, passports, etc.

RRFID technologies are rapidly deploying all FID technologies are rapidly deploying all over the world, raising privacy and security over the world, raising privacy and security

risks. It is not completely clear how to risks. It is not completely clear how to overcome these risks.overcome these risks.

Privacy. Cheap, small and easily readable tags allow virtually anyone to covertly spy on people.

Security. RFID technologies are susceptible to various DoS, cloning and eavesdropping attacks.

Main ideaMain idea

(+) Personal privacy threats(+) Personal privacy threatsComplete and detailed classification of personal privacy Complete and detailed classification of personal privacy

threats:threats: Action – monitoring clients’ behaviour inside storesAction – monitoring clients’ behaviour inside stores Association – tag’s unique ID is associated with a Association – tag’s unique ID is associated with a

consumer consumer Location – tracking a person using an associated IDLocation – tracking a person using an associated ID Preference – revealing people’s preferences – it is also a Preference – revealing people’s preferences – it is also a

value threatvalue threat Constellation – a set of tags around a personConstellation – a set of tags around a person Transaction – tracking transactions between Transaction – tracking transactions between

constellationsconstellations Breadcrumb – tagged object is still associated with a Breadcrumb – tagged object is still associated with a

particular person even after he/she gets rid of itparticular person even after he/she gets rid of it

(+) Corporate security threats(+) Corporate security threatsThe authors tried to explain possible security The authors tried to explain possible security

risks not only to customers but also to risks not only to customers but also to businesses:businesses:

Espionage – gathering supply chain dataEspionage – gathering supply chain dataCompetitive marketing – collecting Competitive marketing – collecting

customers’ preferences customers’ preferences Infrastructure – DoS attacks can be Infrastructure – DoS attacks can be

disastrousdisastrousTrust perimeter – very hard to control the Trust perimeter – very hard to control the

amount of information shared with the outer amount of information shared with the outer worldworld

(-) Privacy vs. Security(-) Privacy vs. SecurityPrivacy is a part of security (CIA principle)Privacy is a part of security (CIA principle)The authors tried to concentrate only on The authors tried to concentrate only on

privacy, but they did not give its definition privacy, but they did not give its definition Security issues were mentioned, but Security issues were mentioned, but

without “due diligence”without “due diligence”Some of the threats in between privacy and Some of the threats in between privacy and

security were missedsecurity were missedExample: cloning could allow an adversary Example: cloning could allow an adversary

to gain access to someone’s private to gain access to someone’s private information (ex., cloning a tag used to log information (ex., cloning a tag used to log into your home computer)into your home computer)

RFID-Hacking?RFID-Hacking?If somebody copies your proximity card and If somebody copies your proximity card and robs Auckland University, do you think you robs Auckland University, do you think you

would be arrested for robbery?would be arrested for robbery?

“This device can do almost anything involving almost any kind of … RFID tag.” (J. Westhues, http://cq.cx/proxmark3.pl)