Denial-of-Service Attack Through Blocker Tags
Modern RFID readers can easily communicate with a larger number of transponders within the interrogation field. Here, the reader uses an anticollision algorithm for selecting an individual transponder in order to communicate with this transponder. For some applications it is sufficient to determine the serial numbers of the transponders situated within the read range, as the corresponding data is stored in a data base (e.g. product data for an EPC).

In practice, there are mainly two established anticollision algorithms, the binary search tree algorithm and the slotted ALOHA procedure. For a more detailed description of blocker tags.

As described in Chapter 7, a binary search tree uses a recursive algorithm that chooses for each collision occurring at a bit location of the received serial number a branch in the binary tree by setting the corresponding bit in the subsequent iteration to ‘0’ or ‘1’. And exactly here, the blocker tag attacks as it simulates a collision at each bit location of the serial number by simultaneously sending ‘0’ and ‘1’ (compare Figure 7.20). The misled reader cannot but run through the entire binary search tree (Juels, n.d.).

The blocker tag pretends to the attacked reader that there are 2k transponders within its interrogation field where k is the number of bits in the serial number. Prompting such a large number of serial numbers literally blocks the affected reader. If a reader needs time t1 for determining a specific serial number, running through the entire search tree requires time tg = t1 × 2n where n is the number of bits of an individual serial number. Assuming that time t1 is 1 ms and length n of a serial number in our system is 48-bit, the reader needs tg = 2.8 × 211 for running through the entire search tree, or in years: 8925! It is obvious that it will not be possible for a reader to recognise any genuine responder in its response field; even more so as it is usually not possible to distinguish between a genuine and feigned serial number. A blocker tag that blocks the entire search tree of a reader (denial-of-service, DOS ) also is called full blocker or universal blocker (Juels, n.d.).

Even the widely used slotted ALOHA procedure can be easily blocked by a blocker tag. For this procedure, the anticollision command of a reader is followed by a previously defined number of slots during which the transponders located in the reader’s interrogation field send their serial numbers to the reader. Here, the transponders randomly choose the used slot. If two or more transponders try to transmit their serial numbers during the same time slot, none of the serial numbers can be correctly read due to the occurring collision. A slotted ALOHA procedure can be easily interrupted if the blocker tag sends – for each available time slot – a serial number, or even easier, an invalid data package (e.g. a data package with an intentionally wrong check sum). The reader is then unable to detect any further transponder in the response field.

It is not always desirable to completely block the search tree and thus the number range of an RFID system. An EPC serial number, for instance, consists of an 8-bit header, 28-bit EPC manager code (the organisation that issued the transponder), 24-bit object manager code (designation of the object according to information from the previous EPC manager) and a 36-bit individual number.

A blocker tag could be designed to exclude specific parts of the binary search tree from blocking. Figure 8.10 shows an example where all serial numbers of the RFID system that start with Bits “01” are excluded from blocking.

Relay Attack
This is a special kind of attack where the attacker can almost deliberately extend the range between reader and transponder by interposing a transmission device (relay). The attacker briefly ‘borrows’ the transponder and uses the relay to simulate for the reader that the transponder itself is located within the reader’s interrogation range. For this, the attacker does not even require physical access to the transponder, but only has to be situated within the read range of the transponder. Usually, the owner of the transponder does not notice the attack or only a long time after the attack, for example, if the attacked transponder was used to carry out transactions that are subject to charges (e.g. shopping or train tickets).

Relay attacks require two different components that are linked via radio communication (Kfir and Wool, 2005; Hancke, 2005). Located close to the reader, there will be one component (ghost, proxy) which is able to receive the reader’s signals and to generate a load modulation in order to communicate to the reader and thus to simulate a transponder. The second component (leech, mole) consists of a transmitter which is able to supply a transponder with the power required for its operation as well as to demodulate a load modulation of the transponder and thus to simulate a reader (Figure 8.11).

The simplest option is now to demodulate in the ghost the data received from the reader or transponder and then to transmit the received data stream one-to-one via radio communication to the leech, which finally sends the data stream to the transponder (Hancke, 2005). Vice versa, the interrogation data sent by the transponder will be demodulated in the leech and the data stream received will be sent one-to-one via radio communication to the ghost which, in turn, transmits the data further to the reader using load modulation (Figure 8.12). The reader assumes that the transponder really is situated within the interrogation range of the reader and that therefore a complete transaction between transponder and reader can be carried out.

The runtimes for the transmission of the data stream between ghost and leech increase with larger distances. Even though signals are transmitted at the speed of light, it will still take about 3 µs per kilometre in one direction. For a time-critical protocol, such as ISO/IEC 14442 Type A, this may quickly turn into a problem. If the last bit of a request or anticollision command sent by the reader is a ‘1’, the first bit of the transponder’s response has to reach the reader at exactly

91.1 µs. The duration of one bit at the used bitrate of 106 kbit/s thus amounts to 9.43 µs. When transmitting modulation signals over a distance of one kilometre, the reader’s command arrives already with a delay of 3 µs. Transmitting the response from leech to ghost will add another 3 µs delay, which means that the response of the transponder will arrive at the reader 6 µs later than expected. This already corresponds to more than half the duration of a bit, and can result in that the response will no longer be accepted by the reader.

The duration of time-outs for sending application commands exceeds the deviations tolerated by ISO/IEC 14443 Type A for request and anticollision commands by multiples. On the other hand, the protocol for the application data is completely transparent, i.e. the application data (INF/APDU) are packaged in a protocol layer, but are never changed, as illustrated in Figure 9.28 for instance. For this reason, it is possible to implement the complete protocol stack of a transponder in the ghost. The ghost itself can then process time-critical commands, such as requests or anticollision commands, without the need for any interaction with the leech or the transponder to be attacked. Similarly, it is possible to build on the leech-side such a communication link to the transponder without having to initially communicate with the ghost. If the ghost finally receives a data block, only the application data contained therein (APDU) will be transmitted to the leech which, in turn, will package them into a complete data block (Figure 9.28) and send them on to the transponder. A similar process is used for the reverse transmission direction. The duration of time-out for application commands usually amounts to some 10–100ms, which means that transmission time between ghost and leech are hardly important any longer. This way, attackers can bridge very large distances. Even partial data transmission in the Internet is feasible.

Relay attacks using protocol stacks in ghost and leech are hard to discover due to the usually strict separation of protocol and application data (APDU). It would require a procedure that suspends this strict separation and, for instance, includes status information of the protocol layer into the authentification of transponder and reader (see Section 8.2.1) (Hancke and Kuhn, 2005).