Security of RFID Systems
Similar to any other telecommunication and information technology system, RFID systems also face the potential risk of being spied out or manipulated. In order to better evaluate potential risks connected to the use of RFID systems, Section 8.1 will provide a closer look at common types of attack on RFID systems. After that, Section 8.2 will present cryptographic procedures for protecting systems from common attacks.

RFID systems rely on external communication channels to link the data registered by the reader to other data pools. However, security issues regarding the back-end of the RFID system are not specific to RFID (Rikcha, 2004). Due to the scope of this book, we will limit this discussion to attacks on the air interface between reader and transponder as well as to attacks on the transponder itself. We will not include attacks on background systems, such as databases. Looking at the application context in an open RFID system, we can see that it usually involves two parties with divergent interests. The system operator forms an active party and provides the infrastructure, i.e. the reader and background system. The active party also supplies the transponder and administrates and utilizes the data that is associated with or stored on the transponder. This means it controls all data registered by the RFID system and how they are used (Rikcha, 2004).

On the other hand, we have the user of the RFID system, usually a customer or system operator employee. The users form a passive party. Even though the passive party owns the transponders (e.g. a contactless ticket, an ID or the label of a recently bought product), it is not always able to influence the use of the transponders or the utilization of the registered data (Rikcha, 2004).

In a closed system, e.g. manufacturing control in a company via RFID, active and passive parties are not separate. The system operator is also the user of the system. In addition, there may be a third party, such as a hacker or competitor, trying to get unauthorised access to the data stored in the transponder or in the system or even to manipulate the data to his or her personal advantage.

The large-scale introduction of RFID systems for product labels, passports and other IDs, as well as contactless tickets, confronts the public at large with a new and unfamiliar technology whose functionality – and thus also its limits and risks – it does not really understand. The large number of different RFID systems with a huge variety of applications substantially contributes to the corresponding confusion. As with every new technology, RFID therefore meets not only curiosity, but also fear and rejection. Similar reactions occurred when barcodes for product labelling, the EAN code or the US UPC, were introduced in the late 1970s.

Then, as today, the protection of the individual’s private sphere is an important subject of debate. It mainly refers to the fear that the new RFID technology could be used for the unnoticed and undesired collection of personal data, which means that the active party can spy out the private sphere. In recent years, civil rights initiatives and consumer protection organizations have tried to inform the public about the potential risks related to the broad usage of RFID systems.

Some countries, particularly the United States, have repeatedly discussed the introduction of regulatory legislation for RFID applications; e.g. in January 2004, the Federal State of Missouri presented the ‘RFID Right to Know Act of 2004 (SB 0867)’, which has not been passed yet, though (Lahiri, 2005). The draft bill requires, among other things, the clear and visible labelling of products that contain an RFID chip.

Attacks on RFID Systems
There are several basic types of attack on the different components of an RFID system. In general, attacks may be directed at the transponder, the reader or the RF interface between transponder and reader.

Attacks can be carried out for a variety of reasons. They can be grouped into four attack types:

Spying out: The attacker tries to get unauthorized access to information and data of the active and passive party.
Deception: The attacker tries to feed incorrect information into the RFID system in order to deceive the active party, i.e. the RFID system operator, or the passive party, i.e. the user of the RFID system.
Denial of service: This kind of attack affects the availability of functions of the RFID system.
Protection of privacy: The attacker considers the RFID system to be a threat to her privacy and tries to protect herself with attacks on the RFID system.

Attacks on the Transponder
Usually the transponder is easily accessible. On goods and tickets it is always available to the attacker, and in most cases even without any time restrictions. Therefore, there is a wide range of attacks with varying degrees of effectiveness.

Permanent Destruction of the Transponder
The easiest attack on an RFID system is the mechanical or chemical destruction of the transponder. The antenna can easily be severed or cut off, for instance, and the chip can easily be snapped or smashed.

A transponder can also be destroyed through exposure to a strong field. ISO/IEC 14443 and ISO/IEC 15693 therefore specify a maximum field strength of 12 A/m at a frequency of 13.56 MHz for inductively coupled transponders. If the transponder is introduced at this frequency into a field with a significantly higher field strength, the waste heat produced at the shunt regulator can no longer be sufficiently dissipated and the transponder will be thermally destroyed. If there is no sufficiently strong transmitter available for this frequency range, the transponder can also be put into a microwave oven.

Transponder Shielding/Tuning
A very efficient attack is to use metal surfaces in order to shield a transponder from the reader’s magnetic or electromagnetic radiation. In the simplest case it is sufficient to wrap a foil around the transponder, e.g. household aluminium foil. For inductively coupled transponders, the antenna resonant circuit is heavily detuned by a metal surface in its immediate surroundings. In addition, the reader’s magnetic field is dampened due to eddy-current losses in the metal foil. Therefore it is often sufficient to fasten the transponder on one side to a metal surface. A metal surface also reflects the electromagnetic fields of a UHF backscatter system (e.g. 868 MHz) and efficiently keeps them away from the transponder. In the most favourable case, a passive transponder will not even be supplied with sufficient power to operate the chip.

This kind of attack can be used to temporarily disrupt transponder operation. If the shield is removed, the transponder becomes operable again without restrictions. Today, people with limited technological knowledge can use commercial products for shielding transponders (Cloaktec, n.d.).

Antennas of UHF backscatter transponders are detuned by introducing them into a dielectric, e.g. glass or plastics. The level of detuning increases with increasing relative permittivity εr and thickness of the surrounding dielectric. The detuning decreases the interrogation sensitivity of the transponder at the reader’s transmitting frequency, which in turn decreases the read range of such an attacked transponder.

Spoofing and Cloning of Transponders
As we will see in Sections 10.1 and 10.2, there are procedures of differing complexity for storing information on transponders. The most basic one – the read-only transponder – has only one hardcoded identifier, which is the transponder’s serial number. Figure 10.10 shows the block diagram of such a simple transponder.

If a read-only transponder enters the sufficiently strong field of a reader, it immediately starts to intermittently transmit its serial number, which can be easily read by any suitable reader. The attacker can now use discrete components to build a read-only transponder (transponder clone) and replace the PROM containing the transponder’s serial number with a multi-programmable memory (EPROM) or – more basically – with a series of DIP switches. If the attacker then reads out the serial number of a transponder, he can program this serial number into the transponder clone. If the transponder clone is introduced into a reader’s field, it can send the serial number previously read out from the genuine transponder and thus simulate the presence of this genuine transponder to the reader (Westhues, 2005). The reader is not able to determine whether the currently received serial number was sent by a genuine transponder or by a transponder clone. The attacker does not need physical access to the transponder, but only needs to use a suitable reader in order to enter the read range of the transponder to be cloned, without being detected.

Transponders with writable memories constitute the next level of functionality. Often, memory sections can be read or written without any restrictions, i.e. without requiring a password or key. Here too, an attacker can easily manipulate stored data for his personal advantage or produce copies of the attacked transponder by reading data and copying them to other transponders. However, the cloning of transponders can be efficiently prevented by using authentication and encrypted data transmission. RFID applications that are easily accessible for attackers, such as entrance systems or ticket systems, should therefore generally avoid read-only transponders or unencrypted access to data.
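The following simulation illustrates the two preceding paragraphs from the reader's side: a reader that admits a transponder on the strength of its serial number alone cannot tell a genuine read-only transponder from a clone carrying the same serial, whereas a reader that issues a fresh random challenge and checks a keyed response rejects both a clone that knows only the serial and a clone that replays a previously captured response. This is an added example, not code from the book or from any RFID product; the transponder and reader classes, the use of HMAC-SHA256 as the keyed function (real low-cost transponders use lighter-weight primitives, which Section 8.2 discusses), the 8-byte challenge length and the sample serial are all assumptions made for the illustration.

```python
"""Reader-side model: serial-number checking vs. challenge-response authentication.

Added example. The classes, the key table and HMAC-SHA256 as the keyed function
are assumptions for illustration, not any particular transponder's protocol.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

CHALLENGE_LEN = 8  # assumed challenge length in bytes


class ReadOnlyTransponder:
    """Read-only transponder: in the reader's field it only ever emits its serial."""

    def __init__(self, serial: bytes) -> None:
        self.serial = serial

    def respond(self, challenge: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        # Any challenge is ignored: there is no key and no computation on the chip.
        return self.serial, b""


class KeyedTransponder:
    """Transponder holding a secret key; answers a reader challenge with a MAC."""

    def __init__(self, serial: bytes, key: bytes) -> None:
        self.serial = serial
        self._key = key  # never transmitted over the air interface

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        mac = hmac.new(self._key, challenge + self.serial, hashlib.sha256).digest()
        return self.serial, mac


class ReplayingClone:
    """Clone holding only what was observable in the field: the serial and one
    previously captured MAC. It has no key, so it replays the old MAC."""

    def __init__(self, serial: bytes, captured_mac: bytes) -> None:
        self.serial = serial
        self._captured_mac = captured_mac

    def respond(self, challenge: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        return self.serial, self._captured_mac


class SerialOnlyReader:
    """Reader that trusts the serial number by itself (the read-only case)."""

    def __init__(self, authorised: Set[bytes]) -> None:
        self.authorised = authorised

    def admit(self, tag) -> bool:
        serial, _ = tag.respond(None)
        return serial in self.authorised


class ChallengeResponseReader:
    """Reader that sends a fresh random challenge and verifies the MAC with the
    key it holds for the reported serial."""

    def __init__(self, keys: Dict[bytes, bytes]) -> None:
        self.keys = keys

    def admit(self, tag) -> bool:
        challenge = secrets.token_bytes(CHALLENGE_LEN)  # fresh per transaction
        serial, mac = tag.respond(challenge)
        key = self.keys.get(serial)
        if key is None:
            return False
        expected = hmac.new(key, challenge + serial, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)  # constant-time comparison


def run_scenarios() -> Dict[str, bool]:
    """Run the genuine/clone cases against both reader types."""
    serial = bytes.fromhex("e00401000a1b2c3d")  # constructed sample serial
    key = secrets.token_bytes(16)               # constructed per-transponder secret

    genuine_ro = ReadOnlyTransponder(serial)
    clone_ro = ReadOnlyTransponder(serial)      # built from the observed serial alone
    serial_reader = SerialOnlyReader({serial})

    genuine_keyed = KeyedTransponder(serial, key)
    cr_reader = ChallengeResponseReader({serial: key})

    # The clone records one genuine exchange and replays its MAC later.
    old_challenge = secrets.token_bytes(CHALLENGE_LEN)
    _, old_mac = genuine_keyed.respond(old_challenge)
    replay_clone = ReplayingClone(serial, old_mac)

    return {
        "serial_reader_admits_genuine": serial_reader.admit(genuine_ro),
        "serial_reader_admits_clone": serial_reader.admit(clone_ro),
        "cr_reader_admits_genuine": cr_reader.admit(genuine_keyed),
        "cr_reader_admits_replay_clone": cr_reader.admit(replay_clone),
        "cr_reader_admits_keyless_clone": cr_reader.admit(clone_ro),
    }


if __name__ == "__main__":
    for name, admitted in run_scenarios().items():
        print(f"{name}: {'admitted' if admitted else 'rejected'}")
```

The point of the random challenge is that the correct response changes on every transaction, so nothing an eavesdropper captures in the field is reusable; the serial-only reader has no such freshness and therefore no way to distinguish a clone from the original.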