By Jerry Banks, Co-author of RFID Applied
The issues of privacy and security, although interrelated, are different. With respect to RFID, we define these issues as follows:
Privacy: the ability of the RFID system to keep the meaning of the information transmitted between the tag and the reader secure from non-intended recipients.
Security: the ability of the RFID system to keep the information transmitted between the tag and the reader secure from non-intended recipients.
The issues have very different repercussions and different solutions. In a given environment, an RFID solution may pose security risks without affecting the issue of privacy. An example of this scenario is when a tag broadcasts its unique identification number in a consistent and unencrypted manner. This enables the tag to be detected by any reader that can decode the RF signal. If all that is read is the tag's unique identifier – and no association can be made to what that identifier means without access to the backend database that maintains the relationship between the tag IDs and the objects that they represent – there is no privacy issue. However, issues of traceability and inventorying may remain.
Traceability and inventorying relate to the ability of an unauthorized entity to read the identifiers sent by RFID tags without necessarily being concerned with what the tag is affixed to or who/what is carrying it. In other words, just by capturing the signals emitted by an RFID tag, a third party could trace where the tag is or has been (traceability) as well as learn what tags have been detected (inventorying).
A standard EPC tag conveys information associated with a particular item, its model or product class and its manufacturer. Anyone with a standard EPC reader could get close enough to a shopper leaving a store to determine what products and what quantities were purchased. Furthermore, the unauthorized reader could track the shopper from a distance utilizing a high-powered reader.
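The two preceding paragraphs are easiest to see with the actual bit layout of a standard EPC. The following Python is an added example, not code from the article or from GS1: it decodes the SGTIN-96 layout (8-bit header 0x30, 3-bit filter, 3-bit partition, company prefix, item reference, 38-bit serial, with the partition table from the GS1 Tag Data Standard) and then shows what a set of captured, unencrypted reads reveals on its own, with no access to any backend database. All EPC values, read locations and the `exposure_from_reads` helper are constructed for this example; the company prefix 0614141 and item reference 812345 are the values GS1 uses in its own documentation examples, not a real retailer's.

```python
# Added example (not from the article): decoding SGTIN-96 EPCs to show what
# an unencrypted tag reveals, and what captured reads alone support.
from collections import defaultdict

SGTIN96_HEADER = 0x30   # 8-bit header value identifying SGTIN-96
SERIAL_BITS = 38        # serial number always occupies the low 38 bits

# SGTIN-96 partition table (GS1 Tag Data Standard):
# partition -> (company prefix bits, company prefix digits,
#               item reference bits, item reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


def decode_sgtin96(epc_hex):
    """Split a 96-bit SGTIN EPC (24 hex characters) into its fields."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex characters)")
    v = int(epc_hex, 16)
    if (v >> 88) != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC (header 0x30 expected)")
    partition = (v >> 82) & 0x7
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    serial = v & ((1 << SERIAL_BITS) - 1)
    item_ref = (v >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    company = (v >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    return {
        "filter": (v >> 85) & 0x7,
        "company_prefix": str(company).zfill(cp_digits),   # the manufacturer
        "item_reference": str(item_ref).zfill(ir_digits),  # the product class
        "serial": serial,                                   # the individual item
    }


def encode_sgtin96(filter_value, partition, company_prefix, item_reference, serial):
    """Inverse of decode_sgtin96; used here only to build sample tags."""
    cp_bits, _, ir_bits, _ = PARTITIONS[partition]
    if int(company_prefix) >= (1 << cp_bits) or int(item_reference) >= (1 << ir_bits):
        raise ValueError("field does not fit the chosen partition")
    v = (SGTIN96_HEADER << 88) | (filter_value << 85) | (partition << 82)
    v |= int(company_prefix) << (SERIAL_BITS + ir_bits)
    v |= int(item_reference) << SERIAL_BITS
    v |= serial & ((1 << SERIAL_BITS) - 1)
    return "%024X" % v


def exposure_from_reads(reads):
    """reads: list of (location, epc_hex) captured by readers in range.
    Returns what the captures alone reveal: the product classes carried
    (inventorying) and the serials seen at more than one location
    (traceability). No backend database is consulted."""
    classes = set()
    locations_by_serial = defaultdict(set)
    for location, epc in reads:
        f = decode_sgtin96(epc)
        classes.add((f["company_prefix"], f["item_reference"]))
        key = (f["company_prefix"], f["item_reference"], f["serial"])
        locations_by_serial[key].add(location)
    traced = {k: sorted(v) for k, v in locations_by_serial.items() if len(v) > 1}
    return {"product_classes": sorted(classes), "traced_serials": traced}


# Constructed sample: two garments of the same product class (different
# serials) and one other item, read at a store exit and again at a subway
# entrance. Partition 5 = 7-digit company prefix, 6-digit item reference.
SHIRT_A = encode_sgtin96(1, 5, "0614141", "812345", 6789)
SHIRT_B = encode_sgtin96(1, 5, "0614141", "812345", 6790)
BOOK = encode_sgtin96(1, 5, "0614141", "100001", 42)
SAMPLE_READS = [
    ("store-exit", SHIRT_A), ("store-exit", SHIRT_B), ("store-exit", BOOK),
    ("subway-entrance", SHIRT_A), ("subway-entrance", BOOK),
]

if __name__ == "__main__":
    print(decode_sgtin96(SHIRT_A))
    print(exposure_from_reads(SAMPLE_READS))
```

Running it shows that the manufacturer and product class are readable directly from the bits, which is why the article says a passer-by with a standard reader learns what was bought; only the mapping from serial to a named person needs the backend, which is the traceability caveat of the earlier paragraph rather than a reason the data is private.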
RFID is an excellent technology for object tracking. In this case, we can define an object as a physical asset that occupies 3-dimensional space. This means that the whereabouts of any physical object (including animals and humans) can potentially be tracked within the scope of the RFID infrastructure. As RFID technology development progresses, this scope can become larger and larger.
This fact has raised many questions and concerns from people because of the potential invasion of privacy that can be attributed to RFID technology. But, before we get deeper into the privacy issues and their repercussions, let's look at a few examples of what privacy advocates and the concerned public claim can go wrong with the use of RFID technology.
Consumer and privacy advocates have closely followed the deployment of RFID enabled solutions in the supply chains of major retailers such as Wal-Mart, Tesco, Target and others. They contend that by using the same technology adopted by the retailers to track individual items through their supply chains, consumers could potentially be tracked after buying the merchandise and leaving the retail stores.
The U.S. government has made a decision to implement contactless chips in U.S. citizens' passports. These chips contain the passport holder's information as well as a digitized picture of the holder. Initially, the U.S. Department of State's proposal did not include any security protocols: the information would be stored unencrypted on the passport's chip. Therefore, anyone with the right reader technology could potentially scan a traveler's passport, perhaps while still in the traveler's possession, and obtain personal information. This, it is argued, could help terrorists, thieves or others to determine the traveler's identity or nationality.
After much negative feedback from the public and different organizations, the Department of State changed its proposal and added 3 layers of security:
Security experts still raise a debatable issue relating to the fact that the chip's unique identifier can be read by any reader, since it falls below the layer of protection provided by the encryption. This could create an issue of passport traceability.
Many libraries, primarily in Europe, have implemented RFID technology in their operations. In the most advanced scenario, the idea is to tag every book in the library with an RFID chip and allow patrons to "automatically" check out books: each patron carries an RFID tag, and the books-to-patron association is made as the patron exits through the checkout portal. Privacy groups contend that patrons' right to privacy could be violated by someone with the proper technology in close proximity to the patrons, since this would allow the malicious person to determine what books the patron has checked out.
The most aggressive privacy concern groups claim that governments could potentially gain access to all commercially controlled RFID databases and, therefore, have full access to the consumer, travel, and general habits of its population. Or governments could achieve this by deploying wide-area RFID infrastructures where all the activities of its citizens could be tracked, from what they buy, to what they read, to where they travel, to what they watch on videos.
Initially, commercial applications of RFID did not emphasize security. RFID readers and tags communicated with each other using open, unencrypted messages. Even today, most RFID readers and tags transmit information without any encryption.
There are a few reasons why this has been the case:
The fundamental issue is that in order to create a widespread market for RFID, the cost of its infrastructure must be kept to a minimum. This limits the complexity of the tag, and thus its capability to process information. So a secure RFID infrastructure remains an elusive target.
High security RFID systems should have the ability to guard against the following categorized security and privacy threats:
RFID tags are designed to transmit stored information to any inquiring reader. This allows unauthorized users to scan tags, or to eavesdrop on the wireless RFID channel while a legitimate reader does so. Such unrestricted access to tag data might reveal private information if it is stored on the tag.
If the protocol used on the RFID channel is known, attackers can write blank RFID tags with the same formatted data that they have collected. For instance, a dishonest person could replace the RFID tag on an item with a copied tag to get a cheaper price when checking out from a supermarket.
Relay devices can intercept and retransmit RFID queries. With this kind of device, offenders can abuse various RFID applications by replaying the data in order to imitate a genuine data carrier.
There have been many proposals put forth that aim to create a secure RFID environment. Some of these rely on encryption algorithms, some on cleverly designed communications schemes, and others on taking advantage of the basic physical properties of RFID communication.
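The replay and cloning threats listed above, and the "cleverly designed communications schemes" mentioned here, can be made concrete with a small model. The following Python is an added example, not code from the article or from any RFID standard: it contrasts a tag that answers every query with the same static identifier against a tag that holds a per-tag secret key and answers a fresh reader challenge with an HMAC. The class names, the 8-byte identifier, the key and the `genuine_then_replay` helper are all constructed for this example.

```python
# Added example (not from the article): why a static-identifier tag can be
# replayed or cloned, and how a keyed challenge-response tag resists it.
import hashlib
import hmac
import secrets

ID_LEN = 8  # identifier length in bytes used by this example (constructed)


class StaticTag:
    """The unencrypted tag the article describes: every query gets the
    same identifier back, whatever the reader sent."""

    def __init__(self, identifier):
        self.identifier = identifier

    def respond(self, challenge):
        return self.identifier


class ChallengeResponseTag:
    """Tag holding a per-tag secret key. It never transmits the key; it
    answers with identifier || HMAC(key, challenge || identifier). This is
    the on-tag computation that the low-cost tags in the article lack."""

    def __init__(self, identifier, key):
        self.identifier = identifier
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.identifier, hashlib.sha256).digest()
        return self.identifier + mac


def fresh_challenge():
    """A reader must never reuse a challenge, or a recorded reply is valid again."""
    return secrets.token_bytes(16)


def static_verifier(known_identifiers):
    """Acceptance rule for static tags: the reply is a known identifier.
    Nothing ties the reply to the query, so any recording passes."""
    def verify(challenge, response):
        return response in known_identifiers
    return verify


class Reader:
    """Reader holding the key table (the backend database in the article).
    It recomputes the MAC for the challenge it actually sent."""

    def __init__(self, key_table):
        self.key_table = key_table

    def verify(self, challenge, response):
        identifier, mac = response[:ID_LEN], response[ID_LEN:]
        key = self.key_table.get(identifier)
        if key is None:
            return False
        expected = hmac.new(key, challenge + identifier, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def genuine_then_replay(tag, verify):
    """Observe one genuine exchange, then present the recorded reply to a
    later query. Returns (genuine accepted, replay accepted)."""
    c1 = fresh_challenge()
    recorded = tag.respond(c1)
    genuine_ok = verify(c1, recorded)
    c2 = fresh_challenge()
    replay_ok = verify(c2, recorded)
    return genuine_ok, replay_ok


# Constructed sample values for this example.
TAG_ID = b"TAG00001"
TAG_KEY = bytes(range(16))

if __name__ == "__main__":
    print("static tag (genuine, replay):",
          genuine_then_replay(StaticTag(TAG_ID), static_verifier({TAG_ID})))
    print("keyed tag  (genuine, replay):",
          genuine_then_replay(ChallengeResponseTag(TAG_ID, TAG_KEY),
                              Reader({TAG_ID: TAG_KEY}).verify))
```

The static tag returns (True, True): the recording is indistinguishable from the tag, which is exactly the replay and cloning problem above. The keyed tag returns (True, False): the recorded reply carries a MAC over a challenge the reader will never send again. Two caveats belong with this: a relay device that forwards the live challenge to the genuine tag in real time still passes, so the relay threat needs timing-based (distance-bounding) measures rather than a MAC; and the keyed tag needs on-tag hashing plus key distribution, which is the cost constraint the article identifies as the core problem.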
The Faraday cage is a relatively low-tech approach to the issue of RFID security. Faraday cages are based on the principle that meshes made of certain metals provide a natural barrier to radio waves; it is the same principle that creates one of the challenges for the application of RFID. While extremely effective, this solution requires a conscious, manual action in which the user must cover and uncover the tag every time he or she wants the tag to function. The method offers no protection whenever the tag is outside the Faraday cage.
There are, however, some applications where a Faraday cage may make sense. The use of a Faraday cover on a passport is one that probably works well for most users since passports are usually only open when they need to be presented. For product RFID, however, a Faraday cage is likely cost prohibitive.
Limited-range tags rely on attenuation of the RF signal so that it can only travel a few centimeters. The assumption is that an unintended reader would have to be in close proximity to the tag and would therefore probably be easy to identify. In practice, this is a very weak method of security protection. Imagine a person carrying products with limited-range RFID tags at rush hour in a subway; it is probably next to impossible to keep potentially malicious persons with readers from getting very close.
The KILL command renders the tag unreadable. It is a command built into the chip that can be activated from a reader at the point of sale. In order to execute the KILL command, the reader must transmit a PIN to the tag to prove that it has the right to do so.
Although extremely effective once the command has been successfully executed, it presents two major limitations:
It is not effective until the command has been executed. This means that it must be combined with some other solution to provide protection during the lifecycle of the tag.
It prevents use of the tag for future applications after the item has been sold.
To illustrate this, imagine the following scenario. Richard, a techno-savvy consumer, chooses to buy the latest model of a washing machine which incorporates RFID functionality. The great thing about the washing machine is that it can use its embedded RFID reader to detect what garments have been placed in it by reading the RFID tags embedded in the garments. This information enables the washing machine to automatically control the temperature settings and washing mode so that delicate garments are not damaged. However, if the tags on the articles that Richard bought at his favorite clothing store had been killed at the point of sale, Richard would certainly complain about the inconvenience of a washing machine that cannot identify the garments.
Admittedly, this is not the most tragic scenario one could devise, but it portrays the issue at hand. The KILL command can severely limit the functionality and applications of RFID downstream from the point of sale.
The SLEEP command is a more commerce-friendly proposal put forth to answer the shortcomings of the KILL command. Instead of killing the tag at the point of sale, it renders the tag temporarily inactive until the consumer physically reactivates it. The requirement that the tag provide a way for the consumer to reactivate it creates problems of its own. For instance, imagine when Richard (from the previous example) returns home after an afternoon of clothes shopping: in order to achieve the benefits of his RFID-enabled washer, he would have to physically reactivate each tag.
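The KILL and SLEEP passages above describe a PIN-protected state change on the tag. The following Python is an added example, not code from the article or from the EPC standard: it models a tag that honours a password-protected KILL and, for contrast, a SLEEP that the holder can reverse. The password handshake follows the EPC Class-1 Gen2 pattern (a 32-bit kill password is sent in two 16-bit halves, each XORed with a fresh RN16 the reader first requests from the tag, and a tag whose kill password is zero refuses KILL); the `Tag` class, the `sleep`/`wake` methods, the `washer_reads` helper and all sample passwords and EPC strings are constructed for this example.

```python
# Added example (not from the article): a tag model with a Gen2-style
# cover-coded KILL, plus the SLEEP/wake variant the article contrasts it with.
import secrets


class Tag:
    """Tag with a 32-bit kill password. States: active -> asleep (SLEEP,
    reversible by the holder) or active -> killed (KILL, permanent)."""
    ACTIVE, ASLEEP, KILLED = "active", "asleep", "killed"

    def __init__(self, epc, kill_password):
        self.epc = epc
        self._kill_password = kill_password & 0xFFFFFFFF
        self.state = Tag.ACTIVE
        self._rn16 = None        # last RN16 handed out; consumed by one command
        self._pending_hi = None  # high password half waiting for the low half

    def inventory(self):
        """Reader query: only an active tag answers with its EPC."""
        return self.epc if self.state == Tag.ACTIVE else None

    def req_rn(self):
        """Give the reader a fresh 16-bit random number for cover-coding."""
        if self.state != Tag.ACTIVE:
            return None
        self._rn16 = secrets.randbits(16)
        return self._rn16

    def _password_command(self, covered_half, new_state):
        """Shared handshake for KILL and SLEEP: two calls, each preceded by
        req_rn(), carrying (password half XOR RN16). The tag can only check
        the password once both halves have arrived."""
        if self.state != Tag.ACTIVE or self._rn16 is None:
            return False
        half = (covered_half ^ self._rn16) & 0xFFFF
        self._rn16 = None
        if self._pending_hi is None:
            self._pending_hi = half
            return True                      # first half stored, awaiting second
        supplied = (self._pending_hi << 16) | half
        self._pending_hi = None
        # Gen2 rule for KILL: a tag with a zero kill password shall not execute
        # it. The constructed SLEEP reuses the same password and the same rule.
        if self._kill_password == 0 or supplied != self._kill_password:
            return False
        self.state = new_state
        return True

    def kill(self, covered_half):
        return self._password_command(covered_half, Tag.KILLED)

    def sleep(self, covered_half):
        return self._password_command(covered_half, Tag.ASLEEP)

    def wake(self):
        """The consumer's manual reactivation the article describes;
        a killed tag cannot come back. Returns True if the tag is active."""
        if self.state == Tag.ASLEEP:
            self.state = Tag.ACTIVE
        return self.state == Tag.ACTIVE


def _send_password(tag, password, command):
    """Reader side of the handshake: for each 16-bit half, fetch an RN16 and
    send (half XOR RN16), so the password itself never crosses the air."""
    ok = False
    for half in ((password >> 16) & 0xFFFF, password & 0xFFFF):
        rn = tag.req_rn()
        if rn is None:
            return False
        ok = command(half ^ rn)
        if not ok:
            return False
    return ok


def reader_kill(tag, password):
    """Point-of-sale KILL with the password cover-coded as in Gen2."""
    return _send_password(tag, password, tag.kill)


def reader_sleep(tag, password):
    """SLEEP variant: same handshake, but the holder can wake the tag later."""
    return _send_password(tag, password, tag.sleep)


def washer_reads(garments):
    """The RFID-enabled washer in the article sees only active tags."""
    return [g.epc for g in garments if g.inventory() is not None]


if __name__ == "__main__":
    killed = Tag("shirt-A", 0x1234ABCD)      # constructed sample password
    slept = Tag("shirt-B", 0x1234ABCD)
    print("kill ok:", reader_kill(killed, 0x1234ABCD))
    print("sleep ok:", reader_sleep(slept, 0x1234ABCD))
    print("washer before wake:", washer_reads([killed, slept]))
    slept.wake()
    print("washer after wake:", washer_reads([killed, slept]))
```

The run reproduces Richard's situation: the killed garment never shows up in the washer again, while the sleeping one returns only after a manual `wake()` per tag. Two points worth keeping in mind when evaluating either proposal: cover-coding hides the password only from a listener who can hear the reader's strong signal but not the tag's weak backscatter, since the RN16 itself is sent in the clear; and the zero-password rule means a tag that was never provisioned with a kill password cannot be killed at checkout at all.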
The clipped-antenna approach, introduced by IBM, provides a seemingly simple yet effective way to minimize tag recognition from standard read distances. The tag carries a full antenna that the consumer can clip at the point of sale in order to reduce the span of the antenna and therefore reduce its readable range from a few meters to only one or two centimeters.
As you can see, there are many challenges to creating a secure and privacy-enabling RFID solution. There are, however, a variety of technologies and mechanisms in place to assist issuers and consumers. Certainly, we are only beginning to understand the challenges and the solutions to this complex technological and societal question.
This article is part of an ongoing series that explains the principles of RFID. It was created for RFIDNews by Jerry Banks, Tecnologico de Monterrey, Monterrey, Mexico, one of four co-authors of RFID Applied, John Wiley, 2007, ISBN-10:0471793655; ISBN-13:978-0471793656.