RFID: Security Threat?
First Published: X-Force Monthly Magazine

Media interest in Radio Frequency Identification (RFID) has increased substantially in recent months, and you may have been quizzed about the security implications of the technology.

RFID technology is based on attaching a chip with a small antenna (referred to as an RFID Tag) to an object that will emit a unique signal response (the identifier) when a specific radio frequency is directed at it. The most common forms you will encounter are the passive RFID tags (having no internal power) attached to books and other merchandise (usually stuck to the packaging) to prevent theft.

RFID tags have been in use since the 1980s and are increasingly used for all manner of jobs. The most common usage is as a form of inventory control and tracking. As an example, in the early 1990s most clothing rental companies (think in terms of black-tie events and weddings) started sewing RFID tags into their garments for inventory management. The tags themselves are encased in a special plastic that can survive repeated exposure to the chemicals used in dry-cleaning, are uniquely linked to each individual item and have their details stored in a database system. Why not use a barcode instead and just scan it? Imagine that a truck pulls into a warehouse with 5,000 items on board — scanning each barcode would take a long time. Instead, by using RFID tags, the hauler just throws the boxes of items down a chute and each tag is read automatically — without even having to open the boxes.

So how does this warrant an identity threat? Using clothing as an example, have you ever bought an expensive suit from a store, and then returned to the store several months later to be greeted personally, or wondered how the salesman knew your sizes perfectly? Yes, you guessed it: a lot of expensive suits have embedded RFID tags sewn into them (often in the collar or lapel) for inventory control and to combat “stock shrinkage” (i.e., theft). They are supposed to be disabled after the sale, but are often forgotten about.

Today’s RFID tags can be very small (the smallest are 0.15mm x 0.15mm) and may be implanted or embedded in anything. They typically carry no more than 2KB of data and some may even contain writable memory; but the most common mass-produced versions normally possess only memory enough for a read-only 96-bit serial number.

RFID security threats can be broken into two categories — threats that use the data, and threats that manipulate the data. Consider the use of RFID tags embedded within large denomination money notes or mass transit charge cards (such as London’s “Oyster Card” for use on the “tube,” train and bus). Just as with WiFi, attackers can use special high-powered antennas to query RFID tags from a range greater than expected (most RFID technologies are designed to operate within 2cm – 2m ranges, but with a high-powered antenna the attacker may extend this range to 200m). Now imagine that potential attackers are sitting at a second-story window above a busy shopping arcade, using a high-gain antenna to read how much cash people are carrying as they walk by. Similarly, in a not-so-nefarious scenario, consider haggling for the best price with an antiques dealer after he has already read how much cash is in your wallet.

Attacks directed against RFID systems are expected to get more sophisticated as RFID tag usage extends further into our everyday lives. The most serious RFID threats relate to cloning and manipulation of data. Since the chips within RFID tags are very simple, they are trivial to clone — which means that security systems that rely upon stored data such as the unique 96-bit serial number for identification are easy to bypass (e.g., badge access to an office and “smart money” forgery). The most interesting attacks focus on changing the data on a RFID tag so that it affects the system reading it. For instance, consider an RFID tag that stores the owner’s name and address, but has been changed by the attacker to contain classic SQL-Injection strings. The device reads the data, populates a stored procedure with the newly read data and then executes a SQL query of the attacker’s choice – ‘; DROP DATABASE -- springs to mind.

    Copyright 2001-2007 © Gunter Ollmann