1 / 34

RFID Technical Tutorial and Threat Modeling

RFID Technical Tutorial and Threat Modeling. Presented by: Neeraj Chaudhry University of Arkansas. RFID Tutorial Outline. Introduction RFID System Tags Readers Data link layer Modulation Encoding Anti-Collision Protocol Frequencies Standardization EPCglobal Network EPC vs UPC

stesha
Download Presentation

RFID Technical Tutorial and Threat Modeling

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFID Technical Tutorial and Threat Modeling Presented by: Neeraj Chaudhry University of Arkansas

  2. RFID Tutorial Outline • Introduction • RFID System • Tags • Readers • Data link layer • Modulation • Encoding • Anti-Collision Protocol • Frequencies • Standardization • EPCglobal Network • EPC vs UPC • EPC Tag Classes • Class-0 Tag • Class-1 Gen-1 Tag • Class-1 Gen-2 Tag • RFID Threats Categorized with STRIDE

  3. What is RFID? • Stands for Radio Frequency Identification • Uses radio waves for identification • New frontier in the field of information technology • One form of Automatic Identification • Provides unique identification or serial number of an object

  4. Applications • Mobil Speedpass systems • Automobile Immobilizer systems • Fast-lane and E-Zpass road toll system • Animal Identification • Secure Entry cards • Humans • Supply chain management

  5. RFID System • Tags consists of antenna and a microchip • Readers consists of a transmitter, receiver, and one or more antennas • Management system • Communication protocol • Computer Networks

  6. RFID System

  7. RFID Tag • Tag is a device used to transmit information such as a serial number to the reader in a contact less manner • Classified as : • Passive • Active • Semi-passive

  8. Characteristics Passive RFID tag Active RFID tag Power Source Provided by a reader Inbuilt Availability of power Within the field of reader Continuous Signal Strength (Reader to Tag) High Low Signal Strength (Tag to Reader) Low High Communication range < 3meters >100 meters Tag reads < 20 moving tags @ 3mph in few seconds >1000 moving tags @ 100mph in 1 sec Memory 128 bytes 128 Kbytes Applicability in supply chain Applicable where tagged items movement is constrained Applicable where tagged items movement is variable and unconstrained Classification of Passive and Active tag

  9. RFID Reader • Also known an interrogator • Reader powers the tag by sending it RF energy • Can be handheld or stationary • Consists of: • Transmitter • Receiver • Antenna • Microprocessor • Memory • Controller or Firmware • Communication channels • Power

  10. Communication Link • Inductive Coupling • Backscatter Coupling

  11. Modulation • Process of changing the characteristics of radio waves to encode data and to transmit it to the other end • Techniques used depends on the power consumption, reliability and available bandwidth. • Amplitude Shift Keying (ASK) • Frequency Shift keying (FSK) • Phase Shift Keying (PSK)

  12. Encoding

  13. Anti-Collision Protocol • Tag Anti-Collision protocol • Aloha/Slotted Aloha • Deterministic binary tree walking • Query tree walking • Reader Anti-Collision protocol • TDM/FDM

  14. RFID Frequency range

  15. Standarization • ISO • 18000–1: Generic air interfaces for globally accepted frequencies • 18000–2: Air interface for 135 KHz • 18000–3: Air interface for 13.56 MHz • 18000–4: Air interface for 2.45 GHz • 18000–5: Air interface for 5.8 GHz • 18000–6: Air interface for 860 MHz to 930 MHz • 18000–7: Air interface at 433.92 MHz • EPCglobal • UHF Class-0 • UHF Class-1 Generation-1 (Class-1 Gen-1) • UHF Class-1 Generation-2 (Class-1 Gen-2)

  16. Electronic Product Code Global (EPCglobal) Network • EPCglobal Network consists of five component • Electronic Product Code (EPC) number • ID system (tags and readers) • EPC middleware • Discovery Service (ONS) • Information service

  17. Electronic Product Code (EPC)

  18. EPC vs. UPC (Barcodes) • Both are forms of Automatic identification technologies • Universal Product Code (UPC) require line of sight and manual scanning whereas EPC do not • UPC require optical reader to read whereas EPC reader reads via radio waves • EPC tags possess a memory and can be written while UPC do not

  19. EPC Tag Classes

  20. EPCglobal UHF Class-0 Tag • Describes physical layer reader-to-tag link, tag-to-reader link and data link anti-collision protocol • Reader to tag link use 100% or 20% modulation amplitude modulated (AM) carrier signal • Use binary tree anti-collision protocol

  21. Class-0 Reader-to-Tag Symbols

  22. Binary tree anti-collision protocol for Class-0

  23. EPCglobal UHF Class-1 Gen-1 • Employs same modulation and encoding techniques as UHF Class-0 • Use query tree walking anti-collision protocol • Reader queries by using group of bits, matching tags responds with an 8-bit response during one of eight time slots. Eight time slot for tags response

  24. Query Tree Protocol for Class-1 Gen-1 and first step of Gen-2

  25. EPCglobal UHF Class-1 Gen-2 • Use one of ASK, FSK or PSK modulation with PWM encoding referred as pulse-interval encoding (PIE) format. • Reader chooses the encoding format for tag-to-reader link. • FM0 • Miller • Use Aloha-based random anti-collision protocol called Q protocol

  26. Q Protocol (Anti-Collision Protocol) • Select phase • Single out particular tag population with one or more bits like query tree protocol • Inventory phase – identify individual tag using Q protocol (slotted-aloha based) • Reader sends Query with parameter Q and Session number (Q=4 is suggested default) • Reader creates slotted time • Tags pick random 16-bit number for handle • Tags in requested session pick a random number in the range [0,2^Q-1] for slot_number • If slot_number = 0, backscatter handle • If slot_number != 0, wait that number of slots to backscatter handle • Reader ACKs individual tag with handle and goes to access phase. All other tags wait. • If more that one tag answers, reader can send same Q again or send modified Q • Access phase • Reader interacts with tags requesting EPC number and any other information

  27. RFID Threats Categorized with STRIDE • Spoofing identity • Tampering with data • Repudiation • Information disclosure • Denial of service • Elevation of privilege

  28. Spoofing Threat • A competitor or thief performs an unauthorized inventory of a store by scanning RFID EPC tags with an unauthorized reader to determine the types and quantities of items. An unauthorized reader can query the tag for the EPC number because most tags used in the supply chain respond to any reader. The EPC number is only a number. However, because of the standard way of creating an EPC number, an attacker can determine the manufacturer and possibly the product number. It is likely that the number assigned to all manufacturers will become public knowledge as well as the product number after some short period of time.

  29. Tampering with Data Threats • An attacker modifies a tag. • An attacker modifies the tag in a passport to contain the serial number associated with a terrorist or criminal. • An attacker modifies a high-priced item’s EPC number to be the EPC number of a lower cost item. • An attacker modifies the EPC number on tags in the supply chain, warehouse, or store disrupting business operations and causing a loss of revenue. • An attacker adds a tag to an object. • An attacker adds a tag in a passport that contains the serial number associated with a terrorist or criminal. • An attacker adds additional tags in a shipment that makes the shipment appear to contain more items than it actually does. • An attacker deletes data on a tag. • An attacker kills tags in the supply chain, warehouse, or store disrupting business operations and causing a loss of revenue • An attacker erases the tags setting all values including the EPC number to zero in the supply chain, warehouse, or store disrupting business operations and causing a loss of revenue. • An attacker removes or physically destroys tags attached to objects. This is used by an attacker to avoid tracking. A thief destroys the tag to remove merchandise without detection. • An attacker reorders data on a tag or reorders tags. • An attacker exchanges a high-priced item’s tag with a lower-priced item’s tag.

  30. Repudiation Threats • A retailer denies receiving a certain pallet, case, or item. • The owner of the EPC number denies having information about the item to which the tag is attached.

  31. Information Disclosure Threats • A bomb in a restaurant explodes when there are five or more Americans with RFID-enabled passports detected. • An attacker blackmails an individual for having certain merchandise in their possession. • A fixed reader at any retail counter could identify the tags of a person and show the similar products on the nearby screen to a person to provide individualized marketing. • A competitor or thief performs an unauthorized inventory of a store by scanning tags with a reader to determine the types and quantities of items. • A thief could create a duplicate tag with the same EPC number and return a forged item for an unauthorized refund.

  32. Denial of Service Threats • An attacker kills tags in the supply chain, warehouse, or store disrupting business operations and causing a loss of revenue. • A shoplifter carries a blocker tag that disrupts reader communication to conceal the stolen item. The blocker tag is used against the Class-0 using the tree walking anti-collision protocols. An attacker can simulate many RFID tags simultaneously causing the anti-collision to perform singulation on a large number of tags making the system unavailable to authorized use.

  33. Elevation of Privilege Threats • A user logging on to the database to know the product’s information can become an attacker by raising his/her status in the information system from a user to a root server administrator and write or add malicious data into the system.

  34. Contact Information NEERAJ CHAUDHRY 705 West Putman Street, Apt # R-2, Fayetteville, AR-72701 Email: nchaudh@gmail.com Phone: (479) 599-9107 Dale R. Thompson, P.E., Ph.D. Department of Computer Science and Computer Engineering University of Arkansas 311 Engineering Hall Fayetteville, Arkansas 72701 Phone: +1 (479) 575-5090 FAX: +1 (479) 575-5339 E-mail: d.r.thompson@ieee.org WWW: http://csce.uark.edu/~drt/

More Related