RFID Security: A Reality Check
The news that someone might be able to kill your EPC tags with their cell phone is not as scary as some news stories made out.
Feb 27, 2006—Two weeks ago, the EE Times reported that Adi Shamir, professor of computer science at the Weizmann Institute of Science, told the RSA conference he was able to crack the passwords for the most popular brand of Gen 1 EPC tags and kill them. According to the EE Times, Shamir told the audience that “a cell phone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity.”
When I read this article, I was extremely confused. How could a cell phone be used to kill the tags? Was he talking about 13.56 MHz tags and using a Nokia phone with a 13.56 MHz interrogator built in? But there are no high-frequency Gen 1 EPC tags. The article also failed to point out some very relevant facts—such as that Gen 1 EPC tags were not designed to be used in situations where security was a real concern.
Shamir and Oren used what’s called a side-channel attack. Instead of sending possible passwords until hitting on the right one, the hacker analyzes the behavior of the protected devices to "slowly insinuate" the correct password or key needed to access the protected data. Oren told O’Connor that using a cell phone, which operates in the UHF band, to do this kind of attack would require the creation of firmware written to alter the phone's RF capability so that rather than communicating voice or data over a given phone network, it would instead search for EPC tags. Oren and Shamir didn’t create the firmware, and Oren told O’Connor he didn’t know how easy or hard it would be to do so. Therefore, a phone attack is only theoretical at this point. If Shamir mentioned these salient facts at the conference, they were not reported in the EE Times story.
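As an added illustration (not from the article, and not Shamir and Oren's actual method), the following Python models why a tag's password check can leak through a side channel: a check that stops at the first wrong byte produces an observable that depends on how much of the guess is right, while a check that always does the same work does not. The kill password value, the tag model and the `work` counter standing in for a power or timing trace are all constructed assumptions.

```python
from typing import Callable, Tuple

# Constructed secret for a simulated tag's kill password (not a real tag value).
KILL_PASSWORD = bytes.fromhex("4a17c3e9")


def leaky_check(candidate: bytes, secret: bytes = KILL_PASSWORD) -> Tuple[bool, int]:
    """Compare byte by byte and stop at the first mismatch.

    Returns (accepted, work). `work` is the modelled side channel: the number of
    byte comparisons performed, which a real device would expose as trace length
    or power consumption. It grows with the number of correct leading bytes.
    """
    work = 0
    for c, s in zip(candidate, secret):
        work += 1
        if c != s:
            return False, work
    return len(candidate) == len(secret), work


def constant_time_check(candidate: bytes, secret: bytes = KILL_PASSWORD) -> Tuple[bool, int]:
    """Hardened form: compare every byte and accumulate differences, so the
    observable `work` is identical for every candidate of the same length."""
    work = 0
    diff = len(candidate) ^ len(secret)
    for c, s in zip(candidate, secret):
        work += 1
        diff |= c ^ s
    return diff == 0, work


def leakage(check: Callable[[bytes], Tuple[bool, int]], secret: bytes = KILL_PASSWORD) -> int:
    """Count distinct observable values over guesses that share 0..len(secret)
    correct leading bytes with the secret (wrong bytes are bit-flipped).
    A result of 1 means the observable carries no information about the secret."""
    observed = set()
    for k in range(len(secret) + 1):
        guess = secret[:k] + bytes(b ^ 0xFF for b in secret[k:])
        _, work = check(guess)
        observed.add(work)
    return len(observed)


if __name__ == "__main__":
    print("leaky check distinct observables:", leakage(leaky_check))          # 4
    print("constant-time check distinct observables:", leakage(constant_time_check))  # 1
```

The leaky version yields a different observable for each number of correct leading bytes, which is the kind of behaviour a side-channel attack exploits; the constant-time version yields one value regardless of the guess.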
The bigger problem with the original story and other articles that picked it up was the lack of context provided. The EE Times article says: “Shamir said the pressure to get tags down to five cents each has forced designers to eliminate any security features, a shortcoming that needs to be addressed in next-generation products.” There are two problems with this statement. First, it assumes every tag needs a great deal of data protection, regardless of its application. Second, it shows an ignorance of the fact that the next generation already has greatly enhanced security features.
The amount of security required for anything depends on the value of the thing being protected and the application involved. While my son Thomas’s drawings are precious to me, protecting them doesn’t require the same level of security as protecting a Van Gogh. The Gen 1 tag was designed for use in the supply chain, simply to track goods moving from point to point. The original idea was that there was no need for any security on the tags because they would have only a serial number and all the data about the product would be secured in a database. Concerns that some tagged items could wind up in consumers’ hands led the Auto-ID Center to introduce the kill command, which necessitated a security code to prevent people from killing tags accidentally or maliciously.