RFID Journal Blog
Text size:
T
T
T
Academic Navel Gazing Continues
4 CommentsResearchers at the department of computer science and engineering at the University of South Carolina in Columbia, have published a paper, “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study,” that claims security flaws in radio frequency identification tire sensors could expose drivers to the threat of being tracked, because cars can be identified by capturing the ID in the sensor. I don’t know the students who wrote this paper, but they strike me as smart people who are incapable of thinking.
I’ll explain why this paper is absurd in a moment, but first lets take a look at what the paper says. The abstract points out that tire pressure monitoring systems represent one of the first, if not the first, in-car wireless networks mandated for every new automobile. They say the security and privacy implications of such in-car wireless sensor networks are not fully understood, so they decided to evaluate the privacy and security implications of two tire pressure monitoring systems using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system.
The researchers found that the sensor messages can be sniffed and decoded from up to 40 meters (120 feet) from a passing vehicle with a basic low-noise amplifier and the openly available GNU radio platform (a GNU radio is comprised of hardware and software and can be used for intercepting radio signals).
The researchers write: “This raises location privacy risks because vehicles could potentially be tracked through these identifiers and drivers do not have any option to disable the system. Furthermore, current protocols do not employ authentication mechanisms and vehicle implementation do not appear to perform basic input validation or filtering of messages. This allows straightforward spoofing of sensor messages. One of our experiments demonstrates this by triggering the tire pressure warning message in a moving vehicle through a spoofed message from another nearby vehicle.”
Folks, be warned. You are in eminent danger of having someone trigger a false pressure-warning message when your tires are properly inflated. This could become a major problem in cities around the world. Imagine the mayhem when driver after driver is forced to pull over and look at their tires, only to discover they are properly inflated. Chaos!
The privacy implications they talk about are no less ridiculous. They claim that someone with sophisticated knowledge of RF systems could set up a GNU radio alongside a road and identify cars and sniff out the IDs in the sensors in the tire pressure sensors. Why would anyone do this? The paper doesn’t say. It only says: “If the sensor IDs were captured at certain roadside tracking points and stored in databases, third parties could infer or proof [sic] that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs.”
Actually, that is false. If the senor IDs were captured and stored in a database, it wouldn’t prove anything. In order to prove that a specific driver was in a specific location, you would have to link a specific sensor to a specific car and then link that specific car to a specific driver.
I don’t know if vehicle makers keep track of which sensor with a specific ID got put into a specific car. If they don’t, then the only real threat would be if the person sniffing found another way to link a specific sensor to a specific car and driver (by, say, walking up and asking to see ID). But even if the auto companies do store information on which sensor went into which car, you would still need to know who owns that car.
So if I were a criminal or a policeman sitting on the roadside sniffing IDs in sensors, I would need to get into the carmaker’s database to find out the vehicle identification number (VIN) of the car that specific sensor went into. Then, I would need to access either the database of the dealer that sold the car or the department of motor vehicles to find out who bought or registered the car.
This would be difficult for a criminal to do. But I know that there are people who are paranoid about Big Brother governments watching their every move. Government agents who are hell bent on tracking you could certainly gain access to car company and motor vehicle department databases, right? Yeah, probably. But here is an important fact that the researchers seem to have overlooked—THERE IS AN IDENTIFYING SERIAL NUMBER ON THE FRONT AND BACK OF EVERY CAR.
That’s right, every car has a license plate. And if you are a government agent who wants to play Big Brother, you could either have a guy with binoculars read license plate from 100 meters or more, or you could photograph plates and look up the owner in the department of motor vehicles. That gets around the nettlesome problem of trying to match the sniffed sensor ID to the VIN. So the researchers have discovered a much more difficult way of identifying cars than already exists. I wonder if the University of South Carolina would give me a Ph.D. if I came up with, say, a really elaborate way of identifying prisoners with serial numbers on their prison garb.
OK, I’m being a little hard on these guys. Academics researchers do the world a valuable service by exploring the security vulnerabilities of RFID and wireless sensors, when there is a real threat. And there could be a time where unsecured wireless vehicle networks involve a real threat. If the use of these expands and the networks are not secured, perhaps criminals could use the researchers’ technique to disable the steering in a car, or terrorists could use it to disable an airplane engine in flight. But by putting their research in the context of an invasion of privacy using RFID today, they are hurting the RFID industry, because bloggers and privacy advocates will use their paper to justify their opposition to RFID. This does no one any good.
Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark's opinions, visit the RFID Journal Blog or click here.
I’ll explain why this paper is absurd in a moment, but first lets take a look at what the paper says. The abstract points out that tire pressure monitoring systems represent one of the first, if not the first, in-car wireless networks mandated for every new automobile. They say the security and privacy implications of such in-car wireless sensor networks are not fully understood, so they decided to evaluate the privacy and security implications of two tire pressure monitoring systems using both laboratory experiments with isolated tire pressure sensor modules and experiments with a complete vehicle system.
The researchers found that the sensor messages can be sniffed and decoded from up to 40 meters (120 feet) from a passing vehicle with a basic low-noise amplifier and the openly available GNU radio platform (a GNU radio is comprised of hardware and software and can be used for intercepting radio signals).
The researchers write: “This raises location privacy risks because vehicles could potentially be tracked through these identifiers and drivers do not have any option to disable the system. Furthermore, current protocols do not employ authentication mechanisms and vehicle implementation do not appear to perform basic input validation or filtering of messages. This allows straightforward spoofing of sensor messages. One of our experiments demonstrates this by triggering the tire pressure warning message in a moving vehicle through a spoofed message from another nearby vehicle.”
Folks, be warned. You are in eminent danger of having someone trigger a false pressure-warning message when your tires are properly inflated. This could become a major problem in cities around the world. Imagine the mayhem when driver after driver is forced to pull over and look at their tires, only to discover they are properly inflated. Chaos!
The privacy implications they talk about are no less ridiculous. They claim that someone with sophisticated knowledge of RF systems could set up a GNU radio alongside a road and identify cars and sniff out the IDs in the sensors in the tire pressure sensors. Why would anyone do this? The paper doesn’t say. It only says: “If the sensor IDs were captured at certain roadside tracking points and stored in databases, third parties could infer or proof [sic] that the driver has visited potentially sensitive locations such as medical clinics, political meetings, or nightclubs.”
Actually, that is false. If the senor IDs were captured and stored in a database, it wouldn’t prove anything. In order to prove that a specific driver was in a specific location, you would have to link a specific sensor to a specific car and then link that specific car to a specific driver.
I don’t know if vehicle makers keep track of which sensor with a specific ID got put into a specific car. If they don’t, then the only real threat would be if the person sniffing found another way to link a specific sensor to a specific car and driver (by, say, walking up and asking to see ID). But even if the auto companies do store information on which sensor went into which car, you would still need to know who owns that car.
So if I were a criminal or a policeman sitting on the roadside sniffing IDs in sensors, I would need to get into the carmaker’s database to find out the vehicle identification number (VIN) of the car that specific sensor went into. Then, I would need to access either the database of the dealer that sold the car or the department of motor vehicles to find out who bought or registered the car.
This would be difficult for a criminal to do. But I know that there are people who are paranoid about Big Brother governments watching their every move. Government agents who are hell bent on tracking you could certainly gain access to car company and motor vehicle department databases, right? Yeah, probably. But here is an important fact that the researchers seem to have overlooked—THERE IS AN IDENTIFYING SERIAL NUMBER ON THE FRONT AND BACK OF EVERY CAR.
That’s right, every car has a license plate. And if you are a government agent who wants to play Big Brother, you could either have a guy with binoculars read license plate from 100 meters or more, or you could photograph plates and look up the owner in the department of motor vehicles. That gets around the nettlesome problem of trying to match the sniffed sensor ID to the VIN. So the researchers have discovered a much more difficult way of identifying cars than already exists. I wonder if the University of South Carolina would give me a Ph.D. if I came up with, say, a really elaborate way of identifying prisoners with serial numbers on their prison garb.
OK, I’m being a little hard on these guys. Academics researchers do the world a valuable service by exploring the security vulnerabilities of RFID and wireless sensors, when there is a real threat. And there could be a time where unsecured wireless vehicle networks involve a real threat. If the use of these expands and the networks are not secured, perhaps criminals could use the researchers’ technique to disable the steering in a car, or terrorists could use it to disable an airplane engine in flight. But by putting their research in the context of an invasion of privacy using RFID today, they are hurting the RFID industry, because bloggers and privacy advocates will use their paper to justify their opposition to RFID. This does no one any good.
Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark's opinions, visit the RFID Journal Blog or click here.
READERS' COMMENTS
Take this research seriously
Mark, Let me start this off by saying that I am a huge proponent of RFID and I work with embedded systems for a living. I think we really need to take this kind of research seriously. A lot of RFID technology ignores security because it's expensive and the implications of being compromised may not seem like a big deal. However, at the bottom of page 12 they note that they crashed the TPMS ECU to the point where it needed to be replaced by the dealership. If a system can be put into an unrecoverable state remotely, even if that system doesn't control critical functions, it needs to be examined and understood. Seemingly innocuous crashes in desktop PC software are constantly used to get systems to do things they weren't intended to do. If this "crash" is revealed to be something that can be exploited at a distance and interfere with the CAN BUS communication then it is very serious. Other researchers have already shown, and it's obvious from its very nature, that with access to CAN BUS you can do anything from displaying messages on the dashboard to _disabling the brakes on a vehicle_. Regarding license plates you are also being a bit naive here. Yes, (almost) anyone can read a license plate from a distance but identifying a car via RFID has several advantages. First, no expensive computer vision is required. Second, vehicles can be identified even when there isn't a clear view of the plate and it can be done from any orientation. Now with a cheap battery powered RFID data logger you can keep track of when someone comes and goes without a camera and without putting someone on surveillance duty. There are many ways this could be exploited. The people in the embedded community who don't take these things seriously are looking for trouble in the next few years. These researchers probably aren't opposed to RFID, they're opposed to unsecured RFID and they're trying to let people know now before it becomes a real problem. Let's support them, review their findings, and try to keep them on the white hat side of fence. If we beat them up over media generated paranoia they may not be willing to share when they find something really bad. - Tim
Posted By: Tim Mattison 8/24/10 at 10:48 AM
My problem is not with the research
Tim, thanks for your post. My problem is not with the research. My problem is with the context it is put in. As I said, I believe that the ability to disable or hack RFID and other wireless networks is a serious issue. And if the researchers had said that they understand that the threat with car tires might be minimal today, it has serious implications for the use of these technologies going forward, I would not have been critical. But every researcher examining the security of RFID system, puts the research in the context of Big Brother tracking everyone, and this strikes me as just plain stupid. You say I’m naïve on the license place issue. I disagree. If you were a government agency, it would be far easier to set up machine vision and then go to the department of motor vehicle and look up who owns the car than to use RFID. As I mentioned, getting the serial number with “cheap battery powered RFID data logger” gets you nothing but a meaningless serial number. All you would learn is that a car with a pressure sensor ID 1234567 ran by one checkpoint. What in the world is the value of this? None as far as I can see, and putting the research in the context of big brother spying on people is seriously damaging to the adoption of a technology. If researchers want to be taken seriously, they have to think seriously about what the issues are and not reflexively say every time you can read a tag it amounts to a serious threat to privacy. This is a poor justification for useful research.
Posted By: Mark Roberti 8/25/10 at 7:26 AM
To corrupt technology you only need imagination
To corrupt technology you only need imagination I am only new to this area of technology and I agree that there is a lot of hysteria about privacy issues. Having said that, I think it is as important when considering the benefits of each new application to give sufficient time and imagination to how it can be abused; because if it can, it will. You said that you can’t see the value of knowing that “car with a pressure sensor ID 1234567 ran by one checkpoint”. I say that you just need a little imagination. On message spoofing; just ask yourself, how annoying is spam? If it is a easy matter to trigger a warning indicator I’d avoid the local collage campus!. And then there’s the commercial said of spam; a warning light triggered 100 yards from a gas/petrol station will bring in enough business for some people to consider it. On Big Brother: You’re right, there are far better, and easier, ways for an errant government agencies to track mass population movements, and it makes little sense to use RFID for this purpose. But once you know what car a person drives it’s a very cheap and effective means of verifying their movements after the fact, in the same way that cell phone triangulation can be used. Processing of RFID information is a lot easier and more reliable than visual information, can be done in real-time, and can be done night and day and in all weathers. On the criminal side, just knowing that a car is moving is moving in your vicinity can be useful. Scan the tags from the local police force and you have a cheap portable police proximity detector. On the commercial side, having a unique identifier in every car and a cheap and easy way of detecting their movements has so many possibilities, from the recovery of stolen vehicles to spying on your spouses movements. I’ve only been thinking about this for a 15 minutes but give me another 15 minutes and a little seed capital and I’ll make you a millionaire and the civil liberties lobby very unhappy! Keith McLoughlin
Posted By: 9/2/10 at 12:31 PM
Imagination versus reality
I’m not going to waste time explaining why I think each of your scenarios are implausible. I will just make a few points. First, imagination applies to positive uses of the technology, as well as negative. One thing that always baffles me is why opponents always think technology will be applied negatively, when in fact, the history of the past 50 years shows that technology has made the world more prosperous and democratic (think of how protestors in Iran used the Internet). Second point is, I can imagine ways every technology can be abused, from matchsticks to hammers to the Internet. Society has found ways to prevent wide-scale abuses of matchsticks to burn down houses, hammers to kill people and the Internet to spread child pornography. There are still abuses, of course. And I have long said that there will be those that abuse RFID. But as abuses occur—and so far they have been few and far between—they can be addressed. Third point I would like to make is that while it is easy to imagine abuses, one has to examine the likelihood of abuses. If there is no benefit to someone in abusing the technology, they will not abuse it. So you need to look at not just what is possible, but what the likely benefit might be to a criminal or government or large company to committing that abuse. People make money from spam, which is why it is a problem. I have yet to see a plausible scenario for using RFID to spy on people. Fourth, you say that “processing of RFID information is a lot easier and more reliable than visual information” (photographing cars and interpreting the image to get the license plate number) and “once you know what car a person drives it’s a very cheap and effective means of verifying their movements after the fact . . .” It’s interesting to me that you are suggesting that a technology that is proven and in use in many cities around the world is difficult to use, but RFID is cheap and easy. I suspect it is a lot more difficult than the researchers suggest. Imagine a busy highway with thousands of tires passing a reader per minute. Collecting that information with no interference as one car passes behind another would not be so easy. And you still need a way to match the unique serial number in a pressure sensor with the owner of the car. I would suggest if you are trying to catch you wife cheating, it would be easier to rent a car (so she doesn’t recognize you) and follow her to her tryst. (It’s also worth noting that if this does become a problem there are simple technological and legal fixes.) Finally, I would like to point out that some 100 million cars around the world have a long-range transponder on their windshield that can be read from 100 meters, and there have been no reported incidents of people being tracked. So what we are lead to believe is that people will be tracked in the future with a short-range transponder in the pressure sensor in the tire of their car, even though they are not being tricked today with either their license plate or the long-range transponder on their windshield. That just doesn’t make a lot of sense to me.
Posted By: Mark Roberti 9/3/10 at 7:01 AM