
EPC Tags Subject to Phone Attacks

At last week's RSA security conference, renowned cryptographer Adi Shamir said EPC RFID tags are very vulnerable to attack—one that could be deployed using a cellular phone.
By Mary Catherine O'Connor
"How easy or hard it would be to write this firmware, I can not say," Oren allows. "What the firmware would do depends on what the tag maker is trying to hide [what data it is protecting]." The firmware could be written to use power analysis to determine a password, a technique Shamir and Oren proved possible. Oren says he does not know how close a phone would need to be to the tag, but a supplemental antenna could boost the phone's range.

Ari Juels, principal research scientist at RSA Laboratories, says this type of power analysis could also be used to crack key cryptography, used to protect account data encoded to the tag embedded in some credit cards. Juels does not know the amount of time or distance from the tag an attack on an HF tag would require. He says, however, that if firmware were written to perform power analysis in order to determine the cryptographic key, thieves could use that key to make clones of the cards. This wouldn't necessarily require the thief to make an exact clone of the tag or card, he says, adding, "You could rejigger your mobile phone to simulate the credit card, and then go into a store to use your phone to make a payment." A growing number of merchants are enabling their POS systems to accept RFID payments. And while cellular phones operate in the UHF band, those enabled for the near field communication protocol contain an RFID module that operates in the HF range (13.56 MHz), which is what the RFID credit card payment systems use.

Still, Juels and Oren point out that power analysis is not a new type of data attack, and that the same protections contact-based smart cards use against power analysis could also be used to protect RFID tags. These protections mask the spikes in power consumption, but in so doing they force the hardware to consume more energy overall. Tag makers, on the other hand, are always looking for ways to reduce the amount of energy passive tags must consume to make them more efficient.

"There are fairly well-studied mechanisms to find ways to withstand these attacks," says Juels. "I don't think [Shamir's] results show an immediate threat to payment devices, but they do show that attacks that have been done on other technologies could also succeed on RFID devices." He adds, "This is something that exploits some of the naivety that has gone into security designs for EPC tags. For EPCglobal, the cost to counteract these threats shouldn't be too high, and might not require changing the [air-interface] standard."

By next week, Oren says he hopes to publish details on the power analysis attack they performed. He says he sent all of this documentation to EPCglobal already, and assumes the technologists there are reviewing it. EPCglobal US says it is studying Shamir’s findings.

"Security is very important to us, and we are taking a proactive role in addressing security at all levels of the EPCglobal Network," explains Sue Hutchinson, director of industry adoption for EPCglobal US. "In fact, security has been a focus for both the hardware and software action groups and is currently the focus of our Architecture Review Committee, which is looking at security, not only on the tag but for all levels of information flow in the EPCglobal Network."
