Layerone / 2006
RFID – Technology, Security & Privacy
Luiz Eduardo Dos Santos, CISSP
luiz AT arubanetworks.com
What are we talking about today?
• RFID history
• Technologies
• WiFi tags
• Privacy/ Security
Layerone 2006
Who am I?
• Networking guy
• Security guy
• Aruba’s WSIRT Incident Manager
• Speaker at some conferences
• WLAN at Blackhat, DEFCON & CCC
What is RF-ID and why?
• Radio Frequency Identification
• “Derived” from the IFF (Identification Friend or Foe) transponder, used in World War II
• 1945, the Soviet government used a passive covert
listening device which retransmitted incident radio
waves with audio information
• First commercial use in 1976
• Anti-theft tags
• Inventory control (barcode replacement?)
• Detect misplaced products and expired goods
• Tracking and identifying “everything”
RFID “Components”
• Tags (also known as transponders), can be active, semi-active and passive
(Frequencies used can be: LF, HF, UHF, uW, GPS)
• Readers (transceiver)
• Back-end systems
More about tags
• Up to 1000 write cycles (some are read
only)
• Some have some sort of write protection
• Each tag carries a unique identifier
• WiFi tags are programmable by the RTLS
• Some newer WiFi tags have a built-in
crypto accelerator
Myths
• RFID will replace barcode
• RFID is just a “talking” barcode (nope, up
to 2kB of info)
• Tags can ONLY be (and are intended to be) read at relatively short distances *
RFID technologies & applications
• Used to locate mobile items
• Two different technologies
• Wi-Fi Tags
• UHF ‘RFID’ passive tags
• Differing range, cost, capabilities
UHF RFID tags work at 915 MHz. They are inexpensive, usually passive (no batteries) but very short-range.
Wi-Fi tags work at 2400 MHz. They are expensive, active (batteries with relatively short life) and longer-range.
UHF RFID tag applications
• Wholesale/retail distribution chain
• Carton-level tagging through the supply chain (groceries)
• Item-level tagging of high-value items (razor blade packages)
• Real-time checking of truck loading
• Homeland security implications of an audit chain for foodstuffs
• Manufacturing
• Potential to replace bar-codes
Wi-Fi tag applications
• High-value mobile equipment
• IV pumps & other equipment in hospitals
• Patients in hospitals
• Manufacturing (aero engines)
• Shipping industry (rail cars, shipping containers)
• Identify IT equipment in server farms
• Locate mobile equipment for on-site maintenance
RFID technologies – UHF
ERP, etc interface
- API from server
- Middleware
- Integration
RFID server
- Filters data
- Simple business rules
- Stores for audit
- Real-time decisions
LAN
- Transport only
Reader
- 915 MHz
- Special antennas
- For passive tags
- Range ~ 5m
Loading dock application
- Passive tags on cartons
- Active tags on pallets
Technology Characteristics
• Passive tags
- Low-cost
- Low-complexity
- Carry UPC-like information
• Radio requirements
- 902-928 (915) MHz
- RF transmissions excite tags
- Tags return information to reader
• Traffic characteristics
- Many transactions, little data per transaction
• Back-end integration requirements
- ERP & business systems integration
Issues
• Cost of tags (~50c but still too high)
• Cost of readers (~$1000 installed)
• Short range of detection (~2 meters)
• Not re-programmable
• Duplicate reads
• Missed reads & RF coverage holes
• Detecting vector motion (direction through a doorway)
• Management, coordination of many readers
• Middleware & ERP integration
• Immature technology – emerging reader architectures
• Business case difficult
RFID technologies – Wi-Fi Tags
Real Time Location Server
- Manages tags
- Programs tags
- Integration
EMS
- API with x, y, z
- zone alerts / alarms
Mobility Controller
LAN
- Transport only
Access Points
Wi-Fi tags & clients
Technology Characteristics
• Wi-Fi tags
- High-cost
- High-complexity (tag provisioning)
• Radio requirements
- Wi-Fi
- Association or ‘Blink’ (clock, motion, etc)
- Longer range than UHF: 20+ meters
• Traffic characteristics
- Few transactions, “larger” data sets (60 bytes data chunks)
- RSSI from different BSSIDs
• Back-end integration requirements
- Usually standalone business-rules engine
- Any Wi-Fi client can be tracked, located
- RTLS will generate alerts, reports, etc
Issues
• Use existing WLAN infrastructure
• Cost of tags (~$50)
• Range (~ 30 meters)
• Lack of standards
• Battery life (~1 year) (depends on scan rate)
• Number of servers, complexity of administration
• Middleware, business rules integration
• Opensystem & WEP (now 802.11i)
• Some support multiple SSIDs
• All calculations done in the RTLS
• Ability to track any WiFi device
First-generation Wi-Fi tags
Location Server
- Tracks tags
- Processes data
- Programs tags
- Business rules
- API integration
Mobility Controller
LAN
- Transport only
1 – tag wakes up (on clock or motion) and listens for AP’s on all Wi-Fi channels, logs RSSI
2 – tag associates, authenticates and connects to the location server
3 – Location server RSSI information, compares to site fingerprint and determines location
4 – tag may be reprogrammed, firmware-updated, or report more detailed telemetry information, battery state, etc
5 – Location Server integrates with IT processes applications (inventory, maintenance, nurse call, etc) as middleware
• Operates as an overlay over the WLAN infrastructure
• Requires long transmit times
• 802.11 association for every transmission
• Rather poor battery life
• Large tag profile
Second-generation Wi-Fi tags
Location Server
- Tracks tags
- Processes data
- Programs tags
- Business rules
- API integration
EMS
- API with x, y, z
- zone alerts / alarms
Mobility Controller
LAN
- Transport only
1 – tag blinks with pre-determined frame
2 – network detects blink at multiple APs
3 – network determines tag location, reports x, y, z
4 – Location Server no longer derives location, only applies business rules & tag programming
5 – New downlink frames allow simple reprogramming of the tag without association (e.g. channels, blink rate)
• Greatly improved battery life
• No association required
• Smaller tag profile
• Simplified Location Server
• WLAN infrastructure provides xyz on API
• Standardization opportunity
• Mix-and-match tags & Location Servers & WLANs
Future Generations of RFID
Several opportunities for integrating infrastructure and technology
Reader
LAN
Location Server
- Programs tags
- Business rules
- API integration
EMS
- API with x, y, z
- zone alerts / alarms
Mobility Controller
1a – Wi-fi only tags
1b – UHF RFID tags
1c – combined technology tag (Wi-Fi, Bluetooth, UHF) allows wide-area detection & accuracy
2 – integrate Wi-Fi, UHF readers / APs for simplicity & cost savings
3 – WLAN determines tag location, reports x, y, z
4 – Mobility controller manages UHF readers as well as Wi-Fi APs
5 – Location server correlates between signals from UHF, Wi-Fi APs
• Multi-technology network
- Single mobility controller architecture for UHF readers, Wi-Fi APs
• Multi-technology tags
- Wi-Fi for range, UHF/Bluetooth for proximity
• Expense constraints where it counts
• Unified Location Server
- Single server handles UHF & Wi-Fi & combination tags
TDOA Location Technologies
Use standard Wi-Fi tags, but require special receivers: good outdoors
[Figure: Tracking baggage trains. Receivers A, B and C along the x axis, arrival times on the time axis; time differences tC-B, tA-B, tA-C; XC-XB = p, XC-XA = q, XA-XC = r]
• TDOA (Time Difference of Arrival) accuracy is constant (dependent on the accuracy of time measurement, 1ft/nsec)
• Accuracy of 10nsec is 10ft, regardless of distance measured: 10ft whether the measurement is 60ft or 180ft
• RSSI accuracy is proportional to distance
• 25% of 60ft is 15ft, 25% of 180ft is 45ft
• Outdoor usually means long distances from tag to AP, so TDOA is often preferred
• TDOA technology requires special receiver hardware today
• Combined Wi-Fi AP with TDOA receivers are available, but expensive
• Mobile RF obstacles (e.g. planes, catering trucks) create shadows & multipath, so accuracy can vary
• Shadow, multipath effects may affect RSSI more than TDOA
(some of) Today’s RF-ID Applications
• Inventory control (product tracking)
• Human and animal implants
• People tracking (parks/ clubs)
• Car keys
• Access control (badges)
• Luggage tracking
• Passports / immigration documents
• Customer loyalty cards
• Toll collection
• Libraries
• Exxon’s Speedpass
• Cattle tracking
“New” RF-ID Applications
• MP3 player with smartcard
• Clothing
• Vending machines
• Casino chips
• Cellphones
Future RF-ID Applications
• Home appliances (refrigerators, washers,
“smart” ovens)
• Money
• Smart paper (books, business cards)
• Sports
• And many more to come...
Security Concerns (RFID in General)
• No (or weak) encryption (overhead)
• User data memory can be modified
• No read protection *
• No “scanning” protection
Privacy Concerns
• Eavesdropping (customer AND business
privacy issues)
• “better” customer profiling
• Possible person identification (when the tag has
no read protection)
• “hotlisting” based on products you are carrying
(books, etc)
• Collection and use of PII (personally identifiable information)
• 21st century dumpster dive
Possible Solutions
• Kill the tag once it leaves the store
• RSA’s blocker tag
• Lock unused memory on the tag
• Encryption? Overhead? ...
Hash lock access control
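Added example (not from the original slides): a small Python model of hash-lock access control, where a locked tag answers every query with metaID = hash(key) only and releases its identifier once a reader presents the matching key. The Tag and Reader classes, SHA-256 as the tag's hash and the EPC string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> bytes:
    # SHA-256 stands in for the tag's one-way hash (assumption; the slide names none)
    return hashlib.sha256(data).digest()

class Tag:
    """Hypothetical tag: while locked it reveals only its metaID."""
    def __init__(self, tag_id: str):
        self._id, self._meta_id = tag_id, None  # None means unlocked
    def lock(self, meta_id: bytes) -> None:
        self._meta_id = meta_id
    def query(self):
        if self._meta_id is not None:
            return ("metaID", self._meta_id)
        return ("id", self._id)
    def unlock(self, key: bytes) -> bool:
        ok = self._meta_id is not None and hmac.compare_digest(h(key), self._meta_id)
        if ok:
            self._meta_id = None
        return ok

class Reader:
    """Hypothetical authorised reader with a back-end table metaID -> key."""
    def __init__(self):
        self._keys = {}
    def lock_tag(self, tag: Tag) -> None:
        key = secrets.token_bytes(16)
        self._keys[h(key)] = key
        tag.lock(h(key))
    def read(self, tag: Tag):
        kind, value = tag.query()
        if kind == "id":
            return value
        key = self._keys.get(value)
        if key is None or not tag.unlock(key):
            return None  # no key for this metaID: the tag stays locked
        return tag.query()[1]

def demo():
    tag = Tag("EPC-CONSTRUCTED-0001")         # constructed sample identifier
    store, stranger = Reader(), Reader()
    store.lock_tag(tag)
    seen_by_stranger = stranger.read(tag)     # unauthorised reader learns no ID
    first, second = tag.query(), tag.query()  # locked tag repeats the same metaID
    seen_by_store = store.read(tag)           # authorised reader unlocks and reads
    return seen_by_stranger, first == second, seen_by_store
```

The second value returned by demo() shows the limit of the basic scheme: the metaID is static, so a locked tag can still be recognised across reads even though its identifier and data stay hidden.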
Attacks
• RF-Dump
manipulates user data on the tag
• Tag swapping
• Convert products EPCs
• RF-ID Bombs
WiFi Tags Security Concerns
• Well, same concerns as you would have
in any WLAN environment
• So, almost... What’s new? The new
components
• “Rogue” RTLS
• Spoofed tags
• Packet injection to confuse the RTLS
• And so on....
Resources
• http://www.rf-dump.org/
• http://www.spychips.com/
• http://www.nocards.org/
• http://www.rfidjournal.com/
• http://www.boycottgillette.com/
• And, well .. http://www.google.com
Done
• That’s all!
• Questions?
Thanks!
luiz AT arubanetworks.com
le AT wlansec.org