Threats to security and privacy in RFID and ubiquitous computing
This article identifies and analyzes RFID for unique identification, a key element of ubiquitous computing. With RFID, a network can include inanimate objects, people and animals, so the Internet can link up with Web 2.0 social networks and create connections between people, machines and any inanimate entity such as a painting. The possibilities that ubiquitous computing will offer in conjunction with RFID are unimaginable, but both urgently need protection from the perspective of security and privacy, and both aspects must be tackled vigorously.
As background, RFID technology seems to have its origins in 1948 with the researcher Harry Stockman. An initial application came during the Second World War, when the United Kingdom used RFID devices to distinguish its own returning aircraft from possible German planes, because radar could only signal the presence of a plane, not whether it was friend or foe. Commercial use of RFID dates from the nineties, and the list of applications today is endless: monitoring of products in large retail companies, RFID tags on hospital patients, baggage tracking in airports, passports, library books, vehicles, and RFID sensors to detect motion, temperature, food quality, radiation level, tire status, GPS position, etc.
Among the growing list of RFID benefits are the following. (i) For manufacturers and retailers: less manual inventory work and less use of safety stock; increased sales due to fewer out-of-stock situations; greater visibility and improved stock availability; lower transportation costs and shipping volume; more accurate forecasts and stock replenishment; reduced threats and shrinkage in the supply chain; and assured product integrity. (ii) For customers: improved product selection, fresher products where shelf life matters, easier identification in claims, and better availability of products on the shelves when customers want them.
RFID Components
The main components in an RFID system are:
(1) RFID label or tag. An object that can be attached to, injected into or incorporated into a person, product or animal for unambiguous identification at a distance using radio waves. It consists of a base substrate (PVC, paper, etc.) on which an antenna is placed (the contactless, at-a-distance interface, made of copper, conductive ink, etc.), and on that an integrated circuit or chip (with pre-programmed mask memory or EEPROM and a processor). It can include an optional power supply, and the whole is coated with a layer of epoxy resin, adhesive or paper.
Each RFID tag contains a unique 96-bit code that facilitates the identification process, called the EPC (Electronic Product Code), whose format has four fields: (i) Header. Sets the EPC version; 8 bits. (ii) EPC manager number. Identifies the originator of the EPC, that is, the product manufacturer; 28 bits. (iii) Object class number. Describes the type of product; 24 bits. (iv) Serial number. Unique identifier for this individual item of the product; 36 bits.
RFID tags can be classified into active (fully independent), semi-passive (a battery assists the energy provided by the reading unit), passive (requires the energy radiated by the reading unit), read-only, read-write and write-once. Passive tags are programmed by the manufacturer or at installation and obtain their power from the RF energy transferred by the reading unit; they have no battery, so power is available only while they are within range of a reader. They usually store a few bytes, for example 128 bytes, and hundreds of tags can be read at one foot to fifteen feet from the reader. Active tags have a battery that lasts 2 to 6 years, so their power supply is continuous; thousands of tags can be read at a distance of 100 feet or more and at speeds such as 160 km/h. They are equipped with large memories of hundreds of Kbytes and can integrate sensors: pressure, temperature, acceleration, magnetic field, GPS position, radiation, alarm log, vibration level, light, humidity, etc. They are used for more valuable entities such as people, electronic assets, shipping containers, etc.
(2) Interrogation units or readers. They are used to read RFID tags and in some cases also to write to them. A growing threat is the design of very-high-gain smart antennas that could read RFID tags from many miles away, even by satellite.
(3) Middleware. It is the necessary interface between databases and enterprise information management software. Provides various functions: data filtering, system monitoring and coordination of multiple reading units.
(4) Business application software. It is used to manage the data. These last two components are themselves exposed to all kinds of information security threats.
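The 96-bit EPC layout described under component (1), as an added example that is not part of the original article: it packs and unpacks the four fields and shows that the top 60 bits are shared by every item of a product type, while the 36-bit serial number makes each tag individually linkable. The class and function names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

# Field widths in bits, most significant first, as listed in the article.
FIELDS = (("header", 8), ("manager", 28), ("object_class", 24), ("serial", 36))
TOTAL_BITS = sum(width for _, width in FIELDS)  # 96
SERIAL_BITS = 36


@dataclass(frozen=True)
class EPC96:
    header: int
    manager: int
    object_class: int
    serial: int

    def pack(self) -> bytes:
        """Encode the four fields into the 12-byte tag identifier."""
        value = 0
        for name, width in FIELDS:
            field = getattr(self, name)
            if not 0 <= field < (1 << width):
                raise ValueError(f"{name} does not fit in {width} bits")
            value = (value << width) | field
        return value.to_bytes(TOTAL_BITS // 8, "big")

    @classmethod
    def unpack(cls, raw: bytes) -> "EPC96":
        """Decode 12 bytes read from a tag; reject any other length."""
        if len(raw) != TOTAL_BITS // 8:
            raise ValueError(f"expected 12 bytes, got {len(raw)}")
        value = int.from_bytes(raw, "big")
        fields = {}
        for name, width in reversed(FIELDS):  # peel fields off the low end
            fields[name] = value & ((1 << width) - 1)
            value >>= width
        return cls(**fields)


def product_prefix(raw: bytes) -> int:
    """Top 60 bits: identical for every item of one product type."""
    EPC96.unpack(raw)  # validates the length
    return int.from_bytes(raw, "big") >> SERIAL_BITS


# Constructed sample values, not taken from a real tag.
TAG_A = EPC96(0x35, 0x0ABCDEF, 0x00012C, 7).pack()
TAG_B = EPC96(0x35, 0x0ABCDEF, 0x00012C, 8).pack()

if __name__ == "__main__":
    print(TAG_A.hex(), EPC96.unpack(TAG_A))
    print(product_prefix(TAG_A) == product_prefix(TAG_B), TAG_A != TAG_B)
```

Anyone who can read the identifier learns the manufacturer and product type from the prefix alone, and the serial number ties repeated sightings to one physical item.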
RFID threats
RFID technology offers unprecedented opportunities for theft, covert tracking and behavioral profiling. Without proper controls, attackers can read RFID tags without authorization and covertly track the location of people, animals or objects by correlating sightings of tags. Snooping is possible by eavesdropping on tag/reader communications. Attackers can also manipulate RFID-based systems (e.g. retail payment systems) by cloning RFID tags, modifying existing tag data or preventing RFID tags from being read. Over time, various countermeasures against these threats have been proposed. The simplest solution is to disable RFID tags, either permanently, using techniques such as killing (with the EPCglobal kill command), clipping (mechanically breaking some or all of the antenna), the RFID-Zapper (which permanently destroys passive tags) or frying, or temporarily, using Faraday boxes, sleep/wake modes or a jamming generator. In cryptology, new algorithms have been devised for RFID tags, including public-key cryptographic primitives, block ciphers, stream ciphers and lightweight authentication protocols. Access control mechanisms have also been designed, either on the tag (hash-based locks and pseudonyms) or off the tag, such as blockers or RFID enhancer proxies. Some privacy implications are: (i) Detecting the presence of an RFID tag, which usually indicates the presence of a human being. (ii) Determining the origin of the person carrying the tags. (iii) Monitoring: correlating multiple observations of the identifier of the entity/RFID tag. (iv) Hotlisting: the attacker has in advance a list of tags/entities to be recognized. (v) Rewriting tags, for example by using cookies or malware.
The main privacy concerns about RFID are: identifiers are unique for all objects worldwide; massive data correlation becomes possible; individuals can be tracked and their behavior profiled; data stored in a tag can be altered; tags can be read remotely (including by satellite); readers can be hidden; and the placement of RFID tags can be concealed, with decoy labels luring the customer into killing those instead. RFtracker.com can be searched by RFID tag number, and the names of persons are associated with those numbers in a database. RFtracker.com maintains two databases: one matching tag numbers to the people who hold those numbers and items, and another that keeps records of sightings from RFID readers located worldwide, with date-time, location and RFID tag number.
Concluding remarks
Our research group has worked for over fifteen years on RFID technology, where ubiquitous computing is a present and a future without limits, from various points of view: offensive, defensive, tag design, synthesis of unconventional reading units, antennas, risk management, testing of attacks and countermeasures, and so on.
This article is part of the activities within the LEFIS-APTICE project (funded by Socrates).
Author:
Prof. Dr. Javier Areitio Bertolín
Professor at the Faculty of Engineering. Degrees.
Director of the Research Networks and Systems. University of Deusto.