
RFID Security and Privacy: A Research Survey

Ari Juels

Source: RSA Laboratories, 28 September 2005

http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/pdfs/rfid_survey_28_09_05.pdf

Abstract—This article surveys recent technical research on the problems of privacy and security for RFID (Radio Frequency IDentification).

RFID tags are small, wireless devices that help identify objects and people. Thanks to dropping cost, they are likely to proliferate into the billions in the next several years – and eventually into the trillions. RFID tags track objects in supply chains, and are working their way into the pockets, belongings and even the bodies of consumers. This survey examines approaches proposed by scientists for privacy protection and integrity assurance in RFID systems, and treats the social and technical context of their work. While geared toward the non-specialist, the survey may also serve as a reference for specialist readers.

A condensed version of this survey will appear in the IEEE Journal on Selected Areas in Communication (J-SAC) in 2006.

Keywords: authentication, cloning, counterfeiting, EPC, privacy, security, RFID

I. Introduction

RFID (Radio-Frequency IDentification) is a technology for automated identification of objects and people. Human beings are skillful at identifying objects under a variety of challenging circumstances. A bleary-eyed person can easily pick out a cup of coffee on a cluttered breakfast table in the morning, for example. Computer vision, though, performs such tasks poorly. RFID may be viewed as a means of explicitly labeling objects to facilitate their “perception” by computing devices.

An RFID device – frequently just called an RFID tag – is a small microchip designed for wireless data transmission. It is generally attached to an antenna in a package that resembles an ordinary adhesive sticker. The microchip itself can be as small as a grain of sand, some 0.4 mm² [82]. An RFID tag transmits data over the air in response to interrogation by an RFID reader.

In both the popular press and academic circles, RFID has seen a swirl of attention in the past few years. One important reason for this is the effort of large organizations, such as Wal-Mart, Procter and Gamble, and the United States Department of Defense, to deploy RFID as a tool for automated oversight of their supply chains. Thanks to a combination of dropping tag costs and vigorous RFID standardization, we are on the brink of an explosion in RFID use.

Advocates of RFID see it as a successor to the optical barcode familiarly printed on consumer products, with two distinct advantages:

1)  Unique identification: A barcode indicates the type of object on which it is printed, e.g., “This is a 100g bar of ABC brand 70% chocolate.” An RFID tag goes a step further. It emits a unique serial number that distinguishes among many millions of identically manufactured objects; it might indicate, e.g., that “This is a 100g bar of ABC brand 70% chocolate, serial no. 897348738.” The unique identifiers in RFID tags can act as pointers to database entries containing rich transaction histories for individual items.

2)  Automation: Barcodes, being optically scanned, require line-of-sight contact with readers, and thus careful physical positioning of scanned objects. Except in the most rigorously controlled environments, barcode scanning requires human intervention. In contrast, RFID tags are readable without line-of-sight contact and without precise positioning. RFID readers can scan tags at rates of hundreds per second. For example, an RFID reader by a warehouse dock door can today scan stacks of passing crates with high accuracy. In the future, point-of-sale terminals may be able to scan all of the items in passing shopping carts [90].

Due to tag cost and a hodgepodge of logistical complications – like the ubiquity of metal shelving, which interferes with RFID scanning – RFID tags are unlikely to appear regularly on consumer items for some years. Retailers have expressed interest, though, in ultimately tagging individual items. Such tagging would, for instance, address the perennial problem of item depletion on retail shelves, which is costly in terms of lost sales.

Today, RFID is seeing fruition in the tagging of crates and pallets, that is, discrete bulk quantities of items. RFID tagging improves the accuracy and timeliness of information about the movement of goods in supply chains.

The main form of barcode-type RFID device is known as an EPC (Electronic Product Code) tag. An organization known as EPCglobal Inc. [25] oversees the development of the standards for these tags. Not surprisingly, EPCglobal is a joint venture of the UCC and EAN, the bodies that regulate barcode use in the United States and the rest of the world respectively.

EPC tags cost less than thirteen U.S. cents apiece in large quantities at present [2]. Manufacturers and users hope to see per-tag costs drop to five cents in the next few years [75]. RFID readers cost several thousand dollars each, but it is likely that their cost will soon drop dramatically.

In the quest for low cost, EPC tags adhere to a minimalist design. They carry little data in on-board memory. The unique index of an EPC tag, known as an EPC code, includes information like that in an ordinary barcode, but serves also as a pointer to database records for the tag. An EPC code today can be up to 96 bits in length [47]. Database entries for tags, of course, can have effectively unlimited size, so that the recorded history of a tag and its associated object can be quite rich. EPCglobal has developed a public lookup system for EPC tags called the ONS (Object Name Service), analogous in name and operation to the DNS (Domain Name System). The purpose of the ONS is to route general tag queries to the databases of tag owners and managers.

In general, small and inexpensive RFID tags are passive. They have no on-board power source; they derive their transmission power from the signal of an interrogating reader. Passive tags can operate in any of a number of different frequency bands. LF (Low-Frequency) tags, which operate in the 124 kHz – 135 kHz range, have nominal read ranges of up to half a meter. HF (High-Frequency) tags, operating at 13.56 MHz, have ranges up to a meter or more (but typically on the order of tens of centimeters). UHF tags (Ultra High-Frequency), which operate at frequencies of 860 MHz – 960 MHz (and sometimes 2.45 GHz), have the longest range – up to tens of meters. UHF tags, though, are subject to more ambient interference than lower-frequency types. Later in this survey, we enumerate the major standards for passive RFID devices.

Some RFID tags contain batteries. There are two such types: semi-passive tags, whose batteries power their circuitry when they are interrogated, and active tags, whose batteries power their transmissions. Active tags can initiate communication, and have read ranges of 100m or more. Naturally, they are expensive, costing some $20 or more.

less credit-cards, like American Express ExpressPay™ and the Mastercard PayPass™ use RFID. Some fifty million house pets around the world have RFID tags implanted in their bodies, to facilitate return to their owners should they become lost.

In a world where everyday objects carried RFID tags – perhaps the world of the future – remarkable things would be possible. Here are a few possibilities (among the myriad that the reader might dream up):

Smart appliances: By exploiting RFID tags in garments and packages of food, home appliances could operate more cleverly. Washing machines might select wash cycles automatically, for instance, to avoid damage to delicate fabrics. Your refrigerator might warn you when the milk has expired or you have only one remaining carton of yogurt – and could even transmit a shopping list automatically to a home delivery service.

Shopping: In retail shops, consumers could check out by rolling shopping carts past point-of-sale terminals. These terminals would automatically tally the items, compute the total cost, and perhaps even charge the consumers’ RFID-enabled payment devices and transmit receipts to their mobile phones. Consumers could return items without receipts. RFID tags would act as indices into database payment records, and help retailers track the pedigrees of defective or contaminated items.

Interactive objects: Consumers could interact with RFID-tagged objects through their mobile phones. (Some mobile phones already have RFID readers.) A consumer could scan a movie poster to display showtimes on her phone. She could obtain manufacturer information on a piece of furniture she likes by waving her phone over it.

Medication compliance: Research at Intel and the University of Washington [32] exploits RFID to facilitate medication compliance and home navigation for the elderly and cognitively impaired. As researchers have demonstrated, for example, an RFID-enabled medicine cabinet could help verify that medications are taken in a timely fashion. More generally, RFID promises to bring tremendous benefits to hospitals [30].

But what, really, is “RFID”?

We have discussed the basics of RFID and laid out some evocative scenarios. Yet we have not formally defined the term “RFID.” A wholly satisfying definition is elusive. But it is not a mere pedantic exercise: The definition of RFID can have an important impact on technical and policy discussions.

In this article, we use “RFID” to denote any RF device whose main function is identification of an object or person. At the rudimentary end of the functional spectrum, this definition excludes simple devices like retail inventory tags, which merely indicate their presence and on/off status. It also excludes portable devices like mobile phones, which do more than merely identify themselves or their bearers. A broad definition for “RFID” is appropriate because the technical capabilities and distinctions among RF devices will drift over time, and the privacy and authentication concerns that we highlight in this paper apply broadly to RF identification devices great and small. Most importantly, though, the names of standards like “ISO 14443” or “EPC Class-1 Gen-2” do not trip off the tongue or inhere well in the mind. The term “RFID” will unquestionably remain the popular one, and the term according to which most people frame debate and policies – a fact it behooves technologists to remember.

Of course, standards precisely define classes of RF devices. It is worth briefly mentioning the major ones. ISO 18000 is a multi-part standard that specifies protocols for a number of different frequencies, including LF, HF, and UHF bands. For UHF tags, the dominant standard will very likely be the recently ratified EPCglobal Class-1 Gen-2 standard. For HF tags, there are two main standards apart from ISO 18000. ISO 14443 (types A and B) is a standard for “proximity” RFID devices; it has a nominal 10cm operating range. ISO 15693 is a more recent HF standard for “vicinity” RFID devices; it can achieve longer nominal ranges – up to 1m for large antenna setups. (Mode 1 of ISO 18000 Part 3 is based on ISO 15693.)

Also of note is the NFC (Near-Field Consortium) standard (NFCIP-1/ECMA340, ISO 18092). Compatible with ISO 14443 and ISO 15693, this HF standard transcends the fixed tag-reader model, in that an NFC device can operate as either a reader or a tag, and thus either transmit or receive. Some mobile phones today support NFC; many portable devices may well in the future.

Security and Privacy Problems

1) Privacy: RFID raises two main privacy concerns for users: clandestine tracking and inventorying.

RFID tags respond to reader interrogation without alerting their owners or bearers. Thus, where read range permits, clandestine scanning of tags is a plausible threat. As discussed above, most RFID tags emit unique identifiers, even tags that protect data with cryptographic algorithms (as we discuss below). In consequence, a person carrying an RFID tag effectively broadcasts a fixed serial number to nearby readers, providing a ready vehicle for clandestine physical tracking. Such tracking is possible even if a fixed tag serial number is random and carries no intrinsic data.

The threat to privacy grows when a tag serial number is combined with personal information. For example, when a consumer makes a purchase with a credit card, a shop can establish a link between her identity and the serial numbers of the tags on her person. Marketers can then identify and profile the consumer using networks of RFID readers – both inside shops and without. The problem of clandestine tracking is not unique to RFID, of course. It affects many other wireless devices, such as Bluetooth-enabled ones [51].

In addition to their unique serial numbers, certain tags – EPC tags in particular – carry information about the items to which they are attached. EPC tags include a field for the “General Manager,” typically the manufacturer of the object, and an “Object Class,” typically a product code, known formally as a Stock Keeping Unit (SKU). (See [47] for details.) Thus a person carrying EPC tags is subject to clandestine inventorying. A reader can silently determine what objects she has on her person, and harvest important personal information: What types of medications she is carrying, and therefore what illnesses she may suffer from; the RFID-enabled loyalty cards she carries, and therefore where she shops; her clothing sizes and accessory preferences, and so forth. This problem of inventorying is largely particular to RFID.
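The two concerns rest on different parts of the identifier, which matters when assessing what a given tag exposes. The following is an added example, not code from the survey: it decodes the GID-96 layout of a 96-bit EPC (8-bit header 0x35, 28-bit General Manager, 24-bit Object Class, 36-bit serial) and shows that inventorying needs the product fields, while linking sightings needs only a fixed identifier, even a random one. The catalogue, reader locations and tag values are constructed for illustration.

```python
from collections import defaultdict

GID96_HEADER = 0x35  # 8-bit header value identifying the GID-96 scheme

def make_gid96(manager, object_class, serial):
    """Build a 24-hex-digit GID-96 EPC (used here to construct sample tags)."""
    if not (0 <= manager < 1 << 28 and 0 <= object_class < 1 << 24
            and 0 <= serial < 1 << 36):
        raise ValueError("field out of range for GID-96")
    value = (GID96_HEADER << 88) | (manager << 60) | (object_class << 36) | serial
    return "%024X" % value

def parse_gid96(epc_hex):
    """Split a GID-96 EPC into General Manager, Object Class and serial."""
    if len(epc_hex) != 24:
        raise ValueError("a 96-bit EPC is exactly 24 hex digits")
    value = int(epc_hex, 16)
    if value >> 88 != GID96_HEADER:
        raise ValueError("not a GID-96 EPC")
    return {
        "general_manager": (value >> 60) & ((1 << 28) - 1),
        "object_class": (value >> 36) & ((1 << 24) - 1),
        "serial": value & ((1 << 36) - 1),
    }

def inventory(epcs, catalogue):
    """What a reader learns about the carried items, ignoring serials."""
    items = []
    for epc in epcs:
        try:
            fields = parse_gid96(epc)
        except ValueError:
            continue  # opaque identifier: no product data to inventory
        key = (fields["general_manager"], fields["object_class"])
        items.append(catalogue.get(key, "unknown product %d/%d" % key))
    return sorted(items)

def link_sightings(sightings):
    """Group reader locations by identifier; needs no knowledge of the format."""
    seen = defaultdict(list)
    for location, epc in sightings:
        seen[epc].append(location)
    return {epc: locs for epc, locs in seen.items() if len(locs) > 1}

# Constructed sample data: manager/class numbers and labels are made up.
CATALOGUE = {
    (1001, 42): "ABC brand 70% chocolate, 100g bar",
    (2002, 7): "medication (product class 7)",
}
CHOCOLATE = make_gid96(1001, 42, 897348738)
MEDICATION = make_gid96(2002, 7, 55)
RANDOM_ID = "00A1B2C3D4E5F60718293A4B"  # random value, carries no product data

SIGHTINGS = [
    ("shop entrance", CHOCOLATE), ("shop entrance", MEDICATION),
    ("shop entrance", RANDOM_ID), ("train station", RANDOM_ID),
    ("train station", MEDICATION),
]

if __name__ == "__main__":
    print(inventory([CHOCOLATE, MEDICATION, RANDOM_ID], CATALOGUE))
    for epc, places in link_sightings(SIGHTINGS).items():
        print(epc, "->", places)
```

The random identifier never appears in the inventory, yet it is linked across both locations: removing product data from a tag addresses inventorying but leaves tracking untouched.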

Today the problems of clandestine RFID tracking and inventorying are of limited concern, since RFID infrastructure is scarce and fragmentary. As explained above, the tagging of individual retail items is probably some years away. Once RFID becomes pervasive, however, as is almost inevitable, the privacy problem will assume more formidable dimensions. One harbinger of the emerging RFID infrastructure is Verisign’s EPC Discovery Service [48]. It creates a unified view of sightings of individual EPC tags across organizations.

Figure 1 illustrates the threat of clandestine RFID inventorying as it might in principle emerge in the future.

Remark: Some people like to point out that mobile phones already permit wireless physical tracking, and are practically ubiquitous. Mobile phones, however, have on/off switches. More importantly, mobile phones transmit signals receivable only by specialized telecommunication equipment. The owner of a mobile phone mainly reposes trust in her service provider. By contrast, most RFID tags are scannable by commodity RFID readers, which will soon be everywhere. Of course, mobile handsets increasingly exploit new channels like Bluetooth and WiFi, so some of the privacy distinctions between RFID tags and mobile phones will erode. Mobile phones, though, have fairly considerable computing power, and can support sophisticated forms of access control.

There is already considerable political and media ferment around RFID privacy. Several consumer advocacy groups have mounted campaigns against RFID deployment in retail settings. In 2003, for example, a boycott [3] caused Benetton to disavow RFID-tagging plans for its garments (amid misconceptions about the company’s plans [6]). In the same year, a group of privacy organizations signed a position statement on the use of RFID in consumer products [27].

 

Fig. 1. An illustration of potential consumer privacy problems of RFID

Passports: An international organization known as the International Civil Aviation Organization (ICAO) has promulgated guidelines for RFID-enabled passports and other travel documents [46], [57]. The United States has mandated the adoption of these standards by twenty-seven “Visa Waiver” countries as a condition of entry for their citizens. The mandate has seen delays due to its technical challenges and changes in its technical parameters, partly in response to lobbying by privacy advocates [91].

Human implantation: Few other RFID systems have inflamed the passions of privacy advocates like the VeriChip system [84]. VeriChip is a human-implantable RFID tag, much like the variety for house pets. One intended application is medical-record indexing; by scanning a patient’s tag, a hospital can locate her medical record. Indeed, hospitals have begun experimentation with these devices [41]. Physical access control is another application in view for the VeriChip.

In the United States, several states have initiated RFID-privacy legislation, most notably California, where the state assembly considered (and rejected) bills in 2004 and 2005. Often overlooked in policy discussion is the REAL ID Act, recently passed by the U.S. legislature. This bill mandates the development of federal U.S. standards for drivers’ licenses, and could stimulate wide deployment of RFID tags.

a) Read ranges: Tag read ranges are an important factor in discussions about privacy. Different operating frequencies for tags induce different ranges, thanks to their distinctive physical properties. Under ideal conditions, for instance, UHF tags have read ranges of over ten meters; for HF tags, the maximum effective read distance is just a couple of meters. Additionally, environmental conditions impact RFID efficacy. The proximity of radio-reflective materials, e.g., metals, and radio-absorbing materials, like liquids, as well as ambient radio noise, affect scanning distances. At least one manufacturer, Avery Dennison, has devised RFID tags specially for application to metal objects. Liquids – like beverages and liquid detergents – have hampered the scanning of UHF tags in industry RFID pilots. Protocol and hardware-design choices also affect read ranges.

The human body, consisting as it does primarily of liquid, impedes the scanning of UHF tags, a fact consequential to RFID privacy. If in the future you find yourself worried about clandestine scanning of the RFID tag in your sweater, the most effective countermeasure may be to wear it!

Sometimes RFID tags can foul systems by reason of excessively long range. In prototypes of automated supermarket-checkout trials run by NCR Corporation, some (experimental) patrons found themselves paying for the groceries of the people behind them in line [90].

Certainly, the RFID industry will overcome many of these impediments, so it would be a mistake to extrapolate tag capabilities too far into the future. It is important, however, to keep the limitations of physics in mind.

IV. Conclusion

It is astonishing how a modest device like an RFID tag, essentially just a wireless license plate, can give rise to the complex melange of security and privacy problems that we explore here. RFID privacy and security are stimulating research areas that involve rich interplay among many disciplines, like signal processing, hardware design, supply-chain logistics, privacy rights, and cryptography. There remain connections to be explored between the work surveyed here and other areas of study. We conclude by highlighting a few of these.

The majority of the articles treated in this survey explore security and privacy as a matter between RFID tags and readers. Of course, tags and readers lie at the fringes of a full-blown RFID system. At the heart will reside a massive infrastructure of servers and software. Many of the attendant data-security problems – like that of authenticating readers to servers – involve already familiar data-security protocols. But the very massive scale of RFID-related data flows and cross-organizational information sharing will introduce new data-security problems. We have mentioned key-management and PIN distribution for tags as one such potential problem. Other challenges will arise from the fluidity of changes in tag ownership. Today, domain names, for example, do not change hands very frequently; the DNS can involve human-intermediated access-control. The ONS – should it indeed see fruition – will need to accommodate many, many more objects that change hands with great frequency.

Sensors are small hardware devices similar in flavor to RFID tags. While RFID tags emit identifiers, sensors emit information about their environments, like ambient temperature or humidity. Sensors typically contain batteries, and are thus larger and more expensive than passive RFID tags. Between active RFID tags and sensors, however, there is little difference but nomenclature. For example, some commercially available active RFID devices are designed to secure port containers. They emit identifiers, but also sense whether or not a container has been opened. Given such examples, there is surprisingly little overlap between the literature on sensor security and that on RFID security. The boundaries between wireless-device types will inevitably blur, as evidenced by the dual role of reader and tag played by NFC devices.

Another important aspect of RFID security is that of user perception of security and privacy in RFID systems. As users cannot see RF emissions, they form their impressions based on physical cues and industry explanations. RFID will come to secure ever more varied forms of physical access and logical access. To engineer usable RFID systems and permit informed policy decisions, it is important to understand how RFID and people mix. This area sees some preliminary examination in [66], [77], [23].

Further reading: Finkenzeller [29] is the standard reference for general technical background on RFID. Shorter and more accessible are the on-line primer materials published by the RFID Journal [1], which is also a helpful source of current industry news.

The master’s thesis of Steven Weis [88] describes early work in the area of RFID privacy, and provides good technical background. The recent U.S. Federal Trade Commission report in [21] provides a helpful regulatory perspective on RFID as it relates to consumers. An advisory committee known as the Article 29 Working Party is in the process of developing European Commission privacy guidelines for RFID, which should be available soon. In 2003, a workshop on RFID Privacy took place at the MIT Media Lab. The workshop gave rise to a recently published book entitled RFID: Applications, Security, and Privacy [37]; the contributing authors offer a rainbow of backgrounds and perspectives.

References

[1] RFID Journal. Online publication. Referenced 2005 at http://www.rfidjournal.com.

[2] Alien Technology Corporation achieves another step toward pervasive, economic RFID with announcement of 12.9 cent RFID labels, 13 September 2005. Alien Technology Press Release. Referenced 2005 at http://www.alientechnology.com.

[3] Boycott Benetton web site, 2005. Referenced 2005 at http://www.boycottbenetton.com.

[4] ECRYPT (European network for excellence in cryptology), stream cipher project Web page, 2005. Referenced 2005 at http://www.ecrypt.eu.org/stream/.

[5] Texas Instruments Gen 2 inlay data sheet, 2005. Referenced 2005 at http://www.ti.com/rfid/docs/manuals/pdfSpecs/epc inlay.pdf

[6] Benetton explains RFID privacy flap. RFID Journal, 23 June 2004. Referenced 2005 at http://www.rfidjournal.com/article/articleview/471/1/1/.

[7] Merloni unveils RFID appliances. RFID Journal, 4 April 2003. Referenced 2005 at http://www.rfidjournal.com/article/articleview/369/1/1/.

[8] R. J. Anderson and M. G. Kuhn. Low cost attacks on tamper resistant devices. In B. Christianson, B. Crispo, T. M. A. Lomas, and M. Roe, editors, Security Protocols Workshop, volume 1361 of Lecture Notes in Computer Science, pages 125-136. Springer-Verlag, 1997.

[9] G. Ateniese, J. Camenisch, and B. de Madeiros. Untraceable RFID tags via insubvertible encryption. In 12th ACM Conference on Computer and Communication Security, 2005. To appear.

[10] G. Avoine. Privacy issues in RFID banknote protection schemes. In J.-J. Quisquater, P. Paradinas, Y. Deswarte, and A. Abou El Kadam, editors, The Sixth International Conference on Smart Card Research and Advanced Applications – CARDIS, pages 33-48. Kluwer Academic Publishers, 2004.

[11] G. Avoine. Adversarial model for radio frequency identification, 2005. Cryptology ePrint Archive, Report 2005/049. Referenced 2005 at http://eprint.iacr.org.

[12] G. Avoine, E. Dysli, and P. Oechslin. Reducing time complexity in RFID systems. In B. Preneel and S. Tavares, editors, Selected Areas in Cryptography – SAC 2005, Lecture Notes in Computer Science. Springer-Verlag, 2005. To appear.