Security Issues for ISO 18000-6 Type C RFID: Identification and Solutions

Rfid Background

RFID provides a means to remotely identify and monitor assets. Initially used for monitoring retail inventories, supply chain management, automatic toll collection (e.g. EZ-Pass), and keyless entry systems, RFID is now being coupled with sensors to monitor the asset’s condition (Todd, Phillips, Schultz, Hawkins & Jensen, 2009; Law, Bermak & Luong, 2010). The attachment of sensors increases the value and applicability of the information provided by the tag. Wireless sensors offer many advantages for monitoring conditions in hard to access places and machinery because wiring is minimal and minimal infrastructure is required for wireless sensor systems. As a result, RFID systems are being investigated for use as the communication medium for edge devices to sense conditions for critical infrastructures such as the Smart Grid (next generation power grid). This increase makes RFID systems a target for or a tool in the use of a malicious cyber-attack. Thus, the security of the communication protocols employed to connect RFID devices together must be investigated.

RFID systems are comprised of four major components: RFID tags, RFID readers, RFID middleware, and backend software. The backend software controls the overall system and provides the repository of information for the tags. An enterprise resource planning (ERP) software package is one example of backend software. The RFID middleware sits between the backend software and RFID reader. Sometimes the RFID middleware is contained within the RFID reader itself. The RFID middleware provides the functionality of a device driver to link the RFID reader to the network and ultimately to the backend software, and filters or prunes the information sent to the backend software. This helps to reduce the amount of data transmitted over the network. The RFID reader is the edge device providing the last mile network connection between itself and the RFID tag. RFID tags are attached to the asset. RFID tags contain a unique identification number and possibly some additional memory that may read only or read-writable. Some RFID tags, termed a license plate tag, contain only the unique identifier that is used to access a record in a database maintained by the backend software. More advanced tags offer additional memory that can store or record additional information, such as expiration date or to track information over the asset’s lifetime.

One general classification for RFID tags is based on how they are powered. There are three types of tags using this classification: passive, battery-assisted passive (BAP), and active. Passive tags have no on-board battery and must harvest their operating energy from the environment. A group of passive tags are shown in Figure 1.

Figure 1.

Passive RFID tags