RFID Wireless Link Threats

Ilker Onat (University of Ottawa, Canada) and Ali Miri (Ryerson University, Toronto, Canada)
Copyright: © 2013 |Pages: 9
DOI: 10.4018/978-1-4666-3685-9.ch003


This chapter gives an overview of wireless link threats against RFID systems. A major portion of RFID tags are passive devices without their own power source, and they can be easily attacked. It is difficult to implement countermeasures in RFID tags due to major resource constraints. In this chapter, the major attack types against RFID systems are described. The vulnerabilities of RFID systems are explained along with the proposed solutions and design methods against the attacks.
Chapter Preview

3.1 Introduction

RFID devices are used in logistics, consumer applications and different business specific applications. With the increasing number of RFID devices used in daily life, security and user privacy concerns are also becoming critical. Since RFID uses a wireless medium, all the threats associated with wireless media usage exist in RFID systems. RFID systems are further challenged by these threats because of the tags’ limited hardware and energy capacity for implementing robust security measures.

Tags can be passive or active. A passive tag obtains all of its energy for communications and data processing from the electric or magnetic field of the reader. An active tag on the other hand includes a battery. The general operation of a passive tag is given in Figure 1. In this chapter we will overview the possible wireless link based attacks against RFID systems using passive tags and summarize the current protection algorithms against them.

Figure 1. Passive tag communications


According to hardware complexity, RFID tags can be low-end, mid-range and high-end systems. Low-end systems are mostly low-cost, low-power one-bit transponders with no medium access control. Mid-range tags allow reading and writing on their memory. They can be addressed and they can support cryptographic security primitives. High-end tags such as smartcards allow complex authentication algorithms. Top-end smartcards carry cryptographic co-processors allowing complex calculations.


3.2 Eavesdropping Attacks

Eavesdropping is the interception of the communication between the reader and the tag, or the unauthorized listening to and storing of information in the open wireless medium. A similar attack is the skimming attack, where the attacker actually provides power to the tag and acts as a false reader. In an eavesdropping attack, the attacker passively listens to and records the bits sent over the air. Therefore he has to be in the vicinity of the reader and the tag in order to perform the attack. The attacker also has to have the right RF equipment before he can recover and store the wireless data. An attacker with better wireless equipment, i.e., higher-sensitivity RF devices, will be able to eavesdrop correctly further away from the reader and the tag than an attacker with simple RF equipment. As long as the communication standard and the frequency are known, obtaining the bits from the wireless medium is an easy task for a passive attacker listening to the medium. The severity of this attack against different RFID systems is mainly determined by the range of the wireless communications, i.e., the distance between the tags and the reader. This range is determined by the operating frequency of the reader, the physical coupling method and the transmit power of the active elements. The recovery of useful data by eavesdropping can be prevented by application layer encryption of the transmitted data. Many HF RFID systems have components that can implement application layer encryption; however, these attacks are still important, since many application layer algorithms are designed on the assumption that the HF RFID communication range is small. In (Hancke, 2011) the vulnerabilities of such systems are discussed.

It is also important to make a distinction between the two channels in this attack. The reader-to-tag channel, also called the forward channel, carries a higher RF power signal, since the emitted power is also used to power the tag and its RF logic. The tag-to-reader channel, or the backward channel, has much lower RF power, since the tag is passive and only modulates the reader-transmitted signal. Depending on the distance, the attacker may only sense that communication is taking place but not recover the data, or may recover only the forward channel's data, or both the forward and backward channels' data.
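The range asymmetry described above (better receiver sensitivity extends the eavesdropping distance, and the forward channel is recoverable from much further away than the backscattered backward channel) can be put into numbers with a simple link-budget model. The following is an added example, not code from the chapter: it assumes a far-field UHF system (866 MHz), a log-distance path-loss model, and constructed figures for reader EIRP, tag antenna gain, backscatter loss and attacker receiver sensitivity, so the outputs are exposure estimates for deciding whether application-layer encryption is needed, not measurements.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def path_loss_db(distance_m: float, freq_hz: float, exponent: float = 2.0) -> float:
    """Log-distance path loss: free-space (Friis) loss at 1 m, then 10*n*log10(d).
    exponent 2.0 is free space; 3.0 is a rough cluttered/indoor assumption."""
    wavelength = C / freq_hz
    loss_1m = 20 * math.log10(4 * math.pi / wavelength)
    return loss_1m + 10 * exponent * math.log10(distance_m)


def rx_power_dbm(eirp_dbm, rx_gain_dbi, distance_m, freq_hz, exponent=2.0):
    """Power an eavesdropper's receiver sees from a source of the given EIRP."""
    return eirp_dbm + rx_gain_dbi - path_loss_db(distance_m, freq_hz, exponent)


def max_range_m(eirp_dbm, rx_gain_dbi, sensitivity_dbm, freq_hz, exponent=2.0):
    """Largest distance at which rx_power_dbm still meets the receiver sensitivity
    (closed-form inverse of path_loss_db)."""
    budget_db = eirp_dbm + rx_gain_dbi - sensitivity_dbm
    loss_1m = path_loss_db(1.0, freq_hz, exponent)
    return 10 ** ((budget_db - loss_1m) / (10 * exponent))


def tag_reply_eirp_dbm(reader_eirp_dbm, reader_tag_dist_m, freq_hz,
                       tag_gain_dbi=2.0, backscatter_loss_db=6.0, exponent=2.0):
    """EIRP of a passive tag's reply: the tag only re-radiates a fraction of the
    reader power that reaches it (gain and loss figures are constructed)."""
    incident_dbm = rx_power_dbm(reader_eirp_dbm, tag_gain_dbi, reader_tag_dist_m,
                                freq_hz, exponent)
    return incident_dbm + tag_gain_dbi - backscatter_loss_db


def eavesdrop_ranges_m(reader_eirp_dbm, reader_tag_dist_m, attacker_sensitivity_dbm,
                       attacker_gain_dbi=6.0, freq_hz=866e6, exponent=3.0):
    """Return (forward_channel_range, backward_channel_range) in metres: how far
    away a receiver of the given sensitivity still decodes each channel."""
    forward = max_range_m(reader_eirp_dbm, attacker_gain_dbi,
                          attacker_sensitivity_dbm, freq_hz, exponent)
    reply_eirp = tag_reply_eirp_dbm(reader_eirp_dbm, reader_tag_dist_m, freq_hz,
                                    exponent=exponent)
    backward = max_range_m(reply_eirp, attacker_gain_dbi,
                           attacker_sensitivity_dbm, freq_hz, exponent)
    return forward, backward


if __name__ == "__main__":
    # Constructed scenario: 33 dBm EIRP UHF reader, tag 3 m away, exponent 3.
    for sens in (-70.0, -90.0):  # basic vs. higher-sensitivity receiver (assumed)
        fwd, bwd = eavesdrop_ranges_m(33.0, 3.0, sens)
        print(f"sensitivity {sens:.0f} dBm: forward ~{fwd:.0f} m, backward ~{bwd:.1f} m")
```

With these assumptions the forward channel is decodable at a few hundred metres while the backward channel drops out at roughly ten metres, and a 20 dB better receiver roughly quadruples the backward-channel range; the asymmetry, not the absolute numbers, is the point.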
