Foundations of Privacy 2010 Guy Katz

Foundations of Privacy 2010 Guy Katz. Introduction to RFID How does it work Threats to user privacy Possible solutions.

Dec 22, 2015


Foundations of Privacy 2010

Guy Katz


Introduction to RFID
How does it work
Threats to user privacy
Possible solutions


“Wireless” Identification System
Consists of
◦ Tag
    Small transponder
    Attached to a physical object
◦ Transceiver
    Reads (writes) data from tags
    Connected to some database


RFID has been around for 60 years
◦ “Friend or Foe” systems in WW II:
    German pilots would roll their planes when coming back to base
    The British put basic transmitters on theirs
Theft prevention (1970’s)
◦ Trucks in Los Alamos laboratory had transponders
Toll payments
Agriculture


A large increase in deployment since year 2000
Reasons:
◦ Tags and readers much smaller and cheaper
◦ Worldwide standardization (ISO)


Supply Chain Management
◦ From production to customer; replaces bar codes
Payment systems
◦ Toll roads, cafeterias, Rav-Kav
Access Control
◦ Weizmann Institute of Science
Theft Prevention
Anti-Counterfeiting
◦ Passports, Money Bills
Implanted Tags


Electronic Product Codes (RFID) vs. Barcodes

Read Rate
◦ Electronic Product Codes (RFID): High throughput. Multiple (>100) tags can be read simultaneously
◦ Barcodes: Very low throughput. Tags can only be read manually, one at a time
Line of Sight
◦ Electronic Product Codes (RFID): Not required
◦ Barcodes: Definitely required
Durability
◦ Electronic Product Codes (RFID): Can even be internally attached
◦ Barcodes: Easily damaged, swapped or removed; cannot be read if dirty or greasy
Human Capital
◦ Electronic Product Codes (RFID): Virtually none. Once up and running, the system is completely automated
◦ Barcodes: Large requirements. Laborers must scan each tag
Event Triggering
◦ Electronic Product Codes (RFID): Capable. Can be used to trigger certain events (like door openings, alarms, etc)
◦ Barcodes: Not capable. Cannot be used to trigger events


Contain an antenna and a small circuit
Purpose in life: broadcast an ID
◦ Usually 128 bits
Very small - a few millimeters
“Cost Barrier” – 5 cents per tag
Two subgroups:
◦ Active Tags
◦ Passive Tags
[Figure: Integrated Circuit, 4 x 4 mm]


Can initiate communication on their own
◦ Transmit, looking for a reader
Range can be over 100 meters
Require a power source
◦ Consequently, expensive
[Figure: Active RFID Tag, part of a monitoring system, 6.5 x 4 x 2 cm]


No power source
◦ Consequently, very cheap
Energy extracted from RF signal
Can’t initiate communication on their own
◦ Need to receive energy before they can answer
Range up to 10 meters


Power tags through RF signals
Usually connected to some database
Singulation (Anti-Collision)
◦ Communicate with many tags at once
Still a bit expensive
◦ Cheapest ones around 500$


A method used by readers
Goal: discover all present tags
Difficulty: If many tags answer together, answers get mixed up
The reader can’t separate their answers
◦ Does know that more than one tag responded
Need a way to solve collisions…


The standard singulation protocol
Each round, the reader looks for an n-bit prefix
◦ Asks: “Who starts with 1010…?”
◦ Tags answer with their next digit
If multiple tags answer, recurse on both (n+1)-bit prefixes
For n tags and k identity bits, O(n*k)
In practice, a few seconds for a shopping cart


[Figure: tree walking over the tags 010, 011 and 101]
Who has “”? → 010, 011, 101
Who has “1”? → 101
Who has “10”? → 101
Who has “0”? → 010, 011
Who has “00”? Who has “01”? → 010, 011


Various ranges
◦ From 120 KHz to 10.6 GHz
Dictate passive read range
◦ From 10cm to 10 meters, accordingly.
Can be used to ignore more distant tags


Sniffing/Eavesdropping
Spoofing/Cloning
Tracking
Replay
Denial Of Service

Not all attacks related to privacy!


Tags contain an identification code
EPC usually consists of 64-128 bits
◦ Some bits indicate vendor and product ID
◦ Others form a unique product ID
Tags become associated with a person!
◦ Don’t even need to know item type


Reading is done silently and remotely
Personal information can be gathered
◦ Information about individuals’ habits: where you go, what you buy…
◦ Physical tracking of people
Military and Corporate Espionage
◦ Track down parts and components
Implanted Tags
◦ Big Brother?


Need to keep the tags cheap
A wide range of systems and uses
◦ No single solution suits everyone
Need to only block malicious readings
Defining the typical adversary
◦ What sort of equipment?
    Readers, tags, scanners, etc…
◦ What sort of abilities?
    Can impersonate a reader? Connect to the DB?
◦ Always present?


We focus on EPC (Electronic Product Code) RFID tags

Goal: prevent the adversary from associating a tag with a person


Physically prevent RFID tags from transmitting
◦ Aluminum foil lined wallets
◦ Special cases for smart passports
    Take off covers when transmission needed
Problem: only suitable for specific RFID tags
◦ Lead lined supermarket bags?
Commercial products already available
[Figure: Passport Case, available for 18$]


Tags contain a “kill” command
◦ A supermarket might disable tags on checkout
Zombie tags don’t answer readers
Prevents association of people with their tags
◦ Covers most privacy concerns
Problems:
◦ Some applications need the tag alive
    Alice’s milk carton
    Return products to stores
    Toll payment tags, implanted tags


An approach proposed by Juels and Brainard (2004)

Tags broadcast a privacy bit – “it’s ok/not ok to read me”
Problem: readers may choose whether to obey the policy
◦ Corrupt readers risk being caught
How does the owner configure the tags?
Naïve solution…


Cryptographic solutions inherently expensive
◦ Require computational power
◦ Require more memory
◦ Sometimes require source of randomness
Three approaches have been proposed:
◦ Hash-Lock
◦ Re-Encryption
◦ Silent Tree Walking
So far, all too expensive to be practical
◦ But we’ll have a look anyway…


Similar to a password
A tag can be locked by a reader
◦ Locked tags don’t transmit until unlocked
◦ Locked tags have an ID y
◦ Can only be unlocked by x s.t. h(x) = y
h: standard one-way hash function
The consumer knows x, can unlock at home
When locked, cannot be associated with the owner


Problems:
◦ Tags still need to calculate h(x)
    Expensive…
◦ Many tags, hard to manage
◦ Consumer might not be aware of all the tags he’s carrying


Mechanism to prevent counterfeiting of money bills

The idea:
◦ Put an RFID tag inside the bill
◦ Every bill has a unique ID
◦ Encrypt the ID with a police public key
◦ Periodically re-encrypt it

Can’t link different appearances of a given tag


Re-encryption done by external agents (in big stores, banks, etc)

Problems:
◦ Costly infrastructure
◦ Burdensome process
    Often need to re-encrypt
    People naturally lazy
◦ Unclear just how effective the process is
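
The re-encryption idea from the two slides above, sketched as an added example that is not part of the original slides. ElGamal is an assumption, chosen because a ciphertext can be re-randomized with the public key alone; the slides do not name a cipher, and the group parameters and the bill ID are constructed toy values.

```python
import secrets

# Toy group parameters (assumption for illustration only; not vetted for
# real use). P is the Mersenne prime 2^127 - 1.
P = 2**127 - 1
G = 3

def keygen():
    """Authority ("police") key pair: private x, public h = G^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encrypt(tag_id, h):
    """ElGamal encryption of a bill's ID under the public key h."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (tag_id * pow(h, r, P)) % P

def reencrypt(ct, h):
    """Re-randomize a ciphertext using only the public key.

    The external agent (store, bank) learns neither the ID nor the
    private key; it just multiplies in a fresh encryption of 1.
    """
    c1, c2 = ct
    s = secrets.randbelow(P - 2) + 1
    return (c1 * pow(G, s, P)) % P, (c2 * pow(h, s, P)) % P

def decrypt(ct, x):
    """Private-key holder recovers the ID: c2 / c1^x mod P."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P

def demo():
    x, h = keygen()
    bill_id = 0x1234ABCD                 # constructed sample ID
    seen = [encrypt(bill_id, h)]         # what a scanner reads off the tag
    for _ in range(3):                   # three visits to a re-encryption agent
        seen.append(reencrypt(seen[-1], h))
    return bill_id, seen, [decrypt(ct, x) for ct in seen]

if __name__ == "__main__":
    bill_id, seen, plain = demo()
    for ct in seen:
        print(hex(ct[0])[:18], hex(ct[1])[:18])
    print(all(p == bill_id for p in plain))
```

Each reading of the tag yields a different pair of values, so two sightings cannot be linked without the private key, while the key holder still recovers the same ID every time.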


Readers use singulation protocols
◦ Most common: Tree Walking
It is sufficient to eavesdrop on the reader to identify the tag (up to last bit)
A reader transmits much louder
◦ Can be “heard” from further away
The idea: encrypt the reader’s requests
◦ Makes eavesdropping harder


Problem: How to encrypt?
◦ Tags have limited resources and no randomness
◦ Need a shared reader-tag key beforehand
◦ Makes the system impractical

Still, might be useful combined with other solutions…


Using an exterior device to block tag readers

Enables a user to block the adversary
◦ One blocker suffices for all tags
◦ Cheap
    Same price as a tag
Don’t have to change existing RFID tags
Can turn off at home…


The idea: disrupt the singulation protocol
◦ Trick the reader - make it think all tags are present
◦ Makes reading useless
For instance, a tag that disrupts the tree walking algorithm
◦ Always answers both 0 and 1
    Might require two antennas
◦ The reader doesn’t know which tags exist


The blocker will disrupt any reading around it

Can be configured to only disrupt “private branches”
◦ Specific ID’s defined as private
◦ Readers have no right to read them…

Can change the tree walking algorithm to avoid unneeded queries


[Figure: the same tree walk over the tags 010, 011 and 101, with a blocker tag that blocks 0*]
Who has “”? → 010, 011, 101
Who has “1”? → 101
Who has “10”? → 101
Who has “0”? → 010, 011 (Blocker: blocks 0*)
Who has “00”? → 0, 1
Who has “01”? → 0, 1
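
The tree walking protocol and the selective blocker from the slides above, as an added simulation that is not part of the original deck. The function name, the `private_prefix` parameter and the `polite` reader flag are assumptions for illustration; the tag IDs are the three used in the figures.

```python
def tree_walk(tags, k, private_prefix=None, polite=False):
    """Reader-side tree walking over k-bit tag IDs (bit strings).

    private_prefix: if set, a blocker tag is present and answers both
        0 and 1 to every query inside that subtree.
    polite: the reader knows the private zone and does not query it
        (assumed variant of the algorithm that avoids unneeded queries).
    Returns (sorted IDs the reader believes are present, queries sent).
    """
    def in_private_zone(prefix):
        return private_prefix is not None and prefix.startswith(private_prefix)

    reported, queries = [], 0
    pending = [""]                      # prefixes still to be queried
    while pending:
        prefix = pending.pop()
        if polite and in_private_zone(prefix):
            continue                    # reader skips the private subtree
        queries += 1                    # "Who has <prefix>?"
        # Every tag matching the prefix broadcasts its next bit; the reader
        # only learns which bit values were heard, not how many tags sent them.
        heard = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if in_private_zone(prefix):
            heard = {"0", "1"}          # blocker simulates a full subtree
        for bit in heard:
            child = prefix + bit
            if len(child) == k:
                reported.append(child)  # last bit answered: ID singulated
            else:
                pending.append(child)   # recurse on the longer prefix
    return sorted(reported), queries


TAGS = {"010", "011", "101"}            # the three tags from the slides

def demo():
    return {
        "no blocker": tree_walk(TAGS, 3),
        "blocker on 0*": tree_walk(TAGS, 3, private_prefix="0"),
        "polite reader": tree_walk(TAGS, 3, private_prefix="0", polite=True),
    }

if __name__ == "__main__":
    for name, (ids, n) in demo().items():
        print(f"{name:14} {n} queries -> {ids}")
```

With the blocker present the reader reports all four IDs under 0*, so the real tags 010 and 011 cannot be told apart from the phantom 000 and 001. The polite reader never queries that subtree and finds only 101.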


Can the blocker itself pose a privacy breach?
◦ Can track a unique “private zone”
◦ Allow only a few privacy policies?
Bob’s blocker may disrupt Alice’s readings
◦ Can use a random “private zone” to avoid conflicts
◦ Tradeoff with the previous bullet
Tailored for the tree walking algorithm
◦ However, should be adjustable to any other algorithm as well
Can be used in Denial of Service attacks


RFID is becoming cheap and widespread
It can easily disclose private information
Partial solutions:
◦ Physical blocks
◦ Zombie tags
◦ Privacy Bits
Encryption schemes are effective, but require expensive tags and infrastructure
◦ Only suitable for specific cases

Blocker tags are a cheap, effective solution for EPC RFID tags


“Squealing Euros: Privacy-Protection in RFID-Enabled Banknotes” by Juels and Pappu, 2003

“Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems” by Weis et al, 2003

“Selective Blocking of RFID Tags for Consumer Privacy” by Juels, Rivest & Szydlo, 2003

“RFID Privacy: An Overview of Problems and Proposed Solutions” by Garfinkel, Juels & Pappu, 2005

“RFID”, presentation by Alon Rosen