The acronym RFID (Radio-Frequency Identification) refers to a method of unique and automatic identification based on remotely storing and retrieving data using devices called RFID tags. RFID technology, also known as DSRC (Dedicated Short Range Communication), incorporates the use of electromagnetic or electrostatic coupling in the RF (Radio Frequency) portion of the electromagnetic spectrum (typical frequencies used are: 125 to 135 kHz (passive LF tags); 13.56 MHz (HF tags); 869 to 957 MHz; and 2.45 GHz (UHF tags)) to uniquely identify a person, animal, or object. It is a more advanced alternative to traditional barcodes. The UPU (Universal Postal Union) recently indicated that it expects to soon adopt RFID for tracking international mail delivery times in more than one hundred of its member countries. Gartner sees RFID technology as a three trillion dollar business by 2010.
Looking back at the history of RFID technology, it appears to have originated in 1948 with researcher Harry Stokman. One of its initial applications was during World War II when the United Kingdom used RFID devices to distinguish returning British aircraft from potentially German planes, as radar could only detect the presence of an aircraft but not its type (friend or foe). Commercial use of RFID began in the 1990s, and the list of its applications today is endless: product tracking in large retail companies, RFID tags for hospital patients, baggage tracking at airports, passport tracking, library books, RFID sensors in vehicles to detect movement, temperature, food quality, radiation levels, tire condition, GPS position, and more.
From the growing list of RFID benefits, some of them are: (i) For manufacturers and retailers: reduced manual inventory and less use of safety stock, increased sales due to reduced out-of-stock items, improved
stock visibility and availability, reduced transportation costs and shipping volume, more accurate stock predictions and replenishment, reduced supply chain threats and disruptions, and improved product integrity. (ii) For customers: improved product selection, better product freshness for perishable goods, easier identification for claims, and improved product availability on shelves.
RFID Components
The main components in an RFID system are:
(1) RFID tag or label An RFID tag is an object that can be attached to, injected into, or embedded in a person, product, or animal for the purpose of unique identification at a distance using radio waves. It consists of a base substrate (PVC, paper, etc.) on which an antenna (contactless interface and copper wire, conductive ink, etc.) is placed, and on which an integrated circuit or chip (with pre-masked memory or EEPROM and processor) is placed. It may include an optional power supply, and the whole is coated with a layer of epoxy resin, adhesive, or paper.
Each RFID tag contains a unique 96-bit code that facilitates the identification process, called the Electronic Product Code (EPC). This code has four fields: (i) Header: Defines the EPC version (8 bits). (ii) EPC Manager Number: Describes the EPC originator, i.e., the product manufacturer (28 bits). (iii) Object Class Number: Describes the product type (24 bits). (iv) Serial Number: A unique identifier for that product item (36 bits). RFID tags can be classified as active (fully autonomous), semi-passive (using a backup battery to supplement the power provided by the reading unit), passive (requiring power from the reading unit), read-only, read-write, and write-once. Passive tags are programmed by the manufacturer or at the installation site. They obtain their power from the RF energy transferred by the reader unit; they do not have a battery and are only powered when within range of a reader. They typically store few bytes, for example, 128 bytes, and can read hundreds of tags from about 30 centimeters to 5 meters away from the reader. Active tags have a battery that lasts from 2 to 6 years, provides continuous power, and can read thousands of tags at distances of 100 meters or more and speeds of up to 160 km/h. They have a large memory capacity of hundreds of kilobytes and can integrate sensors such as pressure, temperature, acceleration, magnetic field, GPS position, radiation, alarm log, vibration level, light, humidity, etc. They are used for higher-value items such as people, electronic assets, shipping containers, etc.
(2) Interrogation units or readers. They are used to read RFID tags and, in some cases, even to write on them. A growing danger is the design of high-gain smart antennas that could read RFID tags from many kilometers away, even via satellite.
(3) Middleware. This is the necessary interface between the company's databases and the information management software. It provides various functions: data filtering, system monitoring, and coordination of multiple reading units.
(4) Business application software. This is used to manage the collected data. The last two points are not exempt from all kinds of information security threats.
Threats Surrounding RFID:
RFID technology offers unprecedented opportunities for theft, covert tracking, and behavioral profiling. Without appropriate controls, attackers can perform unauthorized reading of RFID tags and surreptitiously track the location of people, animals, or objects (by correlating tag views). Snooping is possible by eavesdropping on tag/reader communications. Attackers can also manipulate RFID-based systems (e.g., retail payment systems) by cloning RFID tags, modifying existing tag data, or preventing RFID tags from being read. Various countermeasures against these threats have been proposed throughout history. The simplest solution is to deactivate RFID tags either permanently (using techniques such as killing (using the Hill EPCglobal command), clipping (mechanically breaking part or all of the antenna), RFID-Zapper (which allows for the permanent deactivation/destruction of passive tags), or frying) or temporarily using Faraday cages, sleep/wake modes, or jamming generators. In cryptography, new algorithms have been devised for RFID tags, including public-key cryptographic primitives, block ciphers, stream ciphers, and computationally lightweight authentication protocols. Access control mechanisms have also been developed, both on the tag itself (hash-based and pseudonym-based locks) and externally, such as tag blockers or RFID enhancement proxies. Some privacy implications include: (i) Detecting the presence of an RFID tag. This usually indicates the presence of a human. (ii) Determining the origin of the person wearing the tags. (iii) Tracking. Correlating multiple observations of the RFID tag/entity identifier. (iv) Hotlisting. The attacker possesses a pre-existing list of tags/entities they wish to identify. (v) Rewriting tags. For example, using cookies or malware. The main privacy concerns regarding RFID are: the identifiers are unique to all objects worldwide; massive data correlation is possible; individuals can be tracked and their behavioral profiles obtained; the data stored on a tag can be altered; tags can be read remotely (even via satellite); readers and the placement of RFID tags can be concealed by using decoy tags for the customer to destroy. RFtracker.com allows searches by RFID tag number, and there are associated people's names in a database. RFtracker.com maintains two databases: one matching tag numbers with people who own items with those numbers, and another that stores records of RFID tag views by readers located worldwide, including date, time, location, and RFID tag number.
Final Considerations
Our research group has been working for over fifteen years on RFID technology, where ubiquitous computing represents a limitless present and future from various perspectives: offensive, defensive, tag design, synthesis of unconventional reading units, antennas, risk management, attack testing and countermeasures, etc.
This article is part of the activities carried out within the LEFIS-APTICE (funded by Socrates).
Bibliography
- Areitio, J. “Information Security: Networks, Computing and Information Systems”. Cengage Learning-Paraninfo. 2009.
- Areitio, J. “Security Considerations Regarding RFID Technology”. Conectrónica Magazine. No. 105. March 2007.
- Areitio, J. “Analysis Regarding Technologies for Information Concealment”. Conectrónica Magazine. No. 109. July-August 2007.
- Areitio, J. “Analysis Regarding Forensic Security, Anti-Forensic Techniques, Incident Response and Digital Evidence Management”. Conectrónica Magazine. No. 125. March 2009.
- Lee, W., Wang, C. and Dagon, D. “Botnet Detection: Countering the Largest Security Threat”. Springer. 2007.
- Howard, R. “Cyber Fraud”. Auerbach Publishers, Inc. 2009.
- Flegel, U. “Privacy Respecting Intrusion Detection.” Springer. 2007.
Author:
Prof. Dr. Javier Areitio Bertolín – E.Mail:
Professor at the Faculty of Engineering. ESIDE.
Director of the Networks and Systems Research Group.
University of Deusto.
