The scope of the Technical Report is to consider the threats and vulnerabilities associated with specific characteristics of RFID technology in a system comprising:<\/p>\n
the air interface protocol covering all the common frequencies;<\/p>\n<\/li>\n
the tag including model variants within a technology;<\/p>\n<\/li>\n
the interrogator features for processing the air interface;<\/p>\n<\/li>\n
the interrogator interface to the application.<\/p>\n<\/li>\n<\/ul>\n
The Technical Report addresses specific RFID technologies as defined by their air interface specifications. The threats, vulnerabilities, and mitigating methods are presented as a toolkit, enabling the specific characteristics of the RFID technology being used in an application to be taken into consideration. While the focus is on specifications that are standardized, the feature analysis can also be applied to proprietary RFID technologies. This should be possible because some features are common to more than one standardized technology, and it should be possible to map these to proprietary technologies.<\/p>\n
Although this Technical Report may be used by any operator, even for a small system, the technical details are better considered by others. In particular the document should be a tool used by RFID system integrators, to improve security aspects using a privacy by design approach. As such it is also highly relevant to operators that are not SME\u2019s, and to industry bodies representing SME members.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 4<\/td>\n | Contents Page <\/td>\n<\/tr>\n | ||||||
| 6<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 7<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 8<\/td>\n | 1 Scope 2 Terms and definitions <\/td>\n<\/tr>\n | ||||||
| 11<\/td>\n | 3 Symbols and abbreviations <\/td>\n<\/tr>\n | ||||||
| 12<\/td>\n | 4 Threats and Attack scenarios 4.1 Introduction <\/td>\n<\/tr>\n | ||||||
| 13<\/td>\n | Figure 1 \u2014 Penetration Testing Framework: a proposed pictorial representation 4.2 Attacks to an RFID System with a Fake Reader Figure 2 \u2014 FR used as interferer <\/td>\n<\/tr>\n | ||||||
| 14<\/td>\n | Figure 3 \u2014 FR used to eavesdrop RT’s signal 4.3 Attacks to a RFID system with a Fake Tag Figure 4 \u2014 Attack performed by a FT 4.4 Attacks to a RFID system with a Fake Reader and a Fake Tag <\/td>\n<\/tr>\n | ||||||
| 15<\/td>\n | Figure 5 \u2014 Creating a cloned tag Figure 6 \u2014 Relay attack 4.5 Attack to a Real Tag with a Fake Reader and a Fake Tag 4.6 Attack to a Real Tag with a Fake Reader Figure 7 \u2014 Unauthorised tag activation 4.7 Attack to a Real Reader with a Fake Tag <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | Figure 8 \u2014 Use of unauthorised tag with Real Reader 5 Vulnerabilities 5.1 Introduction 5.2 Denial of service 5.3 Eavesdropping <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | 5.4 Man in the Middle 6 Mitigation measures 6.1 Introduction 6.2 Mitigation measures for secured RFID Devices 6.2.1 Mitigation measures for tags 6.2.2 Mitigation measures for readers 6.2.3 Mitigation measures for the Air Interface Protocol 6.3 Mitigation measures against attacks 6.3.1 Introduction 6.3.2 Eavesdropping 6.3.3 Skimming <\/td>\n<\/tr>\n | ||||||
| 18<\/td>\n | 6.3.4 Relay attack 6.3.5 Denial of Service 7 Conclusions <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | Annex A (informative) Attack scenarios A.1 Amusement parks takes visitors to RFID-land A.1.1 Introduction A.1.2 Threat scenarios <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | A.1.3 DPP objectives of relevance A.1.4 Security objectives of relevance <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | A.1.5 Privacy objectives of relevance A.2 Purpose of Use and Consent A.2.1 Purpose 1 <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | Figure A.1 \u2014 Athletic shoe A.2.2 Purpose 2 (with explicit consent) A.2.3 Purpose 3 (with no explicit consent <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | Figure A.2 \u2014 Screens A.3 Multi-tag and purpose RFID environment for Healthcare A.3.1 Scenario description – Emergency A.3.2 The hospital RFID environment <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | Figure A.3 \u2014 RFID enabled Bed A.3.3 Arrival at the hospital Figure A.4 \u2014 Implanted Pacemaker <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | A.3.4 Treatment at the hospital A.3.5 The value of the drug prescribed A.3.6 Returning home Figure A.5 \u2014 Drugs cabinet A.3.7 The home RFID environment <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | A.3.8 Drug repeat prescription and out of date drug recycling Figure A.6\u2014 Out of date drugs <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | Annex B Original Test Set ups and Results B.1 Test Area B.2 Equipment <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | B.3 Overview of the Tests B.3.1 Introduction B.3.2 Range tests B.3.3 Write Tests B.3.4 Illicit Reading <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | B.3.5 Eavesdropping B.3.6 Detection inside buildings B.3.7 Combined EAS\/RFID systems B.4 Test procedures and results B.4.1 General <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | Table B.1 \u2014 Measurements of noise floor levels <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | B.4.2 Reading range B.4.2.1 Introduction B.4.2.2 Reading range for LF systems Figure B.1 \u2014 Measuring reading range at LF <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | Table B.2 \u2014 Reading range results for LF tags B.4.2.3 Reading range for HF systems <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | Figure B.2 \u2014 Measuring reading range at HF <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | Table B.3 \u2014 Reading range results for HF tags <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | B.4.2.4 Reading range for UHF Figure B.3 \u2014 Measuring reading range at UHF <\/td>\n<\/tr>\n | ||||||
| 37<\/td>\n | Table B.4 \u2014 Reading range results for UHF tags <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | Table B.5 \u2014 Reading range results of the latest integrated circuits manufactured by Impinj <\/td>\n<\/tr>\n | ||||||
| 39<\/td>\n | B.4.3 Write range B.4.3.1 Introduction B.4.3.2 Write range at LF Figure B.4 \u2014 Measuring write range at LF <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | Table B.6 \u2014 Tests results <\/td>\n<\/tr>\n | ||||||
| 41<\/td>\n | B.4.3.3 Write range at LF B.4.3.4 Write range at HF B.4.3.5 Write range at UHF <\/td>\n<\/tr>\n | ||||||
| 42<\/td>\n | Figure B.5 \u2014 Write range equipment at UHF <\/td>\n<\/tr>\n | ||||||
| 43<\/td>\n | B.4.4 Illicit reading B.4.4.1 Introduction B.4.4.2 Illicit reading of the contents of shopping bags <\/td>\n<\/tr>\n | ||||||
| 44<\/td>\n | Figure B.6 \u2014 Contents of tagged items in shopping bag <\/td>\n<\/tr>\n | ||||||
| 45<\/td>\n | Figure B.7 \u2014 Hand held reader <\/td>\n<\/tr>\n | ||||||
| 46<\/td>\n | Table B.7 \u2014 Analysis of illicit reading of shopping bags B.4.4.3 Containers with pills <\/td>\n<\/tr>\n | ||||||
| 47<\/td>\n | Figure B.8 \u2014 Tagged bottles and box of pills B.4.4.4 Proximity cards <\/td>\n<\/tr>\n | ||||||
| 48<\/td>\n | B.4.4.5 Airline label tag B.4.4.6 LF tags B.4.5 Eavesdropping B.4.5.1 Introduction <\/td>\n<\/tr>\n | ||||||
| 49<\/td>\n | B.4.5.2 LF and HF tests Table B.8 \u2014 Maximum distances for eavesdropping with LF and HF tags B.4.5.3 Measurements at UHF B.4.6 Detection inside buildings <\/td>\n<\/tr>\n | ||||||
| 50<\/td>\n | B.4.7 Combined EAS\/RFID system B.5 Analysis of results <\/td>\n<\/tr>\n | ||||||
| 51<\/td>\n | B.6 Conclusions <\/td>\n<\/tr>\n | ||||||
| 52<\/td>\n | Annex C Additional Test Set ups and Results C.1 Introduction C.2 Scope of tests C.3 Documenting the results C.4 Equipment required for additional tests <\/td>\n<\/tr>\n | ||||||
| 53<\/td>\n | C.5 Description of tests C.5.1 Activation distance for HF system C.5.1.1 General C.5.1.2 Test set up Figure C.1 \u2014 Test setup for Operated Range Test C.5.1.3 Test Procedure <\/td>\n<\/tr>\n | ||||||
| 54<\/td>\n | C.5.2 Activation distance for UHF system C.5.2.1 Introduction C.5.2.2 Test set up <\/td>\n<\/tr>\n | ||||||
| 55<\/td>\n | C.5.2.3 Procedure C.5.3 Eavesdropping tests for HF system C.5.3.1 Introduction C.5.3.2 Test set up <\/td>\n<\/tr>\n | ||||||
| 56<\/td>\n | Figure C.2 \u2014 Test set-up for eavesdropping measurement C.5.3.3 Procedure <\/td>\n<\/tr>\n | ||||||
| 57<\/td>\n | C.5.4 Eavesdropping tests for UHF system C.5.4.1 Introduction C.5.4.2 Test set up C.5.4.3 Procedure <\/td>\n<\/tr>\n | ||||||
| 58<\/td>\n | C.6 Test results C.6.1 Equipment utilised during the tests C.6.2 Description of Tests C.6.2.1 Introduction C.6.2.2 Measurement of ambient noise <\/td>\n<\/tr>\n | ||||||
| 59<\/td>\n | C.6.2.3 HF Measurements C.6.2.4 Introduction C.6.2.4.1 General C.6.2.4.2 Interrogator Figure C.3 \u2014 Loop antenna for the library system C.6.2.4.3 Tags Figure C.4 \u2014 Library tag number 1 <\/td>\n<\/tr>\n | ||||||
| 60<\/td>\n | Figure C.5 \u2014 Library Tag number 2 Figure C.6 \u2014 Library tag number 3 and 4 Figure C.7 \u2014 Library tag number 5 <\/td>\n<\/tr>\n | ||||||
| 61<\/td>\n | Figure C.8 \u2014 Label shape dimension 75 by 45 mm C.6.2.4.4 Maximum Activation Range <\/td>\n<\/tr>\n | ||||||
| 62<\/td>\n | Figure C.9 \u2014 Library system with library tag and loop antenna Table C.1 \u2014 Activation ranges of tags at HF <\/td>\n<\/tr>\n | ||||||
| 63<\/td>\n | Figure C.10 \u2014 HF Activation distance as function of the field strength @ 10 m distance C.6.2.4.5 Maximum Eavesdropping Range <\/td>\n<\/tr>\n | ||||||
| 64<\/td>\n | Figure C.11 \u2014 Trace of tag response using an active antenna Table C.2 \u2014 Maximum ranges for eavesdropping at HF C.6.2.5 Measurements at UHF C.6.2.6 Introduction C.6.2.6.1 General <\/td>\n<\/tr>\n | ||||||
| 65<\/td>\n | C.6.2.6.2 Interrogator Figure C.12 \u2014 Front view of !D Top interrogator with integrated antenna Figure C.13 \u2014 Integrated antenna dimensions of the !D Top interrogator Figure C.14 \u2014 Antenna dimensions of the !D Top interrogator 112 by 122 mm <\/td>\n<\/tr>\n | ||||||
| 66<\/td>\n | C.6.2.6.3 Tags Figure C.15 \u2014 The two types of retail tag (Type A at top and Type B at bottom) C.6.2.6.4 Maximum activation range <\/td>\n<\/tr>\n | ||||||
| 67<\/td>\n | Figure C.16 \u2014 Photo showing the activation range at max power Table C.3 \u2014 Activation ranges measured at UHF <\/td>\n<\/tr>\n | ||||||
| 68<\/td>\n | Figure C.17 \u2014 UHF Activation distance as function of the transmitter power in W e.r.p. C.6.2.6.5 Eavesdropping <\/td>\n<\/tr>\n | ||||||
| 69<\/td>\n | Figure C.18 \u2014 Set-up of equipment for eavesdropping test at UHF <\/td>\n<\/tr>\n | ||||||
| 70<\/td>\n | Figure C.19 \u2014 Eavesdropping test at UHF Figure C.20 \u2014 Display on portable receiver <\/td>\n<\/tr>\n | ||||||
| 71<\/td>\n | C.6.2.7 Discussion C.6.2.8 Conclusion <\/td>\n<\/tr>\n | ||||||
| 72<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Information technology. RFID threat and vulnerability analysis<\/b><\/p>\n |