Security Expert Lukas Grunwald to Lead Discussion at February 10th RFID Security Alliance Call

Contributed by Joanne C. Kelleher

The RFID Security Alliance has changed the format of their monthly meetings and will now start with an open discussion of a topic of interest. The meetings can be joined in person in California or via conference call.

This month Alliance member and security expert Lukas Grunwald will give a 20-minute introductory talk leading into an open discussion on these topics:

  • “Security and the Dynamics of Public Awareness”
  • “Live Report: Current situation of Access Control at German Airports”

With more than a decade of experience as a computer security expert, Lukas Grunwald is the founder of DN-Systems in Germany, where he heads a security research lab. Mr. Grunwald is also the CTO and co-founder of NeoCatena Networks, a California-based supplier of RFID security solutions dedicated to protecting high-value items from cloning and counterfeiting.

Once the open discussion is over, those who wish to stay on the call for RFIDSA internal business topics are welcome.

Please join us on Wednesday, February 10, 2010 at 10 AM PST / 1 PM EST. Contact Anna Haight [a@qlmconsulting.com] for details and to obtain a copy of the presentation slides.

RFID Security Alliance meetings are usually scheduled for the second Wednesday of each month. More info about the RFID Security Alliance is at http://www.rfidsa.com or via the LinkedIn Group at http://www.linkedin.com/groups?gid=62849.

Where is Security in RFID End User Survey?

Contributed by Joanne C. Kelleher

I just received an email from ABI Research announcing their Annual RFID End User Survey top line results.

Good news: “Nearly half (49%) of those respondents currently using, deploying, evaluating, or piloting RFID report that they expect their RFID budgets to increase in 2010.”

Missing: The issue of RFID security.

This topic wasn’t listed in the table of contents, list of tables, list of charts, questions this report answers or the press release. One of the applications covered is Security/Access Control Applications, but that doesn’t count.

At $5,000 I did not purchase this 326-page report. If anyone has, please add a comment and let us know if RFID security is hidden inside.

Report Description: http://www.abiresearch.com/research/1003626-012210  

Press release: https://www.abiresearch.com/press/1564-RFID+End+User+Survey+Results%3A+Nearly+Half+to+Increase+Budgets+in+2010

Updated 2/3/2010:

Survey author Michael Liard added his response in the comments below. 

This post also appeared on the RFID Security Alliance’s  LinkedIn site and Daniel Mullen, Executive Director at AIM – Association for Automatic Identification and Mobility, added his comment there –  http://www.linkedin.com/newsArticle?viewDiscussion=&articleID=104977101&gid=62849

RFID Hacking Talks at CCC and RFIDSA

Contributed by Joanne C. Kelleher

Karsten Nohl, the researcher and hacker who almost two years ago declared that Mifare was insecure, will be speaking at the January RFID Security Alliance meeting and recently made two presentations at the 26th Chaos Communication Congress (CCC) conference – http://events.ccc.de/congress/2009/Fahrplan/speakers/1317.en.html

These CCC presentations have received some widespread press.  One was about cloning the radio frequency IDs from the “Prime” product line of Swiss manufacturer Legic. The second divulged cell phone encryption codes, see the NY Times article at http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1&scp=1&sq=karsten%20nohl&st=cse .

If you want to see Karsten’s slides from his talks about these 2 hacks, you can find them here:

Karsten will be leading a discussion about Mifare and several other types of ’secure’ RFID which have been broken at the January 13, 2010 RFID Security Alliance meeting, which can be attended live in California or via phone. For more details about this meeting see http://rfidsa.blogspot.com/2010/01/karsten-nohl-to-discuss-hacking-mifare.html.

This Is Always the Year for RFID Security

Contributed by Joanne C. Kelleher

Bert Moore, Editor of AIM Global’s RFID Connections newsletter, asked in today’s issue “Will this be the year that RFID security is finally implemented?”

With the long lead time to get to a full project implementation, we think that Bert’s thesis is correct – although the timeframes may still continue to push out a bit.

Moore points out that there are many options for providing RFID security (including simply reading the tag ID, tag/reader authentication, specialized cards that can only be read when activated by the user, high levels of public key encryption, and back-end security), that adding a second or even third layer of security makes it far less likely that a criminal can successfully hack a system, and that adequate tag data security is essential in addressing privacy issues by securing data against unauthorized access.

Moore suggests that perhaps a revision to Murphy’s Law should be posted in every office of anyone designing, implementing or using RFID in order to trigger security conscious thinking: “Anything that can be hacked will be hacked.”

SecureRF and other members of the RFID Security Alliance discussed the state of the RFID marketplace in December and also see more emphasis on security and some positive changes on the way in 2010.  See the summary of this discussion at http://rfidsa.blogspot.com/2009/12/rfidsas-view-of-rfid-marketplace.html.

Like Moore, the firms in the RFID Security Alliance see the potential vulnerability of RFID (real or theoretical) not as a liability, but as an opportunity to design security into the RFID products and systems we offer our clients.

I recommend you read his full article, RFID: 2010 Will This Be The Year…?, Wednesday, January 06, 2010 in RFID Connections.
http://www.aimglobal.org/members/news/templates/template.aspx?articleid=3629&zoneid=26

RFIDSA December Discussion Summaries

Contributed by Joanne C. Kelleher

As I mentioned in my last post, the RFID Security Alliance was planning to hold an open discussion on two  topics at our December meeting:

  • The current state of the RFID marketplace
  • What may happen as RFID readers become more ubiquitous, such as in cell phones

A summary of these discussions has been posted to the RFID Security Alliance blog.

We decided that we liked this format, so look for announcements about upcoming topics and guest speakers for our January 13 and February 10 meetings.

As Seen on The Connecticut Innovations Blog

Louis M. Parks, CEO of SecureRF Corporation, contributed a posting to The Connecticut Innovation Blog which appears today.

Louis talks about the convergence of three trends:

  • Aging security and cryptographic technologies
  • The movement toward smaller computer platforms which may not be able to run these technologies
  • The increase in computing power to attack and hack these systems

Read more about Securing Connecticut in the 21st Century: Challenges and Opportunities at http://www.ctinnovations.com/blog/?p=468.

Unique characteristics are first step in identifying counterfeiting

Contributed by Joanne C. Kelleher

Engineering researchers at The University of Arkansas recently announced that they “have developed a unique and robust method to prevent cloning of passive radio frequency identification tags. The technology, based on one or more unique physical attributes of individual tags rather than information stored on them, will prevent the production of counterfeit tags and thus greatly enhance both security and privacy for government agencies, businesses and consumers.”   These researchers have identified that the minimum power response at multiple frequencies is unique for each tag.

Other researchers have also identified ways to make RFID tags unique. The founders of Verayo use Physical Unclonable Function (PUF) technology which exploits the unavoidable integrated circuit fabrication process variations.  The University of Exeter and QinetiQ are partnering on a project, recently discussed in this blog, to build products based on physical sciences research in the field of tailored electromagnetic materials – made by studying the wings of butterflies.

But with all of these options for anti-cloning, counterfeit tags could still be produced. From an implementation standpoint, the big question is how can you tell these unique tags apart so you know when you have a counterfeit one?

For each business application you would need a database that stores the individual tag values determined when each tag was produced or put into production. When a tag needed to be validated, the unique value would have to be determined again and then compared to the value in the database. If a match was found, you would know that you have a good tag. If no match was found, then, because the values are physically unique, you have a counterfeit.

A similar lookup process would need to occur if you stored a unique identifier in the memory of each tag, except in this case you are looking for duplicate occurrences of a value rather than a missing value.
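The two lookups described above, sketched as an added example (not code from any of the research projects mentioned). It assumes a fingerprint is a list of minimum power responses in dBm at a fixed set of frequencies and that a re-measurement matches when every point is within a tolerance; the tolerance, tag IDs, site names and all sample values are constructed for illustration.

```python
from collections import Counter

# Assumption: allowed per-frequency measurement noise, in dB (illustrative value).
TOLERANCE_DB = 0.5


class TagRegistry:
    """Enrollment database of per-tag physical fingerprints."""

    def __init__(self):
        self._enrolled = {}  # tag_id -> tuple of dBm values recorded at production

    def enroll(self, tag_id, fingerprint):
        if tag_id in self._enrolled:
            raise ValueError(f"tag {tag_id} already enrolled")
        self._enrolled[tag_id] = tuple(fingerprint)

    def validate(self, tag_id, measured):
        """Return 'genuine', 'counterfeit' or 'unknown' for a re-measured tag."""
        reference = self._enrolled.get(tag_id)
        if reference is None:
            return "unknown"      # ID never enrolled, nothing to compare against
        if len(measured) != len(reference):
            return "counterfeit"  # wrong number of frequency points
        worst = max(abs(m - r) for m, r in zip(measured, reference))
        return "genuine" if worst <= TOLERANCE_DB else "counterfeit"


def duplicate_ids(reads):
    """Stored-ID case: IDs seen more than once in a batch that should hold each once."""
    counts = Counter(tag_id for tag_id, _site in reads)
    return sorted(t for t, n in counts.items() if n > 1)


# Constructed sample data (not real measurements).
registry = TagRegistry()
registry.enroll("TAG-001", [-14.2, -13.1, -15.8, -12.4])
registry.enroll("TAG-002", [-13.7, -14.9, -12.2, -15.0])

SAMPLE_READS = [("TAG-001", "dock-A"), ("TAG-002", "dock-A"), ("TAG-001", "dock-B")]

if __name__ == "__main__":
    print(registry.validate("TAG-001", [-14.0, -13.3, -15.6, -12.5]))
    print(registry.validate("TAG-001", [-13.7, -14.9, -12.2, -15.0]))
    print(duplicate_ids(SAMPLE_READS))
```

A tag that copies the stored ID of TAG-001 but has different physical behaviour fails `validate`, while the duplicate check only flags that the ID appeared twice and cannot say which copy is the original.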

Having a database of valid values may work for some closed-loop applications, but could quickly become an issue when applied to a supply chain or logistics situation where the tags are read by multiple companies in an environment that may not have access to a centralized database.

Since some of these projects are in the early stages, it isn’t clear yet how easily these unique physical characteristics could be identified outside of a laboratory environment and whether the process could be as fast as what is required when an RFID tag moves through a distribution center. We will have to wait and see.