Threat Modeling
RFID Tutorial Outline
• Introduction
• RFID System
• Tags
• Readers
• Data link layer
– Modulation
– Encoding
– Anti-Collision Protocol
– Frequencies
• Standardization
• EPCglobal Network
• EPC vs UPC
• EPC Tag Classes
– Class-0 Tag
– Class-1 Gen-1 Tag
– Class-1 Gen-2 Tag
• RFID Threats Categorized with STRIDE
What is RFID?
• Stands for Radio Frequency Identification
• Uses radio waves for identification
• A new frontier in the field of information technology
• One form of automatic identification (Auto-ID)
• Provides the unique identification or serial number of an object
Applications
• Mobil Speedpass payment systems
• Automobile immobilizer systems
• Fast Lane and E-ZPass road toll systems
• Animal identification
• Secure entry cards
• Humans
• Supply chain management
RFID System
• Tags: each consists of an antenna and a microchip
• Readers: each consists of a transmitter, a receiver and one or more antennas
• Management system
• Communication protocol
• Computer networks
RFID Tag
• A tag is a device that transmits information such as a serial number to the reader in a contactless manner
• Classified as:
– Passive (no battery; powered entirely by the reader's field)
– Active (own battery and own transmitter)
– Semi-passive (battery powers the chip; the reply is still backscattered from the reader's carrier)
Classification of Passive and Active Tags
Characteristics | Passive RFID tag | Active RFID tag
Communication Link
• Inductive coupling (near field; used by LF and HF tags)
• Backscatter coupling (far field; used by UHF and microwave tags)
Modulation
• The process of changing a characteristic of the carrier wave in order to encode data and transmit it to the other end
• The technique chosen depends on power consumption, reliability and the available bandwidth:
– Amplitude Shift Keying (ASK)
– Frequency Shift Keying (FSK)
– Phase Shift Keying (PSK)
Encoding
(Figure: waveforms of the bit sequence 0 1 0 0 1 1 0 1 0 0 1 0 under each line code)
• NRZ
• RZ
• Manchester
• PWM
• PPM
• Miller
• FM0
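The waveform figure on this slide cannot be recovered from the text, so here is an added example (not part of the original tutorial) that generates the same rows in code for NRZ, RZ, Manchester, Miller and FM0, the last two being the tag-to-reader codes of EPC Class-1 Gen-2. Each bit is rendered as two half-bit levels so the codes line up at equal length; the Manchester polarity (0 = high-to-low, 1 = low-to-high) is the IEEE 802.3 convention and is an assumption, since RFID texts differ on it. The FM0 decoder also rejects a stream that lacks the mandatory transition at a symbol boundary, which is how a tag reply corrupted by a collision shows up at the reader.

```python
"""Baseband line codes from the encoding slide, rendered as half-bit levels.

Added example, not code from the original tutorial. A 1 is "high".
"""

# The bit sequence drawn on the slide's waveform figure.
SLIDE_BITS = [0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]


def nrz_encode(bits):
    """Non-return-to-zero: the level follows the bit for the whole bit time."""
    return [h for b in bits for h in (b, b)]


def rz_encode(bits):
    """Return-to-zero: a 1 is a high pulse in the first half; every second half is low."""
    return [h for b in bits for h in (b, 0)]


def manchester_encode(bits):
    """Manchester (IEEE 802.3 polarity, an assumption): a mid-bit transition carries the data."""
    return [h for b in bits for h in ((0, 1) if b else (1, 0))]


def fm0_encode(bits, start_level=1):
    """FM0 (bi-phase space): the level inverts at every symbol boundary, and a
    data-0 inverts once more in the middle; a data-1 stays flat inside the symbol.
    This is the baseband tag-to-reader code of EPC Class-1 Gen-2."""
    out, level = [], start_level
    for b in bits:
        level ^= 1            # mandatory inversion at the symbol boundary
        first = level
        if b == 0:
            level ^= 1        # extra mid-symbol inversion marks a data-0
        out += [first, level]
    return out


def fm0_decode(halves):
    """Recover bits from FM0; reject a stream that lacks the boundary inversion."""
    bits = []
    for i in range(0, len(halves), 2):
        a, b = halves[i], halves[i + 1]
        if i and halves[i - 1] == a:
            raise ValueError(f"missing FM0 boundary transition before symbol {i // 2}")
        bits.append(1 if a == b else 0)
    return bits


def miller_encode(bits, start_level=1):
    """Miller (delay modulation): a data-1 has a mid-bit inversion; a data-0
    inverts at the bit boundary only when it follows another data-0. Gen-2 tags
    send this code on a subcarrier (M = 2, 4 or 8); only the baseband form is shown."""
    out, level, prev = [], start_level, None
    for b in bits:
        if b == 0 and prev == 0:
            level ^= 1        # boundary inversion between consecutive zeros
        first = level
        if b == 1:
            level ^= 1        # mid-bit inversion marks a data-1
        out += [first, level]
        prev = b
    return out


def miller_decode(halves):
    """A symbol with a mid-bit transition is a 1; a flat symbol is a 0."""
    return [0 if halves[i] == halves[i + 1] else 1 for i in range(0, len(halves), 2)]


def waveform_table(bits=SLIDE_BITS):
    """Render the codes one per row, as the slide's figure did ('-' high, '_' low)."""
    rows = {
        "NRZ": nrz_encode(bits), "RZ": rz_encode(bits),
        "MANCHESTER": manchester_encode(bits),
        "MILLER": miller_encode(bits), "FM0": fm0_encode(bits),
    }
    return "\n".join(f"{name:<10} " + "".join("-" if h else "_" for h in w)
                     for name, w in rows.items())


if __name__ == "__main__":
    print("BITS       " + "".join(f"{b}{b}" for b in SLIDE_BITS))
    print(waveform_table())
```

Running the block prints the five rows under the slide's bit sequence; comparing the FM0 and Miller rows shows why a reader can tell them apart by their transition density and why Gen-2 lets the reader pick Miller subcarrier modes when the channel is noisy.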
Anti-Collision Protocol
• Tag anti-collision protocol (several tags answer one reader)
– Aloha / slotted Aloha (probabilistic)
– Deterministic binary tree walking
– Query tree walking
• Reader anti-collision protocol (several readers cover one area)
– TDM / FDM (time- or frequency-division)
RFID Frequency Range
Frequency | Band description
< 135 kHz | Low frequency (LF)
13.56 MHz | High frequency (HF)
433.92 MHz, 860–930 MHz | Ultra-high frequency (UHF)
2.45 GHz, 5.8 GHz | Microwave
Standardization
• ISO/IEC 18000 (air interface)
– 18000-1: Generic parameters for air interfaces at globally accepted frequencies
– 18000-2: Air interface below 135 kHz
– 18000-3: Air interface at 13.56 MHz
– 18000-4: Air interface at 2.45 GHz
– 18000-5: Air interface at 5.8 GHz
– 18000-6: Air interface at 860 MHz to 930 MHz
– 18000-7: Air interface at 433.92 MHz
• EPCglobal
– UHF Class-0
– UHF Class-1 Generation-1 (Class-1 Gen-1)
– UHF Class-1 Generation-2 (Class-1 Gen-2); later adopted by ISO as 18000-6 Type C
Electronic Product Code Global (EPCglobal) Network
• The EPCglobal Network consists of five components:
– Electronic Product Code (EPC) number
– ID system (tags and readers)
– EPC middleware
– Discovery service (Object Naming Service, ONS)
– EPC Information Service (EPCIS)
Electronic Product Code (EPC)
(Figure: structure of the EPC number)
EPC vs. UPC (Barcodes)
(Figure only)
EPC Tag Classes (table fragment)
• Class 3: semi-passive, built-in battery, 65 KB read-write
EPCglobal UHF Class-0 Tag
• The specification describes the physical-layer reader-to-tag link, the tag-to-reader link and the data-link anti-collision protocol
• The reader-to-tag link uses an amplitude-modulated (AM) carrier with 100% or 20% modulation depth
• Uses a binary tree anti-collision protocol
Class-0 Reader-to-Tag Symbols
(Figure: waveforms of the three reader-to-tag symbols BINARY 0, BINARY 1 and NULL)
Binary Tree Anti-Collision Protocol for Class-0
(Figure only)
EPCglobal UHF Class-1 Gen-1
EPCglobal UHF Class-1 Gen-2
• Reader-to-tag link: an amplitude-shift-keyed carrier (DSB-ASK, SSB-ASK or PR-ASK) with pulse-interval encoding (PIE), a pulse-width-style code in which the symbol length distinguishes a 0 from a 1
• Tag-to-reader link: the reader chooses the encoding in its Query command
– FM0 baseband
– Miller-modulated subcarrier (M = 2, 4 or 8)
• Uses a slotted-Aloha-based random anti-collision protocol called the Q protocol
• Also defines (not on the original slide) a 32-bit access password, a 32-bit kill password and per-bank lock bits; these are the controls that the tag-modification and tag-kill threats later in this deck have to defeat
Q Protocol (Anti-Collision Protocol)
• Select phase
– The reader singles out a tag population by matching one or more bits of tag memory, much like a query-tree protocol
• Inventory phase: identify individual tags with the Q protocol (slotted Aloha)
– The reader sends Query with the parameter Q and a session number (Q = 4 is the suggested default)
– The Query thereby opens a frame of 2^Q slots
– Each tag in the requested session picks a random slot counter in the range [0, 2^Q - 1]
– A tag whose counter is 0 backscatters a random 16-bit number (RN16) that serves as its handle
– A tag whose counter is not 0 waits; each QueryRep from the reader decrements the counter by one, and the tag answers when it reaches 0
– The reader acknowledges a single responder by echoing its handle (ACK) and moves to the access phase with that tag; all other tags keep waiting
– If more than one tag answers in a slot (a collision), the reader may repeat the same Q or send QueryAdjust with a modified Q
• Access phase
– The reader interacts with the acknowledged tag, requesting its EPC number and any other information held in tag memory
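To make the inventory phase above concrete, the following is an added simulation (my code, not the tutorial's) of one reader running Query / QueryRep / ACK rounds against a constructed tag population. Tags draw a slot counter in [0, 2^Q - 1] and an RN16, a lone responder in a slot is ACKed and reports its EPC, a slot with two responders is a collision, and the reader adapts Q with the Qfp/C rule from Annex G of the Gen-2 specification (Qfp grows by C on a collision, shrinks by C on an empty slot, and Q is the rounded, clamped value). One simplification is assumed: Qfp is updated after every slot, but the reader only issues a fresh Query at the end of a frame instead of sending QueryAdjust mid-frame. EPCs, the seed and the constant C = 0.3 are constructed for the example.

```python
"""Slotted-Aloha inventory round of EPC Class-1 Gen-2 (the "Q protocol").

Added example, not part of the original tutorial. Tags, EPCs and the seed
are constructed; the Q adaptation follows the Gen-2 Annex G Qfp/C rule.
"""
import random


class Tag:
    """Minimal Gen-2 tag state for the inventory round."""

    def __init__(self, epc):
        self.epc = epc
        self.slot = None          # slot counter loaded from the Query
        self.rn16 = None          # random 16-bit handle sent when the counter reaches 0
        self.inventoried = False  # session inventoried flag: A -> B once ACKed


def inventory(tags, q=4, c=0.3, seed=1, max_rounds=100):
    """Run Query rounds until every tag is inventoried or max_rounds is hit.

    Returns (epcs_in_read_order, stats). Q is rounded from the floating-point
    Qfp and clamped to 0..15 as in Gen-2. Simplification (assumed): Qfp is
    updated after every slot, but a new Query is only issued per frame.
    """
    rng = random.Random(seed)
    qfp = float(q)
    stats = {"rounds": 0, "slots": 0, "empty": 0, "collided": 0,
             "singulated": 0, "q_history": []}
    read = []
    while any(not t.inventoried for t in tags) and stats["rounds"] < max_rounds:
        q = int(min(15.0, max(0.0, qfp)) + 0.5)
        stats["rounds"] += 1
        stats["q_history"].append(q)
        # Query(Q): every tag whose flag is still A draws a slot counter and an RN16.
        active = [t for t in tags if not t.inventoried]
        for t in active:
            t.slot = rng.randrange(2 ** q)
            t.rn16 = rng.randrange(1 << 16)
        for slot in range(2 ** q):            # each QueryRep decrements all counters
            stats["slots"] += 1
            responders = [t for t in active if t.slot == slot]
            if not responders:
                stats["empty"] += 1
                qfp = max(0.0, qfp - c)       # idle slot: the frame is too large
            elif len(responders) > 1:
                stats["collided"] += 1        # two RN16s collide: nothing decodable
                qfp = min(15.0, qfp + c)      # collision: the frame is too small
            else:
                tag = responders[0]           # reader echoes the RN16 in an ACK ...
                read.append(tag.epc)          # ... and the tag backscatters its EPC
                tag.inventoried = True        # flag flips to B; tag ignores later Queries
                stats["singulated"] += 1
    return read, stats


def demo(n_tags=20, seed=7):
    """Inventory 20 constructed tags starting from the suggested default Q = 4."""
    tags = [Tag(f"CONSTRUCTED-EPC-{i:04d}") for i in range(n_tags)]
    return inventory(tags, q=4, seed=seed)


if __name__ == "__main__":
    read, stats = demo()
    print(f"read {len(read)} tags in {stats['rounds']} rounds / {stats['slots']} slots; "
          f"collisions={stats['collided']} empty={stats['empty']} "
          f"Q trace={stats['q_history']}")
```

Two edge cases are worth trying by hand: with Q = 0 and a single tag the frame has one slot and the tag is read in the first round, and with Q = 0 and two tags the first slot is a guaranteed collision, after which the Qfp rule has to grow the frame before either tag can be singulated. That guaranteed collision is also the lever a blocker-style attacker pulls against slotted Aloha: a device that answers in every slot keeps Q climbing and the frame mostly empty.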
RFID Threats Categorized with STRIDE
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Spoofing Threat
• A competitor or thief performs an unauthorized inventory of a store by scanning its RFID EPC tags with an unauthorized reader to determine the types and quantities of items. An unauthorized reader can query a tag for its EPC number because most tags used in the supply chain respond to any reader. The EPC number is only a number; however, because EPC numbers are built according to a standard layout, an attacker can determine the manufacturer and possibly the product number from it. The number assigned to each manufacturer is likely to become public knowledge, and the product numbers will follow after a short period of time.
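The claim that the EPC is "only a number" yet still reveals the manufacturer and product is easiest to see by decoding one. The block below is an added example (not from the tutorial) that parses an SGTIN-96 EPC according to the GS1 Tag Data Standard: an 8-bit header, a 3-bit filter, a 3-bit partition that fixes how the next 44 bits are split between the GS1 company prefix and the item reference, and a 38-bit serial. It then rebuilds the GTIN-14 that a barcode would carry. The sample EPC is the published GS1 worked example (company prefix 0614141), not a tag read from a real product, and only the SGTIN-96 header is handled.

```python
"""Decode an SGTIN-96 EPC into company prefix, item reference, serial and GTIN-14.

Added example, not part of the original tutorial. Layout per the GS1 Tag Data
Standard; the sample value is GS1's own worked example, not a real shipped tag.
"""

# Partition table of SGTIN-96: partition -> (company-prefix bits, company-prefix
# digits, item-reference bits, item-reference digits). Bits always sum to 44.
_PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30
_SERIAL_BITS = 38


def gs1_check_digit(digits):
    """GS1 modulo-10 check digit over the 13 leading digits of a GTIN-14."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(digits)))
    return (10 - total % 10) % 10


def decode_sgtin96(hex_epc):
    """Split a 96-bit EPC (24 hex digits) into its SGTIN-96 fields."""
    value = int(hex_epc, 16)
    if len(hex_epc) != 24 or value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in _PARTITIONS:
        raise ValueError(f"invalid partition {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = _PARTITIONS[partition]
    company_prefix = (value >> (_SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    item_ref = (value >> _SERIAL_BITS) & ((1 << ir_bits) - 1)
    serial = value & ((1 << _SERIAL_BITS) - 1)
    cp = f"{company_prefix:0{cp_digits}d}"
    ir = f"{item_ref:0{ir_digits}d}"
    if len(cp) != cp_digits or len(ir) != ir_digits:
        raise ValueError("field value exceeds its digit capacity")
    # GTIN-14 = indicator digit (first item-reference digit) + company prefix
    #           + remaining item-reference digits + check digit
    body = ir[0] + cp + ir[1:]
    return {
        "filter": filter_value, "partition": partition,
        "company_prefix": cp, "item_reference": ir, "serial": serial,
        "gtin14": body + str(gs1_check_digit(body)),
        "tag_uri": f"urn:epc:tag:sgtin-96:{filter_value}.{cp}.{ir}.{serial}",
        "pure_identity_uri": f"urn:epc:id:sgtin:{cp}.{ir}.{serial}",
    }


def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Inverse of decode_sgtin96 (company_prefix and item_ref as digit strings)."""
    cp_bits, cp_digits, ir_bits, ir_digits = _PARTITIONS[partition]
    if len(company_prefix) != cp_digits or len(item_ref) != ir_digits:
        raise ValueError("digit counts do not match the partition")
    value = ((SGTIN96_HEADER << 88) | (filter_value << 85) | (partition << 82)
             | (int(company_prefix) << (_SERIAL_BITS + ir_bits))
             | (int(item_ref) << _SERIAL_BITS) | serial)
    return f"{value:024X}"


if __name__ == "__main__":
    # GS1 TDS worked example (constructed, not a real product tag)
    for key, val in decode_sgtin96("3074257BF7194E4000001A85").items():
        print(f"{key:>18}: {val}")
```

Everything the decoder prints comes from the 96 bits alone: no database lookup is needed to learn the company prefix, and the GS1 prefix registry is public, so the "it's only a number" argument does not hold once the layout is known. Only the serial is item-specific, which is why the information-disclosure threats later in the deck focus on tracking that serial across reads.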
Tampering with Data Threats
• An attacker modifies a tag.
– An attacker modifies the tag in a passport to contain the serial number associated with a terrorist or criminal.
– An attacker modifies a high-priced item's EPC number to be the EPC number of a lower-cost item.
– An attacker modifies the EPC numbers on tags in the supply chain, warehouse or store, disrupting business operations and causing a loss of revenue.
• An attacker adds a tag to an object.
– An attacker adds a tag to a passport that contains the serial number associated with a terrorist or criminal.
– An attacker adds extra tags to a shipment so that it appears to contain more items than it actually does.
• An attacker deletes data on a tag.
– An attacker kills tags in the supply chain, warehouse or store, disrupting business operations and causing a loss of revenue.
– An attacker erases tags in the supply chain, warehouse or store, setting all values including the EPC number to zero, disrupting business operations and causing a loss of revenue.
– An attacker removes or physically destroys tags attached to objects in order to avoid tracking; a thief destroys the tag to remove merchandise without detection.
• An attacker reorders data on a tag or reorders tags.
– An attacker exchanges a high-priced item's tag with a lower-priced item's tag.
Repudiation Threats
• A retailer denies having received a certain pallet, case or item.
• The owner of the EPC number denies having information about the item to which the tag is attached.
Information Disclosure Threats
• A bomb in a restaurant explodes when five or more Americans with RFID-enabled passports are detected nearby.
• An attacker blackmails an individual for having certain merchandise in their possession.
• A fixed reader at a retail counter identifies the tags a person is carrying and shows similar products on a nearby screen as individualized marketing.
• A competitor or thief performs an unauthorized inventory of a store by scanning tags with a reader to determine the types and quantities of items.
• A thief creates a duplicate tag with the same EPC number and returns a forged item for an unauthorized refund.
Denial of Service Threats
• An attacker kills tags in the supply chain, warehouse or store, disrupting business operations and causing a loss of revenue.
• A shoplifter carries a blocker tag that disrupts reader communication to conceal a stolen item. The blocker tag works against Class-0 tags, which use the tree-walking anti-collision protocol: by answering on both branches at every node it simulates the presence of a very large number of tags, so the reader's singulation has to walk an enormous tree and the system becomes unavailable to authorized use.
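The Class-0 tree-walking slide and the blocker-tag threat above describe the same mechanism from two sides, so one added example (my code, not the tutorial's) serves both. It models tree walking in the generic form used in Juels, Rivest and Szydlo's blocker-tag paper rather than the exact Class-0 bit-negotiation symbols: the reader asks, for a prefix, whether any tag's ID continues with 0 and whether any continues with 1, and descends into the branches that answer. A blocker answers "yes" for every prefix inside the zone it covers, so the reader is forced to visit every leaf under that zone. The tag IDs, the 8-bit ID length and the zone prefixes are constructed for the example, and the query cap stands in for a reader timing out.

```python
"""Binary tree walking (Class-0 style singulation) with an optional blocker tag.

Added example, not part of the original tutorial. IDs are constructed
bit strings; the blocker answers both branches for every prefix in its zone.
"""


def tree_walk(tag_ids, id_bits, blocker_zone=None, max_queries=100_000):
    """Singulate tag_ids (set of '0'/'1' strings of length id_bits) by tree walking.

    blocker_zone: prefix string covered by the blocker ("" covers all IDs,
    None means no blocker). Returns (ids_read, query_count, gave_up).
    """
    def blocker_answers(prefix):
        return blocker_zone is not None and (
            prefix.startswith(blocker_zone) or blocker_zone.startswith(prefix))

    read, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:          # leaf: one full ID has been walked to
            if prefix in tag_ids:           # a real tag replies with the rest of its data
                read.append(prefix)
            continue                        # a leaf reached only via the blocker is a ghost
        for bit in "1", "0":                # push 1 first so the 0 branch is walked first
            child = prefix + bit
            queries += 1                    # one "anyone with this prefix?" query
            if queries > max_queries:
                return read, queries, True  # reader gives up: denial of service achieved
            real = any(t.startswith(child) for t in tag_ids)
            if real or blocker_answers(child):
                stack.append(child)
    return read, queries, False


TAGS = {"00010110", "01101001", "10111100", "11000011"}  # constructed 8-bit tag IDs
ID_BITS = 8


def demo():
    """Same four tags: no blocker, a blocker over IDs starting with 1, a full blocker."""
    plain = tree_walk(TAGS, ID_BITS)
    zone = tree_walk(TAGS, ID_BITS, blocker_zone="1")
    full = tree_walk(TAGS, ID_BITS, blocker_zone="")
    return plain, zone, full


if __name__ == "__main__":
    labels = ("no blocker", "blocker zone '1'", "full blocker")
    for label, (read, queries, gave_up) in zip(labels, demo()):
        print(f"{label:>17}: read {sorted(read)} in {queries} queries"
              f"{' (reader gave up)' if gave_up else ''}")
```

With four 8-bit tags the honest walk costs 54 queries (two per prefix of a real tag); covering the half of the ID space that starts with 1 raises that to 282, and a full blocker forces all 255 internal nodes, 510 queries. Scale the IDs to the 64 or 96 bits of a real EPC and a full blocker makes the walk astronomically long, which is the DoS. The same `blocker_zone` idea is also the legitimate privacy use of the device: a consumer's blocker covering only a designated "privacy zone" of IDs leaves the store's other tags readable.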
Elevation of Privilege Threats
• A user who logs on to the database to look up product information becomes an attacker by raising his or her privileges in the information system from ordinary user to root or server administrator, and then writes or adds malicious data to the system.
Contact Information
NEERAJ CHAUDHRY
Email: nchaudh@gmail.com