RFID - Weizmann Institute of Science

Foundations of Privacy 2010
Guy Katz




Introduction to RFID
How does it work
Threats to user privacy
Possible solutions


“Wireless” Identification System
Consists of
◦ Tag
 Small transponder
 Attached to a physical object
◦ Transceiver (reader)
 Reads (and may write) tag data
 Connected to some database

RFID has been around for 60 years
◦ “Friend or Foe” systems in WW II:
 German pilots would roll their planes when coming back to base
 The British put basic transmitters on theirs

Theft prevention (1970’s)
◦ Trucks in Los Alamos laboratory had transponders


Toll payments
Agriculture


A large increase in deployment since the year 2000
Reasons:
◦ Tags and readers much smaller and cheaper
◦ Worldwide standardization (ISO)

Supply Chain Management
◦ From production to customer; replaces bar codes

Payment systems
◦ Toll roads, cafeterias, Rav-Kav

Access Control
◦ Weizmann Institute of Science


Theft Prevention
Anti-Counterfeiting
◦ Passports, banknotes

Implanted Tags
Electronic Product Codes (RFID) vs. Barcodes
Read Rate
◦ EPC: high throughput; multiple (>100) tags can be read simultaneously
◦ Barcodes: very low throughput; tags can only be read manually, one at a time
Line of Sight
◦ EPC: not required
◦ Barcodes: required
Durability
◦ EPC: can even be attached inside the object
◦ Barcodes: easily damaged, swapped or removed; cannot be read if dirty or greasy
Human Capital
◦ EPC: virtually none; once up and running, the system is completely automated
◦ Barcodes: large requirements; laborers must scan each tag
Event Triggering
◦ EPC: capable; can be used to trigger events (door openings, alarms, etc.)
◦ Barcodes: not capable; cannot be used to trigger events


Contain an antenna and a small circuit
Purpose in life: broadcast an ID
◦ Typically 64–128 bits (96 bits in the common EPC format)



Very small - a few millimeters
“Cost Barrier” – 5 cents per tag
Two subgroups:
◦ Active Tags
◦ Passive Tags
[Figure: a tag’s integrated circuit, 4 x 4 mm]

Can initiate communication on their own
◦ Transmit, looking for a reader
Range can be over 100 meters
Require a power source (battery)
◦ Consequently, expensive
[Figure: active RFID tag, part of a monitoring system, 6.5 x 4 x 2 cm]

No power source
◦ Consequently, very cheap


Energy extracted from RF signal
Can’t initiate communication on their own
◦ Need to receive energy before they can answer

Range up to 10 meters



Power tags through RF signals
Usually connected to some database
Singulation (Anti-Collision)
◦ Communicate with many tags at once
Still a bit expensive
◦ Cheapest ones around $500




A method used by readers
Goal: discover all present tags
Difficulty: if many tags answer together, their answers get mixed up
The reader can’t separate their answers
◦ It does know that more than one tag responded
Need a way to resolve collisions…


The standard singulation protocol
Each round, the reader asks for an n-bit prefix
◦ Asks: “Who starts with 1010…?”
◦ Tags with that prefix answer with their next bit
If multiple tags answer (a collision), recurse on both (n+1)-bit prefixes
For n tags and k identity bits, O(n·k) queries
In practice, a few seconds for a shopping cart
[Figure: tree walk over tags 010, 011 and 101; the reader asks “who has ‘’?”, “‘0’?”, “‘00’?”, “‘01’?”, “‘1’?”, “‘10’?” and the matching tags answer with their next bit]

Various frequency ranges
◦ From 120 kHz to 10.6 GHz
Frequency dictates the passive read range
◦ From 10 cm to 10 meters, accordingly
Can be used to ignore more distant tags





Sniffing/Eavesdropping
Spoofing/Cloning
Tracking
Replay
Denial Of Service
Not all attacks are related to privacy!


Tags contain an identification code
EPC usually consists of 64-128 bits
◦ Some bits indicate vendor and product type
◦ Others form a unique serial number
Tags become associated with a person!
◦ Don’t even need to know the item type


Reading is done silently and remotely
Personal information can be gathered
◦ Information about individuals’ habits: where you
go, what you buy…
◦ Physical tracking of people

Military and Corporate Espionage
◦ Track down parts and components

Implanted Tags
◦ Big Brother?


Need to keep the tags cheap
A wide range of systems and uses
◦ No single solution suits everyone
Need to block only malicious readings
Defining the typical adversary
◦ What sort of equipment? Readers, tags, scanners, etc…
◦ What sort of abilities?
 Can impersonate a reader? Connect to the DB?
◦ Always present?


We focus on EPC (Electronic Product Code) RFID tags
Goal: prevent the adversary from associating a tag with a person

Physically prevent RFID tags from transmitting
◦ Aluminum-foil-lined wallets
◦ Special cases for e-passports
Take off the cover when transmission is needed
Problem: only suitable for specific RFID tags
◦ Lead-lined supermarket bags?
Commercial products already available
[Figure: passport case, available for $18]

Tags support a “kill” command
◦ A supermarket might disable tags at checkout
◦ Must be password-protected (a 32-bit kill password in EPC Gen2), or anyone can kill tags (denial of service)
Killed (“zombie”) tags don’t answer readers
Prevents association of people with their tags
◦ Covers most privacy concerns
Problems:
◦ Some applications need the tag alive
 Alice’s milk carton
 Returning products to stores
 Toll payment tags, implanted tags



An approach proposed by Juels and Brainard (2004)
Tags broadcast a privacy bit – “it’s OK / not OK to read me”
Problem: readers may choose not to obey the policy
◦ Enforcement relies on corrupt readers risking being caught
How does the owner configure the tags?
Naïve solution…

Cryptographic solutions are inherently expensive
◦ Require computational power
◦ Require more memory
◦ Sometimes require a source of randomness
Three approaches have been proposed:
◦ Hash-Lock
◦ Re-Encryption
◦ Silent Tree Walking
So far, all too expensive to be practical
◦ But we’ll have a look anyway…


Similar to a password
A tag can be locked by a reader
◦ Locked tags don’t transmit their ID until unlocked
◦ Locked tags answer with a meta-ID y instead
◦ Can only be unlocked by x s.t. h(x) = y
 h: standard one-way hash function
The consumer knows x, can unlock at home
When locked, the ID cannot be associated with the owner
Problems:
◦ Tags still need to compute h(x)
 Expensive…
◦ The meta-ID y is constant, so a locked tag can still be tracked (Weis et al. propose a randomized variant, at the cost of more tag computation)
◦ x is sent in the clear when unlocking, so an eavesdropper who hears it can unlock the tag later
◦ Many tags, hard to manage
◦ Consumer might not be aware of all the tags he’s carrying
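The hash-lock exchange as a small simulation, added here as an example (not code from the slides or from Weis et al.): the tag, the owner’s reader and its meta-ID database are modelled in Python, SHA-256 stands in for the tag’s one-way hash h, and the tag ID and the 16-byte key x are constructed values.

```python
"""Hash lock: a locked tag reveals only metaID = h(x); a reader that knows x
unlocks it and reads the real ID.  Added example with constructed IDs;
SHA-256 stands in for the tag's one-way hash h."""

import hashlib
import secrets


def h(data: bytes) -> bytes:
    """The tag's one-way hash (assumed SHA-256 for this example)."""
    return hashlib.sha256(data).digest()


class Tag:
    """Passive tag: answers a query with its ID, or with metaID while locked."""

    def __init__(self, uid: str):
        self.uid = uid
        self.meta_id = None          # None means unlocked

    def lock(self, meta_id: bytes) -> None:
        self.meta_id = meta_id

    def query(self):
        return self.uid if self.meta_id is None else self.meta_id

    def unlock(self, x: bytes) -> bool:
        """Tag computes h(x) and unlocks only if it equals the stored metaID."""
        if self.meta_id is not None and h(x) == self.meta_id:
            self.meta_id = None
            return True
        return False


class OwnerReader:
    """The owner's reader (e.g. at home); keeps metaID -> (x, ID) in its DB."""

    def __init__(self):
        self.db = {}

    def lock_tag(self, tag: Tag) -> None:
        x = secrets.token_bytes(16)      # assumed key size for the example
        meta_id = h(x)
        self.db[meta_id] = (x, tag.uid)
        tag.lock(meta_id)

    def read(self, tag: Tag):
        """Query -> metaID -> look up x -> unlock -> read ID -> lock again."""
        meta_id = tag.query()
        if meta_id not in self.db:
            return None                  # not one of ours
        x, _ = self.db[meta_id]
        tag.unlock(x)                    # x travels in the clear here (see caveat)
        uid = tag.query()
        tag.lock(meta_id)                # re-lock so others keep seeing only metaID
        return uid


def demo():
    tag = Tag("3034257BF7194E4000001A85")  # constructed 96-bit EPC in hex
    owner = OwnerReader()
    owner.lock_tag(tag)
    stranger_sees = tag.query()           # a foreign reader gets only the 32-byte metaID
    guessed = tag.unlock(b"not the key")  # False: h(guess) != metaID
    owner_sees = owner.read(tag)          # the owner recovers the real ID
    # Caveats from the slides: the metaID is constant, so a locked tag is still
    # trackable, and x is broadcast during unlock, so an eavesdropper can replay it.
    trackable = tag.query() == stranger_sees
    return stranger_sees, guessed, owner_sees, trackable
```

The `trackable` flag is the point of the first caveat: a stranger who reads the tag twice sees the same 32-byte meta-ID both times, so locking hides the ID but not the tag.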


Mechanism to prevent counterfeiting of banknotes
The idea:
◦ Put an RFID tag inside the bill
◦ Every bill has a unique ID
◦ Encrypt the ID with a police public key
◦ Periodically re-encrypt it
Can’t link different appearances of a given tag
Re-encryption done by external agents (in big stores, banks, etc.)
Problems:
◦ Costly infrastructure
◦ Burdensome process
 Need to re-encrypt often
 People are naturally lazy
◦ Unclear just how effective the process is
 Between two re-encryptions the ciphertext is constant, so the tag is trackable in the meantime
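What “re-encrypt without the private key” looks like, as an added example (not code or parameters from the Squealing Euros paper): El Gamal is used because anyone holding only the public key can re-randomise a ciphertext, while only the police private key decrypts. The 127-bit Mersenne prime, the generator 3 and the 96-bit note serial are constructed toy values.

```python
"""Re-encryption of a banknote tag's encrypted ID.  Added example: El Gamal
over a toy prime-field group, chosen because an El Gamal ciphertext can be
re-randomised by anyone holding only the public key, while only the police
private key decrypts."""

import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 and generator 3.  A real
# deployment would use a standardised >= 2048-bit group or an elliptic curve.
P = (1 << 127) - 1
G = 3


def _rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1           # uniform in [1, P-2]


def keygen():
    """Police key pair: private x, public y = G^x mod P."""
    x = _rand_exp()
    return x, pow(G, x, P)


def encrypt(pub: int, m: int):
    """Encrypt the note's ID m (encoded as a group element, 0 < m < P) at the mint."""
    if not 0 < m < P:
        raise ValueError("ID must be encoded as a nonzero element of the group")
    r = _rand_exp()
    return pow(G, r, P), (m * pow(pub, r, P)) % P


def reencrypt(pub: int, ct):
    """Re-randomise (c1, c2) without decrypting: multiply by an encryption of 1.
    Any shop or bank reader holding the public key can do this."""
    c1, c2 = ct
    s = _rand_exp()
    return (c1 * pow(G, s, P)) % P, (c2 * pow(pub, s, P)) % P


def decrypt(priv: int, ct) -> int:
    """Police only: m = c2 * c1^(-x), with c1^(-x) = c1^(P-1-x) by Fermat."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P


def demo():
    priv, pub = keygen()
    note_id = 0x3034257BF7194E4000001A85           # constructed 96-bit serial
    at_mint = encrypt(pub, note_id)
    after_shop = reencrypt(pub, at_mint)            # re-encrypted at a store
    after_bank = reencrypt(pub, after_shop)         # ...and again at a bank
    readings = (at_mint, after_shop, after_bank)
    # The three readings share no visible relation, yet all decrypt to the same ID.
    unlinkable = len(set(readings)) == 3
    same_id = all(decrypt(priv, c) == note_id for c in readings)
    # Caveat from the slides: between two re-encryptions the stored ciphertext
    # does not change, so two readings in that window are trivially linkable.
    return unlinkable, same_id
```

Note that nothing in the scheme stops an attacker from re-encrypting too; the paper’s problem is not the algebra but the infrastructure that must visit every note often enough.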

Readers use singulation protocols
◦ Most common: Tree Walking
Eavesdropping on the reader alone suffices to identify a tag (up to its last bit)
◦ The reader broadcasts every prefix it asks about
A reader transmits much louder than a tag
◦ Can be “heard” from much further away
The idea: encrypt the reader’s requests
◦ Makes eavesdropping harder
Problem: how to encrypt?
◦ Tags have limited resources and no randomness
◦ Need a shared reader–tag key beforehand
◦ Makes the system impractical
Still, might be useful combined with other solutions…


Using an external device to block tag readers (Juels, Rivest & Szydlo, 2003)
Enables a user to block the adversary
◦ One blocker suffices for all tags
◦ Cheap
 Same price as a tag
Don’t have to change existing RFID tags
Can turn it off at home…
The idea: disrupt the singulation protocol
◦ Trick the reader - make it think all tags are present
◦ Makes reading useless
For instance, a tag that disrupts the tree walking algorithm
◦ Always answers both 0 and 1
 Might require two antennas
◦ The reader doesn’t know which tags exist
The blocker will disrupt any reading around it
Can be configured to only disrupt “private branches”
◦ Specific ID prefixes defined as private
◦ Readers have no right to read them…
Can change the tree walking algorithm to avoid unneeded queries
◦ A reader that knows the private zone simply doesn’t descend into it
[Figure: tree walk over tags 010, 011 and 101 with a blocker that blocks 0*; the reader asks “who has ‘’?”, “‘0’?”, “‘00’?”, “‘01’?”, “‘1’?”, “‘10’?” and sees every leaf under the blocked branch in addition to the real tag 101]
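Tree walking, eavesdropping on the reader’s prefixes, and the blocker tag, from the three slides above, in one small simulation. This is an added example, not code from the slides or from Juels, Rivest & Szydlo: the tag IDs 010, 011 and 101 come from the figure, while the class names, the “polite” reader that skips a private zone, and the 8-bit run are assumptions of the example.

```python
"""Tree-walking singulation, a reader-only eavesdropper and a selective
blocker tag, simulated over constructed k-bit tag IDs.  Added example; the
tag IDs 010, 011, 101 are taken from the slides, everything else is assumed."""

from dataclasses import dataclass, field


@dataclass
class Tag:
    """A passive tag: if its ID starts with the queried prefix, it answers
    with the next bit of its ID."""
    uid: str

    def answer(self, prefix: str) -> set:
        if self.uid.startswith(prefix) and len(prefix) < len(self.uid):
            return {self.uid[len(prefix)]}
        return set()


@dataclass
class Blocker:
    """Blocker tag with a private zone (e.g. "0" means every ID 0*).  Inside
    the zone it answers both 0 and 1, so the reader sees a collision on every
    branch and believes every ID in the zone is present."""
    zone: str

    def answer(self, prefix: str) -> set:
        if prefix.startswith(self.zone):          # inside the zone: force a collision
            return {"0", "1"}
        if self.zone.startswith(prefix):          # above the zone: lead the reader into it
            return {self.zone[len(prefix)]}
        return set()


@dataclass
class Reader:
    """Reader running tree walking over k-bit IDs.  `queries` records every
    prefix it broadcast; `skip` lists private zones a polite reader never enters."""
    k: int
    devices: list
    skip: tuple = ()
    queries: list = field(default_factory=list)

    def query(self, prefix: str) -> set:
        self.queries.append(prefix)
        bits = set()
        for d in self.devices:
            bits |= d.answer(prefix)
        return bits

    def tree_walk(self, prefix: str = "") -> set:
        """Return the IDs the reader believes are present under `prefix`."""
        if any(prefix.startswith(z) for z in self.skip):
            return set()
        bits = self.query(prefix)
        if not bits:
            return set()
        if len(prefix) + 1 == self.k:             # leaf level: each answer completes an ID
            return {prefix + b for b in bits}
        found = set()
        for b in sorted(bits):                    # on a collision both subtrees are walked
            found |= self.tree_walk(prefix + b)
        return found


def eavesdrop(queries: list, k: int) -> set:
    """What an eavesdropper who hears only the (loud) reader learns: every
    (k-1)-bit prefix the reader asked about is a present tag up to its last bit."""
    return {q + "?" for q in queries if len(q) == k - 1}


def demo():
    tags = [Tag("010"), Tag("011"), Tag("101")]         # IDs from the slide's figure
    plain = Reader(k=3, devices=tags)
    seen = plain.tree_walk()                             # {'010', '011', '101'}
    leaked = eavesdrop(plain.queries, 3)                 # {'01?', '10?'}

    # Blocker protecting the private zone 0*: the reader now "finds" every ID
    # under 0, so the real 010 and 011 hide among phantoms; 101 is read normally.
    blocked = Reader(k=3, devices=tags + [Blocker("0")])
    seen_blocked = blocked.tree_walk()                   # {'000','001','010','011','101'}

    # Polite reader that knows 0* is private and does not descend into it.
    polite = Reader(k=3, devices=tags + [Blocker("0")], skip=("0",))
    seen_polite = polite.tree_walk()                     # {'101'}, three queries only

    # With realistic ID lengths the phantom forest explodes: 2^(k-1) IDs for k bits.
    big = Reader(k=8, devices=[Tag("10110011"), Blocker("0")])
    phantoms = len(big.tree_walk()) - 1                  # 128
    return seen, leaked, seen_blocked, seen_polite, phantoms
```

With 96-bit EPCs the blocked subtree would hold 2^95 phantom IDs, which is what makes reading “useless” rather than merely slow; the polite reader shows the other side of the same mechanism, since a reader that honours the private zone pays nothing for the blocker’s presence.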

Can the blocker itself pose a privacy breach?
◦ A unique “private zone” can itself be tracked
◦ Allow only a few privacy policies?
Bob’s blocker may disrupt Alice’s readings
◦ Can use a random “private zone” to avoid conflicts
◦ Tradeoff with the previous bullet
Tailored for the tree walking algorithm
◦ However, should be adjustable to any other algorithm as well
Can be used in Denial of Service attacks



RFID is becoming cheap and widespread
It can easily disclose private information
Partial solutions:
◦ Physical blocks
◦ Zombie tags
◦ Privacy Bits

Encryption schemes are effective, but require expensive tags and infrastructure
◦ Only suitable for specific cases
Blocker tags are a cheap, effective solution for EPC RFID tags





“Squealing Euros: Privacy-Protection in RFID-Enabled Banknotes” by Juels and Pappu, 2003
“Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems” by Weis et al., 2003
“Selective Blocking of RFID Tags for Consumer Privacy” by Juels, Rivest and Szydlo, 2003
“RFID Privacy: An Overview of Problems and Proposed Solutions” by Garfinkel, Juels and Pappu, 2005
“RFID”, presentation by Alon Rosen