EPC RFID tag security weaknesses and defenses: Passport cards, enhanced drivers licenses, and beyond

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 33-42

  Koscher, Karl ^a   Juels, Ari ^b   Brajkovic, Vjekoslav ^a   Kohno, Tadayoshi ^a  

^a UNIVERSITY OF WASHINGTON   (United States)

^b RSA Laboratories   (United States)

Author keywords

Authentication; Cloning; EPC; Passport card; RFID; WHTI

Indexed keywords

ANTI-CLONING; ELECTRONIC PRODUCT CODES; IDENTITY DOCUMENTS; RF-ID TAGS; SECURITY APPLICATION; SECURITY WEAKNESS; SYSTEM SECURITY; WASHINGTON STATE;

AUTHENTICATION; CLONING; ELECTRONICS INDUSTRY; RADIO NAVIGATION; VACUUM APPLICATIONS;

NETWORK SECURITY;

EID: 74049091231     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653668     Document Type: Conference Paper

References (43)

1. New York to o er enhanced driver's license. Newsday, 16 September 2008. Referenced October 2008 at http://www.newsday.com/services/newspaper/ printedition/tuesday/news/nynylice165845220sep16,0,5665783,print.story.
2. Card format passport; changes to passport fee schedule [final action]; 22 CFR parts 22 and 51. Federal Register, 72(249):74169-74173, December 31, 2007. Referenced 2008 at http://www.gpoaccess.gov/fr.
3. Card format passport; changes to passport fee schedule [proposed rule]; 22 CFR parts 22 and 51. Federal Register, 71(200):60928-60932, October 17, 2006. Referenced 2008 at http://www.gpoaccess.gov/fr.
4. Smart Card Alliance. Comments of the smart card alliance to the department of state federal register notice, \card format passport; changes to passport fee schedule," 22 CFR parts 22 and 51, rin 1400-ac22, public notice 5558, 3 November 2006. Referenced 2008 at http://www.smartcardalliance. org/resources/pdf/Smart Card Alliance Response Passport Card Final.pdf.
5. R. Anderson and M. Kuhn. Tamper resistance - a cautionary note. In Second USENIX Workshop on Electronic Commerce, pages 1-11, 1996.
6. G. Avoine. Online bibliography: Security and privacy in RFID systems, 2008. Referenced 2008 at http://www.avoine.net/rid.
7. S. Bono, M. Green, A. Stubble eld, A. Juels, A. Rubin, and M. Szydlo. Security analysis of a cryptographically-enabled RFID device. In P. McDaniel, editor, 14th USENIX Security Symposium, pages 1-16. USENIX, 2005.
8. E. Borgida and R. E. Nisbett. The differential impact of abstract vs. concrete information on decisions. Journal of Applied Social Psychology, (7):258-271,1977.
9. S. Breznitz. Cry Wolf: The Psychology of False Alarms. Lawrence Erlbaum Associates, 1984.
10. D. M. Caggiano and R. Parasuraman. The role of memory representation in the vigilance decrement. Psychonomic Bulletin and Review, 11(5):932-937, October 2004.
11. B. Danev, T. S. Heydt-Benjamin, and S. Capkun. Physical-layer identification of RFID devices. In 18th USENIX Security Symposium, pages 199{214, 2009.
12. F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur. Wirelessly pickpocketing a Mifare Classic card. In IEEE Symposium on Security and Privacy (S&P 2009), pages 3{15. IEEE, 2009.
13. R. Gerdes, T. Daniels, M. Mina, and S. Russell. Device identification via analog signal fingerprinting: A matched filter approach. In Network and Distributed System Security Symposium (NDSS), 2006.
14. Marco Gruteser and Dirk Grunwald. A methodological assessment of location privacy risks in wireless hotspot networks. In First International Conference on Security in Pervasive Computing, pages 10-24, 2003.
15. TMcloning. Journal of the American Medical Informatics Association (JAMIA), 13(5):601-607, November 2006.
16. T. S. Heydt-Benjamin, D. V. Bailey, K. Fu, A. Juels, and T. O'Hare. Vulnerabilities in first-generation RFID-enabled credit cards. In Financial Cryptography, pages 2-14, 2007.
17. EPCglobal Inc. Class 1 generation 2 UHF air interface protocol standard version 1.1.0. Referenced 2008 at http://www.epcglobalinc.org/standards/uhfc1g2/ uhfc1g2 1 1 0-standard-20071017.pdf.
18. M. Jakobsson and S. Wetzel. Security weaknesses in Bluetooth. In D. Naccache, editor, The Cryptographer's Track at RSA, volume 2020 of Lecture Notes in Computer Science, pages 176-191. Springer-Verlag, 2001.
19. A. Juels. Strengthing EPC tags against cloning. In ACM Workshop on Wireless Security (WiSe), pages 67-76. ACM Press, 2005.
20. A. Juels. RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communication, 24(2), February 2006.
21. A. Juels, D. Molnar, and D. Wagner. Security and privacy issues in e-passports. In D. Gollman, G. Li, and G. Tsudik, editors, SecureComm, pages 74-88. IEEE, 2005. Referenced 2008 at http://eprint.iacr.org/2005/095.pdf.
22. J. King and A. Mcdiarmid. Where's the beep?: security, privacy, and user misunderstandings of RFID. In Useability, Psychology, and Security, pages 1-8, 2008.
23. K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. EPC RFID tags in security applications: Passport Cards, Enhanced Drivers Licenses, and beyond. Technical report. Available at ftp://ftp.cs.washington.edu/tr/2008/10/UW-CSE-08- 10-02.PDF.
24. R. S. Nickerson. Con rmation bias: A ubiquitous phenomenon in many guises. Review of General Psychology, 2(2):175-220, 1998.
25. K. Nohl, D. Evans, Starbug, and H. Plötz. Reverse-engineering a cryptographic RFID tag. In USENIX Security, pages 185-193, 2008.
26. F. Nylander. Alien Technology Higgs Gen2 IC LoadImage command application note 1 for 96 bit EPC memory, revision 7, 14 December 2006. Referenced 12 Sept. 2008 at http://www.alientechnology.com/docs/Load Image Applicaton Note 1.pdf.
27. M. C. O'Connor. Industry group says e-passport clone poses little risk. RFID Journal, 9 August 2006. Referenced 2008 at http://www.rfidjournal. com/article/articleview/2559/1/1/.
28. United States Department of Homeland Security. Privacy impact assessment for the use of radio frequency identification (RFID) technology for border crossings, 22 January 2008. Referenced 2008 at http://www.dhs.gov/xlibrary/ assets/privacy/privacy pia cbp rfid.pdf.
29. Washington State Department of Licensing. FAQ: EDL / ID, 2008. Referenced 2008 at http://www.dol.wa.gov/driverslicense/edlfaq.html.
30. OpenPCD project, 2008. Referenced 2008 at www.openpcd.org.
31. M. R. Rieback, G. Gaydadjiev, B. Crispo, R. F. H. Hofman, and A. S. Tanenbaum. A platform for RFID security and privacy administration. In USENIX LISA, pages 89-102, 2006. Current project information referenced 2008 at www.rfidguardian.org.
32. T. S. Saponas, J. Lester, C. Hartung, S. Agarwal, and T. Kohno. Devices that tell on you: Privacy trends in consumer ubiquitous computing. In 16th USENIX Security Symposium, pages 55-70, 2007.
33. S.J. Sherman, K.S. Zehner, J. Johnson, and E.R. Hirt. Social explanation: The role of timing, set, and recall on subjective likelihood estimates. Journal of Personality and Social Psychology, 44:1127-1143, 1983.
34. Read range for Gen2 RFID in 2008? 40 feet. RFID Update, 14 August 2008. Referenced 2008 at http://www.rfidupdate.com/articles/index.php?id=1656.
35. L. J. Skitka, K. L. Mosier, and M. Burdick. Does automation bias decision-making? Int. J. Human-Computer Studies, 51:991-1006, 1999.
36. J. R. Smith, A. P. Sample, P. S. Powledge, S. Roy, and A. Mamishev. A wirelessly-powered platform for sensing and computation. In Ubicomp, pages 495-506, 2006.
37. Identity Stronghold. Identity Stronghold's Secure Sleeve to protect US Passport Card. Company news release. Referenced 11 September 2008 at www.identitystronghold.com.
38. Identity Stronghold. Washington State Enhanced Drivers License guarded by Identity Stronghold Secure Sleeve. Company annotation on news article. Referenced 11 September 2008 at www.identitystronghold.com/links.php.
39. C. Swedberg. All eyes on FDA for drug e-pedigree. RFID Journal, 2008. Referenced 2008 at http://www.rfidjournal.com/article/articleview/4013/1/ 1.
40. Bureau of Consular Affairs United States Department of State. Western hemisphere travel initiative (whti) overview, 2008.
41. N. D. Weinstein. Perceived probability, perceived severity, and health-protective behavior. Health Psychology, 19:65-74, 2000.
42. J. Westhues. Hacking the prox card. In S. Garfinkel and B. Rosenberg, editors, RFID: Applications, Security, and Privacy, pages 291-300. Addison-Wesley, 2005.
43. K. Witte and M. Allen. A meta-analysis of fear appeals: Implications for effective public health campaigns. Health Education and Behavior, 27(5):591-615, 2000.