Classifying RFID attacks and defenses

Information Systems Frontiers

Volumn 12, Issue 5, 2010, Pages 491-505

  Mitrokotsa, Aikaterini ^b   Rieback, Melanie R ^a   Tanenbaum, Andrew S ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

^b NONE

Author keywords

Classification; RFID attacks; RFID security

Indexed keywords

CLASSIFICATION; EFFECTIVE ALGORITHMS; LOW COSTS; PERVASIVE COMPUTING TECHNOLOGY; RFID (RADIO FREQUENCY IDENTIFICATION); RFID ATTACKS; RFID COMMUNICATION; RFID NETWORKS; RFID SECURITY; TECHNICAL POTENTIAL;

PROFITABILITY; SECURITY OF DATA; UBIQUITOUS COMPUTING;

RADIO FREQUENCY IDENTIFICATION (RFID);

EID: 78650174439     PISSN: 13873326     EISSN: None     Source Type: Journal    
DOI: 10.1007/s10796-009-9210-z     Document Type: Conference Paper

References (53)

1. 22C3 (2007). RFID Zapper. https://events.ccc.de/congress/2005/static/r/f/ i/RFID-Zapper(EN)-77f3.html. Accessed July 2009.
2. G Avoine P Oechslin 2005 RFID traceability: A multilayer problem AS Patrick M Yung (eds) Financial cryptography and data security, 9th international C, FS 2005, Roseau, The Commonwealth of Dominica Lecture notes in computer science, security and cryptology 3570 Springer-Verlag Berlin, Heidelberg 125 140 10.1007/b137875 Avoine, G.; Oechslin, P. (2005). RFID traceability: A multilayer problem. In A. S. Patrick; M. Yung (Eds.), Financial cryptography and data security, 9th international C, FS 2005, Roseau, The Commonwealth of Dominica. Lecture notes in computer science, security and cryptology (Vol. 3570, pp. 125-140). Berlin, Heidelberg: Springer-Verlag. doi: 10.1007/b137875.
3. J Ayoade 2007 Privacy and RFID systems, roadmap for solving security and privacy concerns in RFID systems Computer Law; Security Report 23 555 561 10.1016/j.clsr.2007.09.005 (Pubitemid 350026134)
4. Center for Democracy; Technology (2006). CDT working group on RFID: Privacy best practices for deployement of RFID technology. Interim Draft. http://www.cdt.org/privacy/20060501rfid-best-practices.php. Accessed July 2009.
5. Desmedt, Y. (2006). Major security problems with the " unforgeable" (Feige-)Fiat-Shamir proofs for identity and how to overcome them. In Proceedings of the 6th worldwide congress on computer and communications security and protection (Securicomm'88), March 1988 (pp. 141-159). Paris, France.
6. Devadas, S.; Suh, E.; Paral, S.; Sowell, R.; Ziola, T.; Khandelwal, V. (2008). Design and implementation of PUF-based "unclonable" RFID ICs for anti-counterfeiting and security applications. In Proceedings of the 2008 IEEE international conference on RFID, 16-17 April 2008 (pp. 58-64). Las Vegas: IEEE Computer Society.
7. Dimitriou, T. (2005). A lightweight RFID protocol to protect against traceability and cloning attacks. In Proceedings of the 1st international conference on security and privacy for emerging areas in communication networks (SecureComm'05) (pp. 59-66). Las Vegas: IEEE Computer Society.
8. Emvelope (2005). Products. http://www.emvelope.com/products. Accessed July 2009.
9. EPCGlobal (2005). Guidelines on EPC for consumer products. http://www.epcglobalinc.org/public/ppsc-guide/. Accessed July 2009.
10. EPCGlobal Inc. (2005). EPC radio-frequency identity protocols Class-1 Generation-2 UHF RFID protocol for communications at 860 MHz-960 MHz. Specification for RFID air interface. (Vol. 1.2.0). http://www.epcglobalinc.org/ standards/uhfc1g2/uhfc1g2-1-2-0-standard-20080511.pdf. Accessed July 2009.
11. European Commission (1995). Directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free Movement of such data. Official Journal of European Communities, (L.281), 31.
12. European Digital Rights (EDRI-gram) (2006). Cloning an electronic passport. EDRI-gram, digital civil rights in Europe. No. 4-16. http://www.edri.org/edrigram/number4.16/epassport/. Accessed July 2009.
13. Federal Office for Information Security (2004). Security aspects and prospective applications of RFID systems. RFID consultation website. http://www.rfidconsultation.eu/docs/ficheiros/RIKCHA-englisch-Layout.pdf. Accessed July 2009.
14. M Fedhofer S Dominikus J Wolkerstorfer 2004 Strong authentication for RFID systems using the AES algorithm M Joye J-J Quisquater (eds) Cryptographic hardware and embedded systems - CHES 2004. Proceedings of the 6th international workshop on cryptographic hardware and embedded systems (CHES'04) Lecture notes in computer science 3156 Springer Berlin 357 370 10.1007/b99451 10.1007/978-3-540-28632-5-26
15. Fedhofer, M.; Dominikus, S.; Wolkerstorfer, J. (2004). Strong authentication for RFID systems using the AES algorithm. In M. Joye; J.-J. Quisquater (Eds.), Cryptographic hardware and embedded systems - CHES 2004. Proceedings of the 6th international workshop on cryptographic hardware and embedded systems (CHES'04). Lecture notes in computer science (Vol. 3156, pp. 357-370). Berlin: Springer. doi: 10.1007/b99451.
16. K Fishkin S Roy B Jiang 2004 Some methods for privacy in RFID communication C Castellucia H Hartenstein C Paar D Westhoff (eds) Security in Ad-hoc and sensor networks, proceedings of the 1st European workshop on security (ESAS '04) Lecture notes in computer science, computer communication networks and telecommunications 3313 Springer Berlin 42 53 10.1007/b105219 Fishkin, K.; Roy, S.; Jiang, B. (2004). Some methods for privacy in RFID communication. In C. Castellucia, H. Hartenstein, C. Paar,; D. Westhoff (Eds.), Security in Ad-hoc and sensor networks, proceedings of the 1st European workshop on security (ESAS '04). Lecture notes in computer science, computer communication networks and telecommunications (Vol. 3313, pp. 42-53). Berlin: Springer. doi: 10.1007/b105219.
17. C Floerkemeier R Schneider M Langheinrich 2004 Scanning with a purpose-supporting the fair information principles in RFID protocols H Murakami H Nakashima H Tokuda M Yasumura (eds) Ubiquitous computing systems, second international symposium (UCS '04), Tokyo, Japan Lecture notes in computer science 3598 Springer Berlin 214 231 10.1007/11526858 Floerkemeier, C.; Schneider, R.; Langheinrich, M. (2004). Scanning with a purpose-supporting the fair information principles in RFID protocols. In H. Murakami, H. Nakashima, H. Tokuda,; M. Yasumura (Eds.), Ubiquitous computing systems, second international symposium (UCS '04), Tokyo, Japan. Lecture notes in computer science (Vol.3598, pp. 214-231). Berlin: Springer. doi: 10.1007/11526858.
18. Friedl, S. (2007). SQL Injection attacks by example. http://unixwiz.net/ techtips/sql-injection.html. Accessed July 2009.
19. Garcia, F. D.; de Koning Gans, G.; Muijrers, R.; van Rossum P.; Verdult, R.; Wichers Schreur, R.; et al. (2008). Dismantling MIFARE classic. In Proceedings of the 13th European symposium on research in computer security, Malaga, Spain. Lecture notes in computer science (Vol. 5283, pp. 97-114). Berlin: Springer.
20. S Garfinkel A Juels R Pappu 2005 RFID privacy: An overview of problems and proposed solutions IEEE Security; Privacy 3 3 34 43 10.1109/MSP.2005.78 (Pubitemid 40860471)
21. J Halamka A Juels A Stubblefield J Westhues 2006 The security implications of VeriChip cloning Journal of American Medical Informatics Association 13 6 601 607 10.1197/jamia.M2143 (Pubitemid 44648757)
22. Hancke, G.; Kuhn, M. (2005). An RFID distance bounding protocol. In Proceedings of the 1st international conference on security and privacy for emerging areas in communication networks (SecureComm'05) (pp. 67-73). Las Vegas: IEEE Computer Society.
23. Information Technology Laboratory, National Institute of Standards and Technology (2001). Security requirements for cryptographic modules. Federal information processing standards publication. FIPS PUB 140-2. 25 May 2001. http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. Accessed July 2009.
24. Inoue, S.; Yasuura, H. (2003). RFID Privacy using user-controllable uniqueness. In Proceedings of RFID privacy workshop. MA, USA: MIT.
25. International Civil Aviation Organization (2002). ICAO document 9303 - Part 1 machine readable passport (Vol. 2). http://www2.icao.int/en/MRTD/Pages/ Doc9393.aspx. Accessed July 2009.
26. International Organization for Standardization (2009). ISO/IEC 9798: Information technology-security techniques-entity authentication, Part 1(1997), Part 2 (2008), Part 3 (1998), Part 4 (1999), Part 5 (2004). www.iso.org. Accessed July 2009.
27. A Juels 2004 Minimalist cryptography for low-cost RFID tags C Blundo S Cimato (eds) Security in communication networks, proceedings of the 4th international conference on security in communication networks (SCN'04), Amalfi, Italy, 8-10 September 2004 Lecture notes in computer science, security and cryptology 3352 Springer Berlin 149 164 10.1007/b105083 Juels, A. (2004). Minimalist cryptography for low-cost RFID tags. In C. Blundo; S. Cimato (Eds.), Security in communication networks, proceedings of the 4th international conference on security in communication networks (SCN'04), Amalfi, Italy, 8-10 September 2004. Lecture notes in computer science, security and cryptology (Vol. 3352, pp. 149-164). Berlin: Springer. doi: 10.1007/b105083.
28. Juels, A. (2005). Stengthening EPC tags against cloning. In M. Jakobsson; R. Povendran (Eds.), Proceedings of ACM workshop on wireless security (WiSec'05) (pp. 67-76). New York: ACM.
29. Juels, A.; Rivest, R.; Szydlo, M. (2003). The Blocker tag: Selective blocking of RFID tags for consumer privacy. In V. Alturi (Ed.), Proceedings of the 8th ACM conference on computer and communication security, Washington, DC, USA (pp. 103-111). New York: ACM.
30. Karjoth, G.; Moskowitz, P. A. (2005). Disabling RFID tags with visible confirmation: Clipped tags are silenced. In V. Atluri, S.D.C. di Vimercanti,; R. Dingledine (Eds.), Proceedings of the 2005 ACM workshop on privacy in the electronic society (WPES '05) (pp. 27-30). Alexandria: ACM.
31. Karygiannis, A.; Phillips, T.; Tsibertzopoulos, A. (2006). RFID security: A taxonomy of risk. In Proceedings of the 1st international conference on communications and networking in China (ChinaCom'06) (pp. 1-7). Beijing: IEEE.
32. Karygiannis, T.; Eydt, B.; Barber, G.; Bunn, L.; Phillips, T. (2007). Guidelines for securing radio frequency identification (RFID) systems: Recommendations of the national institute of standards and technology. NIST Special publication 800-98, national institute of standards and technology, technology administration U.S. Department of Commerce.
33. Kent, J. (2005). Malaysia car thieves steal finger. BBC News, 31 March 2005. http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm. Accessed July 2009.
34. Kfir, Z.; Wool, A. (2005). Picking virtual pockets using relay attacks on contactless smart card. Proceedings of the 1st international conference on security and privacy for emerging areas in communication networks (SecureComm'05) (pp. 47-48). Silver Spring: IEEE Computer Society Press.
35. S Kinoshita F Hoshino T Komuro A Fujimura M Ohkubo 2004 Low-cost RFID privacy protection scheme Transactions of information processing society of Japan 45 8 2007 2021
36. A Laurie 2007 Practical attacks against RFID Network Security 9 4 7 10.1016/S1353-4858(07)70080-6 (Pubitemid 47449639)
37. MobileCloak (2009) The off switch for "always on" mobile wireless devices, spychips, toll tags, RFID tags and technologies. http://www.mobilecloak.com. Accessed July 2009.
38. L Mirowski J Hartnett 2007 Deckard: A system to detect change of RFID tag ownership International Journal of Computer Science and Network Security 7 7 89 98
39. MIT Auto-ID Center (2003) Draft protocol specification for a 900 MHz class 0 radio frequency identification tag. http://epcglobalinc.org/standards/ specs/900-MHz-Class-0-RFIDTag-Specification.pdf. Accessed July 2009.
40. Molnar, D.; Wagner, D. (2004). Privacy and security in library RFID: Issues, practices and architectures. In Proceedings of the 11th conference on computer and communications security (ACM CCS '04), Washington DC USA (pp. 210-219). New York: ACM.
41. Ohkubo, M.; Suzuki, K.; Kinoshita, S. (2003). Cryptographic approach to "privacy-friendly" tags. In Proceedings of RFID Privacy Workshop. Cambridge: MIT.
42. CH Quan WK Hong HC Kim 2006 Performance analysis of tag anti-collision algorithms for RFID systems Emerging directions in embedded and ubiquitous computing, proceedings of EUC 2006 workshops: NCUS, SecUbiq, USN, TRUST, ESO, and MSA, Seoul, Korea, August 1-4, 2006 Lecture notes in computer science, information systems and applications, incl. Internet/Web, and HCI Springer Berlin 382 391 10.1007/11807964 Quan, C. H.; Hong, W. K.; Kim, H. C. (2006). Performance analysis of tag anti-collision algorithms for RFID systems. In Emerging directions in embedded and ubiquitous computing, proceedings of EUC 2006 workshops: NCUS, SecUbiq, USN, TRUST, ESO, and MSA, Seoul, Korea, August 1-4, 2006. Lecture notes in computer science, information systems and applications, incl. Internet/Web, and HCI (Vol. 4097, pp. 382-391). Berlin: Springer. doi: 10.1007/11807964.
43. Raboud University Nijmegen (2008). Dismantling contactless smart cards. 08-33A. Press Release. http://www2.ru.nl/media/pressrelease.pdf. Accessed July 2009.
44. Reid, J.; Gonzalez Nieto, J. M.; Tang, T.; Senadji, B. (2007). Detecting relay attacks with timing-based protocols. In Proceedings of the 2nd ASIAN symposium on information, computer and communications security, Singapore (pp. 204-213). New York: ACM. (Pubitemid 47479240)
45. M Rieback B Crispo A Tanenbaum 2005 RFID Guardian: A battery-powered mobile device for RFID privacy management C Boyd N González M Juan (eds) Information security and privacy, proceedings of the 10th Australasian conference on information security and privacy (ACISP '05), Brisbane, Australia, July 4-6, 2005 Lecture notes in computer science, security and cryptology 3574 Springer Berlin 184 194 10.1007/11506157 Rieback, M.; Crispo, B.; Tanenbaum, A. (2005). RFID Guardian: A battery-powered mobile device for RFID privacy management. In C. Boyd, N. González,; M. Juan (Eds.), Information security and privacy, proceedings of the 10th Australasian conference on information security and privacy (ACISP '05), Brisbane, Australia, July 4-6, 2005. Lecture notes in computer science, security and cryptology (Vol. 3574, pp. 184-194). Berlin: Springer. doi: 10.1007/11506157.
46. Rieback, M.; Crispo, B.; Tanenbaum, A. (2006). Is your cat infected with a computer virus? In Proceedings of the 4th IEEE international conference on pervasive computing and communications (PerComm '06), Pisa, Italy (pp. 169-179). Washington, DC: IEEE Computer Society.
47. Riscure (2006). Privacy issue in electronic passport. http://www.riscure.com/contact/privacy-issue-in-electronic-passport.html. Accessed July 2009.
48. Singlelee, D.; Preneel, B. (2005). Location verification using secure distance bounding protocols. In Proceedings of the 2nd IEEE international conference on mobile, Ad Hoc and sensor systems (MASS'05) (pp. 834-840). New York: IEEE Press. (Pubitemid 44612357)
49. Swedberg, C. (2006). Broadcom introduces secure RFID chip. RFID Journal. 29 June 2006. http://rfidjournal.com/article/view/2464/1/1. Accessed July 2009.
50. Tanenbaum, A. (2008). Dutch public transit card broken: RFID replay attack allows free travel in The Netherlands. http://www.cs.vu.nl/~ast/ov-chip- card/. Accessed July 2009.
51. P Tuyls L Batina 2006 RFID tags for anti-counterfeiting D Pointcheval (eds) Topics in cryptology - CT- RSA 2006, proceedings of the cryptographer's track at the RSA conference 2006, San Jose, CA, USA, February 13-17, 2006 Lecture notes in computer science, security and cryptology 3860 Springer Berlin 115 131 10.1007/11605805 Tuyls, P.; Batina, L. (2006). RFID tags for anti-counterfeiting. In D. Pointcheval (Ed.), Topics in cryptology - CT- RSA 2006, proceedings of the cryptographer's track at the RSA conference 2006, San Jose, CA, USA, February 13-17, 2006. Lecture notes in computer science, security and cryptology (Vol. 3860, pp. 115-131). Berlin: Springer. doi: 10.1007/11605805.
52. Weis, S. A. (2003) Security and privacy in radio-frequency identification devices. Master's thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology.
53. S Weis S Sarma R Rivest D Engels 2003 Security and privacy aspects of low-cost radio frequency identification systems D Hutter G Müller W Stephan M Ullmann (eds) Security in pervasive computing, proceedings of the 1st international conference in security in pervasive computing, boppard, Germany, March 12-14, 2003 Lecture notes in computer science 2802 Springer Berlin 201 212 10.1007/b95124