
Threats for RFID

Identity Management

Executive Post Graduate Programme in e-Governance (EPGP-EG), 2013-14

Presented by GROUP # 3: Pravin Kolhe, M. Jyothi Rani, Sanjay Singh, Vivek Srivastava, Chandan Kumar Jha

July-2013, IIM Indore


1. WHAT IS RFID

RFID = Radio Frequency IDentification. RFID is an ADC (Automated Data Collection) technology that:

- uses radio-frequency waves to transfer data between a reader and a movable item in order to identify, categorize and track it.
- is fast and does not require line of sight or physical contact between the reader/scanner and the tagged item.
- attempts to provide unique identification and backend integration that allows for a wide range of applications.


SOME RFID TAGS…


SOME RFID READERS…


3. TYPES OF THREATS FOR RFID

Broadly, threats are categorized based on Confidentiality, Integrity and Availability, as:

- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege


4. SPOOFING IDENTITY

“Spoofing occurs when an attacker successfully poses as an authorized user of a system”

- A competitor or thief performs an unauthorized inventory of a store by scanning tags with an unauthorized reader to determine the types and quantities of items.
- An attacker tries to save money by buying expensive goods whose RFID price tags have been spoofed to display cheaper prices.


4. MITIGATING SPOOFING IDENTITY

- Appropriate authentication
- Protect secrets
- Don’t store secrets


5. TAMPERING WITH DATA

“Data tampering occurs when an attacker modifies, adds, deletes, or reorders data”

For example:

- An attacker modifies a passport tag to appear to be a citizen in good standing.
- An attacker adds additional tags in a shipment that makes the shipment appear to contain more items than it actually does.


5. MITIGATING TAMPERING WITH DATA

- Appropriate authentication
- Message authentication codes
- Digital signatures
- Tamper-resistant protocols
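
An added example, not part of the original slides: a message authentication code over each tag's record lets the receiving back end detect the four tampering actions quoted above (modify, add, delete, reorder) in a shipment. The key, the shipment ID, the EPC strings, the record layout and the function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption): held by the issuer and receiver
# back ends only, never written to a tag.
KEY = b"constructed-demo-key"

def tag_mac(shipment: str, epc: str, seq: int, total: int) -> str:
    """MAC binding a tag's EPC to its shipment, position and item count."""
    msg = f"{shipment}|{epc}|{seq}|{total}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def write_shipment(shipment: str, epcs: list) -> list:
    """Issuer side: the record stored on each tag of the shipment."""
    total = len(epcs)
    return [{"epc": e, "seq": i, "total": total,
             "mac": tag_mac(shipment, e, i, total)}
            for i, e in enumerate(epcs)]

def verify_shipment(shipment: str, records: list) -> str:
    """Receiver side: classify the tag records read from a shipment."""
    if not records:
        return "added-or-deleted"          # every tag removed
    for r in records:
        expected = tag_mac(shipment, r["epc"], r["seq"], r["total"])
        if not hmac.compare_digest(expected, r["mac"]):
            return "modified-or-forged"    # field changed, or tag made without the key
    seqs = [r["seq"] for r in records]
    if sorted(seqs) != list(range(records[0]["total"])):
        return "added-or-deleted"          # copied tag added, or a tag missing
    if seqs != sorted(seqs):
        return "reordered"
    return "intact"

if __name__ == "__main__":
    recs = write_shipment("SHIP-1", ["EPC-0001", "EPC-0002", "EPC-0003"])
    print(verify_shipment("SHIP-1", recs))
    print(verify_shipment("SHIP-1", recs + [dict(recs[1])]))
```

A MAC does not stop a valid tag from being copied bit for bit; the sequence and count check is what catches the copy inside one shipment.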


6. REPUDIATION

“Repudiation occurs when a user denies an action and no proof exists to prove that the action was performed”

- A retailer denies receiving a certain pallet, case, or item.
- The owner of the EPC number denies having information about the item to which the tag is attached.


6. MITIGATING REPUDIATION

- Digital signatures
- Timestamps
- Audit trails


7. INFORMATION DISCLOSURE

“Information disclosure occurs when information is exposed to an unauthorized user”

- A bomb in a restaurant explodes when there are five or more Americans with RFID-enabled passports detected.
- An attacker blackmails an individual for having certain merchandise in their possession.
- A sufficiently powerful directed reader reads tags in your house or car.


7. MITIGATING INFORMATION DISCLOSURE

- Authorization
- Privacy-enhanced protocols
- Encryption


8. DENIAL OF SERVICE

“Denial-of-service denies service to valid users. Denial-of-service attacks are easy to accomplish and difficult to guard against.”

- An attacker with a powerful reader jams the reader.
- An attacker intrudes into the system thereby aborting the transactions.


8. MITIGATING DENIAL OF SERVICE

- Appropriate authentication
- Appropriate authorization
- Filtering
- Throttling
- Quality of Service


9. ELEVATION OF PRIVILEGE

“A user logging on to the database to know the product’s information can become an attacker by raising his/her status in the information system from a user to a root server administrator and write or add malicious data into the system.”

- A system user modifies the authorisation & authentication privileges to transfer money to his account.


9. MITIGATING ELEVATION OF PRIVILEGE

- Run with least privilege
- Hierarchy-based privilege
- Restricted privilege to user


10. ASSIGN RISK WITH DREAD

- Damage potential (1-10)
- Reproducibility (1-10)
- Exploitability (1-10)
- Affected Users (1-10)
- Discoverability (1-10)


12. CONCLUSION

- RFID is extensively used worldwide due to its efficient and convenient features.
- Still, it has threats & vulnerabilities associated with it.
- Despite the proposed mitigation strategies, it is not possible to design a foolproof RFID system.
- Extensive research is being carried out towards a reliable RFID system.


CONTACT: -

Pravin Kolhe, Executive Engineer

Water Resources Department, Government of Maharashtra

Email:- [email protected]

PPT downloaded from www.pravinkolhe.com


THANK YOU…!

GROUP # 3, EPGP-EG, IIM INDORE, 2013-14