1 presented by july-2013, iim indore. 2 rfid = radio frequency identification. rfid is adc...
TRANSCRIPT
1
Executive Post Graduate Programme in e-Governance (EPGP-EG), 2013-14
Identity Management
GROUP # 3Pravin Kolhe M. Jyothi Rani
Sanjay Singh Vivek SrivastavaChandan Kumar Jha
Presented by
Threats for RFID
July-2013, IIM Indore
2
RFID = Radio Frequency IDentification. RFID is ADC (Automated Data Collection) technology that:-
uses radio-frequency waves to transfer data between a reader and a movable item to identify, categorize, track.
is fast and does not require physical sight or contact between reader/scanner and the tagged item.
attempts to provide unique identification and backend integration that allows for wide range of applications.
1. WHAT IS RFID
3
SOME RFID TAGS…
4
SOME RFID READERS…
5
Broadly threats are categorized based on:- Confidentiality, Integrity, Availability as- Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege
3. TYPES OF THREATS FOR RFID
6
“Spoofing occurs when an attacker successfully poses as an authorized user of a system”
A competitor or thief performs an unauthorized inventory of a store by scanning tags with an unauthorized reader to determine the types and quantities of items.
An attacker trying to save money by buying expensive goods that have RFID price tags spoofed to display cheaper prices.
4. SPOOFING IDENTITY
7
Appropriate authentication, Protect secrets, Don’t store secrets
4. MITIGATING SPOOFING IDENTITY
8
“Data tampering occurs when an attacker modifies, adds, deletes, or reorders data”
For Eg:- An attacker modifies a passport tag to appear to be a citizen
in good standing. An attacker adds additional tags in a shipment that makes
the shipment appear to contain more items than it actually does.
5. TAMPERING WITH DATA
9
Appropriate authentication, Message authentication codes Digital signatures, Tamper-resistant protocols
5. MITIGATING TAMPERING WITH DATA
10
“Repudiation occurs when a user denies an action and no proof exists to prove that the action was performed” A retailer denies receiving a certain pallet, case, or item. The owner of the EPC number denies having information
about the item to which the tag is attached.
6. REPUDIATION
11
Digital signatures, Timestamps, Audit trails
6. MITIGATING REPUDIATION
12
“Information disclosure occurs when information is exposed to an unauthorized user” A bomb in a restaurant explodes when there are five or more
Americans with RFID-enabled passports detected. An attacker blackmails an individual for having certain
merchandise in their possession. A sufficiently powerful directed reader reads tags in your
house or car.
7. INFORMATION DISCLOSURE
13
Authorization, Privacy-enhanced protocols, Encryption,
7. MITIGATING INFORMATION DISCLOSURE
14
“Denial-of-service denies service to valid users. Denial-of-service attacks are easy to accomplish and difficult to guard against.” An attacker with a powerful reader jams the reader. An attacker intrudes into the system thereby aborting the
transactions.
8. DENIAL OF SERVICE
15
Appropriate authentication, Appropriate authorization, Filtering, Throttling, Quality of Service
8. MITIGATING DENIAL OF SERVICE
16
“A user logging on to the database to know the product’s information can become an attacker by raising his/her status in the information system from a user to a root server administrator and write or add malicious data into the system.” A system user modifies the authorisation & authentication
privileges to transfer money to his account.
9. ELEVATION OF PRIVILEGE
17
Run with least privilege Hierarchy based privilege Restricted privilege to user.
9. MITIGATING ELEVATION OF PRIVILEGE
18
Damage potential (1-10) Reproducibility (1-10) Exploitability (1-10) Affected Users (1-10) Discoverability (1-10)
10. ASSIGN RISK WITH DREAD
19
RFID is extensively used worldwide due to its efficient and convenient features.
Still, it has threats & vulnerabilities associated with it. Despite the proposed mitigation strategies yet it is not
possible to design full-proof RFID system. Extensive research is being carried out for reliable RFID
system.
12. CONCLUSION
20
CONTACT: -
Pravin Kolhe, Executive Engineer
Water Resources Department, Government of Maharashtra
Email:- [email protected]
PPT downloaded from www.pravinkolhe.com
21
THANK YOU…!GROUP # 3, EPGP-EG, IIM INDORE, 2013-14