It looks as if the RFID blocker tag device posited by researchers from the well-known security and cryptography company RSA Labs is likely to be demonstrated at their annual conference next week.
The idea behind this device is to exploit the polling anti-collision protocol which an RFID tag uses when communicating with the reader. The reader emits a radio signal which is picked up by the antenna of the RFID tag (the antenna is many times the size of the actual RFID chip containing the electronics and the serial number); in most current designs this signal then powers the circuitry of the RFID chip, usually (but not always) through induction.
RFID readers essentially communicate with one RFID tag at a time. The RFID tags do not transmit their entire 96-bit serial number (for EPC-compliant tags) in one burst; they respond to signals from the reader by revealing one binary digit at a time.
How does the reader distinguish one RFID tag from its neighbours within range? The reader interrogates the RFID tags to ask "whose serial number starts with a 1 in the first position?" Those RFID tags which do not meet this test then remain silent and ignore the rest of the interrogation sequence, whilst the rest of them transmit a "yes, that is correct" answer back to the reader and then await a similar question about the next digit in their binary serial number. The process is repeated until the reader has identified each of the RFID tags in range.
The idea of RSA Labs' RFID blocker device is essentially to construct an RFID tag (or, more probably, something somewhat larger and more expensive at this stage) which mimics the "yes" answers transmitted by the RFID tags when the reader asks about a particular digit of the RFID tag's serial number.
If the RFID tag blocker device always answers "yes", or answers "yes" in a random manner, then the RFID reader believes that there are thousands or millions of RFID tags within range and cannot reliably distinguish between any real RFID tags that you are carrying and the false RFID tag serial numbers it is apparently reading.
This "universal blocking" approach is, as described in the research paper, effectively a Denial of Service attack on the RFID reader, and so the RSA Labs researchers are talking about "selective" tag blocking limited to ranges of RFID tag serial numbers, and that is the sort of device that is likely to be made public next week.
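The tree walk and the selective blocker described above, simulated as an added example (this is not RSA Labs' code or the EPC protocol text): the 8-bit serials, the three tags and the zone prefix "10" are constructed. The blocker answers "yes" to every query inside its zone, so the reader "reads" all 64 serials there and cannot tell the real tag from the phantoms, while a simple reader-side check flags the implausibly full subtree.

```python
"""Tree-walking singulation with a selective blocker tag (constructed model).
Serials are WIDTH bits rather than the 96-bit EPC. The reader asks, one bit at
a time, "does your serial continue with this bit?"; matching tags answer yes."""
WIDTH = 8              # bits per serial number (constructed; EPC uses 96)
MIN_SUSPECT_DEPTH = 4  # a fully populated 16-serial subtree is implausible

def field_answers(prefix, tags, blocker_zone):
    """True if anything in the field answers 'yes' to the query `prefix`.
    A selective blocker answers yes on the path to, and everywhere inside,
    its zone, so it mimics a tag for every possible serial in that zone."""
    if any(t.startswith(prefix) for t in tags):
        return True
    if blocker_zone is None:
        return False
    return prefix.startswith(blocker_zone) or blocker_zone.startswith(prefix)

def tree_walk(tags, blocker_zone=None):
    """Reader side: depth-first walk of the serial-number tree.
    Returns (sorted serials singulated, number of queries sent)."""
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == WIDTH:        # a full serial has been singulated
            found.append(prefix)
            continue
        for bit in "01":                # ask about the next digit
            queries += 1
            if field_answers(prefix + bit, tags, blocker_zone):
                stack.append(prefix + bit)
    return sorted(found), queries

def suspect_blocker(found):
    """Reader-side detection: shortest prefixes whose entire subtree of
    serials was 'read'. A real inventory is never that densely packed."""
    suspects = []
    for length in range(WIDTH - MIN_SUSPECT_DEPTH + 1):
        groups = {}
        for serial in found:
            groups.setdefault(serial[:length], []).append(serial)
        for prefix, members in groups.items():
            if any(prefix.startswith(s) for s in suspects):
                continue                # already covered by a parent prefix
            if len(members) == 2 ** (WIDTH - length):
                suspects.append(prefix)
    return suspects

# Constructed inventory: three real tags, one of them inside the zone "10".
TAGS = {"00001111", "01010101", "10100000"}
if __name__ == "__main__":
    print(tree_walk(TAGS))                              # 3 serials, 42 queries
    found, queries = tree_walk(TAGS, blocker_zone="10")
    print(len(found), queries, suspect_blocker(found))  # 66 156 ['10']
```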
This illustrates that the privacy weaknesses of the current RFID tag standards and proposals go hand in hand with security weaknesses as well. How will stock control be enforced, even in warehouses and the distribution logistics chain, when such devices fall into the hands of thieves, or, since the military authorities are so interested in RFID-tagged logistics, into the hands of saboteurs or terrorists?
If the RFID tags are meant to trigger alarms when unauthorised movements of goods are detected by a reader, how long before such alarms are switched off due to false alerts caused by RFID blockers? If a "Smart Shelf" or doorway portal reader in a warehouse is monitoring a number of expensive or, in the case of the military, lethal RFID-tagged objects, a selective RFID blocker tag could be used to fool the system into thinking it has a full inventory, even though some or all of the items have been stolen.
There is no reason why the RFID tag blocker device should not be actively powered, fitted with an extended-range antenna and used maliciously. Since the radio frequencies used by these RFID tags are all in the licence-free Industrial, Scientific and Medical (ISM) bands, it is not currently illegal to own or operate such a blocker device.
The proper way to protect against such attacks would be to have a strong cryptographic handshake between the reader and the tag and to encrypt all the radio transmissions. This would also protect the currently vulnerable plans for a "kill" code which has been mooted by EPCglobal, but which has not been tested in any supermarket trials so far.
Obviously this functionality is more akin to current Contactless Smart Card technology, involving tamper-resistant circuitry, on-chip cryptographic engines etc., which is used in some relatively expensive, re-usable RFID tags suitable for shipping containers and, to some extent, in transport pre-payment cards, e.g. the Oyster Card. These technologies are not yet cheap enough to be incorporated into "5 cent" disposable smart labels for individual consumer items.