EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond Karl Koscher University of Washington Seattle, Washington, USA supersat@u.washington.edu Ari Juels RSA Labs Cambridge, Mass., USA ari.juels@rsa.com Vjekoslav Brajkovic University of Washington Seattle, Washington, USA balkan@cs.washington.edu Tadayoshi Kohno University of Washington Seattle, Washington, USA yoshi@cs.washington.edu Presented by: Terry Gregory
Purpose Explore the security risks & challenges created by the increasingly common use of the EPC (Electronic Product Code) RFID tag Evaluate 2 specific EPC tag case studies United States Passport Card (PASS Card) Washington State Enhanced Driver’s License (WA EDL) Identify Security Vulnerabilities & Weaknesses Susceptibility to cloning Extended read ranges Ability to remotely KILL (permanently disable) the WA EDL (a form of DoS attack) Provide Defensive Countermeasures Demonstrate anti-cloning techniques for off-the-shelf EPC tags Co-opt the EPC KILL command (a native privacy feature) to achieve EPC tag authentication
Background: EPC RFID Tags The EPC (Electronic Product Code) tag is an RFID (Radio-Frequency IDentification) device EPCglobal Standard: Class-1 Generation-2 UHF Tag (860 MHz – 960 MHz) Most dominant, emerging as the successor to the optical barcode Like barcodes, EPC tags emit static codes used to identify and track objects
Background: EPC RFID Tag Uses Common Uses: Track shipping containers, cases, and pallets within supply chains Tag high-dollar items in retail stores (e.g., clothing, software) Tag & Authenticate drugs within the pharmaceutical industry Identify & Authenticate Individuals (Identification documents) Facilitate the compilation of detailed object histories and pedigrees Adopted by many corporations (e.g., Wal-Mart, US DoD), who have mandated EPC Tag usage by their top suppliers Proponents envision a future in which tagging of individual items facilitates a full life-cycle of automation, from shop floors to retail POS, in home appliances, and through to recycling facilities (tracking from “cradle to grave”)
Background: EPC RFID Tag Advantages/Disadvantages EPC Tag Advantages (over traditional barcodes): Can transmit information over short distances to RFID readers automatically via radio frequency Passive, receiving its power from the reader RFID readers do not require direct line-of-sight or physical contact to scan an EPC tag Data includes not just manufacturer and model number, but also a unique identifier or serial number Inexpensive (< 5 cents/ea in large quantities) EPC Tag Disadvantages: Low cost drives low functionality Cannot perform cryptographic operations (encryption, authentication) Possess no explicit anti-cloning features (i.e., no mechanism for EPC readers to authenticate the validity of the tags they scan) Tags emit their EPC promiscuously, i.e., to any querying reader
Background: EPC RFID Tag Interrogation Source: EPC Class 1 GEN 2 UHF RFID Tag Emulator for Robustness Evaluation and Improvement. Omar Abdelmalek, David Hély and Vincent Beroulle 2013
Example Reader to Tag Interrogation Source: GS1 EPC Tag Data Standard 1.7
Background: EPC RFID Tag Data-Security Feature #1 KILL Command Mandatory feature of the EPCglobal Standard Designed to protect consumer privacy by allowing tags to be permanently disabled at the POS in retail environments (no longer trackable) When a tag receives the KILL command, along with a valid 32-bit KILL PIN, it becomes permanently disabled (“self-destructs”) Requires sufficient power (dBm) from the reader to disable itself Insufficient power - tag replies with “Insufficient Power” error code Invalid KILL PIN - tag ignores command altogether Important side-effect: The “Insufficient power” response inadvertently validates a correct KILL PIN
Background: EPC RFID Tag Data-Security Feature #2 ACCESS Command Optional feature of the EPCglobal Standard Designed to provide secured access to memory banks containing the ACCESS & KILL PINs When a tag receives the ACCESS command, along with a valid 32-bit ACCESS PIN, it transitions into a “secured” state, granting read/write access to the PIN memory bank Also provides word-level, read/write operations of the PINs
Background: EPC RFID Tag Data-Security Feature #3 TID (Tag Identifier) Designed to uniquely identify a specific Tag Can be factory programmed and locked at the discretion of the tag manufacturer (but is not always done) When uniquely identified, and perma-locked, theoretically prevents cross-copying A unique TID could be linked to a unique EPC in the Backend Database to authenticate a given tag E.g., shipping of expensive pharmaceuticals
Background: EPC RFID Tag Memory Map Source: GS1 EPC Tag Data Standard 1.7
Two EPC Tag Case Studies US Passport Card (PASS Card) An Identity document intended for land-border and seaport entry into the US (first issued in 2008) Deployed in response to the Western Hemisphere Travel Initiative (WHTI), a US law requiring travelers show valid passport docs Washington State Enhanced Driver’s License (WA EDL) Also WHTI compliant, first issued by WA State (other states have followed) Both among the first and most prominent examples of EPC RFID tag use in a security application
Why use EPC Tags for these two applications? Esp. since members of Congress had expressed concerns about the security and privacy of the Passport Card (2006) Department of State cited a technical need for simultaneous reads of multiple documents & a need for passenger pre-processing – both supported by EPC Department also noted that NIST had certified the Passport Card as “meeting or exceeding ISO security standards.“ Further noted that Passport Cards would not carry personally identifiable information, and would include protective, radio-opaque sleeves to help prevent unwanted scanning U.S. Department of Homeland Security (DHS), in its Privacy Impact Assessment of the Passport Card, highlighted the TIDs as a powerful anti-counterfeiting tool (i.e., as removing the risk of cloning)
Experimental Evaluation: Data Cloning (Public Data) Authors acquired samples of both cards & began evaluating the security risks Demonstrated that the public data (EPC) in both documents could be easily read and cloned to another off-the-shelf tag using a single read Tags’ private data (the PINs) could not be read or cloned where it had been set and locked: Passport Card: ACCESS PIN (set & locked) KILL PIN (set & locked) WA EDL: KILL PIN (not set, not locked) Though tags did not contain personally identifiable data, the authors note that the public data (i.e., unique serial numbers) could support clandestine tracking
Experimental Evaluation: Data Cloning (TID) TID-based Anti-Cloning Mechanism was weak TIDs were not tag-unique (Gen-2 standard does not enforce uniqueness or locking by manufacturer). TIDs reported by sample cards: Passport Card: E2 00 34 11 FF B8 00 00 00 02 (Manufacturer | Model ID + Manufacturer Configuration Values) – No Unique TID! WA EDL: E2 00 10 50 (Manufacturer | Model ID) – No Unique TID! Both EPC & TID values were easily cloned onto another off-the-shelf EPC tag. Additionally, even assuming physical cloning were preventable, logical cloning would still be possible via EPC tag emulators (which already exist). RFID readers cannot differentiate.
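Added example (not code from the paper or this presentation): a decoder for the TID header values quoted on the slide, following the bit layout of the GS1 Tag Data Standard (class identifier 0xE2, XTID/security/file indicator bits, 9-bit mask-designer ID, 12-bit tag model number), so a backend can tell whether a TID actually carries a per-tag serial before using it as an anti-cloning anchor. The two real TID values are the slide’s; the XTID serialization-field handling and the synthetic serialized TID in the usage function are assumptions introduced here, and mapping an MDID to a vendor name (GS1 keeps a registry) is deliberately left out.

```python
"""Decode the EPC Gen2 TID bank header (GS1 Tag Data Standard layout).

Constructed example. TID bit numbering follows the TDS: bit 0 is the MSB of
word 0.  bits 0-7 class identifier (0xE2 for EPCglobal), bit 8 XTID indicator
(X), bit 9 security indicator (S), bit 10 file indicator (F), bits 11-19 the
9-bit mask-designer ID (MDID), bits 20-31 the 12-bit tag model number (TMN).
If X=1 an XTID header occupies bits 32-47; its 3-bit serialization field
(bits 32-34, assumed layout) gives the serial length and the serial number
begins at bit 48.  With X=0 the TID is only "manufacturer | model".
"""


def parse_tid(hex_str):
    data = bytes.fromhex(hex_str.replace(" ", ""))
    if len(data) < 4:
        raise ValueError("TID bank shorter than the 32-bit header")
    if data[0] != 0xE2:
        raise ValueError("class identifier 0x%02X is not EPCglobal (0xE2)" % data[0])
    header = int.from_bytes(data[:4], "big")
    tid = {
        "xtid": bool((header >> 23) & 1),      # TDS bit 8
        "security": bool((header >> 22) & 1),  # TDS bit 9
        "file": bool((header >> 21) & 1),      # TDS bit 10
        "mdid": (header >> 12) & 0x1FF,        # TDS bits 11-19
        "tmn": header & 0xFFF,                 # TDS bits 20-31
        "serial": None,
    }
    if tid["xtid"] and len(data) >= 6:
        xtid_header = int.from_bytes(data[4:6], "big")
        ser = (xtid_header >> 13) & 0x7        # serialization field, bits 32-34 (assumed)
        if ser:
            serial_bits = 48 + 16 * (ser - 1)  # 001 -> 48 bits ... 111 -> 144 bits
            serial_bytes = data[6:6 + serial_bits // 8]
            if len(serial_bytes) * 8 == serial_bits:
                tid["serial"] = int.from_bytes(serial_bytes, "big")
    return tid


def tid_is_unique(tid):
    """A TID can anchor an anti-cloning check only if it carries a per-tag serial."""
    return tid["serial"] is not None


def describe(hex_str):
    """Human-readable verdict for one TID bank dump."""
    tid = parse_tid(hex_str)
    verdict = "serialized (XTID)" if tid_is_unique(tid) else "NOT unique: manufacturer | model only"
    return "MDID=0x%03X TMN=0x%03X X=%d -> %s" % (tid["mdid"], tid["tmn"], tid["xtid"], verdict)


if __name__ == "__main__":
    # The two values reported on the slide, then a constructed serialized TID.
    for dump in ("E2 00 34 11 FF B8 00 00 00 02",
                 "E2 00 10 50",
                 "E2 80 FF FF 20 00 00 00 12 34 56 78"):
        print(dump, "=>", describe(dump))
```

Neither card’s TID sets the XTID bit, so the decoder reports only a mask-designer ID and model number; every tag of the same model returns the same value, which is exactly why copying it onto another off-the-shelf tag of that model defeats a TID-based check.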
Another Concern: Read Ranges Given the cloning threat (single read), tag read ranges become a major consideration in the vulnerability of tags to clandestine scanning, so… US Department of State issued radio-opaque shielding sleeves with each Passport Card Washington State issued protective sleeves for EDLs as well Consistent use of protective sleeves requires diligence on the part of EDL and Passport Card bearers (unlikely) Read ranges could vary due to… The material to which a tag is affixed The configuration of the interrogating reader The physical characteristics of the surrounding scanning environment The tag's antenna
Experimental Evaluation: Read Range Test Scenarios Tested read ranges in different physical environments: Indoors, freestanding, but with other objects nearby Indoors, in a corridor, with no other nearby objects Outdoors in free space With different carrying modes: Held away from the body Inside a purse, both inside a wallet and in a side pocket In a backpack In a wallet in a back trouser pocket In a wallet in a front shorts pocket Adjacent to a wallet in a front shorts pocket
Experimental Evaluation: Read Ranges Test Scenarios With different protective sleeves (crumpled vs new): In a new sleeve, held out by hand; In a crumpled sleeve, held out by hand; In a new sleeve, in a wallet in a back trouser pocket; and In a crumpled sleeve, in a wallet in a back trouser pocket. Why these tests? Read range results have a strong bearing on overall security of the border-crossing system
Experimental Evaluation: Read Range Test Results Observations: Both cards were subject to reading at distances > 50 meters in optimal conditions Passport Cards, while not readable in new protective sleeve, were readable under certain circumstances in a crumpled sleeve EDLs were readable, inside protective sleeves, at a distance of some tens of centimeters
Experimental Evaluation: Denial-of-Service Attack WA EDLs: Issued without setting of KILL PIN Therefore vulnerable to over-the-air KILLing by any reader (DoS) Also vulnerable to Covert Channel attack – ie, setting of KILL PIN by any reader to “mark” EDL bearer with 32-bit value accessible by any other reader (for tracking) Passport Cards Not vulnerable to DoS, as KILL PIN is set & locked at card issuance.
Defensive Proposals Class-1 Gen-2 tag specification contains no explicit anti-cloning features Propose co-opting the two native Gen-2 access-control commands (KILL, ACCESS) to achieve EPC tag authentication Seeking to provide a backward-compatible cloning defensive strategy, requiring no changes to existing readers or tags
Cloning Defensive Proposal #1: Co-Opting KILL Command for Tag Authentication Authors refer to as KILL-Based Authentication (KBA) To Authenticate Tag, a Reader… Must have knowledge of a tag’s valid KILL PIN (Pkill) Constructs an invalid KILL PIN (P’kill) Transmits the KILL PIN pair (P’kill; Pkill), in a random order, across two low-power KILL command sessions Expected Result… A valid tag will acknowledge the correct PIN (by responding with an “Insufficient Power” error code) and reject the incorrect PIN (with no response at all) A cloned tag does not know Pkill, so it ignores both PINs: its silence on P’kill looks correct, but its silence on Pkill (where “Insufficient Power” is expected) exposes it
Cloning Defensive Proposal #1: Co-Opting KILL Command for Tag Authentication The Challenge of KILL-Based Authentication (KBA) … Requires reliable transmission of commands in the low-power range of the target tag Too much power, and the tag will kill itself Too little power, and the tag will not respond at all Advantage: Backwards-compatible, requiring no changes to deployed EPC tags
Cloning Defensive Proposal #2: Co-Opting ACCESS Command for Tag Authentication Authors refer to as ACCESS-Based Authentication (ABA) A form of one-time “challenge-response” To Authenticate Tag, a Reader… Must have knowledge of a tag’s ACCESS PIN (Paccess) as well as its Private Data (D) Transmits Paccess to put the tag in the secured state, then reads the private data and confirms it matches D Disadvantages… ACCESS is an optional command in the EPCglobal standard, so not all tags support it Requires the reader to hold Paccess, a privileged credential that also unlocks write access to the tag Authors therefore focus their implementation around KBA instead
Implementing KILL-based Authentication (KBA) The Implementation Challenge Reader Power Calibration: I.e., Having the reader transmit enough power to interrogate a tag, but not enough to actually KILL the tag Two KBA Algorithms are proposed & evaluated: Simple KBA Algorithm Scaled KBA Algorithm Each Algorithm consists of two phases: Reader Power Calibration Phase – correct power level is determined Authentication Phase – the KILL command is issued
Implement & Test: 1. Simple KBA Algorithm Reader Power Calibration Phase Reader ramps up power, from min to max, in its smallest possible increments Reader transmits the KILL command (with the valid KILL PIN, since a KILL with an invalid PIN draws no reply) at each level When reader receives its first reply from the tag (“Insufficient Power”), reader’s power level is fixed (at that level) Authentication Phase Reader sends N KILL commands (N-1 bogus PINs, 1 real PIN), at the selected power level, to authenticate the tag
Test Results: 1. Simple KBA Algorithm Tested using varying distances b/w Tag and Reader’s Antenna Test Criteria: N = 10 (# KILL commands sent) Algorithm repeated 10 times/distance Expectation: 10 successful tag authentications at each distance Observations: Weakness… if tag too close, reader power level not low enough to avoid unintentional KILL Successfully authenticates tag most of the time In practice, authentication could be repeated if unsuccessful Reader Settings Power range: 15dBm – 30dBm Min Increment: .25 dB
Implement & Test: 2. Scaled KBA Algorithm More sophisticated. Attempts to avoid unintentional KILLs Calibrates reader power levels b/w the min power required to read tag and the min power required to write tag Why? More power required to write than to read. Tag disablement (a true KILL) would require, minimally, the power to write
Implement & Test: 2. Scaled KBA Algorithm Reader Power Calibration Phase (5 steps) 1. Via power ramping, determine the minimum reader power level at which the tag can be read (PWRR) 2. Via power ramping, determine the minimum reader power level at which the tag can be written (PWRW) 3. Verify there is sufficient margin between the two for the reader to place a power level between them (Margin = PWRW - PWRR, 2 dB in the experiments); if not, abort 4. Select a reader power level inside the window (between PWRR and PWRR + Margin) 5. Ensure the selected level stays below PWRW, so the tag never receives enough power to write to itself (a true KILL requires a write) Authentication Phase Reader sends N KILL commands (N-1 bogus PINs, 1 real PIN), at the selected power level, to authenticate the tag
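Added example (not the authors’ code): a simulation that ties together the KILL-command behaviour described under Data-Security Feature #1, the KBA proposal, and the Simple and Scaled calibration algorithms above. The tag model (a read threshold at which the tag answers at all, a higher write threshold above which a correct-PIN KILL really destroys it, silence on a wrong PIN), the free-space path-loss model, and the choice of a power level in the middle of the calibration window are assumptions of this example; the 15–30 dBm range, 0.25 dB step, N = 10 and 2 dB margin are the slide’s figures. In this model the Scaled algorithm aborts, rather than passes, at ranges where the reader’s 15 dBm floor already exceeds the tag’s write threshold; the point is that it never destroys the tag, which the Simple algorithm does.

```python
"""KILL-based authentication (KBA) against a simplified Gen2 tag model.

Constructed example. Assumptions: a tag replies to a command once the received
power reaches its read threshold; a KILL with the correct PIN above the read
threshold but below the write threshold returns "Insufficient Power"; above the
write threshold it actually kills the tag; a KILL with a wrong PIN is ignored.
"""
import math
import random

POWER_MIN_DBM, POWER_MAX_DBM, POWER_STEP_DB = 15.0, 30.0, 0.25   # slide's reader settings
INSUFFICIENT_POWER, KILLED = "INSUFFICIENT_POWER", "KILLED"


def reader_levels():
    """Transmit power levels from min to max in the reader's smallest increment."""
    steps = int(round((POWER_MAX_DBM - POWER_MIN_DBM) / POWER_STEP_DB))
    return [POWER_MIN_DBM + i * POWER_STEP_DB for i in range(steps + 1)]


def path_loss_db(distance_m):
    """Assumed free-space-style link: ~31.5 dB at 1 m for UHF, +20 dB per decade."""
    return 31.5 + 20.0 * math.log10(distance_m)


class Gen2Tag:
    def __init__(self, kill_pin, read_threshold_dbm=-15.0, write_threshold_dbm=-9.0):
        self.kill_pin = kill_pin & 0xFFFFFFFF
        self.read_threshold_dbm = read_threshold_dbm    # min received power to reply at all
        self.write_threshold_dbm = write_threshold_dbm  # min received power to program NVM
        self.killed = False

    def _powered(self, rx_dbm):
        return not self.killed and rx_dbm >= self.read_threshold_dbm

    def read(self, rx_dbm):
        return self._powered(rx_dbm)

    def write(self, rx_dbm):
        """A harmless write used only for calibration; True if it sticks."""
        return self._powered(rx_dbm) and rx_dbm >= self.write_threshold_dbm

    def kill(self, pin, rx_dbm):
        """None = no reply (unpowered or wrong PIN); else an error code or KILLED."""
        if not self._powered(rx_dbm) or (pin & 0xFFFFFFFF) != self.kill_pin:
            return None
        if rx_dbm < self.write_threshold_dbm:
            return INSUFFICIENT_POWER   # the side channel KBA relies on
        self.killed = True
        return KILLED


def _authenticate(tag, loss_db, level_dbm, pin, n, rng):
    """Shared authentication phase: N KILLs, N-1 bogus PINs and 1 real one, random order."""
    pins = [pin]
    while len(pins) < n:
        bogus = rng.getrandbits(32)
        if bogus != pin:
            pins.append(bogus)
    rng.shuffle(pins)
    for p in pins:
        reply = tag.kill(p, level_dbm - loss_db)
        if reply == KILLED:
            return KILLED                    # calibration was wrong; the tag is gone
        if reply != (INSUFFICIENT_POWER if p == pin else None):
            return "FAIL"                    # a clone stays silent on the real PIN
    return "PASS"


def simple_kba(tag, distance_m, pin, n=10, rng=None):
    rng = rng or random.Random(0)
    loss = path_loss_db(distance_m)
    # Calibration: ramp up, sending KILL with the real PIN, until the tag first replies.
    for level in reader_levels():
        reply = tag.kill(pin, level - loss)
        if reply == KILLED:
            return KILLED                    # reader floor already exceeded the write threshold
        if reply == INSUFFICIENT_POWER:
            return _authenticate(tag, loss, level, pin, n, rng)
    return "FAIL"                            # no reply at any level: absent tag or clone


def scaled_kba(tag, distance_m, pin, n=10, margin_db=2.0, rng=None):
    rng = rng or random.Random(0)
    loss = path_loss_db(distance_m)
    levels = reader_levels()
    pwr_r = next((lv for lv in levels if tag.read(lv - loss)), None)
    pwr_w = next((lv for lv in levels if tag.write(lv - loss)), None)
    if pwr_r is None or pwr_w is None:
        return "FAIL"                        # cannot calibrate (absent tag or no write support)
    if pwr_w - pwr_r < margin_db:
        return "ABORT"                       # window too narrow to place a safe level
    # Assumed placement: middle of the window, snapped down to the reader increment.
    mid = pwr_r + (pwr_w - pwr_r) / 2.0
    level = pwr_r + math.floor((mid - pwr_r) / POWER_STEP_DB) * POWER_STEP_DB
    assert level < pwr_w                     # tag can never write (so never kill) itself
    return _authenticate(tag, loss, level, pin, n, rng)


def run_scenarios():
    """Constructed scenarios: a genuine tag and a clone that never learned Pkill."""
    pin, out = 0x1234ABCD, {}
    genuine = Gen2Tag(pin)
    out["simple_genuine_1m"] = simple_kba(genuine, 1.0, pin)
    out["scaled_genuine_1m"] = scaled_kba(genuine, 1.0, pin)
    clone = Gen2Tag(0)                       # EPC/TID copied, KILL PIN unknown
    out["simple_clone_1m"] = simple_kba(clone, 1.0, pin)
    out["scaled_clone_1m"] = scaled_kba(clone, 1.0, pin)
    close_simple, close_scaled = Gen2Tag(pin), Gen2Tag(pin)
    out["simple_genuine_0.3m"] = simple_kba(close_simple, 0.3, pin)
    out["simple_genuine_0.3m_killed"] = close_simple.killed
    out["scaled_genuine_0.3m"] = scaled_kba(close_scaled, 0.3, pin)
    out["scaled_genuine_0.3m_killed"] = close_scaled.killed
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-28s %s" % (name, result))
```

At 1 m both algorithms authenticate the genuine tag and reject the clone; at 0.3 m the Simple algorithm destroys the tag on its very first calibration step, while the Scaled algorithm measures a zero-width read/write window and aborts with the tag intact.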
Test Results: 2. Scaled KBA Algorithm Tested using varying distances b/w Tag and Reader’s Antenna Test Criteria: N = 10 (# KILL commands sent) Algorithm repeated 100 times/ea Expectation: 100 successful tag authentications at each distance Observations: Achieves objective – alleviates unintentional KILLs at short ranges Weakness… calibration phase requires writing to tag, and not all tags support being written to (e.g., PASS cards are perma-locked read-only) Reader Settings Power range: 15 dBm – 30 dBm Min Increment: .25 dB Adopted Margin: 2 dB
Conclusion KILL-Based Authentication (KBA) offers a viable strategy in defense of the Gen-2 EPC Tag’s weakness to cloning Simple KBA is the most promising approach when Scaled KBA cannot be used * *e.g., when tag writing is not supported (as is the case with the PASS Card) Lessons learned & suggested defensive directions are applicable, in general, to any Gen-2 EPC Tag deployment.
Technological Advances Existing EPC Gen 2 Tags based on 2004 EPCGlobal Standard New standard ratified in 2013, EPC Gen 2v2, to address many of these security concerns EPC Gen2v2 is backward-compatible, includes optional security features: Untraceable function to hide portions of data, restrict access privileges and reduce a tag’s read range Support for cryptographic authentication of tags and readers, to verify identity and reduce the risk of counterfeiting and unauthorized access E.g., Authenticate command to implement Tag and/or Reader authentication, using Tag’s cryptographic suite. Includes deriving session keys and exchanging parameters for subsequent communications.
Thank you Q&A ?
Backup Slides
Related Work: Attacks on Other types of RFID tags Proxmark device used to clone proximity cards & VeriChip tags (human-implantable RFID tags) Similar to Class-1 Gen-2 RFID tags, but operating in a different (low) frequency range Brute-force key-cracking attacks against TI DST (crypto-enabled RFID) Cipher & RNG attacks on Philips Mifare Classic RFID tag Cloning attacks against first-generation RFID-enabled credit cards Cloning attacks against the e-passport (similar to the Passport Card, but with crypto authentication)
Test Results: 2. Scaled KBA Algorithm Test Criteria: Adopted a margin of 2 dB N = 10 for these tests Algorithm repeated 100 times at each distance Expectation: 100 successful authentications at each distance