IWD2243 Wireless & Mobile Security

Presentation transcript:

IWD2243 Wireless & Mobile Security Chapter 6 : Wireless Embedded System Security Prepared by : Zuraidy Adnan, FITM UNISEL

6.1 Introduction

Radio Frequency Identification (RFID)
- Radio transmission containing some type of identifying information.
- Cryptographically encoded challenges and responses.
- Applications include:
  - Point of Sale (POS)
  - Automated Vehicle Identification (AVI)
  - Restricting access to buildings or rooms within buildings
  - Livestock identification
  - Asset tracking
  - Pet ownership identification
  - Warehouse management and logistics, etc.

6.2 RFID Security in General
- RFID is being used in multiple areas where little or no consideration was given to security issues.
- Case: ExxonMobil Speedpass, an RFID POS system.
- Adi Shamir: monitoring the power level in RFID tags can compromise the SHA-1 algorithm in RFID.
- Adi Shamir: a common cell phone can conduct an attack in a given area.
- Walmart began using RFID in its supply chain.
- The Department of Defense uses RFID to improve data quality and the management of inventories.

6.3 RFID Radio Basics
- Radio: a small piece of the "electromagnetic spectrum", which covers all forms of radiation.
- Radio frequency (RF) is broken down into a number of bands.
- US: RF is handled by the FCC.
- Europe: RF is mostly handled by ETSI.
- RFID: most systems use one of three general bands: LF (125 kHz to 134 kHz), HF (13.56 MHz), and ultra HF (860 to 930 MHz).
- See figure 24.3: Two different RFID tags and reader with integral antenna, page 621.

6.4 RFID architecture
- Consists of a reader and a tag (also known as a label or chip).
- The reader queries the tag, obtains information, and then takes action based on that information.

Tag / label
- Transponder: a combination of transmitter and receiver. The transponder used in RFID is called a tag, label, or chip.
- An RFID tag contains the following items: encoding/decoding circuitry, memory, antenna, power supply, communication control.
- Active and passive tags.
- See figure 24.4: Passive & active tag processes, page 624.


6.4 RFID architecture

Passive vs active tags
- Passive tag: has no battery or power source and waits for a signal from a reader. It contains a resonant circuit capable of absorbing power from the reader's antenna.
- Obtaining power from the reader device is done using an electromagnetic property known as Near Field. The antenna and reader must be in close proximity to work.
- Active tag: uses a battery as its own power source. It does not need Near Field functionality and works over longer distances.
- Semi-passive tag: has a battery but also uses the Near Field function to power the radio circuits.

6.4 RFID architecture

Reader
- Also called an "interrogator" or "transceiver".
- Handheld unit: a combination of reader and antenna.
- Contains a system interface such as an RS232 serial port or Ethernet jack, cryptographic encoding and decoding circuitry, a power supply or battery, and communication control circuits.

Middleware
- Software that manages the readers and the data coming from the tags, and passes it to the backend of the system.
- The backend can be a standard commercial database such as SQL, MySQL, Oracle, Postgres.

6.5 Data communication (RFID)

Tag data
- A few bytes to several megabytes.
- Depends on the application and the individual tag.
- Many proprietary formats; the latest standard is the Electronic Product Code (EPC).
- EPC is a replacement for the Universal Product Code (UPC).
- See figure 24.5: Typical UPC bar code, page 627.
- EPC uses the GID-96 format. GID-96 has 96 bits (12 bytes) of data: a 28-bit General Manager Number (identifies the organization), a 24-bit object class (breaks products down into groups), a 36-bit serial number, and an 8-bit header.
- See figure 24.6: Reader & Tag interaction, page 628.
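
The GID-96 layout above, decoded field by field. This is an added example, not part of the original slides; the header value 0x35 comes from the EPC Tag Data Standard rather than from the slides, and the sample EPC and function name are constructed for illustration.

```python
import re

GID96_HEADER = 0x35  # header value assigned to GID-96 in the EPC Tag Data Standard

# (field name, width in bits), most significant field first: 8 + 28 + 24 + 36 = 96
GID96_FIELDS = (("header", 8), ("manager", 28), ("object_class", 24), ("serial", 36))

# Constructed sample: header 0x35, manager 0x0012345, class 0x0ABCDE, serial 0x123456789
SAMPLE_EPC = "3500123450ABCDE123456789"


def parse_gid96(epc_hex: str) -> dict:
    """Split a 96-bit EPC (24 hex digits) into its GID-96 fields.

    Rejects anything that is not exactly 24 hex digits or whose header is not
    the GID-96 header, so other tag contents never reach the middleware as an EPC.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", epc_hex):
        raise ValueError("GID-96 must be exactly 24 hex digits (96 bits)")
    value = int(epc_hex, 16)
    fields, shift = {}, 96
    for name, width in GID96_FIELDS:
        shift -= width  # move down to the start of this field
        fields[name] = (value >> shift) & ((1 << width) - 1)
    if fields["header"] != GID96_HEADER:
        raise ValueError(f"not a GID-96 EPC: header 0x{fields['header']:02X}")
    return fields


if __name__ == "__main__":
    for name, val in parse_gid96(SAMPLE_EPC).items():
        print(f"{name:>12}: 0x{val:X}")
```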


6.5 Data communication (RFID)

Protocols
- See table 24.2: RFID Tag protocol, page 629.

6.6 Physical Form Factor (Tag Container)
- Can be in any form desired to perform the required function.
- The design may be influenced by the type of antenna.
- May be a standalone device, or integrated into another object such as a car ignition key.
- Cards: many purposes, such as building access. See figures 24.7 & 24.8: Fake credit card showing the RFID chip and antenna; A passive tag's internal components, page 631.
- Key fobs: ExxonMobil Speedpass.
- Other form factors: E-ZPass (toll collection system). See figure 24.9: E-ZPass windshield-mounted tag, page 633.

6.7 Threat and Target Identification
- The target can be an entire system, or a section of the overall system.
- An organization can suffer tremendous loss. E.g. an RFID tag was manipulated at the POS so that the price of an item was reduced from RM200 to RM19.95, a 90% loss for the company.
- RF manipulation: preventing the tag of an object from being detected by a reader, by wrapping the item in aluminum foil or placing it in a metallic-coated Mylar bag.

6.7 Threat and Target Identification

Attacks over the air interface
- Four types of attack: spoofing, insert, replay, and DoS.
- Spoofing: supplying false information that looks valid and that the system accepts. Involves a fake domain name, IP address, or MAC address. E.g. broadcasting an incorrect EPC number over the air when a valid number was expected.
- Insert: inserting a system command where data is normally expected. Common on websites, where malicious code is injected into a web-based application (SQL injection). Can be applied in an RFID situation by having a tag carry a system command rather than valid data in its data storage area.
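
How middleware can keep an insert attack from reaching the backend, shown as a weak scan handler beside a hardened one. This is an added example, not part of the original slides; the table, function names and both tag payloads are constructed, and an in-memory SQLite database stands in for the backend.

```python
import re
import sqlite3

# Constructed tag contents: a 96-bit EPC in hex, and a tag whose data area
# holds SQL text instead of an identifier.
GOOD_TAG = "3500123450ABCDE123456789"
BAD_TAG = "x', 1) --"

EPC_HEX = re.compile(r"[0-9A-Fa-f]{24}")  # allow-list: 96 bits as hex, nothing else


def new_backend() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scans (tag_data TEXT, paid INTEGER)")
    return db


def record_scan_weak(db: sqlite3.Connection, tag_data: str) -> None:
    # Weak: tag contents are pasted into the statement text, so whatever the
    # tag carries is parsed as SQL and can change the values being stored.
    db.execute(f"INSERT INTO scans (tag_data, paid) VALUES ('{tag_data}', 0)")


def record_scan_hardened(db: sqlite3.Connection, tag_data: str) -> bool:
    # 1) Reject anything that does not look like the expected tag data.
    if not EPC_HEX.fullmatch(tag_data):
        return False
    # 2) Bind the value as a parameter, so it is stored as data, never parsed as SQL.
    db.execute("INSERT INTO scans (tag_data, paid) VALUES (?, 0)", (tag_data,))
    return True


def paid_flags(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT paid FROM scans ORDER BY rowid")]


if __name__ == "__main__":
    weak, hard = new_backend(), new_backend()
    for tag in (GOOD_TAG, BAD_TAG):
        record_scan_weak(weak, tag)
        print("hardened accepted:", record_scan_hardened(hard, tag))
    print("weak paid flags:    ", paid_flags(weak))
    print("hardened paid flags:", paid_flags(hard))
```

Either control alone stops this payload; using both means a gap in the format check does not turn into a backend compromise.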

6.7 Threat and Target Identification

Attacks over the air interface
- Replay: an RFID signal is intercepted and its data is recorded; this data is later transmitted to a reader, where it is played back.
- DoS: also known as flood attacks. The signal is flooded with more data than it can handle. RF jamming.

Manipulating tag data
- RF dump, RF dump-PDA.
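
Why a challenge-response exchange resists the replay described above: the tag's reply is tied to a fresh reader nonce, so a recorded reply fails in any later session. This is an added example, not part of the original slides; HMAC-SHA256 with a per-tag shared key, and the `Tag` and `Reader` classes, are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class Tag:
    """Hypothetical tag holding a secret key shared with the reader."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        # The reply covers this one challenge, so it is useless for any other.
        return hmac.new(self._key, challenge + self.tag_id, hashlib.sha256).digest()


class Reader:
    """Hypothetical reader that issues one nonce per authentication attempt."""

    def __init__(self, keys: dict):
        self._keys, self._pending = keys, None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh, unpredictable nonce
        return self._pending

    def verify(self, tag_id: bytes, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # a challenge is single-use
        key = self._keys.get(tag_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def replay_demo() -> tuple:
    key = secrets.token_bytes(32)
    tag = Tag(b"TAG-0001", key)  # constructed tag ID
    reader = Reader({tag.tag_id: key})

    recorded = tag.respond(reader.new_challenge())    # reply captured off the air
    genuine_ok = reader.verify(tag.tag_id, recorded)  # legitimate exchange completes

    reader.new_challenge()                            # later session, new nonce
    replay_ok = reader.verify(tag.tag_id, recorded)   # captured reply played back
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print("genuine accepted: %s, replay accepted: %s" % replay_demo())
```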

6.7 Threat and Target Identification

Middleware
- Any point between the reader and the backend.
- E.g. the ExxonMobil Speedpass system.
- The weakest point is the LAN. Replay and DoS attacks can be done.
- Social engineering attacks.
- The connection between the data center and the credit card centers can also be a point of attack.

6.7 Threat and Target Identification

Backend
- "Where the money is".

Blended attacks
- Combinations of all the attacks, to ensure the attack succeeds.

6.8 Management of RFID security

Risk and vulnerability assessment
- Who, what, when, where, and how.
- Hardening the target: tag, middleware, backend.
- Read: Notes from underground.

Risk management
- Validating all the equipment: tag, middleware, backend.

Threat management
- Confirming the integrity of the system.