1. 1 Presented by July-2013, IIM Indore

2. 2  RFID = Radio Frequency IDentification.  RFID is ADC (Automated Data Collection) technology that:-  uses radio-frequency waves to transfer data between a reader and a movable item to identify, categorize, track.  is fast and does not require physical sight or contact between reader/scanner and the tagged item.  attempts to provide unique identification and backend integration that allows for wide range of applications.

3. 3

4. 4

5. 5  Broadly threats are categorized based on:- Confidentiality, Integrity, Availability as-  Spoofing identity  Tampering with data  Repudiation  Information disclosure  Denial of service  Elevation of privilege

6. 6  “Spoofing occurs when an attacker successfully poses as an authorized user of a system”  A competitor or thief performs an unauthorized inventory of a store by scanning tags with an unauthorized reader to determine the types and quantities of items.  An attacker trying to save money by buying expensive goods that have RFID price tags spoofed to display cheaper prices.

7. 7  Appropriate authentication,  Protect secrets,  Don’t store secrets

8. 8  “Data tampering occurs when an attacker modifies, adds, deletes, or reorders data”  For Eg:-  An attacker modifies a passport tag to appear to be a citizen in good standing.  An attacker adds additional tags in a shipment that makes the shipment appear to contain more items than it actually does.

9. 9  Appropriate authentication,  Message authentication codes  Digital signatures,  Tamper-resistant protocols

10. 10  “Repudiation occurs when a user denies an action and no proof exists to prove that the action was performed”  A retailer denies receiving a certain pallet, case, or item.  The owner of the EPC number denies having information about the item to which the tag is attached.

11. 11  Digital signatures,  Timestamps,  Audit trails

12. 12  “Information disclosure occurs when information is exposed to an unauthorized user”  A bomb in a restaurant explodes when there are five or more Americans with RFID-enabled passports detected.  An attacker blackmails an individual for having certain merchandise in their possession.  A sufficiently powerful directed reader reads tags in your house or car.

13. 13  Authorization,  Privacy-enhanced protocols,  Encryption,

14. 14  “Denial-of-service denies service to valid users. Denial-of-service attacks are easy to accomplish and difficult to guard against.”  An attacker with a powerful reader jams the reader.  An attacker intrudes into the system thereby aborting the transactions.

15. 15  Appropriate authentication,  Appropriate authorization,  Filtering,  Throttling,  Quality of Service

16. 16  “A user logging on to the database to know the product’s information can become an attacker by raising his/her status in the information system from a user to a root server administrator and write or add malicious data into the system.”  A system user modifies the authorisation & authentication privileges to transfer money to his account.

17. 17  Run with least privilege  Hierarchy based privilege  Restricted privilege to user.

18. 18  Damage potential (1-10)  Reproducibility (1-10)  Exploitability (1-10)  Affected Users (1-10)  Discoverability (1-10)

19. 19  RFID is extensively used worldwide due to its efficient and convenient features.  Still, it has threats & vulnerabilities associated with it.  Despite the proposed mitigation strategies yet it is not possible to design full-proof RFID system.  Extensive research is being carried out for reliable RFID system.

20. 20 PPT downloaded from www.pravinkolhe.com

21. 21