
  1. NFC (RFID) Security
     Prof. Gildas Avoine
     Université catholique de Louvain, Belgium
     Information Security Group

  2. SUMMARY
     Technological Background
     Security Threats
     Examples
     Conclusion

  3. TECHNOLOGICAL BACKGROUND

  4. Definition and Architecture
     Definition (RFID, EU Recommendation 2009): [RFID] means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it.
     Gildas Avoine NFC (RFID) Security 4/19

  5. Near Field Communication
     Extension of several RFID proximity communication standards [ISO14443].
     Additional Features [ISO18092], [ISO21481]
     ◦ Peer-to-Peer connections between two (active) devices.
     ◦ Emulation of (passive) RFID tags. (Initiator / Target).
     ◦ NFC Data Exchange Format.

  6. Basic RFID
     Supply chain tracking. (Image: www.aeroid.co.uk)
     ◦ Track boxes, pallets, etc.
     Libraries. (Image: www.rfid-library.com)
     ◦ Improve book borrowing and inventories.
     Pet identification. (Image: www.flickr.com)
     ◦ Replace tattoos by electronic ones.
     ◦ ISO11784, ISO11785.
     Localisation. (Image: www.safetzone.com)
     ◦ Children in amusement parks, elderly people.
     ◦ Counting cattle.

  7. Evolved RFID and NFC
     Building access control.
     ◦ E.g. UCL, MIT.
     Automobile ignition key.
     ◦ E.g. TI DST, Keeloq.
     Public transportation.
     ◦ E.g. Brussels, Boston, Paris, ..., Thalys.
     Payment.
     ◦ E.g. Visa, Baja Beach Club.
     Electronic documents.
     ◦ E.g. ePassports.
     Loyalty cards.
     Image credits: G. Avoine; www.carthiefstoppers.com; www.brusselnieuws.be; blogs.e-rockford.com

  8. Tag Characteristics
     [Figure: chart of tag characteristics. Axes and their labelled values: power (active, passive); frequency (LF, HF, UHF); communication (cm, dm, meters); storage (UID, 1 KB, 40 KB); calculation (no pwd, sym crypto, asym crypto); cost (10 cents, 50 cents, euros); standard (EPC, ISO14443, ISO15693). Legend: Logistics, Access control.]

  9. SECURITY THREATS

  10. Security Threats
     Adversary’s objectives
     [Figure: tagged items and the tag numbers an adversary can read. Items: Wig model #4456 (cheap polyester); Replacement hip medical part #459382; Das Kapital and Communist-party handbook; 500 Euros in wallet, Serial numbers: 597387,389473…; 30 items of lingerie. Tag numbers shown: 41126751, 93479122, 54872164, 55542390, 09840921.]
     Credit: Ari Juels. Credit: Inspired by Ari Juels.

  11. RFID/NFC Specificities
     Low capabilities.
     ◦ Calculation, Memory, Bandwidth, Asymmetry.
     Wireless.
     ◦ Easy to skim and eavesdrop.
     Ubiquity.
     ◦ Answer without holder’s agreement or awareness.
     Fast authentication.
     ◦ On-the-fly authentication.

  12. EXAMPLES

  13. Example 1: Impersonation
     Mifare Classic, NXP Semiconductors, 1995.
     Access control, public transportation, payment (wallet), ...
     Broken in 2008.

  14. Example 2: Relay Attacks
     Verbatim messages are relayed.
     Cannot be avoided with cryptographic means.
     Attacks are doable by script kiddies (NFC).
     No satisfactory solution yet.

  15. Example 3: Information Leakage from the Card
     Public Transportation.
     Last validations in the card not protected.
     Quite limited anonymity.

  16. Example 3: Information Leakage from the Database
     Pet Identification.
     Database is public in some countries.
     Problem not only related to NFC/RFID, but amplified.
     Logphilia.

  17. CONCLUSION

  18. From Manufacturers to Users

  19. Conclusion
     “Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of security and privacy-by-design)”. (European Commission Recommendation of 12.5.2009)
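
Slide 14 (Example 2: Relay Attacks) states that verbatim relaying cannot be avoided with cryptographic means. The simulation below is an added example, not part of the original slides: it assumes an HMAC-SHA256 challenge-response between a reader and a tag, and the `Tag`, `Reader` and `Relay` classes are hypothetical names chosen for illustration. It shows that the reader's cryptographic check gives the same verdict for a direct exchange and a relayed one, while a forged response is rejected.

```python
import hashlib
import hmac
import os


class Tag:
    """Tag holding a shared symmetric key (constructed for this example)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    """Reader that authenticates whatever answers on the given channel."""

    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, channel) -> bool:
        challenge = os.urandom(16)          # fresh nonce per session
        response = channel(challenge)       # the reader cannot see who answers
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class Relay:
    """Forwards each message unchanged between reader and a distant tag.
    It holds no key and never modifies a byte."""

    def __init__(self, remote_tag: Tag):
        self._tag = remote_tag
        self.log = []

    def forward(self, challenge: bytes) -> bytes:
        self.log.append(("reader->tag", challenge))
        response = self._tag.respond(challenge)
        self.log.append(("tag->reader", response))
        return response


def run_demo() -> dict:
    key = os.urandom(32)                    # constructed sample key
    tag, reader = Tag(key), Reader(key)
    relay = Relay(tag)
    return {
        "direct": reader.authenticate(tag.respond),
        "relayed": reader.authenticate(relay.forward),
        # A response produced without the key fails: cryptography stops forgery.
        "forged": reader.authenticate(lambda c: os.urandom(32)),
        "relay_messages": len(relay.log),
    }
```

The relayed session is byte-for-byte a valid protocol run, so nothing in the message contents lets the reader distinguish it from the direct one.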
