NFC (RFID) Security. Prof. Gildas Avoine, Université catholique de Louvain (PowerPoint presentation)

SLIDE 1

NFC (RFID) Security

Prof. Gildas Avoine

Université catholique de Louvain, Belgium
Information Security Group

SLIDE 2

SUMMARY

  • Technological Background
  • Security Threats
  • Examples
  • Conclusion

SLIDE 3

TECHNOLOGICAL BACKGROUND

SLIDE 4

Definition and Architecture

Definition (RFID, E.U. Recommendation 2009): "[RFID] means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it."

Gildas Avoine NFC (RFID) Security 4/19

SLIDE 5

Near Field Communication

Extension of several RFID proximity communication standards [ISO14443].

Additional features [ISO18092], [ISO21481]:

  • Peer-to-Peer connections between two (active) devices.
  • Emulation of (passive) RFID tags. (Initiator / Target).
  • NFC Data Exchange Format.

SLIDE 6

Basic RFID

Image credits: www.aeroid.co.uk, www.rfid-library.com, www.flickr.com, www.safetzone.com

Supply chain tracking.

  • Track boxes, pallets, etc.

Libraries.

  • Improve book borrowing and inventories.

Pet identification.

  • Replace tattoos by electronic ones.
  • ISO11784, ISO11785.

Localisation.

  • Children in amusement parks, elderly people.
  • Counting cattle.

SLIDE 7

Evolved RFID and NFC

Image credits: G. Avoine, G. Avoine, www.carthiefstoppers.com, www.brusselnieuws.be, blogs.e-rockford.com

Building access control.

  • E.g. UCL, MIT.

Automobile ignition key.

  • E.g. TI DST, Keeloq.

Public transportation.

  • E.g. Brussels, Boston, Paris, ..., Thalys.

Payment.

  • E.g. Visa, Baja Beach Club.

Electronic documents.

  • E.g. ePassports.

Loyalty cards.

SLIDE 8

Tag Characteristics

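[Figure: tag characteristics for two application profiles (Access control, Logistics), with the following axes and scale labels.]

  • cost: 10 cents, 50 cents, euros
  • power: active, passive
  • frequency: LF, HF, UHF
  • communication: meters, dm, cm
  • standard: EPC, ISO14443, ISO15693
  • calculation: no, pwd, sym crypto, asym crypto
  • storage: UID, 1 KB, 40 KB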

SLIDE 9

SECURITY THREATS

SLIDE 10

Security Threats

Adversary’s objectives

[Figure (credit: Ari Juels), with the labels:]

  • 500 Euros in wallet, serial numbers: 597387,389473…
  • Wig model #4456 (cheap polyester)
  • 30 items of lingerie
  • Das Kapital and Communist-party handbook
  • Replacement hip medical part #459382

[Figure (credit: inspired by Ari Juels), labelled with the numbers 55542390, 41126751, 09840921, 54872164, 93479122.]

SLIDE 11

RFID/NFC Specificities

Low capabilities.

  • Calculation, Memory, Bandwidth, Asymmetry.

Wireless.

  • Easy to skim and eavesdrop.

Ubiquity.

  • Answer without holder’s agreement or awareness.

Fast authentication.

  • On-the-fly authentication.

SLIDE 12

EXAMPLES

SLIDE 13

Example 1: Impersonation

  • Mifare Classic, NXP Semiconductors, 1995.
  • Access control, public transportation, payment (wallet), ...
  • Broken in 2008.

SLIDE 14

Example 2: Relay Attacks

  • Verbatim messages are relayed.
  • Cannot be avoided with cryptographic means.
  • Attacks are doable by script kiddies (NFC).
  • No satisfactory solution yet.

SLIDE 15

Example 3: Information Leakage from the Card

  • Public Transportation.
  • Last validations in the card not protected.
  • Quite limited anonymity.

SLIDE 16

Example 3: Information Leakage from the Database

  • Pet Identification.
  • Database is public in some countries.
  • Problem not only related to NFC/RFID, but amplified.
  • Logphilia.

SLIDE 17

CONCLUSION

SLIDE 18

From Manufacturers to Users

SLIDE 19

Conclusion

“Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of security and privacy-by-design)”. (European Commission Recommendation of 12.5.2009)
