10 RFID Security Concerns and Threats

Like any other security devices and mechanism RFID is not flawless. Despite its
widespread application and usage, RFID poses security threats and challenges that
need to be addressed properly before deployment. This post aims to highlight several
important RFID related security issues.
1.

RFID Counterfeiting: depending on the computing power,

RFID can be classified into three categories:

2.

Basic tags

3.

Tags that uses symmetric keys

4.

Tags that uses public-key

Since basic tags do not use any encryption, they can be counterfeited easily. As you
already know that supply chain management and travel industries. Attackers can write
information to a basic black tag or can modify data in the tag writable basic tag in
order to gain access or validate a products authenticity. The things that an attacker
can do with basic tags are:

They can modify the existing data in the basic tags and can
make invalid tags into a valid tag and vice-versa. They can lower
the price of an expensive item to buy it at reduced price.

The attackers can change the tag of an object to that of

another tag embedded in another object.

They can create their own tag using personal information

attached to another tag.

So, make sure your tag is using some sort of cryptography when you are dealing with
sensitive object such a passports or any identity documents. If you have to use basic
tag, make sure you have proper security measures, monitoring and audit program in
place to detect any anomalies in your RFID system.
2. RFID Sniffing
Sniffing is a major of concern in deploying RFID solution. RFID readers always send
requests to the tags to send back its identity information. Once the reader reads
information sent by the tag, it verifies it with the data stored in a backend server.
Unfortunately, most of the RFID tags do not have a way to discriminate between a
request sent by a valid RFID read and a fake RFID reader. An attacker can use his
own RFID reader to read the tags and use it for their own purposes.
3. Tracking
By reading information received from RFID tag an attacker can track the location and
movement of an object or a person. When a tag is attached to an object and the object
enter the RFID readers field, the RFID read can identify the object and locate its
position. So, you need to remember that whenever you attach an RFID tag to an
object, you need to accept that fact that an attacker can track your object even if you
are using encrypted messages to communicate between the tags and the RFID readers.
An attacker can use mobile robots in order to track the location.
4. Denial of Service
When a reader request information from a tag, it receive the identification id and
compares it with the id stored in the database server. Both the RFID reader and the
backend server are vulnerable to denial of service attacks. When DoS attack takes
place, the tags fail to verify its identity with the reader and as a result the service gets
interrupted. So, you need to make sure both the reader and the database server has
mechanism to fight against denial of service attack.
5. Spoofing

In a spoofing attack, the attacker masquerade as a legitimate user of the system. The
attacker can pose himself as an authorized Object Naming Service user or database
user. If an attacker can successfully get access to the system with his spoofed
credentials he can do whatever he wants with RIFD data such as responding to invalid
requests, changing RFID id, denying normal service or even writing malicious code in
the system.
6. Repudiation
As you know that repudiation means when as user officially deny that he has done an
action and we have no way to verify that whether he has performed that particular
action. In the case of RFID, repudiation can happened in two ways: one is the sender
or receiver may deny doing an action such as sending RFID request and we have no
evidence to proof that. The second one is the EPC number owner or the database
owner denies that it has any data about the tags attached to an object or a person.
7. Insert Attacks
In this type of attack, an attacker tries to insert system commands to the RFID system
instead of sending normal data.an example of RFID insert attack is that a tag carrying
system command in its memory..
8. Replay Attacks
An attacker intercepts communication message flowing between the reader and the
tags and he records the tags response that can be used as a response to readers
request. An example of reply attack is a perpetrator recording communication between
access card reader and a proximity card, which can be used to access a secure facility.
9. Physical Attacks
It happens when an attacker physically obtain tags and alter its information.
Physically attack can take place in a number of ways such as an attacker using a probe
to read and to alter the data on tags. X-ray band or other radial band destroys data in
tags, which an attacker can use to attack an RFID system-this type of attack is also
known as radiation imprinting. Electromagnetic interference can disrupt
communication between the tags and the reader.

Beside, anyone can easily remove tags from objects with knife or any other tools,
which will make your object unrecognizable by the RFID reader.
10.

Viruses

Like any other information system, RFID is also prone to virus attacks. In most cases
the backend database is the main target. An RFID virus can either destroy or disclose
the tags data stored in the database disrupt the service or block the communication
between the database and the reader.