
2009 Sixth International Conference on Information Technology: New Generations

An Empirical Study for Protecting Passive RFID Systems against Cloning


Mostafa M. El-Said and Ira Woodring
School of Computing and Information Systems, Grand Valley State University, Allendale, MI 49418
E-mail: elsaidm@gvsu.edu, irawoodring@gmail.com

978-0-7695-3596-8/09 $25.00 2009 IEEE DOI 10.1109/ITNG.2009.272

Abstract

RFID technology plays a key role in various areas of interest without guaranteeing security and privacy. Limitations of tag design make privacy and security enforcement a special challenge. In this paper, we introduce the essential components of an RFID system. Subsequently, RFID tag-to-reader authentication is presented as a solution framework for the tag cloning problem. The proposed solution involves receiving EPC RFID Generation-2 standard response messages, which vary according to the power level at which a tag KILL command is sent. Moreover, an empirical analysis is conducted to determine the power level necessary to kill RFID tags of different brands and types. The intention of the conducted experiments is to determine the power levels at which various RFID tags, preprogrammed with a specific KILL password, could be killed. The authors found that the power levels at which tags killed themselves varied widely.

Keywords: RFID, EPC, security, eavesdropping, transponder, RFID tag, RFID reader, tag cloning

1. Introduction

Passive RFID tags are very popular because of their simple design and low cost (a tag costs $0.05) [1]. The tag's simple design conflicts with the security the tag requires.

The RFID system consists of three main components:
i. RFID tag (Transponder)
ii. RFID reader (Interrogator)
iii. RFID Backend System

[Figure 1 image not reproduced; labelled blocks: Reader, Tag, Micro controller, Memory Chip, Radio, Antenna, Beacon RF]
Figure 1. RFID System Architecture

Passive RFID tags consist of four main sub-units, as shown in figure 1. These units manage the tag's communication phases as follows [6, 10, 13]:
Energizing - Phase I: The tag is beaconed by an incoming RF signal from the reader.
Communication - Phase II: The tag's antenna detects the electromagnetic wave and induces energy into a capacitor. The capacitor feeds power into the tag's microchip. The tag performs the requested operation and returns a response to the reader.
Unload - Phase III: The tag remains silent (capacitor unloaded), waiting for further commands from the reader.

To complete these communication phases, the reader adjusts the signal power level according to the desired operation, such as tag programming, tag query, tag access, tag lock and tag KILL [1, 3].

RFID tags come in many different shapes, sizes and capabilities. There are four major classifications of RFID tags: (i) active tags: self-powered tags; (ii) semi-active tags: tags containing an onboard battery that is not used unless the tag is interrogated by a reader; (iii) passive tags: tags that are beaconed by reader interrogation; and (iv) semi-passive tags: tags containing an onboard battery that powers the tag's internal circuitry. Such a tag benefits from the onboard battery because it can devote the energy collected from the reader to transmitting its data over longer read ranges [8]. In this paper, we focus on passive RFID tags.

The major problem with an RFID tag is that it acts as an always-on device in an open system. It talks with any RFID reader unit without restriction, releasing sensitive information about a certain object. Therefore, there is a pressing need to secure the RFID system. There are three levels of security that protect the RFID system:
i. Tag-Reader Level
ii. Reader-Tag Level
iii. Reader-Backend Level

The passive Tag-Reader security level has been overlooked by the RFID industry because passive tags have been designed without security in mind. This risk resulted from the quick transition from non-secure barcode-based systems to non-secure RFID-based systems. Consequently, a lot of

backdoors have been opened for attackers to skim and clone tags with the same tag ID [3, 4]. An attacker may then flood the reader with this bogus information continuously, which leads to a storm of errors and eventually causes a DoS attack. This is a potentially devastating situation, especially in RFID systems used by the Department of Homeland Security, such as the e-passport system. In this paper we focus on solving the tag cloning problem.

Research efforts in securing RFID systems are gathering pace as RFID providers look for a solution applicable across different tag types. In [11], a new RFID transponder design with cryptographic capabilities is introduced for Class-1 Gen-2 tags. The new design requires that the tag implement an asymmetric ciphering module. Furthermore, many proposals have suggested cryptographic protocols to protect RFID systems using a shared secret key to authenticate readers to the tag [5, 7]. These proposals have not fully addressed the issue of key management efficiently. The authors of [12] presented a mutual authentication framework based on exchanging two challenge/response messages. In [1], the authors introduce an effective solution to protect RFID tag privacy. The proposed solution relies on a blocker tag, which is a passive RFID device. The blocker tag blocks RFID readers, as well as some selected subsets of tag ID codes located in a designated privacy zone. The proposed tag designs require the tag to have enough computing power, which is not available in current tags. As a result, these models cannot be applied to current passive RFID tags. More generally, the majority of the work done in this area suffers from the following weaknesses:
- These solutions require a significant change to the tag chip design.
- The cryptographic function resources required by the proposals in [1, 5, 7, 11, 12] are not available in current passive tags.
- None of these proposals has been validated using simulation or real experimentation [1].

The proposed work presents a significant solution that performs an implicit tag authentication based on the use of the KILL command. Many researchers have focused on the KILL command operation and how it has been attacked [1, 2, 3, 9, 10]. According to the EPCglobal standard, when a tag associated with a certain product has been killed, the tag is permanently disabled. However, a recent study found that when the reader issues the KILL command, the tag's memory banks are only zeroed out; furthermore, the authors were able to reprogram the tag and bring it back to life [3]. Once the process of tag killing is started, any error returns the tag to the arbitrate state. Depending on the supplied power level and the password value, the tag may respond as described in figure 2 [3].

[Figure 2 image not reproduced. Its labels: Interrogator issues KILL(password, CW with a certain power level); branches: (a) tag receives an invalid non-zero kill password, (b) tag receives a zero kill password, (c) tag receives a valid kill password and an insufficient power level, (d) tag receives a valid kill password and a sufficient power level; outcomes: tag responds with an error code and stays in its current state (two branches), tag does not respond and moves to the arbitrate state, tag responds with a 1-bit value of 0 and moves to the killed state.]
Figure 2. Kill Command Operation

Looking beyond the issues addressed by today's RFID solutions, the proposed research aims to: (i) introduce a tag-reader authentication mechanism by controlling the power level of the KILL command, thereby protecting RFID systems against attacks using cloned tags; and (ii) devise a mechanism to determine the correct power level of the KILL command so as to avoid killing the tag accidentally during tag-reader authentication. In this research, we intend to scale up the work presented in [2, 10] and use the KILL command for a dual purpose. The original intent of the KILL command was to protect consumers' privacy by rendering tags inoperable as soon as they leave the point of sale. However, consumers don't always want their tags killed, but should still have a right to privacy.

According to the EPC standard, when a tag receives a correct password with a power level that is too low to kill it, the tag responds with an error code. This response implicitly authenticates the tag to the reader, since an incorrect password sent via the KILL command would result in no response from the tag. However, a power level that is too low does not give the tag enough power to respond even if the password is correct. This paper describes the power results determined from testing a variety of tags, with the goal of determining an appropriate power level at which to send the KILL command so that tag authentication, but not actual killing of the tag, takes place.

The remainder of the paper is organized as follows. Section 2 describes a tag-reader authentication solution. Section 3 summarizes our experimental results. Section 4 concludes the paper and outlines future work.

2. Tag Authentication Solution Approach

Our goal is to determine the tag killing power level, so that the reader knows what power level to use to authenticate the tag. In order to do this, we divide the task into two subtasks. The first subtask programs the tag and determines the power level at which the tag responds consistently to the reader's general commands. The second subtask determines the power level sufficient for the tag to respond to the reader's KILL command.

The reasons for breaking a single task into two subtasks are:
- To draw a boundary between the power levels required for various tag operations.
- To determine how the different power levels are related to each other.

2.1. Subtask I: Programming the Tag

Initial experiments revealed that a tag might respond at a particular power level, yet not respond again for several more power-level increments; to be considered a consistent response, a working definition of five successful queries in a row was therefore instituted. Initial test results using this method proved to be erratic, with a large number of protocol errors being reported by the reader. This problem led to the insertion of a delay between all commands sent to the reader. It was hypothesized that the commands were being sent too quickly to the unit, in effect flooding the tags with signals to which they could not respond appropriately. After deliberation, a pause of one second was deemed more than satisfactory for the delay, and after its implementation the testing procedure began to return consistent and useful results. These steps are summarized in Algorithm 1.

Algorithm 1: Determining the Tag's Power Level to Obtain a Consistent Query Response
Input: n tags Tagj, tags' EPCs EPCj, Lowest Power Level LPL, Highest Power Level HPL
Output: for each tagj, the lowest power level at which it responds consistently
Procedure:
    Program tagj with EPCj
    for every tagj, j < n do
        for (i = LPL; i < HPL; i = i + 0.1) do
            set power = i
            query tagj
            pause thread 1 second
            if tagj responds with its EPCj value 5 times in a row then
                tagj is guaranteed to respond at this power level
                record i and exit the inner loop
            end if
        end for
        program tagj with a unique kill password value
    end for

2.2. Subtask II: KILL Tag Power Level Determination

Testing for the correct power level at which to kill a tag was implemented by first programming the KILL password of the tag in use. Though arbitrary, a KILL password of FF FF FF FF was used for all tag testing. Once the tag KILL password was programmed, the power level was set to 0 and the KILL command with the correct password was sent to the reader. Exceptions were caught, and their messages returned to the application and then to the user. A query of tags in the field was then performed to determine whether the tag had indeed been killed. The power was then increased by 0.1 dB, the KILL command with the correct password sent again, and so on.

Algorithm 2: Determining the Tag's Sufficient Power Level to Disable the Tag Permanently
Input: n tags Tagj, tags' EPCs EPCj, Highest Power Level HPL
Output: KillingPowerLevel of each tagj
Procedure:
    Position tagj with EPCj in the field of the RFID reader at a distance of 1.5 meters
    for every tagj, j < n do
        for (i = 0; i < HPL; i = i + 0.1) do
            send KILL command to tagj with power = i
            query tagj
            pause thread 1 second
            if tagj does not respond with its EPCj then
                tagj is deemed successfully killed at this power level
                record KillingPowerLevel = i and exit the inner loop
            end if
            (otherwise the loop increments the power level by 0.1 dB and repeats the steps above)
        end for
    end for
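The two sweeps of Algorithms 1 and 2, together with the full-range re-check that Section 3 adds before a tag is believed dead, simulated in Python; this is an added example, not the paper's Java test software. The tag model, its thresholds, and the EPC and password values are constructed assumptions.

```python
# Added example (not the paper's Java test software): reader and tag are both
# simulated. The tag model (read threshold, erratic band below it, kill
# threshold, 'stun' band just below it) is an assumption chosen to reproduce
# what the paper reports: tags answer once and then drop out for several
# increments, and tags that look dead reappear on a later query or at higher power.
POWER_STEP = 0.1      # the paper raises the power a tenth of a decibel at a time
READER_MAX_DB = 15.0  # maximum power level of the reader used in the paper

class SimulatedTag:
    """Toy tag (assumption): answers reliably at or above read_db, only every
    other time within `margin` dB below it; KILL with the right password kills
    at or above kill_db and only silences the next query just below kill_db."""
    def __init__(self, epc, read_db, kill_db, password, margin=0.5):
        self.epc, self.read_db, self.kill_db = epc, read_db, kill_db
        self.password, self.margin = password, margin
        self.killed = self.stunned = False

    def query(self, power_db):
        if self.stunned:                 # one silent query, then recovered
            self.stunned = False
            return None
        if self.killed or power_db < round(self.read_db - self.margin, 1):
            return None
        if power_db < self.read_db:      # erratic band: answer, then miss one
            self.stunned = True
        return self.epc

    def kill(self, password, power_db):
        # replies as in figure 2 / Example 2: None (silent), 'error', or '0' (killed)
        if self.killed or password != self.password or power_db < self.read_db:
            return None
        if power_db >= self.kill_db:
            self.killed = True
            return "0"
        if power_db >= round(self.kill_db - self.margin, 1):
            self.stunned = True
        return "error"

def levels_db(start=0.0, stop=READER_MAX_DB):
    """Power levels from start to stop in 0.1 dB steps, free of float drift."""
    first, last = int(round(start / POWER_STEP)), int(round(stop / POWER_STEP))
    return [round(i * POWER_STEP, 1) for i in range(first, last + 1)]

def consistent_read_level(tag, lpl, hpl, required=5):
    """Algorithm 1: lowest power at which the tag returns its EPC `required`
    times in a row (the paper's working definition of a consistent response)."""
    for power in levels_db(lpl, hpl):
        if all(tag.query(power) == tag.epc for _ in range(required)):
            return power
    return None

def tag_alive_anywhere(tag):
    """Section 3 precaution: query over the reader's whole power range."""
    return any(tag.query(p) is not None for p in levels_db())

def killing_power_level(tag, hpl, password, read_level, verify=True):
    """Algorithm 2: sweep up from 0 dB sending KILL with the correct password;
    verify=False then queries once at read_level, verify=True sweeps the range."""
    for power in levels_db(0.0, hpl):
        tag.kill(password, power)
        alive = tag_alive_anywhere(tag) if verify else tag.query(read_level) is not None
        if not alive:
            return power             # first level after which the tag stays silent
    return None

def run_sweeps(verify):
    """Both subtasks on a fresh constructed tag; returns (read_level, kill_level)."""
    tag = SimulatedTag("001122330011223300000000", 2.0, 4.7, "FFFFFFFF")
    read = consistent_read_level(tag, 0.0, READER_MAX_DB)
    return read, killing_power_level(tag, READER_MAX_DB, "FFFFFFFF", read, verify)
```

With the single-query check the sweep stops at 4.2 dB, where the constructed tag only fell silent for one query; the full-range check keeps going until the real killing level of 4.7 dB.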

In the next section, Examples 1 and 2 demonstrate the usefulness of the proposed solution framework.

Example 1: Good-Tag Authentication
Input: tag (i) is a good tag with EPC number EPCj
Output: tag (i) is allowed access to the system
Procedure: The application developer programs tag (i) with the EPCj number and the KILL command password. Then the tag is placed in the field of the RFID reader at a distance of 1.5 meters.

Step 1 @ the RFID reader side
- The reader broadcasts a read Query message.
- Tag (i) responds with its EPCj number.
- The reader sets its power level to "insufficient to kill the tag" according to Algorithm 2.
- The reader generates and sends a random number RN to the field.
- The reader XORs the random number RN with the KILL command password associated with the tag's EPCj. This yields a value V1.
- The reader sends the KILL command with the value V1 to the field. This process scrambles the password value and protects it from being easily cracked.
Step 2 @ the RFID tag side
- Tag (i) receives the KILL command along with the value V1.
- Tag (i) successfully verifies the correctness of the KILL command password and measures the incoming power level:
  o If the power level isn't high enough to execute the KILL command, tag (i) returns the error message "Not enough Power", as given in figure 2.
Step 3 @ the RFID reader side
- The reader can implicitly ensure that it is talking to the right tag and allows the tag to access the system.

Example 2: Spoofed-Tag Authentication
Input: tag (i) is a spoofed tag with EPC number EPCj
Output: tag (i) is denied access to the system
Procedure: An attacker programs a fake tag (i) with the spoofed EPCj number and a guessed, incorrect KILL command password. Then the tag is placed in the field of the RFID reader at a distance of 1.5 meters. Two assumptions hold:
- The EPCj number can be obtained by a skimming process (a fake reader broadcasts read queries and collects the returned EPC numbers).
- The spoofed tag does not have the correct KILL command password.

Step 1 @ the RFID reader side
- The reader broadcasts a read Query message.
- Spoofed tag (i) responds with its EPCj number.
- The reader sets its power level to "insufficient to kill the tag" according to Algorithm 2.
- The reader generates and sends a random number RN to the field.
- The reader XORs the random number RN with the KILL command password associated with the tag's EPCj. This yields a value V1.
- The reader sends the KILL command with the value V1 to the field. Again, this process scrambles the password value and protects it from being easily cracked.
Step 2 @ the RFID tag side
- Tag (i) receives the KILL command along with the value V1.
- Tag (i) fails to verify the correctness of the KILL command password:
  o So the tag fails to execute the KILL command. Tag (i) then does not return any error message, as given in figure 2.
Step 3 @ the RFID reader side
- The reader times out and ignores tag (i) in the field. Consequently, tag (i) has been denied access to the system.

3. Experimental Results

The experimental analyses were conducted using the RFID testbed shown in figure 3.

[Figure 3 image not reproduced]
Figure 3. RFID Testbed

The testbed consists of the following components:
- Alien ALR-9814 RFID Portal. The reader was connected to a LAN, with IP addressing provided by the LAN router's internal DHCP mechanism.
- Tags used for testing:
  o Alien 9454 M-Tag Inlay
  o UPM RAFLATAC 3000707 Inlay
  o Alien 9440 Squiggle
  o UPM RAFLATAC 3000794 Frog Inlay
  o Avery AD-622 Inlay
  o Avery AD-220 Inlay
- Application development unit (Compaq Presario 2100 laptop).
- Testing software written in Java, using the HTTP interface capability of the reader. The software included features for querying, writing and killing tags, as well as changing the power levels of the connected antennae. Tag tests were run via Alien's provided Java API: an alienClass1Reader object was initially created, and all commands were sent to the reader via methods of this object.

Kill power levels were obtained for all of the tags at a read range of 1.5 meters. The tag programming phase is illustrated in Figure 4.
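The challenge/response exchange of Examples 1 and 2 in Section 2, simulated end to end with both sides' messages; this is an added example, not the paper's software. The kill-level table, the tags' EPC and passwords, and the 1 dB safety margin are constructed, and the hypothetical authenticate() function plays the reader.

```python
# Added example (not the paper's software): the reader, a good tag and a spoofed
# tag are all simulated. KILL_DB stands in for the per-tag killing power level
# database the conclusion proposes; its EPC, password and power value are
# constructed, as is the 1 dB safety margin.
import os

KILL_DB = {  # EPC (hex) -> (32-bit kill password, tag killing power in dB)
    "001122330011223300000000": (0xFFFFFFFF, 4.7),
}
SAFETY_MARGIN_DB = 1.0   # how far below the killing level the reader stays

class Tag:
    """Simulated passive tag holding an EPC and a 32-bit kill password."""
    def __init__(self, epc, kill_password, kill_db):
        self.epc, self.kill_password, self.kill_db = epc, kill_password, kill_db
        self.killed = False

    def on_query(self):
        return None if self.killed else self.epc

    def on_kill(self, rn, v1, power_db):
        """Step 2 of Examples 1 and 2: unmask the password (V1 XOR RN), then
        answer as in figure 2."""
        if self.killed or (v1 ^ rn) != self.kill_password:
            return None                    # wrong password: the tag stays silent
        if power_db < self.kill_db:
            return "Not enough Power"      # valid password, too little power
        self.killed = True
        return "0"                         # tag is now permanently disabled

def authenticate(tag, kill_db=KILL_DB, margin_db=SAFETY_MARGIN_DB):
    """Reader side of Examples 1 and 2. Returns (decision, transcript)."""
    log = []
    epc = tag.on_query()                   # Step 1: Query, tag answers with EPCj
    log.append(f"reader: Query -> tag: {epc}")
    if epc not in kill_db:
        log.append("reader: unknown tag, denied")
        return "deny", log
    password, kill_level = kill_db[epc]
    power = round(kill_level - margin_db, 1)   # 'insufficient to kill', from Algorithm 2
    rn = int.from_bytes(os.urandom(4), "big")  # random number RN
    v1 = rn ^ password                         # scrambled password V1
    log.append(f"reader: RN={rn:08x} KILL(V1={v1:08x}) at {power} dB")
    reply = tag.on_kill(rn, v1, power)         # Step 3: judge the tag's reply
    if reply is None:
        log.append("reader: timeout, tag ignored")
        return "deny", log
    if reply == "0":
        log.append("reader: tag was killed, power level set too high")
        return "deny", log
    log.append(f"tag: {reply!r}, implicitly authenticated")
    return "allow", log

def demo():
    """Good tag vs. a spoofed tag that copied the EPC but guessed the password."""
    good = Tag("001122330011223300000000", 0xFFFFFFFF, 4.7)
    spoof = Tag("001122330011223300000000", 0x12345678, 4.7)
    return authenticate(good)[0], authenticate(spoof)[0], good.killed
```

Setting margin_db to 0 (or below) makes the reader kill the good tag instead of authenticating it, which is the accident Algorithm 2 is meant to avoid.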

[Figure 4 image not reproduced]
Figure 4. Tag Programming with an EPC Number

The procedure for writing tags merely programmed a tag EPC. Sending this command did not always result in successful tag programming, however; an early revision of the software added a loop to send the command multiple times. This loop led to much more consistent results when programming tags, yet took considerably longer to complete, upwards of eleven seconds each time, since this feature also included the one-second delay between commands sent to the reader.

[Figure 5 image not reproduced]
Figure 5. Tag Read Test

The read test described in Figure 5 was conducted by initially programming the tag under test with a unique EPC (00 11 22 33 00 11 22 33). This was done to ensure that the tag could be recognized even if another tag happened to be somewhere in the reader's field. The reader's power level was then set to 0, and the query command sent to the reader. An array of tags was then returned from the reader and the results displayed in the message area. If multiple tags were found in the tag area, they were located and removed. This process continued until the query verified that only one tag was in the field at a time. The power level was then increased by a tenth of a decibel, the tag query sent, and so on.

The power level range was extended to the reader's maximum value (15 dB) so as to ensure that the tag had really been killed; in earlier tests it was found that although tags seemed to be dead at one power level, they would appear at an increased power level, or even at the same power level given another query, as shown in figure 6. It was therefore deemed prudent to test over the entire power range of the reader to make sure that a tag that seemed killed was really dead.

[Figure 6 image not reproduced]
Figure 6. Tag Power Killing Test

The tag killing power level is summarized in the following table for each tag.

Tag                              Tag Killed Power Value in dB
Alien 9454 M-Tag Inlay           4.7
UPM RAFLATAC 3000707 Inlay       4.1
Alien 9440 Squiggle              3.5
UPM RAFLATAC 3000794 Frog Inlay  8.8
Avery AD-622 Inlay               8.6
Avery AD-220 Inlay               3.9

The table describes a direct relationship between the tag's consistent read value (five reads in a row) and the tag killed value.

4. Conclusions and Future Work

The main objective of the proposed research is to introduce a low-cost solution for the RFID tag cloning problem by enforcing tag authentication. We have presented a simple protocol for passive RFID tags, especially EPCglobal Class-1 Gen-2 RFID tags. Our protocol achieves a desirable security feature of an RFID system: implicit tag-to-reader authentication. This approach was deemed a possible way to implicitly verify an RFID tag; if a correct password is sent to the tag along with an insufficient power level, it should respond with an error code message, specifically "Not enough power to complete command". The authors found that the power levels at which tags killed themselves varied widely. This is one of the first attempts to create a universal tag killing power level database for each tag profile. In the future, we will seek to develop a lightweight reader-tag solution.

5. References

1. Ari Juels, Ronald L. Rivest, Michael Szydlo (2003). "The blocker tag: selective blocking of RFID tags for consumer privacy". CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security.
2. Ari Juels (2005). "Strengthening EPC Tags Against Cloning". WiSe '05: Proceedings of the 4th ACM Workshop on Wireless Security, September 2005.
3. C. Bolan (2006). "The Lazarus Effect: Resurrecting Killed RFID Tags". Proceedings of the 4th Australian Information Security Management Conference, 4 Dec. 2006, Edith Cowan University, Perth, Western Australia.
4. D. R. Thompson, N. Chaudhry, C. W. Thompson (2006). "RFID security threat model". Proc. Acxiom Laboratory for Applied Research (ALAR) Conf. on Applied Research in Information Technology, Conway, Arkansas, Mar. 3, 2006.
5. Dang Nguyen Duc, Jaemin Park, Hyunrok Lee, Kwangjo Kim (2006). "Enhancing Security of EPCglobal Gen-2 RFID Tag against Traceability and Cloning". The 2006 Symposium on Cryptography and Information Security, Hiroshima, Japan.
6. Daniel M. Dobkin, Titus Wandinger (2008). "The RF in RFID: A Radio-oriented Introduction to Radio Frequency Identification". Available online at: www.wj.com/documents/Articles_PDF/RF_in_RFID_v0.1.pdf
7. David Molnar, Andrea Soppera, David Wagner (2005). "Privacy for RFID through trusted computing". WPES '05: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society.
8. Daniel W. Engels, Sanjay E. Sarma (2005). "Standardization Requirements within the RFID Class Structure Framework". MIT Auto-ID Labs Technical Report, January 2005.
9. Hannes Riedenbauer (2006). "RFID - EPC and Security Mechanisms". Programme for Advanced Contactless Technology (Proact) Publications.
10. Mostafa El-Said, Brandon Belcher, George Nezlek (2008). "Lightweight RFID Authentication Protocol: An Experimental Study". The 30th International Conference on Information Technology Interfaces (ITI 2008), pp. 583-588.
11. Paolo Bernardi, Filippo Gandino, Bartolomeo Montrucchio, Maurizio Rebaudengo, Erwing Ricardo Sanchez (2007). "Design of an UHF RFID transponder for secure authentication". GLSVLSI '07: Proceedings of the 17th Great Lakes Symposium on VLSI.
12. Selma Boumerdassi, Papa Kane Diop, Éric Renault, Anne Wei (2005). "A new two-message authentication protocol for RFID sensor networks". MPAC '05: Proceedings of the 3rd International Workshop on Middleware for Pervasive and Ad-hoc Computing.
13. Yingjiu Li, Xuhua Ding (2007). "Protecting RFID communications in supply chains". ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security.
