Proceedings of the 51st Annual INMM Meeting, Baltimore, MD, July 11-15, 2010

WHY RFID TAGS OFFER POOR SECURITY

Jon S. Warner and Roger G. Johnston
Vulnerability Assessment Team, Nuclear Engineering Division
Argonne National Laboratory, 9700 S. Cass Ave, Building 206, Argonne, IL 60439-4840

ABSTRACT

Radio Frequency Identification Devices (RFIDs) are tags that transmit a fixed, supposedly unique serial number when excited or powered on. These devices are useful for inventory purposes, i.e., counting and locating assets when there is no malicious adversary. They provide, however, no reliable information about theft, tampering, or diversion for material control and accounting (MC&A) purposes or for other security and safeguards applications, because they are not security devices and can be easily spoofed. It is, for example, easy to counterfeit RFIDs, "lift" them, tamper with the RFID reader, or fool the reader with fake radio frequency signals sent from a distance. ("Lifting" an RFID tag means removing it from one object or container and placing it on another without being detected.) This paper discusses physical and electronic RFID vulnerabilities, including a generic discussion of inexpensive attack methods and resources readily available to an adversary. The use of RFIDs for nuclear safeguards is, we believe, an example of two common problems: confusing inventory with security, and treating security as an afterthought.

INTRODUCTION

As vulnerability assessors[1], we are very critical of the use of Radio Frequency Identification Devices (RFIDs) for nuclear security and safeguards. RFID systems typically use a fixed (static) identification number, transmitted by each RFID tag, for inventory and tracking purposes. (Technically, most RFIDs couple to their reader inductively, through the near field, rather than by radiated radio waves.)
Regardless of the communications protocol used (RFID, radio frequency (rf), infrared, acoustic, hardwired, etc.), a system that makes a decision about theft based on a fixed identification number is problematic, because a fixed number is generally easy for an adversary to record and replay.[2] Moreover, the ad hoc addition of sensors to a tag or inventory system that has no intrinsic security, in the hope that security can be added as a patch, is wishful thinking and serves mostly to obscure the real security issues.

The RFID Journal defines RFID as follows: "Radio frequency identification (RFID) is a generic term that is used to describe a system that transmits the identity (in the form of a unique serial number) of an object or person wirelessly, using radio waves. It's grouped under the broad category of automatic identification technologies."[3]

The standard RFID frequencies are low frequency (usually around 125 kHz), high frequency (13.56 MHz), ultra-high frequency (433 and 900 MHz, for example), and microwave (2.45 and 5.8 GHz). Most low frequency and many high frequency RFID tags are passive: they have no power source of their own and draw their power from the rf field supplied by the reader during communications. These passive tags typically communicate with the reader by backscatter modulation (for inductively coupled LF and HF tags, usually called load modulation). It works as follows: the reader radiates an unmodulated carrier; the tag switches a load across its antenna in a pattern that encodes its data, which produces slight fluctuations in the carrier as seen at the reader; the reader demodulates these fluctuations to recover the supposedly unique serial number (or other data). Nothing in this exchange is secret; any receiver close enough to detect the fluctuations recovers the same data. There are also active tags (which have their own power source) and semi-active (battery-assisted) ones. Many ultra-high frequency and microwave tags, particularly long-range ones, are active, although passive backscatter UHF tags (such as those used for retail merchandise tagging) are also common.
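The following Python simulation, added here as an illustration and not part of the original paper or of any vendor's implementation, makes the backscatter description above concrete. It encodes a constructed 40-bit serial number with Manchester coding, modulates the amplitude of a 125 kHz carrier as a load-modulating passive tag would, and recovers the number on the reader side by envelope detection. The modulation depth (20%), 16 carrier cycles per half-bit, 8 samples per carrier cycle, the Gaussian noise level, and the serial number itself are all assumed values chosen for the simulation. The security-relevant point is that demodulate() uses no key: an eavesdropper sampling the same field runs the same code and obtains the same fixed number, which is the starting point for the replay and cloning attacks discussed later in the paper.

```python
import math
import random

# Constructed parameters for the simulation (assumptions, not taken from the paper)
CARRIER_HZ = 125_000        # LF carrier, one of the bands the paper lists
SAMPLES_PER_CYCLE = 8       # receiver samples the carrier 8 times per cycle
CYCLES_PER_CHIP = 16        # each Manchester half-bit ("chip") spans 16 carrier cycles
MODULATION_DEPTH = 0.2      # tag load pulls the carrier amplitude down by 20%
SERIAL_BITS = 40            # width of the fixed serial number being encoded
CHIP_SAMPLES = SAMPLES_PER_CYCLE * CYCLES_PER_CHIP


def serial_to_bits(serial: int, width: int = SERIAL_BITS) -> list:
    """MSB-first bit list of a fixed serial number."""
    return [(serial >> (width - 1 - i)) & 1 for i in range(width)]


def manchester_encode(bits: list) -> list:
    """Manchester chips: a 1 bit becomes (high, low), a 0 bit becomes (low, high)."""
    chips = []
    for b in bits:
        chips.extend((1, 0) if b else (0, 1))
    return chips


def tag_backscatter(chips: list, noise_sigma: float = 0.02, seed: int = 1) -> list:
    """Tag side: switch the antenna load once per chip while the reader's carrier is on.
    The reader sees full carrier amplitude when the load is off (chip 1) and reduced
    amplitude when the load is on (chip 0).  Noise is seeded so runs are repeatable."""
    rng = random.Random(seed)
    samples = []
    n = 0
    for chip in chips:
        amplitude = 1.0 if chip else 1.0 - MODULATION_DEPTH
        for _ in range(CHIP_SAMPLES):
            carrier = math.sin(2 * math.pi * n / SAMPLES_PER_CYCLE)
            samples.append(amplitude * carrier + rng.gauss(0.0, noise_sigma))
            n += 1
    return samples


def envelope_detect(samples: list) -> list:
    """Reader side: rectify and average over one chip period."""
    env = []
    for i in range(0, len(samples), CHIP_SAMPLES):
        seg = samples[i:i + CHIP_SAMPLES]
        env.append(sum(abs(s) for s in seg) / len(seg))
    return env


def manchester_decode(chips: list) -> list:
    """Inverse of manchester_encode; rejects pairs that are not valid transitions."""
    bits = []
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            raise ValueError("invalid Manchester pair at chip %d" % i)
    return bits


def demodulate(samples: list) -> int:
    """Recover the serial number from carrier amplitude alone.  Any receiver that can
    detect the field fluctuations runs exactly this logic; the legitimate reader
    knows nothing that an eavesdropper does not."""
    env = envelope_detect(samples)
    threshold = (max(env) + min(env)) / 2.0
    chips = [1 if e > threshold else 0 for e in env]
    bits = manchester_decode(chips)
    return int("".join(str(b) for b in bits), 2)


def tag_read(serial: int) -> int:
    """One complete read: the tag modulates its fixed serial, the reader demodulates it."""
    return demodulate(tag_backscatter(manchester_encode(serial_to_bits(serial))))


if __name__ == "__main__":
    SERIAL = 0x12345678AB   # constructed 40-bit sample serial number
    print("tag serial      : %010x" % SERIAL)
    print("reader recovered: %010x" % tag_read(SERIAL))
```

Running the module as a script prints the serial number before and after the round trip. Real tags add a preamble, parity or CRC bits, and vendor-specific coding, none of which changes the point: the payload is a fixed value that anyone within range of the field can recover with a receiver no more sophisticated than the legitimate reader.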
Whatever the technology or frequency, an RFID system is composed of three main parts: 1) the tag, 2) the reader, and 3) a computer or microprocessor, in or used in conjunction with the reader, that coordinates RFID data collection and interprets the results.

RFID systems are widely employed by organizations like Walmart to keep track of merchandise. By removing the human element, the inventory process can operate faster and more efficiently. In this context, RFID makes a lot of sense. Working on this premise, a number of organizations have built or proposed RFID-based Materials Control and Accounting (MC&A) devices and systems[4-11]; an example is shown in figures 1 and 2.

Figure 1 - An example of an MC&A RFID device attached to a storage drum. (Argonne National Laboratory photo from reference 5.)

Figure 2 - Internal view of the device shown in figure 1. It includes a tamper-indicating sensor ("seal sensor"). (Argonne National Laboratory photo from reference 5.)

INVENTORY VS. SECURITY

When organizations like Walmart keep track of their merchandise, they are performing inventory. Inventory entails counting, tracking, and locating assets. These assets might include people, animals, DVD players, televisions, etc. Inventory systems may well detect inadvertent errors by innocent insiders, such as sending a shipment to the wrong location, but they are not fundamentally designed to deal with spoofing, incapacitation, or other deliberate and planned nefarious attacks. That is the job of security. An inventory system does not understand the concept of deliberate theft; a security system does. Any device, system, or program that makes no significant attempt to protect itself from malicious adversaries cannot be used to reach reliable or meaningful conclusions about theft or diversion (or any other security issue).
Security is a difficult enough task when it is built into a system from the very beginning, with threats, attacks, adversaries, consequences, and vulnerabilities all carefully considered. Security does not happen by accident, nor can it be tacked onto an inventory system in an ad hoc, "band-aid" manner. In our experience, there are a few common misconceptions concerning the difference between inventory and security.

Myth 1: Because the job of an inventory system is to track and locate assets, and the inventory system can tell if something is missing, the inventory system must be able to determine whether theft or diversion has taken place.

Comment 1: An inventory system might report that all barcodes or RFIDs are present on all containers, but this does not mean the assets are all present. The inventory system might well be counting empty boxes, drums, or containers (surreptitious entry to most containers is relatively easy). Moreover, the barcodes or RFIDs may have been lifted or counterfeited, or the reader tricked or tampered with. In our experience these things are typically also easy to do.

Myth 2: We are encouraging people to ignore inventory data when it indicates missing items.

Comment 2: More data is always better than less when it comes to matters of security. If an inventory system reports that something is missing, the data should be acted on. If an employee driving home spots a pallet of his organization's assets lying along the side of the road, he should take action. This, however, is an instance of dumb luck, not the basis for an effective security strategy. Relying on inventory data to reach conclusions about theft or diversion is similarly relying on dumb luck.

Myth 3: It is a simple matter to add security to an existing inventory system.

Comment 3: It is certainly true that one can always tack security components onto an inventory device or system.
(The seal sensor shown in figure 2 is an example.) In our experience as vulnerability assessors, however, this almost never leads to good security. The best way to have good security is to incorporate it into the design of a device, system, or program from the very start.

Myth 4: The adversary does not really want to cover his tracks, so he will not try to spoof our inventory system.

Comment 4: We believe that the majority of criminals (or other adversaries) would like to avoid detection for as long as possible, even if only to buy themselves a few minutes to get away. Surreptitious theft or tampering is almost always going to be attractive to an adversary, especially for something as risky as going after nuclear material.

Myth 5: Nuclear Material Control and Accounting (or Accountability) (MC&A) is an inventory function.

Comment 5: This myth appears to be widespread.[2,4-11] MC&A superficially resembles an inventory function because it involves counting, tracking, and locating nuclear assets. Because it is used to determine whether there has been theft, diversion, tampering, or espionage, however, it is fundamentally a security function.

MC&A

In our view, a common problem with nuclear MC&A is that even though it superficially looks like an inventory function, it is not. Fundamentally, MC&A is about theft. It involves ensuring that theft of nuclear material does not occur, or is at least detected, and making sure that the proper authorities are alerted if theft does happen. These are the attributes of a security system, not an inventory system. Indeed, according to the United States Nuclear Regulatory Commission[12]:

Material control means the use of control and monitoring measures to prevent or detect loss when it occurs or soon afterward. Material accounting is defined as the use of statistical and accounting measures to maintain knowledge of the quantities of SNM present in each area of a facility.
It includes the use of physical inventories and material balances to verify the presence of material or to detect the loss of material after it occurs, in particular, through theft by one or more insiders.

Phrases such as "...measures to prevent or detect loss" and "through theft by one or more insiders" make it quite clear that MC&A is a security function. Tracking an item is, on the surface, a useful idea; without security, though, there is no way to tell whether the system is tracking an empty container, or whether the inventory system is being spoofed.

Typical mistakes we see in many MC&A concepts and programs, especially those that invoke RFIDs, include the following:

• Thinking MC&A is an inventory function and therefore that security does not really matter.
• Acknowledging at first that inventory and security are different functions, but then claiming that the inventory system can be counted on to sound an alert if theft or diversion occurs.
• Not avoiding mission creep, in which an inventory system (usually very quickly) comes to be viewed, quite incorrectly, as a security system.
• Engaging in the ad hoc addition of technologies or sensors to existing inventory devices or systems (often by people with limited experience in security who have not carefully analyzed the security issues or assumed the mindset of the adversary) in the hope that effective security will somehow result.
• Believing that high technology will automatically solve security problems.
• Assuming that the inventory tag is permanently coupled to the asset of interest. In fact, "lifting", i.e., removing a tag from one object or container and placing it on another without being detected, is in our experience usually quite straightforward.
• Not realizing that tags, including RFIDs, are usually easy to counterfeit.
• Not realizing that the reader (especially a handheld reader) must be very carefully protected from tampering, starting right at the factory.
• Not realizing that tags read in a remote, non-contact manner (like RFIDs) are often easy to eavesdrop on.
• Not realizing that the readers used to read such tags (like RFID readers) are often easy to spoof from a distance, even without counterfeiting the tag.
• Not arranging for a thorough and independent vulnerability assessment, ideally early, iteratively, and often in the design process, and then again when the device or system is fielded.

There are a number of examples of these problems in the open literature. One paper states that "Employing an RFID system has the potential to offer an immense payback; enhanced safety and security, reduced need for manned surveillance, real time access to status and event history data, and overall cost effectiveness."[11] In our view, this approach (shown in figure 2) is an example of slapping a sensor onto an inventory device in a rudimentary manner and then claiming that the new system provides security. This method might detect an adversary who was not concerned about getting caught; however, the design does not appear to include any features for effectively detecting tampering or spoofing by an adversary who wishes to operate surreptitiously. The remainder of the paper seems focused on the inventory aspects of the system. Other publications on this technology also appear to have problems in terms of inventory vs. security.[4,5,6]

Another report equates inventory with loss prevention[7]: "One of the main components of the Environmental Protection Agency's (EPA) Clean Materials Program is to prevent the loss of radioactive materials through the use of tracking technologies. If a source is inadvertently lost or purposely abandoned or stolen, it is critical that the sources be recovered before harm to the public or the environment occurs.
Radio frequency identification (RFID) tagging on radioactive sources is a technology that can be operated in the active or passive mode, has a variety of frequencies available allowing for flexibility in use, is able to transmit detailed data and is discrete." The remainder of the report evaluates several commercial-off-the-shelf RFID systems to determine their efficacy during transportation. The need for security is not discussed. There is no fundamental discussion of what the tracking system is actually doing, or of the fact that it is tracking an RFID tag, not the contents of the container. If a container has no reliable tamper detection features, there is no way to determine whether theft or diversion has occurred.

The following statement is another example of what we suspect is confusion about inventory versus security: "The relevant diversion paths were analyzed and the extent to which RFIDs improve efficiency and effectiveness was assessed. In general, RFIDs improve efficiency of safeguards substantially. The use of RFIDs also provides depth to the safeguards approach and complicates diversion strategy. Therefore, RFIDs slightly improve safeguards effectiveness in general due to increased ability to verify activities and consequent deterrence."[8] To us, this is similar to stating that a paper barcode "improves safeguards and complicates diversion strategies". In fact, the security offered by RFIDs is no better than that offered by paper barcodes, and in one respect it is worse: RFID readers are much easier to spoof at a distance than barcode scanners.

There are other examples of the apparent lack of security focus concerning RFIDs in the open literature. For example, in reference 9, a Fellow of the Council on Foreign Relations writes: "For example, Walmart uses radio-frequency identification (RFID) tags for continuous tracking of its inventory of costly items such as high-definition television sets.
Nations could use RFID tags to monitor containers of nuclear material." Other examples are the summary report of a DOE workshop on RFIDs for IAEA applications, in which confusion about RFID terminology abounds[13], and a "proof of concept" paper that touts the security benefits of an RFID-based inventory system[10].

RFID VULNERABILITIES

RFID tags are becoming ubiquitous. They are used in many aspects of daily life: highway toll payment systems, proximity cards, library books, EPC merchandise tagging at retail stores, passports, credit cards, and so on. Since RFIDs and RFID readers are ubiquitous, they are also readily available to adversaries. The Internet is rife with information, software, and hardware designs aimed at attacking or hacking RFID systems, so most of what the RFID hobbyist and hacking community has developed is publicly available. In this context, using RFID devices and systems in the nuclear materials arena may not be the best choice: the potential bad guy already has a large body of work to draw on in designing an attack on RFID-based technologies. Indeed, as vulnerability assessors, we have found the inexpensive development kits sold by RFID manufacturers, the information on RFID technology readily available on the Internet and in patents, and the hobbyist circuit designs, software, and devices that can be purchased online to be very helpful in counterfeiting and sniffing RFIDs and in spoofing their readers (including at a distance). Moreover, vendors and manufacturers are usually eager to provide technical support, advice, and free samples, though RFID tags and readers are so inexpensive and readily available that they can often simply be cannibalized.
Because RFID devices are so pervasive, because they are used extensively in cash transactions, because of the huge privacy concerns surrounding their use, and because the RFID industry has often publicly stated (incorrectly) that the security of RFIDs is unbreakable[14-16], a large worldwide RFID hacking community has risen up to do what it does best: hack the system. The best way to get a hacker to do something is to tell her that it cannot be done.

We will not exhaustively review all known RFID attack vectors here. Instead, we broadly characterize the attack methods that have been used against RFID devices and systems.

Communication-based attacks target the rf interface between a transponder (tag) and a reader. One important fact is that, with the proper equipment, these attacks can be carried out over much greater distances than the end user's usual reader-to-tag communication distance. The following are a few generic communication-based RFID attacks:

• Skimming: Reading data off someone else's tag without their knowledge, using a commercial or home-made reader.
• Sniffing: "Listening in" on a tag/reader communication stream.
• Spoofing tag/reader communication: Sending an unauthorized (but correctly formatted) signal to the tag or reader.
• Denial of Service (DoS): Preventing communication by blocking, jamming, or overwhelming the hardware or software.
• Replay Attack: Recording the data emitted by one RFID tag and playing it back later. Against a tag that emits a fixed identification number, the recording is indistinguishable from the tag itself.
• Man in the Middle (also called a relay attack): Bridging the gap between a reader and a tag that are too far apart to communicate in the ordinary manner. The adversary's electronics act as a go-between for the reader and the tag, altering the conversation as needed for nefarious purposes.

The tag or transponder is usually the most accessible part of an RFID system for an adversary. Some tag-based attacks include:

• Clone: Impersonate a tag using stolen data.
• Reprogramming: Change the data on a tag. This only works on certain kinds of RFIDs.
• Tracking: Track a user or his/her habits via the RFID data carried on their person, in order to gain useful intelligence.
• Virus and Worm Injection: Use the RFID tag's data as a carrier for malicious input to the back-end software. This only works on certain kinds of RFIDs, and relies on a back end that trusts tag data without validating it.
• Tag Destruction: Destroy the tag so that it cannot communicate (a denial of service attack).

We have demonstrated many of the above attacks in the Argonne Vulnerability Assessment Team. In addition, we have demonstrated the following kinds of attacks on RFID readers:

• Tamper with the Reader's Electronics, Firmware, or Data: For example, we can make the reader register an RFID tag as present even if no tag is in the area. This attack can be turned on or off remotely with radio frequency signals. Typically, an RFID reader can be surreptitiously hijacked with about 15 seconds of access if the attack is well practiced.
• Man-in-the-Middle/Manipulate-in-the-Middle: Intercept data between one portion of the reader and another, then change it at will. In an RFID reader, for instance, one typically finds an RFID interface module connected to a microprocessor, which in turn is connected to a computer or a display (or both), or to some other output. By hijacking the data flow to the microprocessor, to the display, or to the computer, the bad guy can do all sorts of mischief.

CRYPTOGRAPHIC RFIDs

Cryptography is intended to provide secure communications between two (or more) physically secure endpoints separated in time or space. If either endpoint is insecure and open to probing, hacking, etc., the benefit of the cryptography is lost. Typically, RFID tags have no significant tamper or intrusion detection capability built in, and can be opened to extract the cryptographic key directly. Manufacturers are again eager to provide technical support, free samples, and cheap evaluation kits.
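The following Python model, added here as an illustration and not taken from the paper or from any tag vendor, ties together the replay and clone attacks listed above and the two points of this section: a tag that answers with a fixed number is defeated by a single sniffed read, a tag that answers a fresh challenge with a keyed response is not, and even the latter is worthless once the key has been read out of the tag. HMAC-SHA256 stands in for whatever cipher a cryptographic tag would use (the primitive is an assumption; the property that matters is that the reply depends on a fresh challenge). The serial number, key, 16-byte challenge, and 8-byte truncated MAC are constructed sample values.

```python
import hmac
import hashlib
import os

MAC_LEN = 8  # bytes of truncated MAC a challenge-response tag returns (assumed value)


class StaticTag:
    """A conventional RFID tag: answers every query with the same fixed number."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.uid                      # any challenge is ignored


class StaticReader:
    """A reader that decides 'authorized tag present' from the fixed number alone."""
    def __init__(self, authorized_uids):
        self.authorized = set(authorized_uids)

    def check(self, tag) -> bool:
        return tag.respond() in self.authorized


class ChallengeResponseTag:
    """A tag holding a secret key: answers a fresh challenge with uid || MAC_key(challenge)."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()[:MAC_LEN]
        return self.uid + mac


class ChallengeResponseReader:
    """Issues a random nonce per read and verifies the keyed response for that nonce."""
    def __init__(self, keys_by_uid, rng=os.urandom):
        self.keys = dict(keys_by_uid)
        self.rng = rng

    def check(self, tag) -> bool:
        challenge = self.rng(16)             # fresh 16-byte nonce for this read only
        reply = tag.respond(challenge)
        uid, mac = reply[:-MAC_LEN], reply[-MAC_LEN:]
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()[:MAC_LEN]
        return hmac.compare_digest(mac, expected)


class ReplayTag:
    """Adversary's device: plays back one previously sniffed reply, whatever is asked."""
    def __init__(self, captured: bytes):
        self.captured = captured

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.captured


def sniff(tag, challenge: bytes = b"") -> bytes:
    """Eavesdropping one tag/reader exchange yields exactly the bytes the tag sent."""
    return tag.respond(challenge)


def run_scenarios() -> dict:
    uid = bytes.fromhex("e00401005a2b3c4d")                    # constructed sample serial
    key = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed sample tag key

    # 1. Static-number system: one sniffed read produces a perfect replay device.
    static_reader = StaticReader([uid])
    replay = ReplayTag(sniff(StaticTag(uid)))

    # 2. Challenge-response system: a sniffed reply is bound to a challenge that
    #    the reader will never issue again.
    cr_tag = ChallengeResponseTag(uid, key)
    cr_reader = ChallengeResponseReader({uid: key})
    stale = ReplayTag(sniff(cr_tag, os.urandom(16)))

    # 3. The paper's caveat: if the tag can be opened and its key read out, a clone
    #    built around that key is indistinguishable from the genuine tag.
    clone = ChallengeResponseTag(uid, key)

    return {
        "replay_fools_static_reader": static_reader.check(replay),
        "genuine_passes_cr_reader": cr_reader.check(cr_tag),
        "replay_fools_cr_reader": cr_reader.check(stale),
        "static_reply_fools_cr_reader": cr_reader.check(replay),
        "key_extracted_clone_passes_cr_reader": cr_reader.check(clone),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-40s %s" % (name, result))
```

The replay device needs no knowledge of the protocol beyond what was sniffed; the static reader cannot tell it from the original tag. The challenge-response reader rejects the stale recording because the MAC it computes is over a new nonce. The last scenario is the one the paper warns about: cryptography moves the problem from the air interface to the tag's physical security, and a tag that can be opened and probed gives up the key that the whole scheme rests on.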
All of these help an adversary reverse engineer the RFID if he wishes to. More often, however, cryptographic RFIDs have been defeated through cryptanalysis.

Over the years, a number of cryptographic RFID devices have been introduced. One is the Digital Signature Transponder (DST) developed by Texas Instruments. The DST uses a secret, proprietary cipher with a 40-bit key, and is deployed for vehicle immobilization, electronic payment, and other high-importance applications. The DST cipher was reverse engineered and broken in 2005, which means that the roughly 150 million DST transponders then in use are vulnerable to cloning or spoofing.[17] Another popular system is Mifare Crypto-1, which has an 85% share of the contactless smart card market.[18] Crypto-1 has been soundly beaten, in multiple ways;[18-20] one group states that it can recover the key in less than a second.[18] Another broken system is Hitag2,[21] used extensively in the automotive industry for vehicle immobilization and in proximity card systems. Many more such ciphers have been beaten or are in the process of being beaten.

Part of the problem is that RFID tags do not have the gate count, memory, or power budget to implement well-studied ciphers with adequate key lengths. Vendors have therefore fielded small proprietary ciphers, kept secret rather than subjected to public review; once such a cipher is reverse engineered, a key as short as the DST's 40 bits can be searched exhaustively with modest hardware.

CONCLUSION

RFIDs are inventory devices, not security devices, and should not be used to make determinations about nuclear theft, diversion, tampering, or espionage. In fact, any device or system, whether it uses RFIDs or not, that is based on a fixed identification number is unlikely to provide effective security. Note that we are not objecting to the use of radio frequency (rf) communication in hardware intended for nuclear security, safeguards, or MC&A.
Indeed, some of our own prototypes of security and safeguards devices rely on rf.[22] What we are questioning is the use of RFIDs, or any other tags that generate an unchanging identification number, for critical security applications. We believe there are many worrisome examples of inventory being confused with security for nuclear applications, and of MC&A being viewed incorrectly as an inventory function. RFIDs and RFID systems are easy to beat, and piling on security sensors in an ad hoc fashion does not fundamentally alter that fact. Any device or system used or proposed for nuclear MC&A should have security built in from the ground up, and should undergo early, thorough, independent, multiple, and iterative vulnerability assessments throughout the design, prototype, and deployment processes.

ACKNOWLEDGEMENT AND DISCLAIMER

This work was performed under the auspices of the United States Department of Energy (DOE) under contract DE-AC02-06CH11357. The views expressed in this paper are those of the authors and should not necessarily be ascribed to Argonne National Laboratory or DOE.

REFERENCES

1. Argonne National Laboratory, "Vulnerability Assessment Team", http://www.ne.anl.gov/capabilities/vat.
2. JS Warner and RG Johnston, "Contact Memory Buttons and Nuclear Safeguards", Journal of Nuclear Materials Management 37(2), 11-15 (2009).
3. "What Is RFID?", RFID Journal, http://www.rfidjournal.com/article/view/1339/1/129.
4. H Tsai and YY Liu, "Radio Frequency Identification (RFID) Surveillance Tag", United States Patent Application US 2010/0033323 A1, http://www.freepatentsonline.com/20100033323.pdf.
5. H Tsai, K Chen, M Jusko, et al., "Report on a 2009 Mini-Demonstration of the ARG-US Radio Frequency Identification (RFID) System in Transportation", http://rampac.energy.gov/rfid/rfid.htm.
6. K Chen, et al., "ARG-US: An RFID-Based Tracking and Monitoring System for Nuclear Materials Packages", Proceedings of the 50th INMM Meeting, Tucson, AZ, July 12-16, 2009.
7. TA Warren, RM Walker, DE Hill, et al., "RadSTraM: Radiological Source Tracking and Monitoring, Phase II Final Report", http://www.epa.gov/rpdweb00/docs/source-management/rfid01267-phase-ii-final-report.pdf.
8. J Jo, "Radio Frequency Identification Devices: Effectiveness in Improving Safeguards at Gas-Centrifuge Uranium-Enrichment Plants", Proceedings of the 48th INMM Meeting, Tucson, AZ, July 8-12, 2007.
9. CD Ferguson, "Strengthening Nuclear Safeguards", Issues Online in Science and Technology (Spring 2008), http://www.issues.org/24.3/ferguson.html.
10. CA Pickett, et al., "A 'Proof of Concept' Demonstration of RF-Based Technologies for UF6 Cylinder Tracking at a Centrifuge Enrichment Plant", http://wwwpub.iaea.org/MTCD/Meetings/PDFplus/2007/cn1073/Papers/4B.2%20Ppr_Pickett%20-%20Evaluation%20of%20RFBased%20Tracking%20for%20UF6%20Cylinders%20at%20Centrifuge%20Enrichment%20Pla.pdf.
11. K Chen, H Tsai, and YY Liu, "Development of the RFID System for Nuclear Materials Management", Proceedings of the 49th INMM Meeting, Nashville, TN, July 13-17, 2008.
12. United States Nuclear Regulatory Commission, "Material Control and Accounting", http://www.nrc.gov/security/mca.html.
13. U.S. Department of Energy, "A Summary Report of a DOE Workshop on RFID Technology for IAEA Safeguard Applications (DRAFT)", January 2007.
14. J Mick, "Company Claims New Active RFID Chip to be 'Uncloneable'", DailyTech, http://www.dailytech.com/Company+Claims+New+Active+RFID+Chip+to+be+Uncloneable/article12899.htm.
15. Alfred C, "Next-Gen 'Unclonable' RFID Chips Launched by Verayo", TopTechReviews.net, http://www.toptechreviews.net/computer-technology/next-gen-unclonable-rfid-chips-launched-byverayo/.
16. S Boggan, "'Fakeproof' e-passport is cloned in minutes", Times Online, http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece.
17. S Bono, M Green, A Stubblefield, et al., "Security Analysis of a Cryptographically-Enabled RFID Device", Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, July 31-August 5, 2005.
18. FD Garcia, G de Koning Gans, R Muijrers, et al., "Dismantling MIFARE Classic", Proceedings of the 13th European Symposium on Research in Computer Security (ESORICS 2008), Lecture Notes in Computer Science 5283, 97-114 (2008).
19. NT Courtois, K Nohl, and S O'Neil, "Algebraic Attacks on MiFare Crypto-1, London Oyster Card", http://www.nicolascourtois.me.uk.
20. KE Penri-Williams, "Implementing an RFID 'Mifare Classic' Attack", MSc Thesis, http://www.penri-williams.com/blog/.
21. NT Courtois, K Nohl, S O'Neil, and JJ Quisquater, "Practical Algebraic Attacks on the HiTag2 Stream Cipher", Lecture Notes in Computer Science 5735, 167-176 (2009), http://www.springerlink.com/content/tn5x801545113547/.
22. JS Warner and RG Johnston, "Chirping Tag and Seal", Proceedings of the 51st Annual INMM Meeting, Baltimore, MD, July 11-15, 2010.