1、BSI Standards PublicationPD CEN/TR 16670:2014Information technology RFID threat and vulnerabilityanalysisPD CEN/TR 16670:2014 PUBLISHED DOCUMENTNational forewordThis Published Document is the UK implementation of CEN/TR 16670:2014.The UK participation in its preparation was entrusted to Technical Co
2、mmittee IST/34, Automatic identification and data capture techniques.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct applic
3、ation. The British Standards Institution 2014.Published by BSI Standards Limited 2014ISBN 978 0 580 83895 8ICS 35.240.60Compliance with a British Standard cannot confer immunity from legal obligations.This Published Document was published under the authority of the Standards Policy and Strategy Comm
4、ittee on 30 June 2014.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dPD CEN/TR 16670:2014TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 16670 June 2014 ICS 35.240.60 English Version Information technology - RFID threat and vulnerability analysis Technologies
5、 de linformation - RFID, analyse vulnrabilit et de menace Informationstechnik - Analyse zur Bedrohung und Verletzlichkeit durch beziehungsweise von RFID This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225. CEN members are the natio
6、nal standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slov
7、akia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any mean
8、s reserved worldwide for CEN national Members. Ref. No. CEN/TR 16670:2014 EPD CEN/TR 16670:2014CEN/TR 16670:2014 (E) 2 Contents Page Foreword 4 Introduction .5 1 Scope 6 2 Terms and definitions .6 3 Symbols and abbreviations 9 4 Threats and Attack scenarios 10 4.1 Introduction . 10 4.2 Attacks to an
9、 RFID System with a Fake Reader 11 4.3 Attacks to a RFID system with a Fake Tag . 12 4.4 Attacks to a RFID system with a Fake Reader and a Fake Tag 12 4.5 Attack to a Real Tag with a Fake Reader and a Fake Tag 13 4.6 Attack to a Real Tag with a Fake Reader 13 4.7 Attack to a Real Reader with a Fake
10、Tag 13 5 Vulnerabilities . 14 5.1 Introduction . 14 5.2 Denial of service . 14 5.3 Eavesdropping 14 5.4 Man in the Middle 15 6 Mitigation measures . 15 6.1 Introduction . 15 6.2 Mitigation measures for secured RFID Devices 15 6.2.1 Mitigation measures for tags . 15 6.2.2 Mitigation measures for read
11、ers . 15 6.2.3 Mitigation measures for the Air Interface Protocol . 15 6.3 Mitigation measures against attacks 15 6.3.1 Introduction . 15 6.3.2 Eavesdropping 15 6.3.3 Skimming . 15 6.3.4 Relay attack . 16 6.3.5 Denial of Service . 16 7 Conclusions 16 Annex A (informative) Attack scenarios 18 A.1 Amu
12、sement parks takes visitors to RFID-land 18 A.1.1 Introduction . 18 A.1.2 Threat scenarios . 18 A.1.3 DPP objectives of relevance 19 A.1.4 Security objectives of relevance . 19 A.1.5 Privacy objectives of relevance 20 A.2 Purpose of Use and Consent . 20 A.2.1 Purpose 1 . 20 A.2.2 Purpose 2 (with exp
13、licit consent) 21 A.2.3 Purpose 3 (with no explicit consent . 21 A.3 Multi-tag and purpose RFID environment for Healthcare . 22 A.3.1 Scenario description - Emergency 22 A.3.2 The hospital RFID environment . 22 A.3.3 Arrival at the hospital . 23 A.3.4 Treatment at the hospital . 24 A.3.5 The value o
14、f the drug prescribed 24 A.3.6 Returning home 24 A.3.7 The home RFID environment . 24 PD CEN/TR 16670:2014CEN/TR 16670:2014 (E) 3 A.3.8 Drug repeat prescription and out of date drug recycling 25 Annex B Original Test Set ups and Results 26 B.1 Test Area 26 B.2 Equipment 26 B.3 Overview of the Tests
15、. 27 B.3.1 Introduction 27 B.3.2 Range tests 27 B.3.3 Write Tests . 27 B.3.4 Illicit Reading . 27 B.3.5 Eavesdropping . 28 B.3.6 Detection inside buildings 28 B.3.7 Combined EAS/RFID systems 28 B.4 Test procedures and results 28 B.4.1 General . 28 B.4.2 Reading range 30 B.4.3 Write range . 37 B.4.4
16、Illicit reading 41 B.4.5 Eavesdropping . 46 B.4.6 Detection inside buildings 47 B.4.7 Combined EAS/RFID system 48 B.5 Analysis of results . 48 B.6 Conclusions . 49 Annex C Additional Test Set ups and Results 50 C.1 Introduction 50 C.2 Scope of tests 50 C.3 Documenting the results 50 C.4 Equipment re
17、quired for additional tests . 50 C.5 Description of tests . 51 C.5.1 Activation distance for HF system 51 C.5.2 Activation distance for UHF system 52 C.5.3 Eavesdropping tests for HF system 53 C.5.4 Eavesdropping tests for UHF system . 55 C.6 Test results 56 C.6.1 Equipment utilised during the tests
18、 56 C.6.2 Description of Tests 56 Bibliography 70 PD CEN/TR 16670:2014CEN/TR 16670:2014 (E) 4 Foreword This document (CEN/TR 16670:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC Technologies”, the secretariat of which is held by NEN. Attention is drawn to the possibility that some o
19、f the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The other deliverables are: EN 16
20、570, Information technology Notification of RFID The information sign and additional information to be provided by operators of RFID application systems EN 16571, Information technology RFID privacy impact assessment process EN 16656, Information technology - Radio frequency identification for item
21、management - RFID Emblem (ISO/IEC 29160:2012, modified) CEN/TR 16684, Information technology Notification of RFID Additional information to be provided by operators CEN/TS 16685, Information technology Notification of RFID The information sign to be displayed in areas where RFID interrogators are de
22、ployed CEN/TR 16669, Information technology Device interface to support ISO/IEC 18000-3 CEN/TR 16671, Information technology Authorisation of mobile phones when used as RFID interrogators CEN/TR 16672, Information technology Privacy capability features of current RFID technologies CEN/TR 16673, Info
23、rmation technology RFID privacy impact assessment analysis for specific sectors CEN/TR 16674, Information technology Analysis of privacy impact assessment methodologies relevant to RFID PD CEN/TR 16670:2014CEN/TR 16670:2014 (E) 5 Introduction In response to the growing deployment of RFID systems in
24、Europe, the European Commission published in 2007 the Communication COM(2007) 96 RFID in Europesteps towards a policy framework. This Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding fundamental valu
25、es such as health, environment, data protection, privacy and security. In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addres
26、ses the data protection, privacy and information aspects of RFID, and is being executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187 020, which
27、 was published in May 2011. Phase 2 is concerned with the execution of the standardization work programme identified in the first phase. This document will provide the additional information of the RFID application that will need to be provided to a citizen by accessing the source identified on the
28、sign where the RFID application is operating. This information will be aligned with the details set out in the Recommendation, but some of this might not be available at the outset, a Technical Report is the preferred form of initial delivery to establish basic requirements. PD CEN/TR 16670:2014CEN/
29、TR 16670:2014 (E) 6 1 Scope The scope of the Technical Report is to consider the threats and vulnerabilities associated with specific characteristics of RFID technology in a system comprising: the air interface protocol covering all the common frequencies; the tag including model variants within a t
30、echnology; the interrogator features for processing the air interface; the interrogator interface to the application. The Technical Report addresses specific RFID technologies as defined by their air interface specifications. The threats, vulnerabilities, and mitigating methods are presented as a to
31、olkit, enabling the specific characteristics of the RFID technology being used in an application to be taken into consideration. While the focus is on specifications that are standardized, the feature analysis can also be applied to proprietary RFID technologies. This should be possible because some
32、 features are common to more than one standardized technology, and it should be possible to map these to proprietary technologies. Although this Technical Report may be used by any operator, even for a small system, the technical details are better considered by others. In particular the document sh
33、ould be a tool used by RFID system integrators, to improve security aspects using a privacy by design approach. As such it is also highly relevant to operators that are not SMEs, and to industry bodies representing SME members. 2 Terms and definitions For the purposes of this document, the following
34、 terms and definitions apply. 2.1 blocker tag tag forcing the reader to enter in its singulation algorithm Note 1 to entry: The idea of the blocker tag that looks like a tag that we can have in our pocket, is to emit both 0 and 1 creating a collision and forcing the reader to enter in its singulatio
35、n algorithm. If the blocker tag emits simultaneously 0 and 1 (that requires two antennas), the reader may never complete its algorithm. The blocker tag should be seen as a hacker device that is able to generate a denial of service in a legitimate system. We can even assess that a blocker tag has alw
36、ays a malicious behaviour since it cannot be selective and forbids the reading of one tag whereas it authorises the reading of the others. Moreover, the blocker tag works like a tag in a passive mode. So, it requires being in the reader field and it will protect only a small volume around itself. So
37、 a blocker tag can be considered as a malicious tag, which prevents a legal system to read legal tags or as a mitigation technique preventing an illegal reader to read a legal tag. 2.2 blocking another way to produce a denial of service is to interfere during the anti-collision sequence Note 1 to en
38、try: Different devices have been developed. 2.3 cloning impersonation technique that is used to duplicate data from one tag to another Note 1 to entry: Data acquired from the tag by whatever means is written to another tag. Unless the technology and application require the interrogator to authentica
39、te the RFID tag, cloning is possible. Cloning the unique chip ID presents a significantly bigger challenge for the attacker, but some researchers claim that this is possible. There is also a special case of cloning that needs to be considered where the application accepts multiple AIDC technologies.
40、 Cloning data from an RFID-enabled card can be replicated in magnetic stripe. In some payment card systems, information that might be PD CEN/TR 16670:2014CEN/TR 16670:2014 (E) 7 cloned from an AIDC card could be used in payment situations known as cardholder not present for purchases made on the Int
41、ernet or by telephone. In this case, the clone is virtual and requires no encoding on another RFID tag. 2.4 denial of service preventing communication between the interrogator and the tags Note 1 to entry: There are two main ways to accomplish a “denial of service“. The first one is to create electr
42、omagnetic interferences, the second one is to insert a blocker tag in the communication. 2.5 destruction making the tag definitively unusable without using a logical kill function whenever such a function exist in the rfid protocol Note 1 to entry: Destruction may refer to the reader too. Although t
43、his attack threats RFID system availability, its different from deny of service because it cant reactivate and repair it. Destruction is considered as an attack when its practiced without holders knowledge. Two destruction types can be distinguished1) Hardware-and 2) Software destruction. While this
44、 can be seen as a security threat to the RFID operator, there are also situations where it might affect the individual. For example, if a public transport tag is accidentally damaged, then the individuals rights associated with it can be lost. In a similar manner as for tag removal, tag destruction
45、can be used as a control to protect the privacy 2.6 eavesdropping passive attack, which consists in remotely listening to transactions between a Real Reader and a Real Tag 2.7 guardian special device developed by Melanie Rieback from a Dutch University to help citizens to communicate with their own
46、contactless smartcards Note 1 to entry: As an active device it can be turned into a blocking tag preventing an attacker to access such contactless cards. Thus, it can blur any pervasive reading by actively emitting a jamming signal in the sidebands of a typical RFID tag. Such a mechanism enables mul
47、tiple functionalities: information can be sent to the reader or to the tag for secret key management, authentication, access control; monitoring of the RFID environment to warn of possible unsolicited reading; creation of collisions to prevent from the possible inquisitive reading. As a consequence,
48、 the RFID guardian is a useful tool to ensure the privacy but it is also an efficient device to create denials of service. Whereas the blocker tag is designed to carry out a simple load modulation, the RFID guardian is an active device that requires batteries and that is able to emit is own signal.
49、As a consequence, the distance of use is much larger. 2.8 jamming creating a signal in the same range as used by the reader in order to prevent tags from communicating with the reader Note 1 to entry: Because the RFID air interface protocol depends on radio signals, an attacker can exploit any such signals within the range of the communication between interrogator and tag 2.9 man in the middle object or person interfering in the communication between a real reader and a real tag PD CEN/TR 16670:2014CEN/
