• Sun

• SAP
• Microsoft
• Oracle

RFID Middleware
1
Sun’s RFID Software Architecture
2
Sun’s Event Manager
3
Sun’s Information Server
4
5 SAP
APPLICATION INTERROGATOR RF TAG

Tag Physical Memory

Decoder
AIR Logical
Application Program Interface

Encoder Memory Map

DEVICE
INTERFACE
COMMANDS
COMMANDS
APPLICATIONCO Tag Driver
MMANDS Command /
and
Response
APPLICATIONRES Mapping
Unit
PONSES Rules RESPONSES

DEVICE
RESPONSES

Logical Memory Note: The Logical Memory Map in the Tag

Physical Memory is given by the Tag
architecture and the mapping rules in the
DATA PROTOCOL PHYSICAL Tag Driver. All the information in the
PROCESSOR INTERROGATOR Logical Memory is represented in the
Logical Memory Map

ISO/IEC 15961 ISO/IEC 15962 ISO/IEC 15962 ISO/IEC 18000

Annexes
6
Standards
• Lots of source code
• Generic protocols
• Back-end databases
• High-value data
• False sense of security

Why RFID systems are vulnerable to attacks

7
• Buffer Overflows
– The life of a buffer overflow begins when an attacker
inputs data either directly (i.e. via user input) or indirectly
(i.e. via environment variables).
– This input data is deliberately longer then the allocated
end of a buffer in memory, so it overwrites whatever else
happened to be there.
– Since program control data is often located in the memory
areas adjacent to data buffers, the buffer overflow can
cause the program to execute arbitrary code

RFID-Based Exploits
8
• Buffer Overflows
– RFID tags are limited to 1024 bits or less.
– However, commands like 'write multiple blocks' from ISO-15693 can
allow a resource-poor RFID tag to repeatedly send the same data
block, with the net result of filling up an application-level buffer.
– Meticulous formatting of the repeatedly sent data
– An attacker can also use contactless smart cards, which have a larger
amount of available storage space.
– An attacker can really blow RFID middleware's buffers away, by using
a resource rich actively-powered RFID tag simulating device, like the
RFID Guardian

RFID-Based Exploits
9
• Code Insertion
– Malicious code can be injected into an application
by an attacker, using any number of scripting
languages including VBScript, CGI, Java, JavaScript,
and Perl

RFID-Based Exploits
10
• SQL injection
– SQL injection is a type of code insertion attack that tricks a
database into running SQL code that was not intended.
– Attackers have several objectives:
• They might want to enumerate (map out) the database structure.
Then, the attackers might want to retrieve unauthorized data, or
make equally unauthorized modifications or deletions.
• Databases also sometimes allow DB administrators to execute
system commands. A system command can be used to attack the
system

RFID-Based Exploits
11
• Worm is a program that self-propagates across a network,
exploiting security flaws in widely-used services
• A worm is distinguishable from a virus in that a worm does
not require any user activity to propagate
• Worms usually have a payload, which performs activities
ranging from deleting files, to sending information via email,
to installing software patches
• One of the most common payloads for a worm is to install a
“backdoor” in the infected computer, which grants hackers
easy return access to that computer system in the future.

RFID-Based Worms
12
• One can develop RFID based viruses using SQL
language.
• The SQL data can be transmitted to a system
via an RFID tag

RFID-Based Viruses
13
64 and 96 bit EPC tags have been defined

01 0000A21 00015E 000189DF0

Header EPC Manager Object Class Serial Number
8 Bits 8 – 35 bits 39 – 56 bits 60 – 95 bits

• Allows for unique IDs for 268 million companies

• Each company can then have 16 million object classes
• Each object or SKU can have 68 billion serial numbers
assigned to it

EPC Tags
14
 EPC Network

Manufacturer Retailer

1. EPC lifecycle begins when a Manufacturer tags the product

The EPC Network

15
 EPC Network
Electronic Product Code
urn:epc:sgtin:47400.18559.1234

Identification on Bar Codes

Identification for Serialized Information

Synt
ax 4th level 3rd level 2nd level Top level
1 Dom
ain ds . vnds . verisign . com
Name
Manufacturer
EPC 18559 . 47400 . onsepc
Retailer . com
1. EPC lifecycle begins when a Manufacturer tags the product
Manufacturer ID identifies supplier as Gillette
Object (product) Class identifies as Mach 3 razor (12 pk)

The EPC Network

16
 EPC Network

Manufacturer Retailer

1. EPC lifecycle begins when a Manufacturer tags the product

2. Manufacturer records product information (e.g., manufacture date, expiration date,
location) into EPC Information Service
3. EPC Information Service registers EPC “knowledge” with EPC Discovery Service

The EPC Network

17
 EPC Network

Manufacturer Retailer

4. Manufacturer sends product to Retailer

5. Retailer records “receipt” of product into EPC-IS
6. Retailer’s EPC-IS then registers product “knowledge” with EPC Discovery Service

The EPC Network

18
 EPC Network

7 Retailer
Application

Manufacturer Retailer

7. If Retailer requires product information, Root ONS is queried for location of

Manufacturer’s Local ONS
8. Manufacturer’s Local ONS is queried for location of EPC-IS

The EPC Network

19
 Total
EPC Network Transaction
Time:
<10
milliseconds

Retailer
Application

Manufacturer Retailer

9. Retailer queries Manufacturer EPC-IS for desired product information (e.g.,

manufacture date, expiration date, etc.)

The EPC Network

20
There is no global body that has set RFID regulation in stone; every country has its own
rules. Low frequency and High frequency RFID tags can be used globally without a
license, but UHF may not be used globally due to the lack of accepted standards. For
example: in North America, limitations exist on UHF usage, specifically targeting
transmission power. These limitations are not accepted by France because UHF
interferes with military bands.
As well, there are regulations for health and environmental issues.

Regulations
21
In Europe, it is illegal to dispose of boxes with RFID tags because of the possibility of
damaging sensitive recycling machinery. Potential health risks are associated with the
Electromagnetic Field surrounding RFID tags; every country has specific regulations
regarding this concern.

Regulations
22
The following is a list of many standards that apply to RFID technology:
ISO 11784 & 11785 - These standards regulate the Radio frequency identification of
animals in regards to Code Structure and Technical concept
ISO 14223/1- Radio frequency identification of Animals, advanced transponders - Air
interface
ISO 10536 - Close coupled cards
ISO 14443 - Proximity cards
ISO 15693 - Vicinity cards
ISO 18000 - RFID for item Management; Air Interface
EPC Global

Regulations Standards
23
One of the major RFID security concerns is the threat of illegal tracking:
• tags could be read from a distance without the owner’s
knowledge, leading to the disclosing of location or other
sensitive information contained in the RFID tag’s
memory

• the cloning of RFID tags - poses a problem for

companies employing RFID technology for entry into
their building, or for compromising payment methods,
such as the Esso Speed pass.

RFID Security Concerns

24
Unfortunately, the technology does not currently
exist to practically encrypt commercial RFID tags,
though proposed low-encryption solutions include
backward channeling and third-party agents. An
industry standard label has also been suggested as
a way to alleviate RFID security concerns.

RFID Security Concerns

25
RFID is about identifying and handling Items…

 Physical Materials
 Components and sub-assemblies
 Products
 Containers
 Physical carriers
 People
 Locations
 Documents and other forms information carrier
……….virtually anything tangible that is part of a business process.
This is the opportunity………

RFID Items
26
 Privacy & Security as
Primary Design Requirements
Designers, Manufacturers and users of RFID technology
should address the privacy and security issues as part of its
original design. Rather than retrofitting RFID systems to
respond to privacy and security issues, it is much preferable
that security should be designed in from the beginning.

Notice - Choice & Consent - Onward Transfer - Access -

Security

RFID Privacy
27
 Consumer Transparency

Ideally, there should be no secret RFID tags or readers. Use of

RFID technology should be as transparent as possible and
consumers should know about such implementation and usage
as they engage in any transaction that involves an RFID system.

But……

RFID Privacy
28
 Technology Neutrality

RFID technology, in and of itself, does not impose

threats to privacy. Privacy breaches occur when
RFID, like any technology, is deployed in a way that is
not consistent with responsible management
practices that foster sound privacy protection

RFID Privacy
29
 Some achievements based on the fact that the man
can also draw the right conclusions from false
premises. The computer does not create it.
[Lothar Schmidt]

o improved inventory management

o greater transparency in the production
o lower storage costs
o Simplified system management
o efficient production management
o fast and correct incoming and outgoing control
o continuous inventory
o better traceability.
o…

Rationalization potential
30
ERP EAI-Middleware
MES

SCM
Auto-ID-Infrastructure
GPS
Process level
CRM Tracking RFID Barcode
& Tracing

Infrastructure Realtime Enterprise (RTE)

31
 RFID- Chip Sensor- und RFID- chip
• Movement
• Temperature
• Humidity
•…

Hitachi 2001
RFID Tag with 0.4mm² RFID with GPS-Coupling

RFID-Tags
32