Intrusion Detection in RFID Systems

Geethapriya Thamilarasu and Ramalingam Sridhar
University at Buffalo, Buffalo, NY 14260-2000
{gt7, rsridhar}@cse.buffalo.edu


Abstract— In recent years, advances in Radio Frequency Identification (RFID) technology have led to its widespread adoption in diverse applications such as object identification, access authorization, environmental monitoring and supply chain management. Although the increased proliferation of tags enables new applications, it also raises many unique and potentially serious security and privacy concerns. Security solutions in RFID systems need to be strengthened to ensure information integrity and to prevent attackers from exploiting sensitive tag data. In this paper, we address the importance of the intrusion detection security paradigm for RFID systems. We present an overview of the state of the art in RFID security and investigate the limitations of traditional security solutions based on cryptographic primitives and protocols. We propose an RFID intrusion detection model that integrates information from the RFID reader layer and the middleware layer to detect anomalous behavior in the network, thus improving resilience to security attacks.

1. INTRODUCTION

Radio Frequency Identification (RFID) is a technology that uses radio waves to provide automated identification of objects and people. A simple RFID system consists of a tag (or transponder), a small RF chip coupled to a microprocessor, which communicates wirelessly with an RFID reader. Compared to traditional barcode identification technology, RFID is superior and more efficient: it does not require line of sight to access data, it has a larger read range, and readers are capable of communicating with multiple tags. RFID technology has the potential to provide automated data capture and system analysis, enable visibility in environments where tracking is otherwise not possible, deliver better asset utilization and thus optimize and improve the operational efficiency of a system. Due to these numerous advantages, RFID today is widely deployed in applications such as inventory tracking, warehouse management, homeland security, healthcare monitoring and supply chain management, including the most popular RFID supply chain systems developed by WalMart and the US Department of Defense (DoD).

© 978-1-4244-2677-5/08/$25.00 2008 IEEE

However, with the growing popularity of RFID, security and privacy problems pose serious challenges to several RFID applications. In VeriMed-based RFID medical implants, malicious modification of health information can lead to incorrect medical treatment [1]. In military supply chain applications, enemy forces monitoring the RFID communications can obtain information about troop movements. The US National Institute of Standards and Technology (NIST) has shown that the RFIDs to be used in US passports can be read from as far away as 30 feet [2]. A variety of countermeasures such as on-tag cryptography, authentication and access control have been proposed in recent years to provide RFID security. Since the RFID chip is small in size, with limited storage memory and processing capacity, it restricts the number and length of the encryption keys it can hold, making it a challenge to implement strong encryption algorithms on the tag. Also, existing cryptographic measures that provide security features to RFID applications are not entirely resilient to threats. For example, researchers at Johns Hopkins University and RSA Laboratories have shown that the RFID used in ExxonMobil's SpeedPass can be easily spoofed [3]. They also discovered cryptographic vulnerabilities in some high-security car keys. The researchers demonstrated that the RFID chips used weak encryption keys that could be broken within a few hours. Also, as demonstrated in [4], for attacks where the authentic tag itself is compromised, such as a change in tag ownership, it is difficult to rely on authentication mechanisms to prevent illegal owners of the tag from accessing the service. In this work, we propose a security framework that focuses on developing an intrusion detection system (IDS) for RFID systems. In addition to the existing security mechanisms, we monitor the RFID network for any anomalous activity. Using the auditing module in our IDS, we gather relevant information about the RFID tags and readers. We evaluate our model through statistical anomaly detection techniques that profile the normal tag/reader activity and detect network intrusions when the observed behavior deviates from the expected behavior.

2. RELATED WORK

Research in RFID security has gained momentum in recent years. A number of publications focus on the security and privacy implications of various RFID applications [5], [6], [7]. Rotter et al. provide a detailed description of possible security attacks in RFID and propose a framework for evaluating and assessing various security and privacy risks [1]. Researchers have developed several countermeasures to RFID threats, such as deactivation of tags and on-tag cryptographic solutions such as encryption, authentication and hash codes [8]. Juels et al. studied several RFID authentication protocols against these security threats [9]. Konidala et al. proposed a simple tag-reader mutual authentication scheme based on a 16-bit random number generator, the XOR function and the Access and Kill passwords [10]. Despite the plethora of available security solutions, due to their small size and constrained resources, tags are not capable of executing complex cryptographic solutions like hash functions. To address this, a few lightweight authentication protocols that do not require cryptographic hashes/keys in the tag have been proposed [11], [12]. However, lightweight security mechanisms such as the bitwise keys proposed by Peris-Lopez et al. are not fully secure and can easily be broken (passwords) or compromised [13], [14]. Rieback et al. proposed RFID Guardian, which integrates various security mechanisms (auditing, key management, access control and authentication) into a single compact battery-powered device [15]. Some of these security concepts, such as auditing, had not been used in the context of RFID before. Although combining various security functionalities enhances the security features of the system, it suffers from the big problem of a single point of failure: compromising RFID Guardian is sufficient to take over the entire network. Mirowski et al. proposed Deckard, an intrusion detection system model to detect change in tag ownership [4]. This is one of the first pieces of research to address the need for intrusion detection systems in RFID. Our approach closely resembles Deckard in its intrusion detection architecture. However, we look beyond change in tag ownership and provide a more generic security framework to detect various RFID attacks. We make use of reader-to-reader communication to obtain the audit data needed for detection. We use the RFID reader as a watchdog to observe and gather information from multiple neighboring readers and tags.

3. SECURITY THREATS AND VULNERABILITIES

Despite the effectiveness of RFID systems in automation and a myriad of other applications, the technology also introduces a range of security and privacy challenges. For instance, the RFID readers and tags that optimize a supply chain may also be used to disrupt the whole system, for example through malicious readers disabling tags on shipment containers. A malicious reader might be used in conjunction with a malicious tag to capture the data a legitimate tag is sending and transmit it at a later time. If a shipment shows up thousands of miles away from its expected location, it can throw the system into total disarray. In this section, we describe some of the security threats in RFID systems. Since the wireless channel is prone to vulnerabilities, an adversary can intercept the RFID communication between the tag and the reader. An attacker may also disrupt the communication by assuming a false identity as either the reader or the tag.

3.1. Sniffing/Eavesdropping

RFID tags are commonly designed to be read by any compliant reader. However, when a passive tag is powered on by a legitimate reader, a second malicious reader within read range can scan the tag-reader communication without any effort. Sniffing is a powerful attack, as the malicious reader can eavesdrop and obtain critical information contained on the tag.

3.2. Spoofing/Unauthorized Tag Cloning

In a spoofing attack, adversaries mimic authentic RFID tags by writing appropriately formatted data onto blank RFID tags. The attacker obtains the ID and any security information of a tag and uses them to deceive a reader into accepting the identity of that particular tag. Tag cloning is a type of spoofing attack in which a rogue reader scans the tag to obtain its data and creates unauthorized copies of the legitimate tag. This is a serious threat, as cloned tags can establish communication with any reader and obtain services and products using someone else's identity.

3.3. Man-in-the-Middle (MIM) Attack

An adversary in RFID may exploit the vulnerabilities of the wireless channel to launch man-in-the-middle (MIM) attacks. In this attack, the malicious entity intercepts the communication between an RFID tag and the reader by falsely pretending to be the authentic reader and/or the tag.

3.4. Unauthorized Tag Disabling

Malicious readers can render a tag useless through the unauthorized application of delete or kill commands, or through physical destruction. Tag disabling is a serious threat to inventory applications and military shipments, as it sabotages the entire system.

3.5. Unauthorized Tag Manipulation

Critical RFID tag data can be falsified through unauthorized write access to the tag. Tags that are provided with rewritable memory so that their contents can be updated are subject to this attack. By acting as an authentic reader, a malicious node can manipulate tag data.

4. RFID SECURITY - LIMITATIONS AND REQUIREMENTS

The increasing threats and challenges have led to several proposals aimed at enhancing the security features of RFID systems. However, most current security solutions focus on providing technical security controls through authentication and integrity services to the various components of RFID systems, such as tags and readers [8]. Common authentication techniques such as password control, keyed HMAC and digital signatures have inherent weaknesses, as they have been broken or compromised. For instance, passwords transmitted over the air can be intercepted or broken by a brute force attack. HMAC algorithms and digital signatures used to perform reader authentication on tags require memory and complex cryptographic functions to be supported on the tags. Such on-tag cryptographic security solutions may not always be feasible due to the low power, storage and processing capabilities of RFID tags. Also, it is difficult to implement complex algorithms in passive tags, which are powered by the RFID readers. Moreover, these techniques cannot hold if the adversary physically compromises the tag and obtains the secret key (in the case of HMAC). Existing proposals for securing RFID are mostly implemented in the tag or the reader. However, due to the above-mentioned limitations, these security solutions are not fool-proof and are often ineffective. Hence, it becomes necessary to support an additional line of protection in these systems. Similar to wired/wireless networks, where an intrusion detection system (IDS) is often used to detect intruders when cryptographic mechanisms fail or are infeasible, it becomes necessary to provide a second line of defense to increase RFID security. The question of where to integrate the intrusion detection module into RFID security now arises, as the RFID system is comprised of different components such as the tag layer, the reader layer and the middleware layer. We first investigate the suitability of the different RFID layers to support intrusion detection functionalities.

4.1. Tag Layer

As the underlying RFID component, tags are used to store useful information that can be transmitted over the wireless RF channel, and they are hence widely used in applications such as tracking and inventory management. But tags are also the most vulnerable component, as their wireless communication makes them a potential target for a range of attacks, including disruption of tag functionality and tag destruction, as discussed earlier. This makes the tag the weakest link in the RFID chain. Insufficient power and memory resources and low processing capabilities further limit the security functionality that can be placed on board the tag. Hence, it is difficult to provide an additional layer of security at the tag layer.

4.2. Reader Layer

RFID readers are the devices responsible for detecting tags when they are in read range and reading the data stored in the tags. As the communication between tag and reader operates over the wireless RF interface, providing security presents complex difficulties. For instance, it is challenging to prevent malicious readers from attacks on tags such as blocking or data manipulation on a wireless channel. Readers are, however, rich in information, as a reader can read data from multiple tags in its range. Readers may also be modified to read and observe data from other neighboring readers in their read range. Hence, the reader layer has the potential to collect information from tags as well as other readers through the RF interface and form an audit database. Information from the database can be used at higher RFID layers for further processing to detect adversarial behavior in the network.

4.3. Middleware Layer

Middleware is the software component between the readers and the backend applications. This module is often responsible for processing the streams of tag and reader data coming from its reader devices. As this layer is rich in computational resources, data gathered by reader layer auditing can be processed for security violations using a detection module. Hence, this layer is the most promising and suitable place for the intrusion detection server of an RFID system. Thus, the integration of data from the reader layer with a detection module at the middleware layer can be used to identify and detect malicious RFID components.

Fig. 1. RFID System Model (figure: backend database with back-end security; middleware hosting the RFID Intrusion Detection Server; reader layer security with authentication and data encryption; RFID reader wireless interface; tag layer security with authentication and data encryption; RFID tag)

5. SECURITY FRAMEWORK FOR RFID SYSTEMS

In this section we discuss the design framework of the intrusion detection system for detecting malicious reader and tag behavior in RFID. In addition to the on-tag cryptographic security solutions and authentication schemes, our proposed intrusion detection model provides a second line of defense against security attacks. As the tag layer is the weakest link in the chain, we focus on providing security measures at the reader layer and the middleware layer. Our intrusion detection system is placed at the middleware layer, between the RFID reader and the backend database. We also provide added security functionality at the reader layer to monitor the network for any irregularities. The security server at the middleware layer analyzes the RFID tag data as well as the reader data obtained from the readers in bands to detect any malicious behavior in the system. The core of our proposed security framework consists of the following components, as shown in Fig. 2:

1) Auditing Module at the reader layer
2) Detection Module at the middleware layer
3) Action Module

TABLE I
RFID FEATURES FOR INTRUSION DETECTION

  #   Feature Description
  1   Reader Id, Location
  2   Tag Id, Location
  3   Number of Read Requests Sent
  4   Number of Tag Data Received
  5   Number of Tag Data Sent
  6   Number of Tag Updates by Reader

5.1. Auditing Module

Our first task in intrusion detection is to identify suitable features that are useful in detecting attacks on RFID readers and tags. The auditing component of the detection server is responsible for monitoring the activities in the RFID network to gather evidence of anomalous behavior. It essentially acts as the data collection component, logging the audit features of RFID tags as well as RFID readers. We have identified some of the features that can be extracted from the network by monitoring the communication between the readers and the tags, as shown in Table I.

5.1.1 RFID Reader Audit: In order to detect the wide variety of attacks launched by malicious readers in the network, our detection system should be capable of monitoring the readers. We provide a watchdog-based monitoring mechanism at the reader to passively observe the behavior of other readers in its radio range. In order to detect a reader anomaly, we must first define a set of suitable features that can be used to identify and profile a valid reader. These features may represent the reader node id, describe the traffic conditions in the RFID network, and indicate whether the reader is used only to scan the tags in its radio range or to write data onto the tags as well.

5.1.2 RFID Tag Audit: Security violations in RFID can occur through malicious tag attacks such as tag cloning. As discussed earlier, primitive cryptographic measures may not be effective against such attacks when authentic tags are physically compromised. We can reasonably assume that when an authentic tag is cloned or physically captured by a malicious entity, its behavior profile will change significantly from that of the tag attached to the valid user. Monitoring and logging the tag audit data features can therefore be used to detect anomalous tag activities in the network.

Fig. 2. RFID Intrusion Detection System Model (figure: intrusion detection server comprising the auditing, detection and action modules, fed by reader data)

5.2. Detection Module

In this work, we use a statistical intrusion detection model based on activity profiles to determine abnormal behavior. Observations from the audit records collected from RFID reader/tag transactions are used together with a mean-standard deviation model to determine anomalies. We illustrate our intrusion detection model by studying man-in-the-middle attacks in RFID.

Case Study: Man-in-the-Middle Attack (MIM)

Let us consider the example of a man-in-the-middle attack in an RFID network with dense readers. Let ⟨T, R⟩ denote the authentic tag and reader components and ⟨T', R'⟩ the malicious tag and reader emulators. For the scenario shown in Fig. 3, there are two possible cases of MIM attacks.

Fig. 3. MIM Attack Scenario (figure: attacker reader R' intercepts the tag data from Tag T; attacker tag T' sends that data to Reader R using Tag T's identity)

5.2.1 Case 1: The malicious reader R' intercepts the read request from R and communicates with tag T, posing as the authentic reader R. R' receives the data and security information from tag T and relays this information to R using the tag emulator T'. Thus the communication between T and R is disrupted, and malicious users gain access to the reader's services.

5.2.2 Case 2: A MIM attack can also be used to manipulate the contents of an authentic tag. In the above scenario, R' can identify itself as the valid reader R and write false data onto rewritable tags. Data falsification can be used to disrupt the entire RFID network or to allow an illegal entity to gain access.

WatchDog Reader: We propose the use of a monitoring reader agent Rm that lies in the range of both readers R and R'. In compliance with our proposed intrusion detection model, reader Rm monitors the activities of readers and tags in its reading range. The monitoring reader observes both the tag data from T and the rebroadcast data from T', coming from different locations with the same identity. For every reader-tag association, we generate the following audit record profiles:

<TagID, READ, ReaderID, Location, TimeStamp>
<TagID, WRITE, ReaderID, TimeStamp>

The data thus observed by the watchdog reader Rm and reader R are passed to the middleware layer for processing. Using the statistical detection method discussed above, a deviation of the observed profile from the normal profile is characterized as an intrusion. Based on the activity profile, we define the following metrics for detecting MIM attacks:

• Event Counter: Based on the IDS model by Denning [16], this metric denotes the number of audit records for a particular type of event. For RFID transactions, read and write profiles can be created for a tag using the statistical mean and standard deviation model. To signal an anomaly in these events, we use the following metrics: Read Frequency, the mean number of read operations on tag T, and Write Frequency, the mean number of write operations on tag T.
• Time Interval: The length of time between two events of the same type can be used to observe inconsistent activity. For instance, if the same tag is read by the same reader consecutively (contrary to the tag-reader profile), we signal an anomaly.
• RSS value: A MIM (Case 1) attack causes relaying and rebroadcasting of data from different locations. Identifying the tag location can be helpful in addressing such masquerading attacks. Most RFID readers are now capable of estimating the received signal strength (RSS). Using the RSS metric, it is possible to determine the location of a tag with significant accuracy.

Fig. 4. Audit data - To measure RFID events

Tag ID   Time Interval (s)   Mean # of Read Operations   Mean # of Write Operations   Received Signal Strength (RSS) (dB)   Time Period (seconds)
3        100                 15                          5                            -75                                    100
3        150                 30                          7                            -90                                    200
3        200                 22                          11                           -84                                    300
3        300                 42                          13                           -76                                    400
3        450                 36                          17                           -63                                    500
3        500                 23                          21                           -55                                    600
3        600                 37                          24                           -40                                    700

6. SIMULATION EXPERIMENTS

We have simulated the RFID network using RFIDSim [17]. The simulator is a custom RFID-oriented network simulator written in C++. RFIDSim implements several propagation models (free space, two-ray) and fading models (Ricean, Rayleigh), and handles multiple interfaces per node, multiple channels, and active and passive tags. We have enhanced the basic functionality of RFIDSim to model and detect MIM attacks. We developed functional modules to collect tag and reader audit data periodically and to detect the attack using statistical detection techniques. We used the following simulation setup for running the experiments:

• Tag/Reader Setup: We used a uniform random distribution for the tags in a field area of 6 by 6 meters. All the readers were randomly distributed in the area.
• Propagation Model: free space
• Fading Model: Ricean (6 dB)
• MAC protocol: Slotted Aloha
• Reader Power: 3300 mW

6.1. Experiment scenario

We defined a system of 100 tags, with the number of readers varying from 5 to 30. Based on the traffic and application requirements, the number of times a reader reads the same tag differs across time periods. Also, using the RSS values read at consecutive time periods, we calculated the standard deviation of the relative location range of the tag. In our simulation, we first built a normal profile without any malicious readers or tags. Tables 4 and 5 show the normal profile built using the audit records.
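The three MIM metrics of Section 5.2 (event counter, time interval and RSS) applied to watchdog audit records, as an added example that is not code from the paper or from RFIDSim. The normal profile for tag 3 is taken from Fig. 4; the period length, the thresholds (k = 2 standard deviations, a 1 s minimum read gap, a 15 dB RSS change within 1.5 s) and the audit log itself are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Tag 3 normal profile from Fig. 4 of the paper (read/write counts per period); PERIOD is assumed.
NORMAL_READS = [15, 30, 22, 42, 36, 23, 37]
NORMAL_WRITES = [5, 7, 11, 13, 17, 21, 24]
PERIOD = 100.0  # seconds


@dataclass(frozen=True)
class AuditRecord:
    """<TagID, op, ReaderID, RSS, TimeStamp> as logged by watchdog reader Rm;
    RSS stands in for the Location field of the paper's audit profile."""
    tag_id: int
    op: str        # "READ" or "WRITE"
    reader_id: str
    rss_db: float  # received signal strength at the watchdog, in dB
    ts: float      # seconds


def profile(samples):
    """Denning-style mean/standard-deviation model for one metric."""
    return mean(samples), pstdev(samples)


def is_outlier(value, prof, k=2.0):
    """True when value lies more than k standard deviations from the profile mean."""
    m, sd = prof
    return abs(value - m) > k * sd


def event_counter_alerts(records, reads_prof, writes_prof, k=2.0):
    """Read/Write Frequency metric: count events per (tag, period). Every period in
    which the tag was seen is checked for both ops, so a sudden zero write count counts too."""
    counts, seen = defaultdict(int), set()
    for r in records:
        slot = int(r.ts // PERIOD)
        counts[(r.tag_id, slot, r.op)] += 1
        seen.add((r.tag_id, slot))
    alerts = []
    for tag, slot in sorted(seen):
        for op, prof in (("READ", reads_prof), ("WRITE", writes_prof)):
            n = counts[(tag, slot, op)]
            if is_outlier(n, prof, k):
                alerts.append((tag, slot, op, n))
    return alerts


def time_interval_alerts(records, min_gap):
    """Time Interval metric: the same reader reads the same tag again within min_gap s."""
    last, alerts = {}, []
    for r in sorted(records, key=lambda x: x.ts):
        if r.op != "READ":
            continue
        key = (r.tag_id, r.reader_id)
        if key in last and r.ts - last[key] < min_gap:
            alerts.append((r.tag_id, r.reader_id, r.ts))
        last[key] = r.ts
    return alerts


def rss_alerts(records, window, max_delta_db):
    """RSS metric: one tag identity seen at RSS levels more than max_delta_db apart
    within `window` s, the signature of T' rebroadcasting T's data from elsewhere."""
    prev, alerts = {}, []
    for r in sorted(records, key=lambda x: x.ts):
        p = prev.get(r.tag_id)
        if p is not None and r.ts - p.ts <= window and abs(r.rss_db - p.rss_db) > max_delta_db:
            alerts.append((r.tag_id, p.ts, r.ts, p.rss_db, r.rss_db))
        prev[r.tag_id] = r
    return alerts


def constructed_records():
    """Constructed watchdog log. Period 0: normal traffic between tag 3 and reader R.
    Period 1: MIM Case 1 relay, R' reads T (RSS -72) while T' replays to R from a
    different spot (RSS -40), plus one double read by R at 150.0 s and 150.5 s."""
    recs = [AuditRecord(3, "READ", "R", -72.0, 3.0 * i) for i in range(30)]
    recs += [AuditRecord(3, "WRITE", "R", -72.0, 2.0 + 8.0 * i) for i in range(12)]
    recs += [AuditRecord(3, "READ", "R'", -72.0, 100.0 + 2.0 * i) for i in range(25)]
    recs += [AuditRecord(3, "READ", "R", -40.0, 101.0 + 2.0 * i) for i in range(25)]
    recs += [AuditRecord(3, "READ", "R", -40.0, t) for t in (150.0, 150.5)]
    return recs


def detect(records):
    """Run the three MIM metrics of Section 5.2 and return their alerts."""
    reads, writes = profile(NORMAL_READS), profile(NORMAL_WRITES)
    return {"event_counter": event_counter_alerts(records, reads, writes),
            "time_interval": time_interval_alerts(records, min_gap=1.0),
            "rss": rss_alerts(records, window=1.5, max_delta_db=15.0)}
```

On the constructed log, period 1 trips all three metrics: 52 reads against a profile mean of about 29, a zero write count, one sub-second repeat read by R, and 49 consecutive observations of tag 3 alternating between -72 dB and -40 dB.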

Fig. 5. RSS Data - To Calculate location

In Experiment 1, we introduced malicious readers/tags into the system to launch a varying number of MIM attacks. For a fixed number of watchdog readers in the system, we built a new observation profile using the same audit data. When an observation record deviated from the normal profile, we signaled an anomaly. Figures 6 and 7 show the detection performance in terms of detection rate and false alarm rate. From the results, we observe that our scheme has a high detection rate. Even though the detection rate decreases as the number of attacks grows large, we are still able to achieve a 60% detection rate for the worst attack scenario considered in the simulation.

In Experiment 2, we varied the number of watchdog readers in the system. With more readers available for monitoring the reader-tag communication, we were able to achieve higher detection accuracy, as shown in Fig. 8.

7. CONCLUSION

In this work, we identified the various security threats and vulnerabilities of RFID components. We discussed the limitations and weaknesses of on-tag cryptographic security solutions. We investigated the importance of and the need for a second line of defense through an intrusion detection system in RFID networks. We developed a security framework with an IDS module comprising the reader layer and the middleware layer. We performed statistical analysis to profile the normal behavior and detect intrusions. We presented an example case study using a man-in-the-middle attack to demonstrate our approach. Using simulations, we evaluated the proposed intrusion detection mechanism and obtained high detection accuracy.

REFERENCES

[1] P. Rotter, "A framework for assessing RFID system security and privacy risks," IEEE Pervasive Computing, vol. 7, no. 2, pp. 70–77, 2008.

Fig. 6. Detection Rate (percentage of attacks detected, 0 to 1) versus Number of Attacks (0 to 350), Watchdog Readers n = 10

Fig. 7. False alarm Rate (percentage of false positives, 0 to 1) versus Number of Attacks (0 to 350), Watchdog Readers n = 10

Fig. 8. Detection Rate (percentage of attacks detected, 0 to 1) for varying number of Watchdog Readers (0 to 30)

[2] J. Yoshida, "Tests reveal e-passport security flaw," Electronic Engineering Times, (1336):1, 30 August 2004.
[3] S. C. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin, and M. Szydlo, "Security analysis of a cryptographically-enabled RFID device," in SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium, 2005.
[4] L. Mirowski and J. Hartnett, "Deckard: A system to detect change of RFID tag ownership," International Journal of Computer Science and Network Security, vol. 7, pp. 89–98, July 2007.
[5] M. Mitra, "Privacy for RFID systems to prevent tracking and cloning," International Journal of Computer Science and Network Security, vol. 8, pp. 1–5, January 2008.
[6] J. Ayoade, "Privacy and RFID systems: Roadmap to solving security and privacy concerns in RFID systems," Computer Law and Security Report, vol. 23, no. 6, pp. 555–561, 2007.
[7] M. Rieback, B. Crispo, and A. Tanenbaum, "The evolution of RFID security," IEEE Pervasive Computing, vol. 5, pp. 62–69, January–March 2006.
[8] T. Karygiannis, B. Eydt, G. Barber, L. Bunn, and T. Phillips, "Guidelines for securing radio frequency identification (RFID) systems," NIST Special Publication 800-98, April 2007.
[9] A. Juels, "RFID security and privacy: a research survey," IEEE Journal on Selected Areas in Communications, vol. 24, pp. 381–394, Feb. 2006.
[10] D. Konidala, Z. Kim, and K. Kim, "A simple and cost-effective RFID tag-reader mutual authentication scheme," in Conference on RFID Security, (Malaga, Spain), pp. 141–152, July 2007.
[11] S. Karthikeyan and M. Nesterenko, "RFID security without extensive cryptography," in Workshop on Security of Ad Hoc and Sensor Networks – SASN'05, (Alexandria, Virginia, USA), pp. 63–67, ACM Press, November 2005.
[12] H.-Y. Chien, "SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity," IEEE Transactions on Dependable and Secure Computing, vol. 4, pp. 337–340, December 2007.
[13] P. Peris-Lopez, J. C. Hernandez-Castro, J. Estevez-Tapiador, and A. Ribagorda, "M2AP: A minimalist mutual-authentication protocol for low-cost RFID tags," in International Conference on Ubiquitous Intelligence and Computing – UIC06, vol. 4159, pp. 912–923, September 2006.
[14] T. Li and G. Wang, "Security analysis of two ultra-lightweight RFID authentication protocols," in IFIP SEC 2007, 2007.
[15] M. Rieback, B. Crispo, and A. Tanenbaum, "RFID guardian: A battery-powered mobile device for RFID privacy management," in Australasian Conference on Information Security and Privacy – ACISP'05, (Brisbane, Australia), pp. 184–194, July 2005.
[16] D. E. Denning, "An intrusion-detection model," IEEE Transactions on Software Engineering, vol. 13, pp. 222–232, 1987.
[17] M. J. Miller, "Rfidsim - a simulator for RFID networks," 2006. http://www.matthewjmiller.net/files/rfidsim_doc/html/.