RFID Guardian

Radio-frequency identification chips (often called RFID tags) are passive, inductively powered chips that are used for many applications, from replacing bar codes on supermarket products to identifying lost dogs and cats. Their small size and low cost makes them ideal for tracking objects, animals and people.However, the ease with which RFID tags can be tracked opens the door to invading people's privacy.

The RFID Guardian was designed as a defense against unwanted RFID snooping. It is a small, battery-powered electronic device that can be carried around to warn its owner that a new RFID tag has been placed in his or her vicinity or that his or her tags are currently being scanned. The device can also be set up to block unknown scans. It has also been designed to deal with future RFID readers that are RFID Guardian aware and can negotiate with it. The RFID Guardian's functions include auditing, key management, access control and authentication. One can think of it as a personal RFID firewall.

Introduction to RFID

RFID is the latest phase in the decades-old trend of the miniaturization of computers. RFID tags are tiny resource-limited computers that do not have a battery that needs periodic replacement. RFID tags are inductively powered by their external reading devices, called RFID readers. The radio wave put out by the reader provides the electricity needed to power the tag, which then decodes the incoming query and produces an appropriate response by modulating the request signal, using one or more subcarrier frequencies. RFID Tags can do a limited amount of processing, and have a small amount of storage, sometimes as little as 128 bytes. However, improvements in technology will no doubt raise this limit in the future

RFID tags are useful for a huge variety of applications. Some of these applications include: supply chain management, automated payment, physical access control, counterfeit prevention, and smart homes and offices. RFID tags are also implanted in all kinds of personal and consumer goods, for example, passports, partially assembled cars, frozen dinners, ski-lift passes, clothing, and public transportation tickets. Implantable RFID tags for animals allow concerned owners to label their pets and livestock. VeriChip Corp. has also created a slightly adapted implantable RFID chip, the size of a grain of rice, for use in humans. Since its introduction, the VeriChip was approved by the U.S. Food and Drug Administration, and this tiny chip is currently deployed in both commercial and medical systems.

Privacy threats

The rapid adoption of RFID technology has raised concerns with numerous groups involved with privacy such as the Electronic Frontier Foundation [http://www.eff.org/Privacy/Surveillance/RFID/] and the American Civil Liberties Union [http://www.aclu.org/privacy/spying/15780res20050426.html] . Many of these concerns relate to the ability of unauthorized third parties to read the tags on objects carried by people walking on the street or entering a building. These tagged objects might include banknotes, library books, drivers licenses, passports, airline boarding passes, clothes, and many other things. In some cases, (some of) the information is encrypted, but in others it is not to keep the cost down. A second class of threats involves using information collected for one purpose being used for an entirely different one. For example, RFID-based public transit tickets and RFID-based toll collection systems such as E-ZPass result in the history of a person's whereabouts being logged, either on the tag itself or in a central database. Divorce lawyers might subpoena these records to build a case that the other spouse has been unfaithful. Or, abuse may include wireless kidnapping of people for bribery and/or extortion if our government will not even admit to having the technology available.

Design goals

The RFID Guardian is a portable, battery-powered device that creates a zone of privacy around its owner by acting both like an RFID reader and as an RFID tag, as needed. It constantly monitors the radio spectrum for incoming scans. When it detects a scan, it checks to see if the tag being addressed is one of the owner's protected tags, and if so, sends out a jamming signal to obliterate the response from the actual tag (which it cannot control). In addition, it also sends out periodic active probes to see if any new and unknown tags have been placed around the owner's person. If it detects new tags, it can respond in various ways, depending on how it has been configured. For example, it could sound an alert.

In addition, the RFID Guardian has been designed to work with future RFID readers that are aware of RFID Guardians and can negotiate with them. In this scenario, if a Guardian-aware reader tries to query a tag and the scan is blocked, it can send out a second query essentially saying "Is there an RFID Guardian out there? If so, I would like to be authenticated and get permission to query one of your tags." When the Guardian receives such a query, it can enter into a cryptographically-secure authentication protocol with the reader. If the reader is approved, it will be allowed to query one or more tags. In this way, friendly readers will be allowed to do their work. For example, in an office building, employees could have RFID chips in their company badges and allow known, approved, company readers scan them to open locked doors automatically, while prohibiting unknown readers from querying the badges and also prohibiting company readers from querying chips other than the one on the company badge. In this way the RFID Guardian's owner can control who can read which tags he or she is carrying.

To achieve this functionality, the design had four goals as follows. First, the RFID Guardian centralized control of the RFID environment in a single device (in contrast to other proposals which block RFID scans using multiple devices and tags [http://www.wired.com/techbiz/media/news/2004/03/62468] ). Second, the RFID Guardian is aware of its environment (friendly or hostile, which readers and tags are out there, etc.). Third, the device had to be easy to carry around and use. The version 3 prototype will consist of a radio unit that uses the owner's cell phone as its interface, talking to it via Bluetooth. A production version could be integrated entirely into a cell phone or PDA. Fourth, it had to work in the real world, which means it had to work with existing RFID technology. In particular, the prototype works with standard 13.56 MHz chips that are compatible with the ISO 15693 standard.

ystem functionality

When operating with standard (i.e., Guardian-unaware) readers, the RFID Guardian has a limited set of responses to a query: basically, do nothing (i.e., let the query be answered) or jam the response. However, when a Guardian-aware reader is encountered, the functionality can be greatly expanded. In general, the RFID Guardian has four operational functions that can be invoked, depending on the reader and the tags. First, it can do auditing. The Guardian can keep a record of all scans and tags it encounters. It can be configured to discard scans and tags known to be friendly, to limit the size of the log. Second, it can do key management. More expensive tags, such as those used in passports, protect their information cryptographically and Guardian-aware readers can do key exchange with the Guardian over a secure channel. Third, it can do access control, which means carrying out the owner's security policy. The owner can enter the policy on the interface's keypad, specifying rules in Guardian Language, telling what to do in any situation. For example, a rule could state that when at home, all queries from all readers are allowed, but away from home other rules apply. Fourth, while high-end RFID chips can do authentication, cheaper ones cannot. The Guardian can handle this authentication for them, thus giving low-end chips in clothes the same ability to selectively respond as high-end ones in passports.

Implementation

The RFID has gone through two prototypes, with a third one expected in June 2007. Version 2 is pictured left and right. The heart of the RFID Guardian, used in all prototypes, is an Intel XScale PXA270 processor with 64 MB of SDRAM and 16 MB of flash memory. The XScale was chosen because it is widely used in mobile phones and PDAs, which eases later integration into these devices. Also, due to its considerable computing power, it was easy to meet all real-time constraints.

The front end of the Guardian consists of chips and other components that act as an RFID reader (to query nearby tags) and additional circuits for emulating a tag (to handle incoming scans). The reader part is based on the Melexis MLX90121 reader-on-a-chip, along with amplification circuitry to increase the reading range. The tag emulation is based on the Philips SA615 chip, which can detect readers up to 50 cm away. Future improvements could increase the range.

When a normal RFID tag detects an incoming query, it encodes its response by turning a resistor on and off in synchrony with the incoming 13.56 MHz radio wave. This technique generates RF sidebands, which is where the response information is carried. In contrast, the RFID Guardian uses its battery power to generate these sidebands artificially, thus providing far more power than a normal tag (and thus giving it the ability to obliterate a tag's response when the Guardian has determined that the query is unauthorized).

The software is event driven and runs on top of the e-Cos real-time operating system [http://ecos.sourceware.org/] . Typical events are the arrival of an incoming packet (as a result of a reader query), a clock event (indicating that it is time to inspect the environment for new tags), or a user event (for example, to update the access control rules). When an event occurs, the software calls the appropriate handler to process it.

For incoming packets, they have to be checked for validity (using the packet checksum) and if valid, then parsed for the parameters. Depending on the nature of the query, information may be looked up in one or more internal tables and a response sent (tag emulation).

For clock events, inventory query packets are constructed and sent. These packets ask all tags in the vicinity to announce their presence and identify themselves. The responses have to be analyzed to see if any new, unknown tags, are present. Because multiple tags might be within reading range, a way is needed to avoid (or at least minimize) collisions. This mechanism is part of the ISO 15693 protocol, which the Guardian obeys.

When a user event (such as a key press) happens, the software has to see what the user is doing and carry it out.

The Guardian has been designed to withstand modest attempts to defeat it. For example, an attacker could launch a denial of service attack by flooding the Guardian with so many queries as to exhaust the radio bandwidth. While this could work, it would also make it impossible for any tags to respond, which is presumably what the attacker wanted. Attack scenarios are discussed in Reference 2 below.

Although not directly related to the RFID Guardian, its designers also created the first RFID virus, described in Reference 3 below.

External links

* [http://www.rfidguardian.org/ The RFID Guardian Website]
* [http://www.cs.vu.nl/~melanie/rfid_guardian/papers/lisa.06.pdf Technical paper on the RFID Guardian]
* [http://www.rfidvirus.org The RFID Virus Website]