Security, RFID and Consumers - Lorentz Center Schermer.pdf
Security, RFID and Consumers

RFID Security, Theory and Practice

mr. dr. Bart Schermer

RFID Platform Nederland

About me

• Secretary RFID Platform Nederland

• Privacy specialist at ECP.NL

• Partner at Considerati

• Assistant professor at the University of Leiden (faculty of law)

Board RFID Nederland

RFID Nederland

“Stimulating the uptake of RFID technology and ensuring its responsible use”

• Market initiative

• 50 participants

• www.rfidnederland.nl

• www.watisrfid.nl

Business drivers for RFID

Realtime insight into business processes increases:

• Efficiency

• Security

• Customer loyalty

Why are these similar?

Source: ADT Tyco

Opposing views...

RFID and the Public Opinion

RFID vulnerabilities

• Skimming / eavesdropping

• Weak crypto

• Tag-reader authentication

Security risks

• Access to data on the chip (including possible keys)

• Access to associated databases

• Access to communication between tag and reader

• Attack vector for databases (e.g. viruses, SQL injection)

• Cloning (!!!!)

• Possibility to follow / track and trace people

“Big Brother is watching you!”

Privacy risks

• Due to its invisible nature, RFID can be used to surreptitiously gather personal data.

• Companies can use this information to profile and classify customers

• Companies can use this information to follow and track consumers throughout their daily lives

• Companies can use invasive Minority Report style advertising

The role of privacy

• Information is power

• (Personal) data is used to profile and classify consumers

• Privacy is a means to maintain ‘economic equality’ between companies and consumers

• Consumers (should) have a say in the processing of their personal data

EU Privacy Law

• Data Protection Directive (95/46/EC)

• Telecom Privacy Directive (2002/58/EC)

EU Privacy Law

• Surreptitious gathering of personal data is a violation of the data protection directive (95/46/EC).

• Using personal data for other purposes than for which they have been gathered is a violation of the data protection directive

• Surreptitiously monitoring and following people is a criminal offence (and where it is not, it should be).

• Targeted advertising without prior permission from consumers is a violation of the data protection directive and the Telecom Privacy Directive (2002/58/EC).

Example I: OV chipkaart

• Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)

• Hack Plotz & Nohl (reverse engineering -> skimming -> cloning)

• Hack Radboud I (Mifare Ultralight) (skimming -> cloning)

• Dutch Data Protection Authority warns GVB, NS

• Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)

• Press coverage differs from the facts

• NXP (wrongfully) bashed for providing an insecure chip

• Security through obscurity worked for 13 years...

See also: https://ovchip.cs.ru.nl/Event_history

Example II: retail

Privacy or security?

Incident driven response...

• Consumer backlash (boycott) against technology

• Motion to cancel the OV chipkaart

• EU Recommendation on RFID & Privacy:

- Mandatory privacy impact assessment

- Opt-in for retail environment

Observations

• Emphasis on technology instead of application

• Security issues and privacy issues are often confused

• Business reality can differ from security reality

- security through obscurity may make sense for a business

- cost/risk analysis is leading, not 100% security

• Solutions are currently viewed as either/or (e.g. opt-in for retail)

• There is no integrated approach towards security and privacy

The right tool for the job

• 100% security is not always the most optimal economic decision

• RFID should not be the only security measure

• Focus on the problem, not the technology

• Which tool is most effective?

Suggestions

• Clear(er) distinction between privacy and security

- strengthen overall system security

- create tools to enhance privacy (privacy by design, PETs)

- create tools to effectuate legal safeguards (consumer in control)

• Security experts must educate businesses, consumers, policymakers and politicians (in English please)

• Security, business processes, and legal safeguards must strengthen each other

The way forward

Companies should:

• Use RFID in a responsible manner

• Provide benefits not only to themselves, but also to consumers

• Provide openness and transparency about the use of RFID

• Provide a truly free choice for consumers

Government should:

• Create tools for the protection of privacy (PETs, RFID guardians, logo system)

• Place the consumer in control

• Monitor possible shifts in the balance of power, and correct where necessary

Security experts and researchers should:

• Try to translate their work into proper English (e.g. Jip and Janneke)

• ...Keep up the good work

Bart Schermer

ECP.NL / RFID Platform Nederland

Overgoo 11

2260 AG Leidschendam

[email protected]

“RFID will have a greater impact on our society than the Internet has had”

-- Prof. Cor Molenaar, chairman of RFID Nederland

Questions?
