Evaluation of Current Practical Attacks Against RFID Technology

Abstract: Radio Frequency Identification (RFID) is a technology that has been around for three decades now. It is being used in various scenarios in technologically modern societies around the world and becoming a crucial part of our daily life. But we often forget how the inner technology is designed to work, or even if it is as trustable and secure as we think. While the RFID technology and protocols involved with it has been designed with an acceptable level of security in mind, not all implementations and use cases are as secure as consumers believe. A majority of implementations and products that are deployed suffer from known and critical security issues.      This thesis work starts with an introduction to RFID standards and how the technology works. Followed by that a taxonomy of known attacks and threats affecting RFID is presented, which avoids going through too much of technical details but provides references for farther research and study for every part and attack. Then RFID security threats are reviewed from risk management point of view, linking introduced attacks to the security principle they affect. We also review (lack thereof) security standards and guidelines that can help mitigating introduced threats. Finally to demonstrate how practical and serious these threats are, three real-world case studies are presented, in which we break security of widely used RFID implementations. At the end we also review and highlight domains in RFID security that can be researched farther, and what materials we are currently missing, that can be used to raise awareness and increase security of RFID technology for consumers.      The goal of this thesis report is to familiarize readers with all of the publicly documented and known security issues of RFID technology, so that they can get a sense about the security state of their systems. Without getting involved with too much technical details about every attack vector, or going throw tens of different books and papers, readers can use this report as a comprehensive reference to educate themselves about all known attacks against RFID, published to the date of writing this report.