Security and Privacy in Library RFID: Issues, Practices


Privacy in Library RFID
Attacks and Proposals
David Molnar
David Wagner
{dmolnar, daw}@eecs.berkeley.edu
Privacy in Libraries
• Must protect what patrons are reading
• Library only source of info for many
• FBI Library Awareness Program
– 1973-1988, official policy to monitor “suspicious” persons’ reading habits
– Library privacy laws passed as backlash
– Even with PATRIOT act, need court order
• Privacy adversaries not limited to FBI
– Marketers, Scientologists, pick your favorite…
RFID & Library Overview
• RFID = Radio Frequency IDentification
• One RFID tag per book
• Each RFID tag has “bar code” ID number
– Unique to each book, may identify library
• Exit gates read RFID for anti-theft
• 13.56MHz passive RFID
– ISO 15693, Checkpoint, TAGSYS C220
– Read range depends on antenna size
• Deployed in Oakland, Santa Clara, 130+
Pictures courtesy
Santa Clara City Library
Privacy and Ubiquitous Readers
• Read range not whole privacy story
• Even full in-view readers can be problem
– Scan at airport security, events, etc.
– Like metal detectors now
– Not clear what read or how used
• Readers easy to camouflage
– RFID reader looks like store anti-theft gate
Library RFID Architecture
[Diagram labels: Library database, Bar code]
• No authentication between reader and tag
• Database maps bar code → (title, status)
Attack: Book Scanning
• Can scan me and tell what I am reading?
• No reader – tag authentication
• Anyone can read tag data
• Most deployments: data limited to bar code
– Some vendors suggest more
• Need library database
• In CA, database protected by law
– Varies by state
Attack: Hotlisting and Profiling
• Hotlisting  is book on special list?
• Hotlisting is real – FBI and almanacs
• Profiling – bar code prefix identifies library
– Is library in predominantly minority area?
• Bar code never changes so hotlisting easy
• Walk into library, read bar code
• See the book again, recognize book
• Does not need library database
Attack: Book Tracking
• Bar code never changes
• Can link different sightings
• Track book movement
– Spatial movement
– Combine w/video for person-to-person
• “This person checked out same book as terrorist”
• Does not need library database
“Security Bit” Denial of Service
• RFID used for anti-theft
• Some vendors store “security bit” on tag
– Security bit = checked out/not checked out
– Bit re-written each checkout
• ISO 15693 tags have “write, then lock”
– No way to unlock data, no password on lock
• Adversary can lock security bit data page
• Can’t change security bit → tag useless
Collision Avoidance and Privacy
• Collision avoidance protocols identify tag
• Example: ISO 15693 mandates MFR ID
– Mask
– Does mask match MFR ID?
– Respond if yes
• Read passwords, changing ID, etc. don’t help
• Privacy requires attention to all layers
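The mask exchange on this slide, as an added example that is not from the original talk: a simplified one-slot model of mask-based collision avoidance in which the tag answers when the low bits of its fixed ID match the reader's mask. The `Tag` class, the rotating `app_id` and all ID values are hypothetical and constructed for illustration.

```python
# Simplified model of mask-based collision avoidance (one-slot inventory).
# All UIDs and application IDs below are constructed sample values.
import secrets

class Tag:
    def __init__(self, uid):
        self.uid = uid                        # fixed 64-bit ID set at manufacture
        self.app_id = secrets.randbits(32)    # hypothetical upper-layer ID

    def rotate_app_id(self):
        # Hypothetical privacy measure: change the upper-layer ID after each read.
        self.app_id = secrets.randbits(32)

    def inventory(self, mask_len, mask):
        # Respond only if the low mask_len bits of the UID match the mask.
        if self.uid & ((1 << mask_len) - 1) == mask:
            return self.uid
        return None

def singulate(tags, mask_len=0, mask=0):
    """Reader side: extend the mask bit by bit until each reply is collision-free."""
    replies = [r for t in tags if (r := t.inventory(mask_len, mask)) is not None]
    if len(replies) <= 1:
        return replies                        # zero or one tag answered
    found = []
    for bit in (0, 1):                        # collision: split on the next UID bit
        found += singulate(tags, mask_len + 1, mask | (bit << mask_len))
    return found

def sighting(tags):
    """What one reader pass observes: link-layer UIDs and upper-layer IDs."""
    uids = sorted(singulate(tags))
    app_ids = sorted(t.app_id for t in tags)
    for t in tags:
        t.rotate_app_id()                     # upper layer changes after every read
    return uids, app_ids

SAMPLE_TAGS = [Tag(0xE004010000000A11), Tag(0xE004010000000A15),
               Tag(0xE007000000123456)]

if __name__ == "__main__":
    first, second = sighting(SAMPLE_TAGS), sighting(SAMPLE_TAGS)
    print("UIDs identical across sightings:   ", first[0] == second[0])
    print("app IDs identical across sightings:", first[1] == second[1])
```

The upper-layer IDs differ between the two passes while the collision-avoidance layer returns the same fixed IDs, which is why a privacy review has to cover the link layer as well as the application data.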
RFID Limitations
• RFID powered only when near reader
– No precomputation, no caching
• RFID have few gates (< 5,000 for security)
• Randomness difficult on RFID
• “Cryptography” extremely hard on RFID
– Best we can do is a few XOR
• Future generation tags focus on price, not on security features
Problem: Private Authentication
• Reader does not know tag ID
• Authentication must preserve privacy
• Privacy and authentication in tension
Solving Private Authentication
• We have an efficient solution
• Example parameters:
– 10^6 tags
– Tag stores 192 bits
– Tag sends 168 bits total
– Only 4 XOR operations for tag
– 4096 XORs for reader
– Adversary needs 2^60 work to break
– All parameters can be traded off
Summary
• Library RFID is here now
• All today’s technology has privacy flaws
• Privacy is achievable efficiently
• Work still ongoing
Acknowledgements
• Many, many people to thank!
In no particular order:
Peter Warfield, Karen Duffy (Santa Clara City Library), Karen Saunders (Santa
Clara City Library), Susan Hildreth (San Francisco Public Library), Al
Skinner (Checkpoint), Paul Simon (Checkpoint), Doug Karp (Checkpoint),
Rebekah E. Anderson (3M), Jackie Griffin (Berkeley Public Library), Elena
Engel (BPL), Alicia Abramson (BPL), Lee Tien (Electronic Frontier
Foundation), Dan Moniz (EFF), Laura Quilter (Boalt Hall School of Law, UC
Berkeley), Jennifer Urban (Boalt), Nathaniel Good (SIMS), Samuelson
Technology and Policy Law Clinic at Boalt Hall School of Law, Elizabeth
Miles (Boalt), John Han (SIMS), Ross Stapleton-Gray, Eric Ipsen, Oleg
Boyarsky (Library Automation/FlashScan), Laura Smart (Library
RFID Weblog/Cal State Pomona), Craig K. Harmon (ISO 18000
committee), Justin Chen (SVCWireless RFID SIG), Steve Halliday (ISO
18000 committee), Zulfikar Ramzan (NTT DoCoMo), Craig Gentry
(NTT DoCoMo), Hoeteck Wee, Matt Piotrowski, Jayanth Kumar Kannan,
Kris Hildrum, David Schultz, and Rupert Scammell (RSA Security).
Questions?