Covert Channel Communication in RFID (Short Paper)
Md. Sadek Ferdous, Farida Chowdhury
Department of Information & Communication Technology, Metropolitan University, Sylhet, Bangladesh
Department of Computer Science & Engineering, Shah Jalal University of Science & Technology, Sylhet, Bangladesh
Abstract. Radio Frequency Identification (RFID) is considered one of the most pervasive computing technologies in history. It is believed that RFID tags will be attached to every consumer product, replacing bar codes, because RFID tags offer facilities such as location tracking on which many ubiquitous services can be built. It is even assumed that in future every person will carry an RFID tag in order to obtain those ubiquitous services. But this opens up a new arena of security concern: the tracking facility can be abused and personal privacy can be compromised. Different mechanisms have been proposed and applied to address this situation. This paper presents a novel approach to increasing security in RFID by introducing covert channel communication in RFID. Covert channel communication in computer networks has been a topic of both discussion and active research for more than three decades. In this paper we outline a mechanism for covert channel communication in RFID and propose how covert channel communication can be used to enhance security and protect privacy.
1 Introduction
Radio-Frequency Identification (RFID) is a pervasive technology that provides automatic identification of objects. In some ways it can be considered a 'Radio Barcode', but unlike barcodes, RFID provides excellent additional facilities and eliminates the need for human involvement [1]. It is believed that in the near future RFID will enable us, humans, to interact with the computing environment automatically and subconsciously, thus providing 'Ubiquitous Computing' capability [2]. These unique features have led many interested parties to adopt RFID for intelligent application scenarios such as anti-counterfeiting of goods, automatic checkout systems, infectious animal disease tracking, supply chain and supermarket management, access control, pet identification, automatic toll collection, remote keyless entry for automobiles, etc. [2], [3]. But due to its wireless nature, information revealed during RFID communication can be abused by any knowledgeable party, and individual privacy can be threatened. In this paper we introduce a unique approach to fighting the 'Violation of Privacy' problem by proposing, for the first time, covert channel communication in RFID.
Published in the proceedings of the First International Conference on Security of Information and Networks (SIN 2007)
Following this introduction, the paper is organized as follows: Section 2 introduces the basic concept of RFID systems, the threat model in RFID and the concept of covert channel communication in wired networks. Section 3 outlines previous work. In Section 4 we propose algorithms for covert channel communication in RFID, show by example how a covert channel can be used to increase security, and analyze performance issues. We conclude in Section 5.
2 RFID Concept, Threat Model & Covert Channel
An RFID system has two basic components, the RFID tag or transponder and the RFID reader or transceiver, and is supported by a backend database. An RFID tag is attached to an object to provide its identification; it usually contains a microchip with small computation and storage capability and a coupling antenna for communicating over radio frequency [4], [5]. The transponder is usually the data provider in an RFID system, while the transceiver/reader is usually the data seeker. Because the RFID system uses RF for communication, the reader can read data from the transponder automatically within a limited distance, eliminating the need for any human interaction in data collection.
The general format of the packet sent in response by the transponder, derived from the EPC (Electronic Product Code) Network, is given in Fig. 1 [6]. EPC is meant to replace the UPC (Universal Product Code) used in bar codes to identify an object. Different packet formats exist for EPC in different situations; they usually consist of 64 or 96 bits [7].
Because it communicates over RF, an RFID system is open in nature: traffic generated by the RFID transponder and reader can be read and analyzed. Several attack methods against security and privacy have come into existence, among them sniffing/eavesdropping [8], tracking [2], spoofing/cloning [2], [3], replay/relay attacks [9] and denial of service [2].
Fig. 1. The General EPC Format Specified for Retail: Code of … (8 bits) | EPC Manager (28 bits) | Object Class (24 bits) | Serial Number (36 bits)

Covert channel communication has been part of the security paradigm since 1973, when B. W. Lampson's paper "A Note on the Confinement Problem", published by ACM, introduced the term Covert Channel for the first time [10], [11]. The widely accepted definition of a covert channel, however, comes from the US Department of Defense Trusted Computer System Evaluation Criteria [12]. Different schemes for classifying covert channel communication exist today; here we adopt the classification model proposed in [13]. According to that model, covert channels can be classified into: Value Based Spatial Channel, Transition Based Spatial Channel, Value Based Temporal Channel and Transition Based Temporal Channel [13], [14].
3 Related Work
Increasing security in RFID by using covert channel communication is a novel approach and, to the best of the authors' knowledge, has not been implemented elsewhere.
4 Proposed Approach
Assumption: One of the main features of RFID communication is that the information provided by the tag/transponder is static. This is not true in wired or wireless LANs, where two consecutive packets in the same communication are never the same. So covert communication based on a spatial channel (both value based and transition based) can be implemented in a wired or wireless LAN by changing one of the header fields of the packets [15], but such a covert channel cannot be implemented in an RFID system. That is why we have adopted temporal channel based covert communication: our proposition will not alter any bit of the packet, but will instead depend either on the frequency of an event (value based) or on the delay between events (transition based). Our proposition uses packet arrival time as the event.
Proposition: Our proposed algorithms are given below.

Value Based Temporal Channel:

At the Transponder's End. Algorithm SendingVBTCCommunication
[The steps of this algorithm are not present in the extracted text.]

At the Reader's End. Algorithm ReceivingVBTCCommunication
1. Start Covert Channel communication by initiating an interrogation request towards the transponder. Repeat lines 2 to 5 until the communication ends.
2. If a response packet arrives within the defined time:
3. Ignore the value of the EPC packet, as it contains a false value regarding the transponder; interpret the whole packet as a single bit with value 1 and store it into a queue.
4. Else interpret the absence of a packet within that defined time period as a single bit with value 0 and store it into a queue.
5. End If.
6. At the end of the communication, the queue will hold the valid EPC packet containing the original EPC data.

Transition Based Temporal Channel:

At the Transponder's End. Algorithm SendingTBTCCommunication
1. Wait for any interrogation request initiated by the reader.
2. If a request is initiated by the reader:
3. Start Covert Channel communication. Repeat lines 4 to 8 until the communication ends.
4. Build a false EPC packet of 96 bits with any value.
5. Build an original EPC packet of 96 bits with the original value.
6. At first send a false EPC packet.
7. To transmit a bit with value 1 of the original packet, send the next packet in such a way that the interval between the two packets exceeds a threshold time.
8. To transmit a bit with value 0 of the original packet, send the next packet in such a way that the interval between the two packets remains below the threshold time.
9. End If.

At the Reader's End. Algorithm ReceivingTBTCCommunication
1. Start Covert Channel communication by initiating an interrogation request towards the transponder. Repeat lines 2 to 6 until the communication ends.
2. Ignore the value of the EPC packets, as they contain false values regarding the transponder. If the interval of arrival time between two consecutive packets exceeds a certain threshold value:
3. Interpret that interval as a single bit with value 1 and store it into a queue.
4. Else if the interval of arrival time between two consecutive packets does not exceed the threshold value:
5. Interpret that interval as a single bit with value 0 and store it into a queue.
6. End If.
7. At the end of the communication, the queue will hold the valid EPC packet containing the original EPC data.

Illustration: Let us illustrate the algorithms by an example. Suppose that in an RFID system the transponder wants to send a data packet (assumed) like that of Fig. 2:

Fig. 2. A Valid EPC response packet (Assumed)
At first the transponder will build a false EPC packet. A false EPC packet may look like Fig. 3 (assumed).

So, according to the Value Based covert channel algorithm, to send a bit with value 1 of the original packet (Fig. 2) the transponder sends the false packet (Fig. 3) at the defined time interval, and to send a bit with value 0 it does not send the false packet in that interval. Thus, to send the 96 bits of the EPC packet, the transponder goes through 96 transition periods.

According to the Transition Based covert channel algorithm, to send a bit with value 1 of the original packet (Fig. 2) the transponder sends two consecutive false packets (Fig. 3) such that the time interval between them exceeds the threshold value, and to send a bit with value 0 of the original packet it sends two consecutive false packets such that the time interval between them does not exceed the threshold.
Performance Analysis: In our proposed approach it is obligatory that synchronization between the transponder and the reader be set up first, that is, they must agree on a definite time interval for the Value Based algorithm and on a threshold time for the Transition Based algorithm. Some attack methods in RFID, such as sniffing, tracking and spoofing, require interaction with the direct RFID response. In our proposed approach the valid RFID response is never transmitted, only the false response. So an attacker who tries to build an attack model based on the RFID response will build a false model and will not be able to intercept the legitimate data unless he knows or guesses the underlying approach and the required synchronization. According to our algorithms, QoS will depend mainly on synchronization: as long as synchronization is maintained, QoS can be ensured. As RFID normally operates over a small range, a packet has to travel only a short distance. This ensures two things, a minimal chance of a packet being lost and a short time for a packet to reach its destination, which almost eradicates the possibility of losing an RFID packet or of a packet taking longer to reach the reader, either of which could cause synchronization between the reader and the transponder to be lost. So if synchronization is set up, it is most likely to prevail during the whole communication, thus maintaining QoS.
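As an added worked example (not code from the paper), the following Python simulation implements both temporal channels of Section 4 and the synchronization concern raised in the performance analysis. The transponder's transmissions are modelled purely as send times of false packets, the reader recovers the 96-bit EPC from those times alone, and a jitter model shows how far arrival-time error can grow before the Transition Based decoder loses synchronization. The EPC field layout follows Fig. 1; the name `header` for the first 8-bit field, the time units, the sample EPC value and the jitter model are all assumptions made for this example.

```python
"""Temporal covert channel over RFID responses (added simulation, not the
paper's code). The genuine EPC is never sent; only the timing of dummy
('false') packets carries it, as in Section 4 of the paper."""
import random

# 96-bit EPC layout of Fig. 1 (8 + 28 + 24 + 36 = 96). The label of the
# first 8-bit field is not legible in the paper; 'header' is an assumption.
EPC_FIELDS = (("header", 8), ("epc_manager", 28),
              ("object_class", 24), ("serial_number", 36))
EPC_BITS = sum(width for _, width in EPC_FIELDS)


def build_epc(header, epc_manager, object_class, serial_number):
    """Pack the four fields into one 96-bit integer, first field in the MSBs."""
    epc = 0
    values = (header, epc_manager, object_class, serial_number)
    for (name, width), value in zip(EPC_FIELDS, values):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        epc = (epc << width) | value
    return epc


def split_epc(epc):
    """Inverse of build_epc: 96-bit integer -> {field name: value}."""
    fields = {}
    for name, width in reversed(EPC_FIELDS):   # peel fields off the LSB end
        fields[name] = epc & ((1 << width) - 1)
        epc >>= width
    return fields


def epc_bits(epc):
    """MSB-first list of the 96 bits, the order in which they are signalled."""
    return [(epc >> (EPC_BITS - 1 - i)) & 1 for i in range(EPC_BITS)]


def bits_to_epc(bits):
    epc = 0
    for bit in bits:
        epc = (epc << 1) | bit
    return epc


# --- Value Based Temporal Channel (Algorithm ReceivingVBTCCommunication) ---
# The reader interrogates once per slot of length `slot`. A false packet
# answered inside slot i means bit i is 1; silence in slot i means bit i is 0.

def vbtc_send(epc, slot):
    """Send times of the false packets: mid-slot for every 1 bit."""
    return [(i + 0.5) * slot for i, bit in enumerate(epc_bits(epc)) if bit == 1]


def vbtc_receive(arrivals, slot, n_bits=EPC_BITS):
    """Reader side: packet seen in slot i -> 1, empty slot -> 0."""
    occupied = {int(t // slot) for t in arrivals}
    return bits_to_epc([1 if i in occupied else 0 for i in range(n_bits)])


# --- Transition Based Temporal Channel (Sending/ReceivingTBTCCommunication) ---
# After an initial false packet, each further false packet follows the
# previous one by more than `threshold` for a 1 and by less for a 0.

def tbtc_send(epc, threshold, margin):
    """Send times: first packet at t=0, then one inter-packet gap per bit."""
    times = [0.0]
    for bit in epc_bits(epc):
        times.append(times[-1] + (threshold + margin if bit else threshold - margin))
    return times


def tbtc_receive(arrivals, threshold):
    """Reader side: gap above the threshold -> 1, otherwise -> 0."""
    gaps = [later - earlier for earlier, later in zip(arrivals, arrivals[1:])]
    return bits_to_epc([1 if gap > threshold else 0 for gap in gaps])


# --- Synchronization under timing noise (Performance Analysis) -------------

def add_jitter(times, max_jitter, rng):
    """Perturb each arrival by up to +/- max_jitter (constructed channel noise)."""
    return [t + rng.uniform(-max_jitter, max_jitter) for t in times]


def tbtc_success_rate(epc, threshold, margin, max_jitter, trials=50, seed=1):
    """Fraction of trials in which the reader recovers the EPC bit-exactly.
    Two consecutive arrivals can shift a gap by up to 2*max_jitter, so the
    channel is reliable when 2*max_jitter < margin and breaks down above it."""
    rng = random.Random(seed)
    sent = tbtc_send(epc, threshold, margin)
    ok = sum(tbtc_receive(add_jitter(sent, max_jitter, rng), threshold) == epc
             for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    # Constructed sample EPC; the paper's Fig. 2 / Fig. 3 values are not in the text.
    original = build_epc(0x35, 0x0ABCDEF, 0x12345, 0x0123456789)
    slot, threshold, margin = 1.0, 10.0, 2.0      # assumed units: milliseconds
    print("VBTC round trip ok:", vbtc_receive(vbtc_send(original, slot), slot) == original)
    print("TBTC round trip ok:", tbtc_receive(tbtc_send(original, threshold, margin), threshold) == original)
    print("TBTC success, jitter 0.9 ms:", tbtc_success_rate(original, threshold, margin, 0.9))
    print("TBTC success, jitter 3.0 ms:", tbtc_success_rate(original, threshold, margin, 3.0))
```

The send functions return only timestamps because every packet the transponder actually emits carries the same false EPC: an observer who decodes payloads learns nothing about the tag, while a reader that shares the slot length or threshold decodes the timing. The jitter model makes the paper's QoS argument concrete: the Transition Based channel decodes correctly as long as the combined arrival-time error of two consecutive packets stays within the margin on either side of the threshold, and a reader can detect loss of synchronization simply by checking whether the recovered 96 bits form a valid EPC.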
Fig. 3. A False EPC response packet (Assumed)

5 Conclusions
Lack of security in RFID systems can threaten a whole group of invasive computer applications, so it is very important to enhance the security aspects of RFID. Different approaches have been proposed, illustrated and implemented by researchers around the world. This paper presents a novel approach to applying security in RFID by proposing the possibility of covert channel communication in RFID, which is the first of its kind. The authors believe that this approach will establish a new paradigm of security in RFID systems.
References
1. … READER, Chapter from the book: Privacy and Technologies of Identity, A Cross-Disciplinary Conversation (Eds K. Strandburg and D. Stan Raicu), Springer-Verlag, 2005.
2. Melanie R. Rieback, Bruno Crispo, Andrew S. Tanenbaum, Is Your Cat Infected with a Computer Virus?, In Pervasive Computing and Communications, Pisa, Italy, March 2006. IEEE Computer Society Press.
3. Simson L. Garfinkel, Ari Juels, Ravi Pappu, RFID Privacy: An Overview of Problems and Proposed Solutions, In IEEE Security and Privacy, 3(3):34–43, May-June 2005.
4. Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda, RFID Systems: A Survey on Security Threats and Proposed Solutions, In 11th IFIP International Conference on Personal Wireless Communications PWC06, volume 4217 of Lecture Notes in Computer Science, pages 159–170. Springer-Verlag, September
5. Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels, RFID Systems and Security and Privacy Implications, In Burton Kaliski, Çetin Kaya Koç, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 454–469, Redwood Shores, CA, USA, August 2002.
6. Thomas Hjorth, Supporting Privacy in RFID Systems, Master thesis, Technical University of Denmark, Lyngby, Denmark, December 2004.
7. EPC Standard Specification, version 1.1 rev. 1.24, April 1, 2004. technology/EPCTagDataSpecification11rev124.pdf
8. Biometrics deployment of machine readable travel documents, May 2004. deployment of Machine Readable Travel Documents 2004.pdf
9. Gerhard Hancke, A Practical Relay Attack on ISO 14443 Proximity Cards, Manuscript, February 2005.
10. Lampson, Butler: A Note on the Confinement Problem, KeyKOS/Confinement.html
11. Pukhraj Singh, Whispers On The Wire: Network Based Covert Channels Exploitation & Detection (BETA Draft).
12. US DoD: Trusted Computer System Evaluation Criteria, 1985.
13. Wang, Zhenghong, New Constructive Approach to Covert Channel Modeling and Channel Capacity Estimation, In ISC 2005, LNCS 3650, pp. 498–505, 2005.
14. Marc Smeets, Matthijs Koot, Research Report: Covert Channels, 2006.
15. Steven J. Murdoch and Stephen Lewis, Embedding Covert Channels into TCP/IP, Draft for Information Hiding Workshop 2005 proceedings (Revision 1159: July 29, 2005).