Literature Review of Security of RFID and GPS Devices
Introduction
The deployment of radio frequency identification (RFID) and global positioning system (GPS) is on the rise across several industries. RFID is used in traditional applications such as assets and inventory tracking. Presently, RFID technology is used in security services such as RFID embedded credit cards and electronic passports (Plunkett, 2012). RFID technology uses radio waves to identify objects and people. RFID devices read information contained in a wireless device commonly known as ‘tags’ from a distance without any physical contact. In a typical RFID communication, a clear line of sight is required. Although RFID technology was available from the 1970s, this technology has become a part of our lives in the last ten years. This technology is now widely used in daily life applications such as keyless entry into cars, employee identification, medical billing, highway toll tax, credit cards, and security access cards. GPS technology also came into existence in the early 1970s (Plunkett, 2012). GPS initially was widely used in military applications for tracking and surveillance purpose. However, since the 1990s with communication satellites available for commercial use, civilian applications also started using GPS technology (Pethakar, Srivastava and Suryawanshi, 2013). Presently, GPS technology is used in road transport, aviation industry, shipping and rail transport, environmental and atmospheric monitoring, civil security applications such as tracking of vehicles, covert tracking of suspects, and heavy vehicle guidance, surveying in Geophysics applications, financial services, and social activities such as social networking, geotagging, and geodashing (Sengupta, 2013). In a typical GPS technology, a GPS transmitter device emits the positioning signal processed by the nearest satellite. Receiver devices then can access the information from the satellite and decode the information to learn about the actual positioning coordinates. Both the technologies use multiple nodes to transmit data from one location to another, which makes it more vulnerable than typical wired systems. Additionally, both RFID and GPS enabled devices are available almost everywhere. Therefore, for a typical hacker, accessing a RFID or GPS device is of less concern.
In a typical RFID based system, because of wireless transmission of information from one device to another, the security required goes to a completely new level. RFID includes the full spectrum of wireless devices of varying capabilities, starting from vehicles, speed passes, and credit card information to electronics product codes and employee identification. It is important to have a clear idea of the meaning of data security in a RFID landscape. RFID data security should have three qualities. Firstly, RFID data should have controlled access. Only authorized entities can read and write information. Secondly, there should be proper control over the access to the system. Only authorized entities should be able to configure and add to the system and they should be validated for authentic and trustworthy sources. Finally, RFID system security should generate a perception of safety and security to the end users (Plunkett, 2012). This is more of a subjective criterion, but is probably the most important criterion for the development and sustainability of RFID technology. The definition of security in a GPS system is same as the RFID technology. Like the security definition of RFID system, GPS enabled devices should also be designed keeping in mind the same data security principles.
However, implementing higher level of security protocol for both RFID and GPS systems requires huge investment and overhead costs, which may not be justified for all kinds of applications. Presently, GPS security protocol is mostly used in military applications, whereas most of the civil applications do not use the highest level of security because of prohibitive cost of implementing the security technology (Pethakar, Srivastava and Suryawanshi, 2013). Similarly, for RFID technology, security measures are implemented only for a few applications such as financial operations, credit card identification, and security identification.
Security Issues
In a RFID system, security issues that can surface can be categorized into two broad groups; backend network security and frontend radio frequency (RF) security. After the RFID device collects data from tags, it sends information via internet protocol communication to a central server. A person who can hack into a communication channel between the RFID device and the central server can access all the information going through the network channel. A hacker with superior internet protocol technology knowledge and network hacking experience can hack into such systems. However, network security is a high developed area. Different forms of security protocol are available for internet protocol communication. Companies can use proven security technologies such as Secure Sockets Layer (SSL) and Secure Shell (SSH) (Plunkett, 2012). Even network ports can be secured using telnet protocols, certificate of authentication and encryption. In a typical RFID system, backend is often less vulnerable than the frontend. In front end communications, tag readers provide and collect to and from tags, using low frequency RF communication. This front end is the main reason for the RFID technology to flourish. However, this also opens the system to multiple security threats such as unauthorized access to tags, rogue and clone tags, and side channel attacks (Plunkett, 2012).
Like RFID technology, GPS enabled devices also face both backend and frontend security threats. Similar to the RFID technology, the backend communication happens over the internet protocol. As discussed in the above paragraph, backend security protocols are well developed and less vulnerable to security threats. GPS frontend communication is more vulnerable to security threats than RFID technology, because the frontend communication goes through multiple nodes. A typical GPS frontend communication starts from the device and reaches the nearest communication tower. The communication tower then sends signal to a central server or a nearby satellite (Pethakar, Srivastava and Suryawanshi, 2013). The satellite then sends signal back to the central server from where different applications can access the data. A hacker can hack a device and transmit false data to the satellite or the central server. Thereby, the hacker can create a false impression about the location of the device, whereas the actual location of the device may be completely different. This type of security threat is known as ‘spoofing’ (Bonebrake, 2014). Spoofing can have severe impact on some of the GPS applications. For instance, the airline industry uses GPS technology to track the location of aircrafts. If a hacker can hack this GPS enabled system and send false information to the airline navigation system, it may cause aircraft crash. Also, hackers can change the time in the major stock market transactions that use timestamp through a GPS enabled system by creating a false time in the server (Bonebrake, 2014). Thus, hackers can generate enormous profit by gathering knowledge of a transaction ahead of time. The New York Stock Exchange faced such threat in 2008 (Bonebrake, 2014).
Security Best Practices
Both GPS and RFID backend communication happen over internet protocol (IP) based technology. As IP based security protocols are cheap, widely available and easily implementable, all RFID and GPS systems irrespective of importance should implement backend security. Some of the standard practices used in the backend security are SSL, SSH, telnet security, certificate of authentication, and encryption. In terms of frontend authentication, the security required for RFID and GPS varies. The first level of security in a RFID system requires authentication of the tag and authentication of the reader. Present RFID tags are capable of holding information on passwords (Zhang and Zhang, 2013). Therefore, password authentication can be implemented between the tag and reader. Tags will emit critical information only if it receives the correct password from the RFID device. However, password maintenance involves high maintenance and high operation cost (Zhang, 2013). Another technology that can be used for RFID security is tag pseudonym (Zhang and Zhang, 2013). In this technology, tags change their serial number each time they are read by a RFID scanner. This approach will make unauthorized access of tags relatively difficult. Again, managing pseudonyms is a high maintenance job. For GPS enabled devices, security needs to be implemented at satellite level that receives the GPS signal. Common security techniques used are amplitude discrimination, polarization discrimination, and time of arrival discrimination (Zhang, 2013). The best method for preventing attacks in the frontend of a GPS system is cryptographic authentication technique in which the receiver and transmitter use mutual authentication process, thereby avoiding external interferences. However, cryptographic authentication technique is cost-intensive and therefore, it is only used in military applications (Zhang, 2013).
Conclusion
RFID and GPS systems are easily accessible to a potential hacker. Frontend communication of RFID and GPS systems is the most vulnerable part. RFID technology requires security measures such as tag authentication through encryption, passwords, or tag pseudonym. These techniques reduce the chances of frontend hacking considerably. In a GPS communication, in order to reduce the chances of spoofing, traditional methods such as amplitude discrimination, polarization discrimination, and time of arrival discrimination are used. However, cryptographic authentication is the best technique to avoid interference of external sources.
Bibliography
Zhang, R. (2013). A transportation security system applying RFID and GPS. Journal of Industrial Engineering and Management, 6(1). [Online] Available at < https://upcommons.upc.edu/bitstream/handle/2099/13112/Ruijian%20Zhang.pdf?sequence=1> [Accessed 31st December 2015]
Bonebrake, C. and Ross O'Neil, L. (2014). Attacks on GPS Time Reliability. IEEE Security & Privacy, 12(3), pp.82-84. [Online] Available at < https://www.computer.org/csdl/mags/sp/2014/03/msp2014030082.pdf> [Accessed 31st December 2015]
Pethakar, S.S., Srivastava, N. and Suryawanshi, S. D. (2013). GPS and GSM based Vehicle Tracing and Employee Security System. International Journal of Computer Applications, 62(6), 37-42. [Online] Available at <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.303.7080&rep=rep1&type=pdf> [Accessed 31st December 2015]
Sengupta, S. (2013). An approach to provide a network layer security model with QR code generated with shuffled GPS parameters as embedded keys traveling over Internet using existing IPv4 mechanism. Computer Networks, 57(11), 2313-2330. [Online] Available at <http://dl.acm.org/citation.cfm?id=2493799&preflayout=tabs> [Accessed 31st December 2015]
Benssalah, M., Djeddou, M. and Drouiche, K. (2014). Security enhancement of the authenticated RFID security mechanism based on chaotic maps. Security and Communication Networks, 7(12), 2356-2372. [Online] Available at <https://www.researchgate.net/publication/259863299_Security_enhancement_of_the_authenticated_RFID_security_mechanism_based_on_chaotic_maps_Security_Comm_Networks_Internet> [Accessed 31st December 2015]
Erguler, I., Unsal, C., Anarim, E. and Saldamli, G. (2012). Security analysis of an ultra-lightweight RFID authentication protocol-SLMAP*. Security and Communication Networks, 5(3), 287-291. [Online] Available at <http://dl.acm.org/citation.cfm?id=2282328> [Accessed 31st December 2015]
Zhang, N. and Zhang, J. (2013). Research and security analysis on open RFID mutual authentication protocol. Journal of Computer Applications, 33(1), pp.131-134.
Li, C., Wang, G. and Zheng, J. (2013). An aggregated signature-based fast RFID batch detection protocol. Security and Communication Networks, 7(9), 1364-1371. [Online] Available at <https://www.researchgate.net/publication/260409389_An_aggregated_signature-based_fast_RFID_batch_detection_protocol> [Accessed 31st December 2015]
Najera, P., Roman, R. and Lopez, J. (2013). User-centric secure integration of personal RFID tags and sensor networks. Security and Communication Networks. 6(10), 1177–1197, [Online] Available at <http://onlinelibrary.wiley.com/doi/10.1002/sec.684/full> [Accessed 31st December 2015]
Plunkett, J. (2012). Plunkett's Wireless, Wi-Fi, RFID & Cellular Industry Almanac. Houston: Plunkett Research.