Data Exfiltration via Multipurpose RFID Cards and Countermeasures

TL;DR

This paper demonstrates a covert data exfiltration method via multipurpose RFID cards, quantifies its capacity, analyzes its causes, and proposes a new authentication protocol to prevent such covert channels, enhancing RFID security.

Contribution

It introduces a novel covert channel via RFID cards, quantifies its capacity, and proposes a new authentication protocol to counteract this security threat.

Findings

A bidirectional covert channel can leak data between RFID service providers.

The channel capacity can be significant over daily usage.

The proposed authentication protocol effectively prevents such covert channels.

Abstract

Radio-frequency identification(RFID) technology is widely applied in daily human life. The RFID cards are seen everywhere, from entrance guard to consumption. The information security of RFID cards, such as data confidentiality, tag anonymity, mutual authentication etc, has been fully studied. In the paper, using the RFID cards in MIFARE Classic and DESFire families, a bidirectional covert channel via multipurpose RFID cards between service providers is built to leak sensitive data between two simulation systems. Furthermore, by calculations and experiments, the daily channel capacity to leak data of the channel is obtained. Although the storage capacity of a single RFID card is very small, a large user base can still bring about a considerable amount to leak data. Then, the reasons for the existence of such channels are discussed. To eliminate this type of covert channels, a new authentication protocol between RFID cards and card readers are proposed. Our experimental results show a significant security improvement in prevention of such covert communications while keeping user convenience.