EPC Class 1 Generation 2 RFID tag specification available online

June 20, 2005

Spy Blog:

For those of you like us, who seem to read, and try to understand lots of highly technical documents, try the Class 1 Generation 2 UHF Air Interface Protocol Standard Version 1.0.9 (.pdf)

"This EPCglobal Board Ratified standard defines the physical and logical requirements for a passive-backscatter, Interrogator-talks-first (ITF), radio-frequency identification (RFID) system operating in the 860 MHz - 960 MHz frequency range. The system comprises Interrogators, also known as Readers, and Tags, also known as Labels."

This is the standard around which all the big electronics companies are producing their new RFID tag products, with promises of better, faster, more simultaneous tag reads per second, greater range etc.

Points of interest to Privacy / Security campaigners:

  • No Encryption of the data between the Tag and the Reader, apart from a 16 bit pseudo random number handshake which tries to hide the transmission of Password or Kill Codes. All the rest of the transmissions are in clear plaintext.
    "These commands use one-time-pad based link cover-coding to obscure the word being transmitted, as follows:
    Step 1. The Interrogator issues a Req_RN, to which the Tag responds by backscattering a new RN16. The Interrogator then generates a 16-bit ciphertext string comprising a bit-wise EXOR of the 16-bit word to be transmitted with this new RN16, both MSB first, and issues the command with this ciphertext string as a parameter.
    Step 2. The Tag decrypts the received ciphertext string by performing a bit-wise EXOR of the received 16-bit ciphertext string with the original RN16.
    An Interrogator shall not use handle for cover-coding purposes.
    An Interrogator shall not re-use an RN16 for cover-coding. If an Interrogator reissues a command that contained cover-coded data, then the Interrogator shall reissue the command unchanged. If the Interrogator changes the data, then it shall first issue a Req_RN to obtain a new RN16 and shall use this new RN16 for cover-coding. To reduce security risks, this specification recommends that (1) Tags use unique kill passwords, and (2) memory writes be performed in a secure location."

  • 32 bit Password (in two 16 bit chunks) - no "3 bad passwords and you are locked out" - brute force Password attacks are feasible - watch out for the theft of high value or restricted items (e.g. military weapons) by being electroncally "re-labelled" remotely, invisibly and undetectably.

  • 32 bit Kill Code (in two 16 bit chunks) - The specification suggests, but does not demand, that each RFID tag should have an individual Kill code. Since this implies a lookup to a central or distributed database, with all the logistical network problems that implies, many companies will be tempted to use a common Password and/or a common Kill Code on whole batches or product lines, increasing the risk of a remote, radio based, Denial of Service attack even through the walls of a warehouse or a sealed transport container.

  • Better collision avoidance in multiple reader situations - implies lots of possible deliberate Denial of Service attacks on the readers, or spoofing attacks on the stock control systems which the readers feed into.

  • Just like WiFi etc. - no authentication of the Reader by the RFID tag - lots of possible Man-In-the-Middle attacks, and there is no way for, say, item level Tesco RFID tags which have not been "killed" at the supermarket checkout till, to only be read by genuine Tesco operated readers, and not also by, say, Marks & Spencer ones, or ones operated by a malicious third party.

Obviously, based on past experience, the actual product implementations of this standard, may have other privacy or security issues, in addition to those listed above.

Please let us know if we are wrong in our interpretation of this standard.

Cross posted from Spy Blog


Posted by wtwu

Comments

So what if somebody reads a number? They'd still have to link the number to a product, and even then, what's the big deal? If you stand outside of a supermarket or at the checkout you can see just as easily (or easier) what everybody is buying...

Posted by: JJK at June 21, 2005 08:55 AM

The technology works by RADIO - you can be snooped on even when the items you are carrying are hidden out of line of sight, inside your shopping bags or inside your clothing.

Posted by: Watching Them, Watching Us at June 21, 2005 12:51 PM

There is no need to link back to the orginal supermarket's inventory database of goods, for you to be tracked elsewhere, by a single "unkilled" RFID tag. Several such tags provide a "signature" which a rival store or other malicious third party can use to log the time and date and location of your "unique visits", without you having given your prior consent or implied consent by virtue of a commercial transaction with a particular store.

The situation is analagous to the privacy issues surrounding web site "cookies". Many people do not object to "session cookies" used just by the website that they are actually visiting, but are furious about "3rd party" cookie profiling via adverts etc. collated by companies like DoubleClick etc. which do not ask your permission to sell information about you.

With "unkilled" item level RFID tags, this could happen to you in "the real world" , if this currently flawed technology ever becomes widespread.


Posted by: Watching Them, Watching Us at June 21, 2005 01:01 PM

Forst of this spec describes tags that are used at the pallet level, not item level. Itel level tags are far at least a couple years out. Additionaly, it is thought item-level tagging will be accomplished at a completely different frequency (13.56 MHZ vs ~900MHz).

Anyone with experience with the technology can tell you that ~900MHz technology failes miserably when beside the human body (70% H2O).

Further, if an item tag on a candy bar is not "killed" than the "malicious 3rd party" will know that an unidentified person is walking around with a candy bar. Whoa, what privacy concern. This would only be possible if the "3rd party" walks up to the candy bar holder and scans them within inches.

Finally, "killing a tag" is real difficult. Have you ever heard of a hammer?

Informed criticism is good to keep technology in-line, but this uninformed hype!

Posted by: MT at July 6, 2005 03:08 PM

You seem to be behind the times.

There have already been item level RFID tagging trials using 125 KHz, 13.56 MHz and the 860 to 930 MHz industrial scientific medical license free radio frequency allocations.

125 KHz is used by the notorious VeriChip implants into animals and humans, for exactly the water absorbrion problem you allude to.

How do you propose "killing" RFID tags with a hammer when they are embedded inside either the goods for sale e.g. the heel of a pair of sports shoes or the end user packaging like a shampoo bottle, without damaging the goods themselves ?

Have you actually read the EPC specification ? Do you understand that "killing" an RFID tag does not involve a hammer or a micrwave oven or any of the other hype, it is a simple protocol exchange involving a weak password.

You do not seem to have grasped the difference between an individual EPC tag id and an old fashioned bar code. A "candy bar" is only coded to the product line level with standard optical barcodes. When it is tagged with an EPC compliant RFID tag each individual "candy bar" will have a "unique" code number and it can serve as a "3rd Party" identifier, to enable tracking by people who are not concerned with sales of candy bars at all.

Where do you get the idea that the range of RFID tags is limited to only a few inches ? The 900 MHz ones are specifically intended for several metres range, and this increases if attackers are willing to break the radio power regulations which legitimate companies have to obey.

Posted by: Watching Them, Watching Us at July 6, 2005 05:07 PM

I Have read all the specifications documents (EPC and ISO), and I have used most of the HF and UHF technology available today.

Item level trials are just trials and are at least 3 years out. Common wisdom in the industry (TI, Philips, Tagsys) is that reliability is such a problem at ~900MHz, item-level will be done at 13.56 MHz where the range IS inches. Additionally, 13.56 MHz transponder ICs will be cheaper once they are produced using organic polymers instead of silicon making this frequency the ideal choice.

One has to agree to an implant, and if an implant is mandatory to free citizens I will be at the frontlines of that fight.

If you are aware of any project where a tag has been embedded in the heel of a shoe I'd love to hear about it. For the shampoo bottle, if end user packaging is the plastic wrapper> remove it. If end user packaging is the plastic bottle itself> place shampoo contents w/in a different container or do not but from vendor at all.

Thanks for the lesson on the Kill_tag feature, but despite the protocol, a hammer does kill a tag. Do you understand Newtonian Physics?

I understand very well what an EPC ID is, and that it is a globally unique ID number. Still, it does not make any sense how Big Brother can use the globally unique ID number to "link" to an individual; especially since the tag-containing wrapper will be discarded. Incidentally, the tag-containing wrapper is quite susceptible to the hammer Kill_tag operation.

Though ~900 MHz is able to work at several meters, it must be in very ideal conditions. Many, many companies have found that their dream of using 900 MHz for ID badges will simply not work because the ID badge is always close to the human body. The range at that point is close to nothing, I don't care if they crank the power to 15W EIRP (as the Pakistani Government was planning).

I could also take your picture as you make a purchase in a store, as you walk to your car, and as you drive away.

Your license plate is a globally unique ID number, but I don't have access to that database.

Posted by: MT at July 7, 2005 01:36 AM

"Your license plate is a globally unique ID number, but I don't have access to that database"

You are still missing the point with globally unique identifiers - a malicious person does not need authorised access to the back end database which the identifier is designed to report to.

They can build their own tracking database from their own independent, undetecable readings of the RFID tag or vehicle licence plate etc. beacon without your explicit permission.

A mythical omnipresent "Big Brother" is not the main threat to our privacy, there are lots of "little brothers" out there, but the cumulative effect is the same.

If you are working in the RFID tag industry or supply chain logistics etc. it is up to you to provide default privacy protection for consumers. We should not have to "opt out" or be forced to take extra expensive or inconvenient steps to protect our privacy or security from being exploited as a by product of the technologies which are supposed to make delivery of goods and services "better" or "cheaper" for us.

None of this is major problem right now, as RFID tags are not in widespread use, but now is the time to get the fundamentals right by design, or else you will face consumer boycotts and government red tape regulations.

Posted by: Watching Them, Watching Us at July 8, 2005 05:16 AM

Wait, so a license plate is not a globally unique ID?
Sounds like you have a lot of work to do buddy.

I am not working in the "RFID tag industry" or supply chain logistics, but if I were it would not be up to me to provide "default privacy detection".

I will not face consumer boycotts and gov red tape regs.

This idiotic ranting must stop, you simply have no clue. You do not understand the limitations of the technology and does not seem you ever will.

I hope you start the campaign to end license plates soon since globally unique IDs mean so much. This is really your only argument, and license plates are already in use. Beyond that there is no argument.

The sky is falling!

Posted by: MT at July 9, 2005 04:36 PM

We seem to be miscommunicating for some reason.

Perhaps you could read my posting and your reply again.

Posted by: Watching Them, Watching Us at July 9, 2005 09:07 PM

OK, miscommunications are best resolved by breaking down the questions to their components. The following is a true/ false question to be answered with true or false:

A license plate is a globally unique number?

FYI, I am an analytical chemist far removed from the industry in question. I simply have access to more info/ equipment because of my roomate.

Making assumptions like, "you will face consumer boycotts and government red tape regulations." and, "it is up to you to provide default privacy protection for consumers" is just plain ignorant.

Please answer the very simple question I've posed with a true or false, and we can take it from there.

Re-reading leads me to my original conclusion.

Posted by: MT at July 11, 2005 07:38 PM

MT - it seems unlikely that I will be able to convince you of anything, but, here goes:

A vehicle license plate is obviously *not* a *global* unique identifier, so the analogy with EPC compliant RFID tags is not an exact one, a better one would be the international telphone numbering system or the mobile phone International Mobile Electonic Identifier number.

There is no internationally agreed global standard format for vehicle number plates.

In most countries the vehicle licence plate and number is associated primarily with the *vehicle* itself. however, in countries like Switzerland, the licence plate is associated with the *owner* of the vehicle, and it is transferred to a new vehicle when he buys a new one.

Many countries, especially those with a long history of motor vehicles, have "cherished" or "personalised" number plate schemes, so there are multiple "R 1 CH" or "JJ 1" type plates around the world.

The London Congestion Charge 8 a day tax is enforced with Automatic Number Plate Reognition, so there are now numerous "cloned " vehicle number plates designed to avoid paying this tax.

Nevertheless, my previous statement still stands, you do *not* need authorised access to the back end database, in this case Driver or Vehicle licensing, in order to *independently* track the movements of people by compiling your own database of times, locations etc. *without* seeking an individual's *consent*.

That is also true for EPC compliant "unique global identifier" RFID tags which have not been "killed" at the point of sale.

I am sorry if you took my comments above using the word "You" to mean you personally, but this is the public open comments section of a web log, and not a personal private email.

You have clarified that you do not work in the
RFID tag industry or in supply chain logistics, but my comments about consumer boycotts and government red tape regulations still apply to "them".

You yourself actually advocated consumer choice i.e. a boycott:
"or do not but from vendor at all."


Posted by: Watching Them, Watching Us at July 12, 2005 01:16 PM

I knew a simple true or false answer was beyond you capability, and beleive it symptomatic of the weakness of your argument.

If there are multiple license plates with the same characters on them, then they can be distinguished by their state, province, or country.

You claim license plates are not gui, but then provide not justifications for you argument; save the mentioning of illegal actions to clone plates. Whether attached to a specific person or inanimate object a licens plate is unique. If it is too difficult, just think of the country as or state or whatever issuing entity as having a number associated with it (UK=001, Switzerland=007, etc.). For example, if someone in the UK has a plate of JJ 1, then no one else in the UK will have that same plate and one can distinguish by country.

I do not know how many peer review publications you've written for, but one uses the word "one" not "you" if the intention is to convey a generic "you".

Out of common sense I will always advocate choice as the final factor because it is when there is no choice that there is a major problem. Nobody has a gun to their head to purchase anything or ev en use money.

Because of your failure to allow the argument to be broken down to its components we have conintued down tha path of possible miscommunication.

Forget the backend database, I will "give" that one to you for the moment. If you could simply stick to the first question alone, and substantiate a viable argument we can go from there.

So, why is a license plate not a globally unique identifier when duplicates can be distiguished by country, province, or state?

Posted by: MT at July 12, 2005 02:41 PM

"Forget the backend database, I will "give" that one to you for the moment"

Thanks. QED

Posted by: Watching Them, Watching Us at July 12, 2005 03:32 PM

Very well done. The only thing you could offer was acknolowedgement of that which I granted for the sake argument, nothing more.

You have no argument. You could not even further claim that the license plate is not unique and give real reasons why.

A license plate is obviously a globally unique identifier, and is already in widespread use. You are not willing to admit this because people already accept its use; and you would like to scare people into believing that the use of an EPC will somehow increase the risk to privacy in a new and different way.

It does not, as your lack of argument clearly shows.

You have only demostrated one thing:
Ignorance!

Posted by: MT at July 12, 2005 06:42 PM

Wow. Well that was highly entertaining. I came here in hopes of learning something about RFID gen 2's performance and capabilities and witnessed a roasting. I think MT is correct, there are plenty GUI if you consider frame of reference, besides, what's the big deal if Target knows I prefer Walmart and I like to use Prell Shampoo over Vidal Sassoon???? I personally wouldn't care if all my purchasing habits were published on the web for everyone to read (and besides I don't think they'd find it very interesting).

Posted by: AR at August 25, 2005 09:24 PM

@ AR- "I personally wouldn't care if all my purchasing habits were published on the web for everyone to read (and besides I don't think they'd find it very interesting)."

So what ? There are millions of people who would object to that kind of intrusion, and you need to respect their rights as well as your own.

Posted by: Watching Them, Watching Us at September 1, 2005 03:37 AM

MT take a cold bath. This is the point. Say you have on your person, a mars bar, a mobile phone and a leather wallet, all with their unique identifying RFID sewn in or incorporated in them. Say someone wants to track you. All they need to track you is any of these numbers, and using readers advantageously placed, they could follow your movements with extraordinary accuracy.

As far as identifying you goes, they only need to do it once. They only need to get one photo of you as you pass them in the street; they only need to watch where you go to work and log on to the company website; they only need to hear one friend shout "hey andy" in the street. Once they've worked out your identity, they can put it in their own database, and track you for the rest of your life, carefully updating your identifiers as you throw away the old wallet and buy a new one etc.

And here's the crucial difference between RFID and a licence plate. Someone has to be standing in line of sight of a licence plate to read it, or have a camera. Not true of RFID. Even more simply, you can get out of your car - you can get rid of that GUI. Not true of RFID if it is embedded into everything you own and where. Don't bullshit about it only being in tests. If it can be done, it will be done unless there is legislation preventing it.

Posted by: ES at September 6, 2005 03:24 PM

ES - Can you come up with something logical other than straw man arguments and conspiracy theories?

"..any of these numbers, and using readers advantageously placed, they could follow..."

I would seriously question the government bodies in charge if they are going to waste my tax dollars in implementing readers every 2 meters (Or 4 cm in the case of 13.56 MHz), or even allow such a thing to happen to begin with.
I happen to be in an RFID implementation project, and what you are describing would take a monumental undertaking, both in cost and logistics for VERY little return. There are more common and cheaper methodologies for gathering the same basic information (With or without consent), such as tracking purchases by credit cards, photographic logging, or even exit polls would be more efficient. If you think any particular entity cares that much about where you are and what you are doing at all times, perhaps you should plan on making all of your purchases with unmarked cash bills, using latex gloves to prevent fingerprints, and wearing full lead-lined clothing with a mask to hide your face. You are of a paranoid mindset, and should seek assistance.

"If it can be done, it will be done..."

Correction: If it can be done, meets ROI goals, provides value/profit, and is feasible it might be done.

Posted by: BB at November 9, 2005 07:10 PM

Dear All,
I'm new in this field I have some diffculties undrestanding the sessions I mean if you take a look at the standard specially at page 38 I cant undrestand how are the inventory flags been set I would be grateful for an early reply

Posted by: Ali at November 21, 2005 08:03 AM

Has anyone looked at the Verichip.com/forum?

Please review and make any comments.

Is this an infraction on our inalienable rights?

How could it "Not Be"?

Posted by: lonesome1 at December 25, 2005 04:01 AM
Post a comment









Remember personal info?