Data Exfiltration via Multipurpose RFID Cards and Countermeasures
This addresses a security vulnerability in widely used RFID systems, posing a risk of data leakage for users and organizations, and offers a countermeasure to mitigate this threat.
The paper demonstrates that multipurpose RFID cards can be used to create a bidirectional covert channel for data exfiltration between service providers, with experiments showing a daily channel capacity for leaking data, and proposes a new authentication protocol that significantly improves security while maintaining user convenience.
Radio-frequency identification(RFID) technology is widely applied in daily human life. The RFID cards are seen everywhere, from entrance guard to consumption. The information security of RFID cards, such as data confidentiality, tag anonymity, mutual authentication etc, has been fully studied. In the paper, using the RFID cards in MIFARE Classic and DESFire families, a bidirectional covert channel via multipurpose RFID cards between service providers is built to leak sensitive data between two simulation systems. Furthermore, by calculations and experiments, the daily channel capacity to leak data of the channel is obtained. Although the storage capacity of a single RFID card is very small, a large user base can still bring about a considerable amount to leak data. Then, the reasons for the existence of such channels are discussed. To eliminate this type of covert channels, a new authentication protocol between RFID cards and card readers are proposed. Our experimental results show a significant security improvement in prevention of such covert communications while keeping user convenience.