Guide To The Security and Privacy of Rfid Technology - English Version. by INTECO

Guide to the security and privacy
of RFID technology
NATIONAL INSTITUTE OF COMMUNICATION TECHNOLOGIES

SPANISH DATA PROTECTION AUTHORITY
Edition: October 2010
The National Institute of Communication Technologies (Instituto Nacional de Tecnologías de

la Comunicación, INTECO), public cooperation assigned to the Ministry of Industry, Tourism and
Trade through the State Department for Telecommunications and for the Information Society, is
a platform for development of the Knowledge Society through projections in the scope of
innovation and technology.
The mission of INTECO is to provide value and innovation to citizens, to the SMEs, Public
Administrations and to the information technology sector through the development of projects
which contribute towards increasing confidence in our country’s Information Society services,
also promoting an international course of participation. For this purpose, INTECO will develop
proceedings, at least along the strategic lines of Technological Security, Accessibility, ICT
Quality and Training.
The Observatorio de la Seguridad de la Información (Information Security Observatory, available

at http://observatorio.inteco.es) falls within INTECO’s strategic course of action concerning
Technological Security, and is a national and international icon in service of Spanish citizens ,
companies and administrations in order to describe, analyse, assess and disseminate the
Information Society’s culture of security and confidence.
More information: www.inteco.es
The Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) is an
entity subject to public law with its own legal status and full public and private capacity, acting
completely independently of Public Authorities during the exercise of its duties, and whose
corporate purpose is security for compliance with and application of the provisions contained in
Organic Law 15/1999, of 13th December on the Protection of Personal Data (Ley Orgánica de
Protección de Datos, LOPD) and its regulations thereof.
Its functions are, generally, to safeguard compliance with the legislation on data protection and to
control its application - especially regarding the rights to information, access, rectification,
objection and cancellation of data – to attend to requests and complaints which may be made by
persons affected by these issues and the sanctioning legal authority for infractions which may be
committed on this matter, as well as the collection of statistical data and to report on draft
regulations which have a bearing on data protection issues, and to issue instructions and
recommendations for amending the records of the LOPD and the security and access controls to
the files.
More information: http://www.agpd.es
Guide INTECO-AEPD on the security and privacy of RFID technology. Page 2 of 38

CONTENTS
1. RFID TECHNOLOGY 4
1.1. What is RFID Technology? 4
1.2. How does it work? 4
1.3. Benefits of RFID technology 8
2. USES AND APPLICATIONS OF RFID 10
3. REGULATION AND STANDARDISATION 17
3.1. Electronic Product Code 17
3.2. RFID ISO Standards 17
4. OTHER AUTOMATIC IDENTIFICATION SYSTEMS 20
4.1. Bar Codes 20
4.2. Optical character recognition (OCR) 20
4.3. Biometric systems 21
4.4. Smart cards 21
4.5. Comparison with RFID 21
5. RISKS OF USING RFID 23
6. SECURITY RISKS 25
7. PRIVACY RISKS 28
8. REGULATORY COMPLIANCE 30
9. RECOMMENDATIONS FOR USERS 33
10. RECOMMENDATIONS FOR SUPPLIERS 34
11. GOOD PRACTICES 36
11.1. Good practices for guaranteeing security 36
11.2. Good practices for guaranteeing privacy 37

1 RFID TECHNOLOGY
1.1. WHAT IS RFID TECHNOLOGY?

Radio Frequency Identification is a technology that enables an object to be
automatically identified thanks to a radio transmitter incorporated into it, which transmits
the identifying data of the object via radio frequency.
Its origin probably dates back to the 1920s, although it seems that started to be used
during the Second World War in order for aircraft to identify themselves as “friendly” when
facing their own forces. In time, this idea moved to smaller-sized systems for monitoring
military personnel and equipment, until two North American companies began its civil
marketing at the end of the 70s.
At the present time, under the RFID acronym, technologies are joining forces in order to
identify objects using radio waves.
RFID technology makes self-identification possible of an object that contains a radio

transmitter. During the current state of development, their reduced costs and size allows
these transmitters to be sufficiently small so as to take the form of adhesive labels, and
they can easily be added to almost any object.
Thanks to these micro transmitters and transponders (hereinafter referred to as tags or

labels) the product can be located at variable distances, from a few centimetres up to
several kilometres. The reception distance, reliability and speed of transmission and the
capacity of transmitted information depends on several features of the tags such as the
frequency of the transmission, the antenna or the type of chip that is used for each
specific application. These features will be seen throughout this guide.
1.2. HOW DOES IT WORK?

This technology operates based on the radio signal generated by the RFID label, in which
the data identifying the object to which the label is attached has been previously recorded.
A physical reader receives this signal, transforms it into data and transmits the information
to the specific computer application which manages RFID (known as middleware).
Components of an RFID system
There are four components which form part of RFID technology: the labels, the readers,
the software that processes the information and the programmers:
• RFID Label: allows information to be stored and sent to a reader using radio waves.
Colloquially they are known as tags – which is the term in English – although they
are also known as transponders (this name comes from the joining of the words
transmitter (transmisor) and responder (contestador).

The RFID label is made up of an antenna, a radio transducer and a microchip (not
present in smaller-sized versions). The antenna is responsible for transmitting the
information which the label identifies. The transducer is what converts the information
that the antenna transmits, and the chip has an internal memory for storing the
identification number and in some cases additional data. The capacity of this memory
depends on the model. For tags with no chip, the information stored is quite limited
(up to 24 bits).
Illustration 1: RFID Label
The labels actually cost very little (just a few Euro cents) and they measure up to
0.4mm2, therefore they can be integrated into all kinds of object.
• RFID Reader: receives the information transmitted by the labels and transfers it to
the middleware or data processing subsystem. The reader parts are: antenna,
transceiver and decoder. Some readers include a programmer module which allows
them to write information onto the labels, if the labels allow it.
• Data processing subsystem or middleware: is software that resides in the server

and which serves as an intermediary between the reader and the business
applications. It filters the data it receives from the reader or the readers’ network, so
that only useful information reaches the software applications. Some programs
manage the network of readers.
• RFID Programmers: the RFID programmers are devices which write the information
onto the RFID label, that is, they encode the information on a microchip located inside
an RFID label. Programming of the labels is carried out only once if the labels are
read only, or several times if they are read/write.

The power that the programmer needs to write the information onto the labels is
greater than that needed by the reader, that is, the range of a piece of recording
equipment is less that the range of the reader. For this reason, in the majority of
cases, the programmer needs direct contact with the labels.
In Illustration 2: General operating diagram of the RFID technology
we can clearly see which way the general operating diagram is structured for an RFID
system: the labels or tags send information to the reader using an antenna which
transmits the information to the data processing subsystem or middleware so that the data
can be filtered. In this way, only valid information reaches the software applications.
Illustration 2: General operating diagram of the RFID technology
Types of labels
There is a huge variety of RFID labels, and the different types that exist depend on the
power source they use, their physical shape, the mechanism they use to store data, the
quantity of data they can store, their operating frequency or the communications they use
to transmit information to the reader. Thanks to this, it is possible to select the most
suitable label for each specific application.
Generally speaking, RFID labels can be classified according to two criteria:
According to the power source they use
a. Passive RFID labels: Do not need an internal power source. They are resonant
circuits, as all the power they need is supplied by the electromagnetic field created by
the reader, which activates the integrated circuit and powers the chip so that it can
transmit a response. In this type of label, the antenna must be designed so that it can
obtain the necessary power it needs to operate.

Illustration 3: Passive Label 1
The range of these labels will vary depending on many factors, such as the operating
frequency or the antenna they possess. They can reach distances of between a few
millimetres and 6-7 metres.
As they do not have an internal battery, these labels are very small in size (see
), and they are often inserted into stickers.
Passive RFID labels are the most economical labels on the market.
b. Active RFID labels: Have an internal battery, which powers its circuits and transmits
the response to the reader. Their broadcast coverage is greater thanks to the fact that
they have their own battery and their storage capacity is also greater.
On transmitting more powerful signals, its range is greater and it can be suitable for
use in hostile environments, as it can be immersed in water or in areas where there is
a lot of metal. These labels are much more reliable and secure.

Illustration 5: Active Label
These labels are the most expensive on the market and also the largest in size. The
possible effective range of these labels may reach several hundred metres
(depending on their features), and their useful battery life may extend to 10 years.
c. Semi-passive RFID labels: This type of label has a mixture of features of the two
previous types. On the one hand, the chip is operated by a battery (like the active
RFID labels) but on the other, the power that it needs to communicate with the reader
is sent by the reader itself via its radio waves, which, when captured by the label’s
antenna, provide sufficient power for transmitting the information (like the passive
RFID labels).
They are larger and more expensive than the passive labels (as they have a battery)
and cheaper and smaller than the active ones. Their communication capacity is
greater than the passive labels although they do not match the active ones in these
features.
According to the frequency on which they work
Depending on the operating frequency, labels can be classified as low, high, ultra-high
frequency and microwave. The operating frequency determines aspects of the label such
as the capacity to transmit data, the speed and reading time of the latter, the coverage
radius and the cost of the label.
Table 1: Frequency bands used in RFID technology
Frequency Name Range

125 KHz – 134 KHz LF (Low Frequency) Up to 45 cm.
13,553 MHz – 13,567 MHz HF (High Frequency) From 1 to 3 m.
400 MHz – 1000 MHz UHF (Ultra High Frequency) From 3 to 10 m.
2,45 GHz – 5,4 GHz Microwaves More than 10 m.
Source: red.es
Passive labels normally use the low frequency band. Both low and high frequency labels
operate using inductive coupling, that is, they use the magnetic field generated by the

antenna of the reader as the start of propagation. The UHF band, like the microwave
band, is used in active and passive labels.
1.3. BENEFITS OF RFID TECHNOLOGY

RFID technology has mostly been aimed at the logistic sector (storage, distribution, etc.)
and to the security and defence sectors; however, the benefits that it provides extend to
other fields related to the identification of processes:
• It allows a large volume of data to be stored using a small-sized device.
• It automates the procedures for maintaining traceability and allows a larger quantity of
information to be included on the label, thereby reducing human error.
• It facilitates the concealment and placement of labels into products (for passive
labels) to prevent their visibility in the event of a robbery attempt.
• It allows data to be stored without having direct contact with the labels.
• It ensures operability when subject to adverse conditions (dirt, humidity, high

temperatures, etc.).
• It reduces operating costs, given that scanning operations are not necessary for
identifying products which have this technology.
• It unequivocally identifies products.
• It enables the information stored on the label to be easily updated if the label is
read/write.
• Easier to withdraw a specific product from the market if a danger to security arises.
• Makes rewriting possible, so as to add and delete information as required when the
label is read/write (unlike bar codes which can only be written once).

2. USES AND APPLICATIONS OF RFID
Among Spanish companies, the use of RFID technology is still incipient. Therefore the
adoption level of this technology by small businesses stands at 0.8%, for small and
medium-sized companies and entities with 10 to 49 employees, this percentage rises to
3.1% and to 8.9% for 50 to 249 workers. If we are talking about large companies (more
than 249) the percentage is at 20% 1 .
Therefore we can clearly see how a company of larger size is related to greater usage of
RFID technology.
Graph 1: Use of RFID technology in relation to company size (%)
30%
25%
20.0%
20%
15%
10% 8.9%
5% 3.1%
0.8%
0%
Micro enterprises Small enterprises Medium enterprises Large enterprises
Source: ONTSI from INE data 2009
The reasons for using RFID technology varies also with respect to the size of the
company. In Graph 2: Objectives of use of RFID technology in relation to company size
(%)
we can see the huge differences in the number of employees.
By sector, regardless of the size of entity, companies with transport and storage activities
use RFID technology the most (12.2%). They are followed by the financial sector (8.2%),
IT, telecommunications and audiovisual media (7.5%) and the wholesale trade (6.2%) and
retail (5%).
For small businesses (less than 10 employees), the major applications for RFID
technology are related to payment systems – e.g.: highway tolls or passenger transport –
with 48.5%, followed by product identification (38.7%). By contrast, the main uses
1
"Information and Communications Technologies in SMEs and large Spanish companies” (2010) and “Information and
Communications Technologies in small Spanish businesses” (2010), both from the Ministry of Industry, Tourism and Trade

undertaken by small, medium and large Spanish companies are centred on monitoring
and control of the supply chain and inventories, in 44.4%, and in the identification of
persons and access controls, in 40.5% of cases.
Graph 2: Objectives of use of RFID technology in relation to company size (%)
Payment systems 29.6%

48.5%
Identification of the product 31.2%

38.7%
Supervision/control of the supply 44.4%

/inventory chain 26.8%
Asset management 24.2%

25.7%
Identification of people or access control 40.5%

18.0%
Observe and control the production 33.6%

9.4%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Less than 10 employees 10 or more employees
Source: ONTSI from INE data 2009
Examples of the current applications of RFID technology are many and the predictions
indicate that they will grow exponentially in the next few years. All environments where
automatic, reliable, rapid and cheap identification can bring benefits are scope for the
application of RFID technology. Day by day, we are surrounded by diverse and varied
modes of application for this technology:
• In goods shops for identifying products (storage, prices, etc.) or as a security

measure for detecting an attempted theft. Manages and controls stock among the
different shops, increasing the rotation of products and improving product sales.
Illustration 6: RFID Label for clothing

• RFID technology is also used for access control and payment collection on public
transport. The tag is inserted into cards with user credits or for baggage control.
Illustration 7: RFID device on public transport
• Electronic identification for pets through subcutaneous implantation, by a

veterinary surgeon, of a microchip containing a unique numeric code. The identifier
code inserted corresponds to that of a record in which information will appear
relating to the animal and the owner, as well as any medical treatment.
Illustration 8: Microchip identifier for dogs
• Automatic payment of tolls. For example, in teletoll systems used on highways in

order to pay for the journey without the need to stop the vehicle. Thanks to a
device placed in the car and another electronic reading device located in the toll
stations, opening of the security barrier is controlled automatically, as well as the
payment.
Passive UHF (ultra high frequency) RFID technology is used to make exact
payment, so that change or cash returns are unnecessary and therefore no human
intervention is required. In this way, road congestion is reduced.
• In libraries, for cataloguing, arrangement and anti-theft protection of books. It is a

remote storage and recovery system for information using labels and readers,
which has the purpose of transmitting the identity of a book using passive, long-
range UHF RFID systems.

• In supermarkets, for automatic billing of a whole trolley-load of products without
having to move them from the trolley.
It is also used for controlling their fixed assets, made up of a number of

components distributed in its sales centres, warehouses and offices. These
components must be controlled and consistently used at all times in case the
competent authorities carry out inspections.
Illustration 9: Supermarket trolley with RFID reader
• Timekeeping at sporting events, for example, popular races or marathons, through

the distribution of the "timing chip" to thousands of runners to monitor their race
time.
These anklets/bracelets have a chip inserted and an antenna, allowing them to

communicate with a reader at a distance of some centimetres. These
anklets/bracelets are able to identify the person safely and securely, with no risk of
error.
Illustration 10: RFID device for transmitting the runner's data

• In the health environment, for medicines control, monitoring of instruments,
identification of medical samples or monitoring of patients in health centres.
Upkeep of pharmacy inventories and blood bags from the hospital controlled in
real time, preventing errors in transfusions or when administering pharmaceuticals
to the patient which could cause serious harm.
Illustration 11: RFID and eHealth
• As access control in residential areas, hotel rooms, car parks, industrial plants or
environments requiring security. Recognition of the identity of a person wishing to
access a specific area is made without physical contact, using radio waves
between a transmitter and receiver by means of a tag which may be presented in
different formats: Bracelet, card, etc.
• In logistics, storage and distribution in general. One example is its introduction into
the product inventory and monitoring system for textile companies, or its use for
identification, location and management of large pieces of concrete, or in postal
management systems for improving delivery times of mailings and in logistic
management.
Illustration 12: Value chain based on RFID technology

• In the food supply sector, so that farmers can ensure traceability of their products
from harvesting to the end consumer; or for control and identification of the
animals in farmyards. It allows functions such as automatic record of production or
knowing the reserves in real time or the production of a specific one.
This is possible thanks to tags included in the trolleys which transport goods from
each one of them. Lorries that transport the products have computers with RFID
technology which transfer the information using Wi-Fi.
Illustration 13: Labels on animals
• In the military sphere, the Department of Defence of the United States demands
that its providers use RFID technology in the supply chain. In this way, the United
States Air Force (USAF) has RFID devices for security and tracking activities on
board all types and class of aeroplanes transporting supplies for the Department of
Defence.
As well as these already-established and thoroughly tested applications, there are many
other applications being studied, for example:
• Electronic payment using mobile phones, through the NFC technology (Near Field
Communication) which allows a mobile telephone to recover information from an
RFID label. This technology, combined with electronic payment methods for mobile
phones (such as Mobipay, Playbox, etc.) allows products to be purchased and
paid for by simply moving the telephone closer to the information point of the
product, where RFID extracts the information it needs.
• In many countries, "electronic passports" are used, which store the information of
the holder and their photograph or fingerprint on an RFID chip.

Illustration 14: Electronic passport
• Operation of vehicles and industrial machinery. In this case, the RFID label acts as
staff verification control, allowing operation only after presenting such label.

3. REGULATION AND STANDARDISATION
Standardisation of this technology enables interoperability between applications and helps

ensure that the different products do not interfere, regardless of manufacturer.
Before standards were issued to regulate communication between labels and readers,
each company possessed a different system; therefore the labels of one manufacturer
could only be read by the readers of this same manufacturer.
Of all the frequencies used for working in the RFID world, the only band with world
acceptance was that of 13.56MHz, which became ISO standard.
World standardisation of RFID began because of competition between two rival groups:
ISO and Auto-ID Centre (better known as EPC Global).
3.1. ELECTRONIC PRODUCT CODE

The EPC Global organisation is the world organisation which assigns the RFID codes to
the entities and companies, ensuring that the number assigned is unique. As well as
regulating the system, it assesses and approves the applications available in the industry
as well as the companies recognised as integrated.
The Global EPC has developed the EPC or Electronic Product Code which solves the
standardisation problem as far as coding is concerned. The EPC code is a unique number
(24 hexadecimal digits in length) designed to exclusively identify any object on a world
level. This allows the efficiency and physical handling procedures for goods to be
improved, such as reception, accounting, classification and shipment. The suppliers
obtain information in real time on the consumption and status of their goods within the
supply chain, and can estimate delivery times and resolve, to a large extent, the theft of
goods.
A fundamental component of this organisation is the EPC Gen2 (EPCGlobal UHF

Generation 2), standard chosen by more than 60 of the main technology companies. It
includes 2 basic standards: one which defines the physical and logical requirements for
transmission of information between the labels and readers, and another which identifies
the specific coding plans of EAN.UCC 2 .
3.2. RFID ISO STANDARDS

The subject of RFID standards has an added complication, as many of the applications
are related to electronic payment and personal documentation. The RFID standards deal
with the following issues:
2
The EAN.UCC system is a collection of standards which allows efficient administration of the multi-sectorial and world
distribution chains through the unequivocal identification of products using product labelling with standard bar codes. It
allows procedures to be automated, enabling the route and location of products to be known using an automatic barcode
reader.

• Air interface protocol: the way in which the labels and readers are able to
communicate.
• Content of the data: organisation of the data which is exchanged.
• Approval: tests which the products must pass in order to satisfy the requirements of
the standard.
• Applications: how the applications can be used with RFID.
The International Organisation for Standardisation (ISO) is an international, non-

governmental organisation made up of a network of national institutions in 160 countries,
whose contribution is egalitarian (one member per country). Its main function is to seek
standardisation of product regulations and security for companies and organisations on an
international level.
The ISO standards relating to RFID are:
• ISO/IEC 11784-11785, ISO 10536, ISO 18000: on privacy and security of the data.
• ISO 14223/1: Identification by radio frequency of animals, advanced transponders

and radio interface.
• ISO 14443: directed towards electronic payment systems and personal

documentation. Standard HF is very popular, which is being used as a basis for
developing passports which have RFID added.
• ISO 15693: standard HF, also very widespread, is used in contactless credit and debit
cards.
• ISO 18000/-7: Industrial standard for UHF (for all products based on active RFID) is
promoted by the United States Department of Defence, NATO and other active RFID
business users.
• ISO 18185: industrial standard for monitoring of containers, at frequencies of 433

MHz and 2.4 GHz.
• ISO/IEC 15961: takes care of the data protocol and application interface.
• ISO/IEC 15962: about the data coding protocol and memory functions of the RFID
label.
• ISO/IEC 15963: about the tracing and monitoring system which affects the RFID
label.

• ISO 19762-3: establishes the terms and unique definitions of identification by radio
frequency (RFID) in the field of automatic identification and technical data capture.
• ISO 23389: standard for the containers (read/write regulations).
• ISO 24710: AIDC techniques for management of objects with ISO interface 18000.
Although the specifications and terminology are updated continuously, the RFID
standards created by the ISO establish all the regulatory requirements at world level. The
governments of each country regulate the permitted frequencies, emissions and other
operating characteristics.
The lack of standardisation is one of the most important factors to take into account at the
time of final introduction of RFID. Thanks to ISO and to EPC Global, standardisation is a
fact. However, the real problem is that the current standards are not one hundred percent
compatible with each other or with other technologies.

4. OTHER AUTOMATIC IDENTIFICATION
SYSTEMS
RFID technology is classified as part of the group of “automatic identification systems”,

used in applications which require identification and which monitor products, articles,
objects and living beings and which also wish to automate this monitoring using
information technology.
The majority of technologies for automatic identification are widely accepted by users and
are very well known. In view of the fact that RFID technology is called to replace them, in
some cases they are described only briefly.
4.1. BAR CODES

It is the most widely-used identification system. It is a code consisting of a series of bars
and spaces configured in parallel. The design of these fields represents some information
relating to a component. The sequence can be interpreted numerically or
alphanumerically, is read by a laser optical scanner and processed by a computer.
The bar code is the preferred technology of commerce for product identification, in spite of
its limitations:
• It requires direct visibility to operate.
• Its purpose is to identify a type of product, not the individual units.
• It is easily broken or damaged, as it is normally stuck to the surface of the product;

and it cannot be read if damaged.
Illustration 15: Bar codes
Nowadays there are several types of codes, with several lines of bars superimposed,
equal and varied in length, in several, even two-dimensional colours. Each of these
variants improves some of the features of the original system.
4.2. OPTICAL CHARACTER RECOGNITION (OCR)

The OCR system (Optical Character Recognition) was used for the first time in the 1960s.

The OCR systems automatically identify symbols or characters from an image in order to
store it in data form. Some of their applications are: number plate recognition using
radars, register of cheques on the part of the banks, etc. The problems with this
identification system lie in its high price and the complexity of its readers compared to
other identification systems.
4.3. BIOMETRIC SYSTEMS

These systems identify people by comparing univocal characteristics 3 . Their main quality
is that they transform a biological or morphological characteristic or the behaviour of the
individual, into a numeric value and store it for later comparison.
We can talk about identification systems by fingerprint, voice, pupil and shape of the face,
shape of the ear, physical shape or by style of writing, among others. In authentication
systems, different factors are usually used such as "what I have (E.g: a card), what I know
(E.g: a PIN number) and what I am (E.g: my fingerprint)”. Biometric systems would
represent the third factor: “what I am”.
4.4. SMART CARDS

A smart card is an electronic data storage system with capacity for processing the data
(microprocessor card). For security it is installed inside a plastic structure that is similar in
shape and size to a credit card.
One of the main advantages of smart cards is that they provide protection against
possible unwanted access as they have advance safety features and they are also more
economical.
Illustration 16: Chip inserted in electronic DNI
3
The technology has some inherent error rates.

4.5. COMPARISON WITH RFID
RFID is called upon to replace or compete with these four technologies and with others in
specific applications and environments. Comparing it with each of the previous
technologies, we can say that:
• The majority of studies and surveys carried out show a clear tendency for RFID to be
used instead of the bar code. It is expected that both technologies will coexist but,
generally speaking, RFID technology will win over bar codes, as it saves time and
staff, is more efficient and minimises losses and errors.
• The OCR reader is only maintained in locations where it is essential, as RFID

technology is clearly superior.
• Biometric systems provide great versatility in identification but they need to manage
private information of the individual. However, RFID technology allows a smaller
quantity of information to be used. Therefore, in environments where an extreme level
of security is not needed, this technology is a good alternative to what is being used.
• Finally, when compared with smart cards, the latter do not contain batteries, as it is the
reader, through electric contact, which supplies the power needed for it to operate;
contrary to RFID technology which does not require contact with the reader device.
Illustration 17: Another model of label

5. RFID ASSOCIATED RISKS
RFID technology sets out new opportunities for improving efficiency and convenience of
the daily use systems. These improvements, which affect many facets of life, from the
personal to the professional, can occasionally pose new risks to security and new
challenges for their prevention. In order to identify the new risks they pose, the two types
of user of this technology must be taken into account:
• Entities which use RFID to optimise their internal processes of management, storage,
inventories, production, staff management, security, etc.
• Entities which offer a service to users within the organisation, such as access control,
or specific users, such as product sales, hiring of health services, etc.
In both cases, there are risks derived from the nature of the technology which are
common although the applications are so different in their benefits and objectives. These
common risks are in the nature of attacks or breakdowns which affect the service, by
interrupting it, altering it, or even through any kind of fraud. These risks are analysed in
the following section under the heading “risks to security".
On the other hand, the possibility also exists that the technology will be used maliciously
to fraudulently gain access to personal information of the system users. This second type
of risk is mainly associated with systems that give service to users and which could have
serious repercussions for the organisations responsible. These risks are dealt with in the
section “risks to privacy”.
As well as these two types, there are other risks which may determine the use of the
RFID technology. So, with respect to RFID technology, the discussion will be raised on
the risks of exposing human beings to the radiation. This problem has been dealt with by
the OMS. Its Commission ICNIRP (International Commission on Non Ionizing Radiation
Protection) published regulations for exposure to the radiations that set out maximum
exposure times and power levels of the electromagnetic fields present. The health risks
presented by the fields created by the readers and RFID labels which are used
commercially today are minimal. As an illustrative piece of information, we note that the
energy emitted by a mobile telephone is 2W and that of an RFID label varies between 10
and 200 μW, that is, between 200,000 and 10,000 times less power than that emitted by a
mobile telephone.
Given their importance, the risks arising from RFID use must be confronted with the
greatest attention. In preventing these risks, all participants in the technology are
responsible, from those distributing the technology and those organisations which must
protect the public, to the users themselves.

In each of their fields, the agents involved must develop active policies. The role of the
authorities is key to this task, creating legislation, regulations and recommendations; also,
that of the research institutions through technical solutions that improve security. The
supply organisations which use the technology must apply these recommendations and
develop good practices. Finally, users must know and demand their rights in order to
preserve their privacy.

6. RISKS FOR SECURITY
The risks to the security of RFID technology arise from actions designed to damage,
interrupt or take advantage of the service in a malicious way. These kinds of acts seek
financial benefit or even damage to the service being offered.
The risks to the service occur during the most usual types of “attack” that the installation
can suffer, each of them with a different purpose and impact. The simplest way to attack
an RFID system is to prevent communication between the reader and the label, but there
are other, more sophisticated forms of attack, which target radio frequency
communications:
1) Insulation of labels: The simplest attack on RFID security consists of preventing

proper reader-label communication. This can be achieved by inserting the card into a
“Faraday cage 4 ” or by creating an electromagnetic field which interferes with the one
created by the reader.
This attack can be used to remove products protected by RFID labels. It may also be a
protective measure for users against readers of illegal labels. A very relevant example
of this case is that of the electronic passport, for which there are special covers with
metal wires that create a "Faraday cage” preventing uncontrolled readings of their
information.
2) Supplantation: This attack consists of sending false information which appears valid.
For example, a false electronic product code (EPC) could be sent when the system is
expecting a correct one.
This kind of attack can be used to replace labels which may allow expensive articles
with labels from cheaper products to be retained. Furthermore, when applied to a
distribution chain, this could result in a very large fraud through substitutions of large
volumes of goods. This attack could be used in other environments, such as the tele-
toll.
Illustration 18: Access control using RFID

4
A Faraday cage is an enclosed space lined with metal which prevents the influence of outside electric fields on its interior.
The radio waves cannot penetrate the inside of the cage.

3) Insertion: This attack consists of inserting executable commands into the data
memory of a label which usually awaits data. These commands can disable readers
and other system elements. The purpose of this attack is to deactivate the system or
invalidate part of its components, allowing any kind of fraud or a refusal of service.
4) Repetition: Consists of sending the RFID reader a signal which reproduces that of a
valid label. This signal will have been captured by listening to the original. The receiver
will accept the data sent as valid. This attack allows the identity of an RFID label to be
replaced.
5) Denial of service (DoS): This type of attack saturates the system by sending a
massive amount of data that exceeds its processing power (for example, paralysing
the operability of backscattering or return signal of the RFID technology). Also, there is
a variant, known as RF Jamming, the use of which will cancel or inhibit radio
frequency communication by transmitting sufficiently powerful noise. In both cases, the
system is invalidated for detection of tags. This attack manages to ensure that labelled
objects escape control of the system when moving. It may be used to remove goods
on a small or large scale.
6) Deactivation or destruction of labels: Consists of disabling the RFID labels by

subjecting them to a strong electromagnetic field. This system transmits an
electromagnetic pulse which destroys the weakest section of the antenna, which
renders the system useless. If the necessary technical media is available, the anti-
theft protection labels of the products can be rendered useless, favouring their theft.
This attack can also be used in systems used for the distribution chain.
7) Cloning of the RFID card: From the communications between a label and the reader,
the data is copied and replicated on another RFID label to be used later.
8) Risk of attack through injection of SQL consultation language: Through

communication between the label and the reader, the SQL language is passed to the
hardware that reads the label, which, owing to said attack, executes the orders
included on the label and these can be inserted into the database.
9) Malicious code (malware): Another possible risk to RFID technology consists of the
infection and transmission of malicious codes included in the RFID labels. For this to
happen, the malicious code must enter into the label, which means a complicated
action, given that the storage capacity of some labels is not very large.
10) Spoofing: Particular case for active labels (reading and writing). In this case, real data
is written onto an RFID label to replace the original information. This is more usual on
RFID labels for garments. The information can be replaced as many times as required,
as long as it is for reading.

11) Man in the Middle (MIM) attacks: Damage mutual trust during the communication
processes and replaces one of the entities. Given that RFID technology is based on
the interoperability between readers and labels it is vulnerable to this kind of attack.
12) Rendering labels useless: If the RFID label is subjected to a strong electromagnetic
field this will disable it. This technique is used to steal products if, for example, a highly
directional antenna is used which can render the product labels useless.
The possibility of these attacks and their technical simplicity is due to the maturity of the
technology, which allows access to RFID readers and recorders at a very affordable price.
This is why the technology must be further improved, the level of protection of access
increased and the possibilities for fraud reduced.
One of the features of the technology that must be improved to increase security is the
memory and processing capacity of the labels, which will restrict the opportunities for
implementing advanced security mechanisms and coding.
To simply prevent the modification of information on the labels, it is recommended to use

them as read only, or not to write the data directly onto them. In this way, a code is
included on the label and the remaining information is transferred to a database which has
greater security measures.
The authentication methods prior to deleting or disabling the labels can prevent these
unauthorised actions. Encoding of the labels is another good practice if they contain
private information.
Regarding security measures for the reader, authentication techniques can be used to
effect communication between reader and label, thereby preventing falsification of reader
identifiers.

7. RISKS TO PRIVACY
In addition to the possibility of attack on the technological components, there is also risk
for the privacy of users. This consists of unauthorised access to personal information
of the users who use the RFID technology. In this case, we are talking about attacks
which use similar techniques to those seen in the risks to security, but which access this
type of information, either because it is included on the label, or because it is associated
with the label and access is gained to the central system to consult it.
In 2006, the European Commission carried out a public survey on RFID which exposed
the opinion of European citizens regarding this technology. The majority expressed their
concern about possible interference to their privacy.
The most notable threats to personal privacy are:
• Unauthorised access to the labels: These may contain personal data, such as
names, dates of birth, directions etc. They may also contain personal data of any kind,
depending on the application.
• Research into persons and/or their actions, tastes, etc: A person carrying an RFID
label with their data and using it to pay for shopping, public transport, accessing
buildings, etc, may be observed and classified.
• Use of the data for analysis of individual behaviour: Using "data mining”
techniques, this analysis allows consumer profiles to be defined based on client
preferences, using this information to design and guide the marketing strategy and
advertising of companies.
Illustration 19: Other types of RFID label
The perspective of users on these systems is a very important factor for their success.
The main cause of suspicion is related to threats to the privacy and the perception of not
having control over this technology and its uses.
It is perfectly possible, for example, that the user, on acquiring an article, will be unaware
of the presence of the tag and that it can be read from a certain distance away without

their knowledge. If also paying with credit card, it is possible to associate, in a unique way,
the article with the purchaser and then to store this information on a database.
Therefore, suspicion is fed by the same features that RFID technology allows. This is not
merely a subjective question. Therefore, measures for preventing risks to privacy is a
priority task for organisations and requires correct planning of the information system. As
a general rule, we should ensure that personal data is not stored on labels, thereby
preventing a large part of the risk. If measures are not adopted which guarantee respect
for private life, there is risk of generating a negative social perception of technologies
based on RFID.

8. REGULATORY COMPLIANCE
The problem with the privacy of RFID technology has stirred great interest in the heart of
the European Union, which is reflected in the monitoring work carried out by the “Work
Group of Article 295”, in which Spain is represented through the Spanish Data Protection
Agency. In their reports, we can appreciate a growing number of jobs relating to RFID
data protection.
Furthermore, the European Commission has approved a Recommendation on RFID

Communications Privacy called “on the implementation of privacy and data protection
principles in applications supported by radio-frequency identification SEC(2009) 3200
final6” of 12th May 2009. This document establishes recommendations and good
practices at the time of implementing RFID communications within the framework of the
EU.
Of the different documents put forward by the European authorities, there is a clear
conclusion. In those cases where the label contains personal information, or can be
related with resources that link with information of this nature, the regulations on personal
data protection will apply. For example, this would occur when:
• The labels are used to compile information linked to personal data, for example,
related to a specific purchase with a client code or a loyalty card.
• The labels are used to store personal information.
• The labels are used to trace information on the users in the absence of other kinds of
identifier. For example, if a business traces the tags which are inserted into the
clothing worn by the client, or the products that have been purchased, with the aim of
tracing consumer profiles. Much more obvious would be the case in which the tag of a
daily used product is used, such as a watch, as an identifier for the client for
successive entry into the establishment.
So, although there is specific regulation, the Organic Law 15/1999 of 13th December for
protection of Data of a Personal Nature (LOPD) it is directly applicable to the RFID and
to each one of the principles, rights and obligations that it regulates.
Therefore both the producers and the developers of these types of product, as well as the
organisations that use them, notwithstanding the full application of the LOPD group, must
be very mindful that:
1) That the principles of LOPD article 4 are fully applied and therefore a prior
judgement must be carried out on the need to use RFID technology, clearly
defining the aims and uses of the latter which must be proportional to the aims that
5
Available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp146_es.pdf
6
Available at: http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf

are pursued. Furthermore, provisions must be adopted in relation to subsequent
cancellation of the personal data compiled when no longer needed.
2) Those affected, such as clients, workers and generally any person whose
information has been indexed through the direct or indirect use of these labels,
must be informed of the existence of the processes under the terms of LOPD
article 5. To do this, the following recommendations on the information must very
specifically be taken into account:
a) It must be clear, and above all, accessible when the labels are used in
areas such as business, using, wherever necessary, clearly visible signs.
b) The use of labels must be indicated, their location on the product, the
existence of readers and if the tags will be monitored.
c) The method for deactivating or removing labels from objects must be

indicated.
d) Each and every one of the contents required by LOPD article 5.1 must be
included.
3) It must be analysed beforehand in which cases the labels may be used with
consent and in which cases this is unnecessary. Consent must be given
beforehand, free, specific and informed. Special care must be taken when dealing
with especially sensitive areas, whether due to the nature of those affected, such
as minors, or the nature of the data itself such as health related data.
4) The security of each and every one of the personal resources, organisational and
technical, hardware and software, related to the handling of personal data linked to
RFIDs must be guaranteed. In this regard, it must be specified that the introduction
of this kind of technology on Spanish territory must scrupulously respect the
provisions of Royal Decree 1720/2007, of 21st December, through which the
implementing Regulation of Organic Law 15/1999, of 13th December, for
protection of data of a personal nature, is approved. The security measures shall
be particularly relevant in those cases in which the nature of the data may call for
high level application, and when, due to the interoperability of these kinds of
products, the information could be read by organisations alien to the one
responsible for its handling, and must prevent unauthorised accesses at all costs.
More specifically, we can conclude from this regulation that certain design and security
parameters should always be taken into account:
• Every RFID label must be automatically deactivated if it passes into the hands of an
end customer.

• Data cannot be taken from RFID labels from that time.
• The customer or user must be informed of the time at which a product or technology
includes RFID labels.
• The option for keeping the user informed automatically, through screens or LEDs
which show the state of activation of the label, must also be included.
• Data of a sensitive nature may not be included on RFID labels, such as data relating
to political ideology, religion or health data, unless it is for a legal and lawful purpose
and the security measures have been adopted.
• Individual deactivation of the label must also be made possible, as required by the
user.
Finally, further development of Directive 2009/136/CE 7 must also be fully taken into
account, which shows the need to look after protection of fundamental rights, and
specifically the fundamental right to data protection, when the RFID labels are connected
to public, electronic communications networks or when they use electronic communication
services as a basic infrastructure. In this case, the provisions pertaining to Directive
2002/58/CE (Directive on privacy and electronic communications) must also be applied,
including those relating to security, traffic data and location, and to confidentiality.
7
Directive 2009/136/CE of the European Parliament and of the advisory of 25th November 2009 modifying Directive
2002/22/CE relating to universal service and the rights of users in relation to networks and electronic communications
services, Directive 2002/58/CE relating to the handling of personal data and the protection of privacy in the electronic
communications sector and the Regulation (CE) no 2006/2004 on cooperation in matters concerning the protection of
consumers. DOUE L377/11 of 18/12/2009.

9. RECOMMENDATIONS FOR USERS
Domestic users now use RFID technology and they are using it more often, in clothes
shops as an anti-theft system, in libraries, in personal identification systems for accessing
buildings, in passports, pet identification and are even implanted in humans. The use of
RFID will benefit other technological advances, provided that its proper use is ensured.
Users must get to know the technology and take an interest in the use they will make of it,
knowing how to exercise their rights and to communicate to those responsible for using
this technology, the need to respect their fundamental rights to data protection during the
design stages of new RFID services.
The main attack to a user’s privacy through this technology is the attempt to read
personal and private information stored on an RFID device in the user’s possession.
In order to prevent this sort of undesired access to information, there are different
measures whose application will depend on the needs of each user profile, as these
needs will not be the same for a small business client who purchases an item of clothing
as they are for an industrial business which invests in machines or products, the
knowledge of which could make them vulnerable to certain risks. These systems are:
• Use of watchdog labels: (“perro guardián" in Spanish) These labels report any
attempts to read and write which are made in their area of operation.
• Insulation. Prevents the reading of labels except when required. To do this, just insert
the label into a metal or plastic case, which will carry out the function of "Faraday's
cage".
• Use of devices which create a secure area around the user through the emission
of waves which cancel the effectiveness of the RFID. They are also known as
RFID firewalls or radio frequency inhibitors. This solution can be applied to maximum
security environments that are not compatible with situations in which certain readers
must be permitted and others not.
Illustration 20: RFID Firewall Prototype
• The cancellation of labels once the transaction has been carried out, destroying
them physically, or by the KILL command (code included on the tag which, when
activated by a reader is disabled permanently). This restricts the user’s traceability
once the purchase of the products has been made, guaranteeing their privacy.

10. RECOMMENDATIONS FOR SUPPLIERS
Many organisations have already opted to install RFID technology and the predictions
indicate that many more will do so soon. This is why the existence of a good practice
reference is very useful, which will provide guidance for the correct way to develop
and use these systems.
In the first place, it is essential to take the privacy of user information into account if these
aspects relating to the protection of personal data are not taken into account this could
cause damage to the users, as well as damage to the reputation of the entity, including
the financial costs associated with the loss of public image, compensation, sanctions etc.
Secondly, organisations must bear in mind, when creating their systems, that they are
“monitoring” objects, not the persons which carry them. Compliance with this idea reduces
the possibility of third parties being able to take advantage of the RFID technology to
access the private information of users.
The recommendations are summarised into three general principles as follows:
• Do not focus only on the labels or the technology when assessing an RFID system.
• The system should be analysed in its entirety as security or lack of privacy problems
can arise from combinations in the system or from components which are not directly
linked to the RFID readers/transmitters.
• The privacy and security must "work" from the initial installation of the system, as it is
a key part of the latter.
• Full agreement, participation and consent of the users of the system are necessary.
This is achieved through knowledge and participation.
Therefore, the four directives for organisations aimed at protecting privacy are as follows:
• Information. Consumers must be clearly warned of the presence of electronic codes

on products or packaging.
• Choice. Consumers must be informed when RFID is being used on a product, in case
they wish to throw out or remove the RFID labels.
• Education. Consumers must have the possibility of being properly informed on the use
of electronic labels, their technical possibilities and their application.
• Registry. Companies must store records of use, maintenance and protection of

information obtained with this technology, and must publish their policies in this
respect.

This group of partial recommendations must inspire a way of operating based on the
implementation of procedures for assessing the impact on privacy (Privacy Impact
Assessment-PIA) 8 which allows decisions to be made on:
1) The selection of the product most respectful of privacy.
2) The definition of their area of application.
3) The implementation of the technical and organisational security measures needed.
4) The methodology of regulatory compliance which ensures full respect for the
provisions of LOPD.
8
See ICO (2009): Privacy Impact Assessment (PIA) handbook (Version 2). Available at
http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/index.html

11. GOOD PRACTICES
11.1. GOOD PRACTICES FOR GUARANTEEING SECURITY

There are solutions which enable the security of RFID systems to be reinforced, by
improving their technical features. Furthermore, it is necessary to focus specifically on the
overall security of each system.
• Renaming: Avoiding the replacement of a label or similar attacks. In this case, the
RFID labels contain a collection of pseudonyms so that they can transmit a different
one every time they are interrogated by the reader. This way a malicious reader who
wants to supplant the label would have to know all the pseudonyms to carry out a
supplantation.
This defence can be offset by a malicious reader which can read each possible label
many times until the codes repeat themselves. To prevent this, the response of the
label is controlled, slowing down the response in the event of a rapid sequence of
interrogations.
Illustration 21: RFID Chip
• Encryption: Prevents unauthorised parties from being able to understand the

information sent using information encryption techniques. The encryption algorithms to
use are not the classic ones, as the processing capacity of labels is limited. The
manufacturers usually create encryption algorithms.
• Authentication: This prevents the falsification of readers or labels, by inserting a secret

key to validate reader-label communication which means that components alien to the
system will not be able to participate in the communication.
• Reduction of the information contained in the labels: Recording a unique identifier

code of the product onto the label. The remainder of the sensitive information (price,

type of product, etc.) associated with this code will be stored on a central server, thus
minimising the risk of the labels being rewritten.
• Other non-technical solutions: All the aforementioned technical measures must be

accompanied by human supervision, that is, the proper monitoring of shops,
preventing the insertion of label recording devices, exchange of labels from different
products or client use of Faraday cages to steal products.
11.2. GOOD PRACTICES FOR GUARANTEEING PRIVACITY

The main measures for protecting the privacy of users are:
• To provide notification that RFID is being used, clearly and with symbols displayed: on
the products, readers and areas in range of the readers.
• To make users aware, at all times, of when, where and why a tag is being read.
Including indication of the reader with any kind of luminous sign, inconspicuous to
prevent nuisances, but indicative of the activity.
• To have a privacy policy relating to the attainment, use and deletion of personal
information associated with RFID, which must be made public for the users, offering
them the possibility of knowing, accessing and modifying the personal information
associated with RFID that is stored.
• To have RFID-trained staff who know the features of the system installed and are
accessible to the public, and are capable of answering questions on security and
privacy correctly.
• Not to store personal information on RFID tags, destroying said information as soon as
possible, thereby reducing the risk of interference in the privacy of users.
• Withdraw, destroy or deactivate the tags when they have completed their task. If the
post-sales service is to be continued and maintained, it must be ensured that when a
product is returned, this will mean the deletion of any association of the tag with the
user.
• To offer the user the facilities for the withdrawal, destruction or deactivation of the tags
associated with products when the installations are going to be abandoned.
• Not to grant third parties information associated with RFID which could be used to
create profiles or carry out monitoring of users.
• To carry out security audits of RFID systems, periodically to guarantee their level of
security.

Instituto Nacional
de Tecnologías
de la Comunicación
www.inteco.es www.agpd.es

Guide To The Security and Privacy of Rfid Technology - English Version. by INTECO

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Guide To The Security and Privacy of Rfid Technology - English Version. by INTECO

Загружено:

Авторское право:

Доступные форматы

Guide to the security and privacy

NATIONAL INSTITUTE OF COMMUNICATION TECHNOLOGIES

The National Institute of Communication Technologies (Instituto Nacional de Tecnologías de

The Observatorio de la Seguridad de la Información (Information Security Observatory, available

More information: www.inteco.es

More information: http://www.agpd.es

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 2 of 38

1.1. What is RFID Technology? 4

1.2. How does it work? 4

1.3. Benefits of RFID technology 8

2. USES AND APPLICATIONS OF RFID 10

3. REGULATION AND STANDARDISATION 17

3.1. Electronic Product Code 17

3.2. RFID ISO Standards 17

4. OTHER AUTOMATIC IDENTIFICATION SYSTEMS 20

4.1. Bar Codes 20

4.2. Optical character recognition (OCR) 20

4.3. Biometric systems 21

4.4. Smart cards 21

4.5. Comparison with RFID 21

5. RISKS OF USING RFID 23

9. RECOMMENDATIONS FOR USERS 33

10. RECOMMENDATIONS FOR SUPPLIERS 34

11. GOOD PRACTICES 36

11.1. Good practices for guaranteeing security 36

11.2. Good practices for guaranteeing privacy 37

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 3 of 38

1.1. WHAT IS RFID TECHNOLOGY?

RFID technology makes self-identification possible of an object that contains a radio

Thanks to these micro transmitters and transponders (hereinafter referred to as tags or

1.2. HOW DOES IT WORK?

Components of an RFID system

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 4 of 38

Illustration 1: RFID Label

• Data processing subsystem or middleware: is software that resides in the server

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 5 of 38

In Illustration 2: General operating diagram of the RFID technology

Illustration 2: General operating diagram of the RFID technology

Generally speaking, RFID labels can be classified according to two criteria:

According to the power source they use

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 6 of 38

), and they are often inserted into stickers.

Illustration 4: Passive Label 2

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 7 of 38

According to the frequency on which they work

Table 1: Frequency bands used in RFID technology

Frequency Name Range

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 8 of 38

1.3. BENEFITS OF RFID TECHNOLOGY

• It allows a large volume of data to be stored using a small-sized device.

• It ensures operability when subject to adverse conditions (dirt, humidity, high

• It unequivocally identifies products.

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 9 of 38

Graph 1: Use of RFID technology in relation to company size (%)

Source: ONTSI from INE data 2009

we can see the huge differences in the number of employees.

Guide INTECO-AEPD on the security and privacy of RFID technology. Page 10 of 38

Graph 2: Objectives of use of RFID technology in relation to company size (%)

Payment systems 29.6%

Identification of the product 31.2%

Supervision/control of the supply 44.4%

Asset management 24.2%

Identification of people or access control 40.5%