Iztok Starc (2011) Security assurance in networked radio frequency identification system environment. MSc thesis.
Radio frequency identification (RFID) is an information and communication technology for wireless identification and object labelling. A typical RFID system consists of a tag, a reader and a back-end system connected to a database. These systems are now present in private-sector industries as well as in the public sector. RFID system deployment is increasing because a high level of automation gives companies the opportunity to reorganize and adapt their business processes to reduce costs, increase revenue, improve services and increase the number of regular customers. However, this trend is accompanied by an increasing dependence on security, which is one of the most notable quality characteristics of the system from the stakeholders' point of view. The technological structure of an RFID system is complex and distributed, and its components are heterogeneous and interconnected through the internet. This allows hackers to mount remote and automated attacks by exploiting vulnerabilities in exposed systems, which may cause unrecoverable damage to the business. Further, the system's complexity and its diverse context of use make the information security risk management process more complex and an information security management system more difficult to implement. Current information security risk management is basically reactive, as it lags behind incidents. This strategy has proven inefficient and the number of dissatisfied stakeholders is increasing. Stakeholders' concerns regarding security and privacy are one of the main barriers to RFID technology adoption. This Master's thesis defines and develops a security assurance method and a tool for provisioning security. The tool is used in conjunction with the proposed method and enables simulated cyber attacks on a generic networked RFID system.
The cyber attack selection criteria are based upon identified threats; the tester has complete control over RFID tag execution and can also overhear, intercept and synthesize any message on the communication channel between the tag and the reader. The RFID tag and the tool stub are implemented in a low-cost field-programmable gate array (FPGA). The second part of the tool is implemented using commodity hardware and software. This cost-effective implementation makes the tool affordable to the security research community for performing functional security testing, risk-based security testing and penetration testing. Furthermore, the security assurance method is aligned with the ISO/IEC 27005:2008 information security risk management process. This gives companies the opportunity to change their information security management strategy from reactive to proactive, which increases the odds of timely risk identification and thus prevents the occurrence of incidents.