RFID Middleware

University of Houston
Bauer College of Business
Spring 2007

Source: Forrester, 2004; www.rfidvirus.org

Definition

 Middleware: Software that connects two

disparate applications, allowing them to
communicate with each other and to
exchange data (Laudon & Laudon, 2002)
Underlying Drivers of RFID Middleware

 Standards
 Integration
EPCglobal Network
 Set of global technical standards aimed at enabling
automatic and instant identification of items in the supply
chain and sharing the information throughout the supply
chain

 The EPCglobal NetworkTM consists of five fundamental

elements:

 ID System (EPC Tags and Readers),

 Electronic Product Code (EPC)
 Object Name Service (ONS)
 Physical Markup Language (PML)
 Savant
(http://www.csis.hku.hk/~clwang/RFID/rfid-main2004.htm)
Savant
 Middleware developed by Auto-ID to provide interface between
RFID reader and databases

 Sits between tag readers and enterprise applications to manage

the vast amount of information retrieved from the tags

 Manages and moves information in a way that does not overload

existing networks

 Has a hierarchical architecture that directs the flow of data by

gathering, storing, and acting on information and communicating
with other Savants

 Lower level Savants process, filter and direct information to the

higher level ones and, consequently, massive flow of information
and network traffic is reduced
Types of RFID Vendors

 RFID Pure Plays – offer products that

integrate with RFID readers, filter and
aggregate data, and may incorporate some
business rules
 ConnectTerra
 GlobeRanger
 OATSystems
 RF Code
Types of RFID Vendors

 Integration Specialists –add RFID features

like reader coordination and edge-tier filtering
go to their existing integration technology
 webMethods
 TIBCO
 Ascential Software
Types of RFID Vendors
 Application Vendors – offer software ranging from
RFID-enabled applications for warehouse and asset
management to more robust RFID middleware
solutions for reader coordination, data filtering, and
business logic capabilities
 Povia Software
 Manhattan Associates
 RedPrairie
 SAP
Types of RFID Vendors

 Platform Giants – extend their existing

platforms and middleware to accommodate
RFID
 Sun Microsystems
 IBM
 Oracle
 Microsoft
Middleware Functionality
 Reader and device management: RFID
middleware should allow users to configure,
monitor, deploy, and issue commands directly to
readers through a common interface.

 Data management. Once RFID middleware

captures EPC data from readers, it must be able to
intelligently filter and route it to the appropriate
destinations. This capability should include both low-
level logic like filtering out duplicate reads and more
complex algorithms like content-based routing
Middleware Functionality
 Application integration. RFID middleware
solutions should provide the messaging, routing,
and connectivity features required to reliably
integrate RFID data into existing SCM, ERP, WMS,
or CRM systems

 Partner integration. Some of the most promising

benefits of RFID will come from sharing RFID data
with partners to improve collaborative processes like
demand forecasting and vendor-managed inventory
Middleware Functionality
 Process management and application
development: Instead of just routing RFID data to
business applications, sophisticated RFID
middleware platforms will actually orchestrate RFID-
related end-to-end processes that touch multiple
applications and/or enterprises, like inventory
replenishment. Key process management and
composite application development features include
workflow, role management, process automation,
and UI development tools.
Middleware Functionality
 Packaged RFID content. RFID middleware platforms that
include packaged routing logic, product data schemas, and
integration with typical RFID-related applications and processes
like shipping, receiving, and asset tracking are major assets

 Architecture scalability and administration. This means that

RFID middleware platforms must include features for dynamically
balancing processing loads across multiple servers and
automatically rerouting data upon server failure. These features
should span all tiers of the architecture — even the edge devices
Forrester Research Conclusions
 Manhattan Associates, OAT, and SAP lead with strong
mandate solutions

 Pure plays like GlobeRanger and ConnecTerra also offer

viable solutions for early adopters. But unlike
OATSystems, these vendor offer “pure” middleware
solutions that provide strong reader integration
capabilities and APIs for publishing RFID data to back-
end applications and typically incorporate less packaged
application logic like EPC track-and-trace tools.
Forrester Research Conclusions

 Both Savi Technology and RF Code have

specialty capabilities and experience with
active RFID tags

 Most platform and integration vendors lack

generally available products
Single-Tier RFID Middleware
Architecture
Multitier RFID Middleware Architecture
RFID Middleware

 Sun
 SAP
 Microsoft
 Oracle
Sun’s RFID Software Architecture
Sun’s Event Manager
Sun’s Information Server
SAP
Threats to RFID Middleware
(Source: www.rfidvirus.org)
Why RFID systems are vulnerable to
attacks
 Lots of source code
 Generic protocols
 Back-end databases
 High-value data
 False sense of security
RFID-Based Exploits
 Buffer Overflows
 The life of a buffer overflow begins when an attacker inputs
data either directly (i.e. via user input) or indirectly (i.e. via
environment variables).
 This input data is deliberately longer then the allocated end
of a buffer in memory, so it overwrites whatever else
happened to be there.
 Since program control data is often located in the memory
areas adjacent to data buffers, the buffer overflow can
cause the program to execute arbitrary code
RFID-Based Exploits
 Buffer Overflows
 RFID tags are limited to 1024 bits or less

 Commands like 'write multiple blocks' from ISO-15693 can allow

a resource-poor RFID tag to repeatedly send the same data
block, with the net result of filling up an application-level buffer

 Meticulous formatting of the repeatedly sent data

 An attacker can also use contactless smart cards, which have a

larger amount of available storage space

 An attacker can really blow RFID middleware's buffers away, by

using a resource rich actively-powered RFID tag simulating
device, like the RFID Guardian
RFID-Based Exploits

 Code Insertion
 Malicious code can be injected into an application
by an attacker, using any number of scripting
languages including VBScript, CGI, Java,
JavaScript, and Perl
RFID-Based Exploits
 SQL injection
 SQL injection is a type of code insertion attack that tricks a
database into running SQL code that was not intended.
 Attackers have several objectives:
 They might want to enumerate (map out) the database
structure. Then, the attackers might want to retrieve
unauthorized data, or make equally unauthorized
modifications or deletions.
 Databases also sometimes allow DB administrators to
execute system commands. A system command can be used
to attack the system
RFID-Based Worms
 Worm is a program that self-propagates across a network,
exploiting security flaws in widely-used services

 A worm is distinguishable from a virus in that a worm does not

require any user activity to propagate

 Worms usually have a payload, which performs activities ranging

from deleting files, to sending information via email, to installing
software patches

 One of the most common payloads for a worm is to install a

“backdoor” in the infected computer, which grants hackers easy
return access to that computer system in the future.
RFID-Based Viruses

 One can develop RFID based viruses using

SQL language

 The SQL data can be transmitted to a system

via an RFID tag
Conclusion

 What is middleware
 EPC Global
 Savant
 Vendors
 Functionality
 Architecture
 Threats