Introduction

The constant introduction of new technologies (e.g., Internet of Things (IoT), wireless sensor networks (WSNs), and radio-frequency identification (RFID)) has provided cybercriminals with new opportunities to commit illegal activities and target victims (Rajan et al. 2017). In March 2019, the International World State reported that there were 173 million Internet users in the Middle East; 67.2% had been exposed to cyber penetration. Hence, cybercrime laws are necessary to address the threats, especially those that target RFID systems.

Statutes and regulations adopted by various countries are closely related to particular cultural contexts that differ worldwide (Alkaabi et al. 2010). The Council of Europe’s 2001 Budapest Convention (Council of Europe 2002) provided the only global baseline in terms of cyberspace regulation (Sarre et al. 2018).

From this perspective, this research investigates the cybercrime laws of the UAE and attempts to answer the following research question: “Do UAE Federal cybercrime laws address emergent RFID security threats?” The remainder of this paper is organized as follows. In the “Related Works: Milieu To UAE Cyber Regulatory Framework” section, related works are provided with regard to RFID security threats, highlighting the important role of statutes and regulations. In the “Research Methodology” section, the methodology of this research is presented. In the “Findings” and “Conclusion” sections, we analyze data by mapping 50 articles to the types of RFID attacks for analysis. Finally, in Section 6, we conclude our study and provide recommendations for future research.

Related works: Milieu to UAE cyber regulatory framework

The United Arab Emirates (UAE) is a federation of seven emirates. The federation adopts a pluralistic legal system of Islamic Law and Civil Law legal traditions. With the establishment of International Financial Free zones in the Emirates of Dubai and Abu Dhabi, the federation has added the English Common Law legal tradition as its offshore legal system. One of the central features of the UAE’s political and legal landscape is the type of federal system which the country operates. According to the UAE Constitution, legislative competencies are divided between the Federal Government on the one hand and the individual emirates on the other. Criminal legislation generally falls under the legislative competence of the Federal Government in the UAE. This entails that laws dealing with cybercrimes can be promulgated by the UAE federal government (Footnote 1).

Cybercrimes in the UAE, as in any other rapidly developing economy, are on the rise. McAfee's study (Radcliffe 2018) reported that the United Arab Emirates (UAE) is the second most targeted country in the world for cybercrime, costing the country an estimated $1.4bn loss per year. Against the background of rising cybercrime threats, the government has put in place a robust regulatory framework and implemented measures aimed at curtailing the rise of cyberattacks in the UAE. According to the United Nations (UN) Global Cybersecurity Index Report 2020 (ITU 2020), the UAE is ranked 5th globally in ensuring robust infrastructure towards cybersecurity. The infrastructures are all anchored by the overall regulatory framework.

Indeed, the UAE, and the emirate of Dubai in particular, are well known for innovatively digitalizing various services towards achieving smart city initiatives. As far back as 2007, the UAE started using RFID to collect road tolls through what is known as the Salik system (El Hendy et al. 2022). The government, through the Road Transportation Authority (RTA), mounted Salik toll gates. The Salik system requires vehicle owners to open a prepaid Salik account and install Salik stickers on their vehicles. Once a vehicle drives through the Salik toll gate, the RFID technology will scan and charge the Salik account. In 2022, Law No. 12 of 2022 was issued by the Ruler of Dubai, establishing Salik as a Public Joint-Stock Company (PJSC) with legal personality to conduct its activities as an entity independent from the RTA (Footnote 2). A similar RFID toll gate system was introduced in the emirate of Abu Dhabi in 2021. The toll system, known as Darb, operates similarly to Dubai’s Salik system (Footnote 3). Indeed, both the Salik and Darb systems, and the totality of all RFID technologies deployed in the UAE, must be operated in accordance with the overall legal and regulatory framework of cyber related laws within the UAE.

In navigating the regulatory framework of cyber activities in the UAE, it is imperative to contextualize the pattern of the legislative style adopted by the UAE authorities. The main law governing cybercrimes in the UAE is the recent Federal Law No. 34 of 2021 Concerning the Fight Against Rumors and Cybercrime (Footnote 4). Prior to the promulgation of Law No. 34 of 2021, the first legislation dealing with cybercrimes in the UAE was the Federal Law No. (2) of 2006 on the prevention of information technology crimes (Footnote 5). The law is made up of twenty-seven (27) articles. It emphasizes intention as a sine qua non of a criminal act. It also provides lesser punishments for cyber offenses. The 2006 law was abrogated in 2012 by the Federal Law No. 5 of 2012 on Combating Cybercrimes (Footnote 6). Apart from removing intention as a condition for the commission of a crime under its Article 2, Law No. 5 of 2012 increases the penalty by specifying higher amounts as fines. The law also introduces additional cyber related offenses not provided for under the law of 2006. In 2018, the Federal Law No. 5 of 2012 was amended (Khlegal 2018). The amendment may not be unconnected with the surge in financial and technology related activities in the UAE amidst newer dimensions of cyber related activities that were posing a threat to the legal framework. The amendment affected Articles 26, 28, and 42. Primarily, the amendment enlarges the scope of Article 28 by criminalizing, within the ambit of the Article, the promotion of terrorism and other unauthorized groups using computer networks, and further provides harsher punishments. In addition, the amendment also criminalizes the use of any means of information technology to threaten national security or public order.

In 2021, a new law was promulgated and issued as Federal Law No. 34 of 2021 Concerning the Fight Against Rumors and Cybercrime, which came into force on January 2, 2022. The new law has repealed all the previous legislation dealing with cybercrimes and aims at providing a comprehensive legal framework to combat all forms of abuse of digital technologies. The law is made up of seventy-four (74) Articles. Articles 2–64 of the law address several cybercrimes and their related punishments. Overall, the law does not define cybercrime as a concept. It, however, defines cyber as anything regarding computer networks and the associated services performed by information programs, internet, and computer networks.

UAE cybercrime law in the light of deficiencies of RFID technology laws

Deficiencies commonly associated with RFID technology laws are some of the signs that prompted the UAE legislators to develop a comprehensive legal framework. The deficiencies are diverse and multifaceted (Talidou 2006). Some of the notable deficiencies or gaps not commonly and decisively addressed by RFID laws include privacy issues, data (security, ownership, consent, flows, custody, deletion, breach, liability, etc.), cross-border challenges, and standardization (Levary et al. 2005). Under the new law, adequate provisions have been provided to bridge this gap. Article 44 of the new law provides for a punishment of fine and imprisonment for anyone who, among other things, invades the privacy of another person through broadcasting, eavesdropping, transmitting, intercepting, etc. Articles 2–19 of the law provide for various types of offenses relating to hacking, harm, and infringement of personal data, government data, and financial, commercial, and economic establishment data. In addition, to respond to the challenge of jurisdictional limitation, the law provides for extra-territorial application of its provisions.

Indeed, Law No. 34 of 2021 is all-encompassing. It envisages various conceivable scenarios relating to cybercrime. However, while the detailed provisions of the law are adequately encompassing, it needs to be acknowledged that cyber related activities are also evolving in an ever-changing environment.

Research methodology

To measure the adequacy of UAE law in covering fraud reported in the literature, we adopted the following research process:

  1. Data mapping: mapping UAE laws that protect against RFID attacks;

  2. Data analysis: analyzing the data and drawing conclusions on the distribution of laws that address RFID attacks.

Data mapping

Known RFID cyber threats have been widely reported in the literature. In their recent research, Miniaoui et al. (12) reported seven major categories and classified more than 15 threats as follows:

  • Physical: deactivation of communications between a reader and a tag or the destruction of a tag for the purpose of sabotage;

  • Spoofing: exposure of item data that seek to foul the integrity of the data items;

  • Eavesdropping and skimming: exposure of item data or identity information;

  • Clandestine tracking: loss of data confidentiality;

  • Relay: loss of data integrity;

  • Tag cloning: identity and account information theft;

  • Denial-of-service (DoS): deactivation or hampering of communications among RFID components.

Additionally, Miniaoui et al. (12) mapped RFID attack types and classified them into three categories (i.e., interception, blocking, and physical attacks), as shown in Table 1.

Table 1 Classification of RFID system attacks

On the other hand, the UAE cybercrime laws include 50 articles that address cybercrimes and their related sanctions. In our research, we studied each article and interpreted the corresponding tort based on the classification established from the literature. Table 2 presents a sample of our mapping (Articles 2 and 50). We used the classification of Miniaoui 2021, which is based on European and UN guidelines (Schjolberg and Ghernaouti-Helie 2011).

Table 2 Coding cybercrimes based on researches in the field

The summary of our mapping of the 50 articles is listed in Table 3 (Footnote 7).

Table 3 Mapping of UAE Law articles with RFID attacks

Data analysis

In this section, we discuss the severity of three types of attacks (i.e., interception, physical, and blocking) to assess the adequacy of UAE cybercrime law. The summary of our analysis is represented in Table 4. Overall, the UAE Law covers all types of RFID attacks, at different levels. Physical attacks are the most common ones, and UAE Law covers them with a high percentage of 16%. Blocking attacks are also sufficiently covered, with 8% of UAE law. However, interception attacks are the least covered in the UAE Laws, with 4%. In the next section, we present in depth our findings on the UAE law coverage of RFID attacks and explain, where needed, whether amendments of UAE Law are required by referring to other laws in countries like the US and UK.

Table 4 Summary of the mapping of UAE Law article with RFID attacks

Findings

The findings of our analysis will be structured in three parts as follows: physical attacks, blocking attacks, and finally interception attacks.

Physical attacks (16%)

Physical attacks are covered by 16% of UAE laws, which is sufficient because physical attacks can target both readers and tags. In a normal work environment, a hacker can illegally access a server room and compromise machines using several means, such as placing a universal serial bus (USB) device that includes a virus that will block, copy, or falsify data. However, an RFID physical attack is easier, as blocking the RFID reader can be done by changing its angle of reading so that it cannot spot all the items placed for scanning.

Removing or interchanging RFID price tags on merchandise is also commonplace. In addition, for experienced hackers, tags can be cloned without physically removing or interchanging them because of readers that can manipulate data within a range of meters. Although some RFID manufacturers lock their tags at the physical level, this remains uncommon, owing to the cost overhead.

Blocking attack (8%)

Blocking attacks are quite easily executed by using an RFID transceiver that can neutralize a signal. Once jamming occurs, the official reader fails to read tags, and the entire RFID-based system is compromised. In addition, placing a large number of tags in the reader’s scope can lead to jamming, similar to DoS.

Several law documents address actions that directly or indirectly block devices using such methods. Therefore, we consider that blocking attacks are appropriately addressed in current law. However, bringing someone to justice requires video footage.

Interception attacks (4%)

In conventional CPS systems, intercepting communications is mainly achieved by compromising data or systems. This attack is mainly known as a man-in-the-middle attack (Miniaoui et al., 12). It is achieved via the following actions:

  1. Infiltrating a network by obtaining a static or dynamic IP address;

  2. Gaining access to data in a network and intercepting communications;

  3. Compromising data: once data are intercepted, the hacker decrypts them using tools, accesses them, and finally compromises them.

Network data filtering can reveal the machines connected to hacking activities. Hence, tracing the intercepted data is possible. However, with RFID systems, there is no way to trace such communications within a network (Liu et al. 2008). Indeed, RFID communications interception is simple. The hacker places an antenna within a radius of 10 m without connecting to the RFID network (Muammar and Miniaoui 2017). Then, the hacker can intercept RFID traffic between readers and tags without detection. Furthermore, encryption is not mandatory in RFID protocol. Such weaknesses have been widely reported in the literature related to businesses and governments.

Governmentally, Ozer argued that it is difficult to punish hackers as RFID technology makes it difficult to catch them when countermeasures fail (Ozer 2008). Because RFID technology does not alert administrators when information is accessed in an unauthorized fashion, it is difficult to ascertain whether the countermeasures are effective. Thus, according to a detailed report (Ozer 2008), the use of RFID for tracking government documents is strongly discouraged. In addition, concerns have been presented regarding the use of RFID technology in other contexts, such as with passports, driver licenses, toll collection, etc., leading to recommendations of RFID avoidance (Dalal 2006).

The US Department of Homeland Security proposed the following recommendations (Footnote 8):

  • Provide educational methods to explain why RFID is being used, the information collected, and by whom;

  • Use open standards to avoid stove-piped technologies;

  • Provide choice and consent options that allow users to opt out;

  • Secure RFID readers and data to mitigate skimming and relay risks;

  • Ensure that the data collected using RFID technology are strictly used for the stated goal.

In a business context, a more recent work (Farshidi 2016) advised that stores should develop their own regulations to address privacy concerns related to RFID loyalty cards and other tracking methods. This is because most regional laws do not address the abuse potential for such methods.

In summary, RFID interception attacks are simply executed and are not traceable through networks, which leads to many different attacks. Laws must specifically dedicate articles to sanction all interception attempts, including spoofing, eavesdropping, and relay attacks. Doing so will help dissuade hackers, because they will know that they will be legally accountable and charged for their crimes.

Conclusion

In this paper, we presented the results of a quantitative analysis of UAE laws that address emergent RFID attacks. Based on an extensive literature review, we classified the attack types into three main categories: physical, interception, and blocking. Physical attacks are similar to CPS attacks where a person on site places a USB device or similar in a server port to cause changes to the server. In RFID systems, changing the scanning scope or damaging a tag constitutes a malicious physical attack. These attacks can be detected by reviewing video monitoring devices so that attackers can be charged. A total of 16% of UAE laws in this context address this threat, which is satisfactory. Major problems otherwise exist for bringing attackers who carry out interception attacks on RFID data to justice based on current laws. In the US, several commissioned reports recommend avoiding the use of RFID for human identification and tracking or for official documents, owing to the high risk of interception. In a recent amendment, the California State Law provided clear paths for combatting attacks on IoT devices (Fernandez 2020). The law specifically addresses the security of connected IoT devices (e.g., RFID, Raspberry Pi, and WSNs) by providing minimum original equipment manufacturer device security. By stipulating these requirements, the law places responsibility on the manufacturer in cases of litigation. However, no US law articles directly charge the hacker for committing interception attacks.