RFID threats: Don't be alarmed, but be aware

RFID security holes can be a serious threat - but only if the information stored on these tags is valuable

The recurring topic of RFID security flaws has been making headlines again lately. But unlike new e-mail viruses or Internet worms that demand the immediate attention of the IT department, this threat isn't a front-burner security issue...at least not yet.

A few recent events have brought renewed attention to the fact that RFID is vulnerable. Earlier this month a security expert cracked one of the U.K.'s new biometric passports that use RFID to store personal information. Last month at the RSA Security '07 conference, a company called IOActive demonstrated an RFID cloner that can steal codes from building access cards. (IOActive was slated to show a similar demonstration at last month's Black Hat security conference, but the session was quashed by a leading RFID card maker and generated more headlines regarding fairness and disclosure than the original demo would have.)

Add those events to headlines from the past year that the U.S. Department of State plans to issue passports with RFID chips containing personal information - to which the American Civil Liberties Union has expressed vehement opposition because of the potential for exposed personal information - and reports that an RFID virus could be developed that makes tags vulnerable, and suddenly the technology seems about as safe as sending confidential data over Web mail.

Yet, unlike Internet threats that could affect every person using the Web, RFID security holes are only truly dangerous if the information stored on these tags is valuable. In most enterprise applications of RFID today - many of which are still in their early phases - that's not the case.

Nutritional product maker Schiff Nutrition launched an RFID pilot about three months ago to tag cases and pallets of supplements and energy bars with basic information - what the product is, where it was manufactured, and what kind of item it is. Security has not yet factored into the project, says Rod Farrimond, manager of business analysis, because that data alone isn't valuable.

"How we're using this is almost just like the barcode, and in the same sense that people can spoof a barcode, people will figure out how to spoof RFID, but the question is why?" he says. All of the valuable information about the company's products is stored on a Web server that is password protected, Farrimond explains, so the data on the RFID tags only serves to identify the items.

"There's no reason to be alarmist about the situation, most implementations today ... are largely pilot implementations anyway," says Jeff Woods, a research vice president at Gartner. That's not to say security should be ignored. Enterprises embarking on RFID projects need to "...bring in the security people and apply good standard security practices to the project."

There are a number of reasons why RFID is vulnerable:

- The tags are physically small, making it technically difficult to engineer protection for them. "RFID is an extremely space-constrained environment, there are very few bits involved," Woods says.

- RFID tags are mobile; they roam corporate halls attached to building access badges and cross the country stuck on pallets loaded on freight trains, and are therefore exposed to more unauthorized users than most technologies.

- The tags aren't always carrying sensitive data. Going through the time and expense of elaborately securing an RFID tag for goods with information that only matters to the owner of the goods doesn't make a lot of sense. "Do you need [RFID security measures] on a can of Coke in Wal-Mart? Probably not in the short term. It could be used for tracking and identification, but I would argue I might not spend money on that technology yet," says Louis Parks, CEO of SecureRF, which develops RFID tags with integrated security that authenticates and encrypts reader-tag communications.

- The tags are used in hundreds of ways, making it difficult to standardize on when security is needed, and how much. In enterprises, RFID is being used in projects as varied as asset management, payment, retail floor management and supply chain management, Woods says.

Cara Garretson

Network World