The recurring topic of RFID security flaws has been making headlines again lately. But unlike new e-mail viruses or Internet worms that demand the immediate attention of the IT department, this threat isn't a front-burner security issue...at least not yet.
A few recent events have brought renewed attention to the fact that RFID is vulnerable. Earlier this month a security expert cracked one of the U.K.'s new biometric passports that use RFID to store personal information. Last month at the RSA Security '07 conference, a company called IOActive demonstrated an RFID cloner that can steal codes from building access cards. (IOActive was slated to show a similar demonstration at last month's Black Hat security conference, but the session was quashed by a leading RFID card maker and generated more headlines regarding fairness and disclosure than the original demo would have.)
Add those events to headlines from the past year that the U.S. Department of State plans to issue passports with RFID chips containing personal information -- to which the American Civil Liberties Union has expressed vehement opposition because of the potential for exposed personal information - and reports that an RFID virus could be developed that make tags vulnerable, and suddenly the technology seems about as safe as sending confidential data over Web mail.
Yet, unlike Internet threats that could affect every person using the Web, RFID security holes are only truly dangerous if the information stored on these tags is valuable. In most enterprise applications of RFID today - many of which are still in their early phases - that's not the case.
Nutritional product maker Schiff Nutrition launched an RFID pilot about three months ago to tag cases and palates of supplements and energy bars with basic information - what the product is, where it was manufactured, and what kind of item it is. Security has not yet factored into the project, says Rod Farrimond, manager of business analysis, because that data alone isn't valuable.
"How we're using this is almost just like the barcode, and in the same sense that people can spoof a barcode, people will figure out how to spoof RFID, but the question is why?" he says. All of the valuable information about the company's products are stored on a Web server that is password protected, Farrimond explains, so the data on the RFID tags only serves to identify the items.
"There's no reason to be alarmist about the situation, most implementations today ... are largely pilot implementations anyway," says Jeff Woods, a research vice president at Gartner. That's not to say security should be ignored. Enterprises embarking on RFID projects need to "...bring in the security people and apply good standard security practices to the project."
There are a number of reasons why RFID is vulnerable:
- The tags are physically small, making it technically difficult to engineer protection for them. "RFID is an extremely space-constrained environment, there are very few bits involved," Woods says.
- RFID tags are mobile; they roam corporate halls attached to building access badges and cross the country stuck on palettes loaded on freight trains, and are therefore exposed to more unauthorized users than most technologies.
- The tags aren't always carrying sensitive data. Going through the time and expense of elaborately securing an RFID tag for goods with information that only matters to the owner of the goods doesn't make a lot of sense. "Do you need [RFID security measures] on a can of Coke in Wal-Mart? Probably not in the short term. It could be used for tracking and identification, but I would argue I might not spend money on that technology yet," says Louis Parks, CEO of SecureRF, which develops RFID tags with integrated security that authenticates and encrypts reader-tag communications.
- The tags are used in hundreds of ways, making it difficult to standardize on when security is needed, and how much. In enterprises, RFID is being used in projects as varied as asset management, payment, retail floor management and supply chain management, Woods says.