U.S. officials recommend better RFID security

Organizations that use RFID devices should systematically evaluate potential security and privacy risks posed by the technology, U.S. government officials say in a new report detailing best practices for retailers, manufacturers, hospitals and federal agencies.

RFID raises unique security concerns because, unlike a desktop computer or most devices overseen by a company’s network security crew, a single RFID tag may be handled by multiple organizations.

“When you go into RFID, the chain of custody is different,” says Tom Karygiannis, lead author of a 154-page report released by the Department of Commerce’s National Institute of Standards and Technology (NIST). “We’re talking about a global supply chain. You’re working with suppliers, manufacturers, retailers; different organizations may have possession of the merchandise that has the RFID on it throughout the life cycle. This raises new privacy and security risks.”

The publication, titled “Guidelines for Security Radio Frequency Identification (RFID) Systems,” includes recommendations such as the following:

* Use firewalls that separate RFID databases from an organization’s other databases and IT systems.

* Encrypt radio signals when feasible.

* Authenticate approved users of RFID systems.

* Shield RFID tags or tag reading areas with metal screens or films to prevent unauthorized access.

* Use audit procedures, logging and time stamping to help detect security breaches.

* Implement procedures for tag disposal and recycling that permanently disables or destroys sensitive data.

The report was mandated by Congress under the Federal Information Security Management Act of 2002. In addition to usage in the retail industry, RFID devices are matching hospital patients to lab test results and helping track dangerous materials, raising concerns about eavesdropping or unauthorized use.

The federal report includes hypothetical case studies, including one in which a government agency oversees supply chain management of hazardous materials that are handled by a number of organizations during transport. The risks involving RFID are numerous: adversaries could identify and target vehicles containing hazardous materials; eavesdrop on tag transactions to learn the characteristics of the materials; damage or disable a tag, making it easier to steal; or alter sensor or manifest data stored on the tag to undermine business processes.

The suggested solutions include shielding vehicles and containers to prevent electromagnetic emissions, establishing a 100-meter perimeter around storage locations, and using password protection to prevent unauthorized parties from reading tags or changing the information they contain. As a general rule, the report says, tagged items should be identifiable only during embarkation, debarkation and storage, but not during transport.

“The technical challenge is for each person along the supply chain to be able to securely access information related to that particular tag. You have to be authorized and authenticated. It has to be done securely,” Karygiannis says.

Karygiannis, a senior researcher with NIST’s computer security division in Gaithersburg, Md., said the division is trying to stay ahead of the curve on RFID security. For example, its electromagnetics team in Boulder, Colo. is trying to develop ways to detect counterfeit RFID tags, a task that is difficult with today’s technology, he says.