RFID holes create security concerns


The recurring topic of RFID security flaws has been making headlines again lately. But unlike new e-mail viruses or Internet worms that demand the immediate attention of the IT department, this threat isn’t a front-burner security issue…at least not yet.

A few recent events have brought renewed attention to the fact that RFID is vulnerable. Earlier this month a security expert cracked one of the U.K.’s new biometric passports that use RFID to store personal information. Last month at the RSA Security ’07 conference, a company called IOActive demonstrated an RFID cloner that can steal codes from building access cards. (IOActive was slated to show a similar demonstration at last month’s Black Hat security conference, but the session was quashed by a leading RFID card maker and generated more headlines regarding fairness and disclosure than the original demo would have.)

Add those events to headlines from the past year that the U.S. Department of State plans to issue passports with RFID chips containing personal information — to which the American Civil Liberties Union has expressed vehement opposition because of the potential for exposed personal information – and reports that an RFID virus could be developed that makes tags vulnerable, and suddenly the technology seems about as safe as sending confidential data over Web mail.

Yet, unlike Internet threats that could affect every person using the Web, RFID security holes are only truly dangerous if the information stored on these tags is valuable. In most enterprise applications of RFID today – many of which are still in their early phases – that’s not the case.

The year in RFID threats

These headlines were among the revelations of RFID security weaknesses over the past year:

• Security expert cracks RFID chip in U.K. passport — 3/6/07
A security expert has cracked one of the United Kingdom’s new biometric passports, which the British government hopes will cut down on cross-border crime and illegal immigration.

• Lawmakers working to ban hacked RFID door cards — 2/28/07
U.S. lawmakers say the debate over use of similar RFID security technologies in the government space is far from over.

• Battle brewing over RFID chip-hacking demo — 2/26/07
Secure card maker HID is objecting to a demonstration of a hacking tool at this week’s Black Hat federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called proximity door access cards.

• Industry group urges caution for RFID-enabled ID cards — 12/5/06
A government plan to use RFID chips in a proposed passport card program for U.S. citizens is drawing fire from some quarters.

Nutritional product maker Schiff Nutrition launched an RFID pilot about three months ago to tag cases and pallets of supplements and energy bars with basic information – what the product is, where it was manufactured, and what kind of item it is. Security has not yet factored into the project, says Rod Farrimond, manager of business analysis, because that data alone isn’t valuable.

“How we’re using this is almost just like the barcode, and in the same sense that people can spoof a barcode, people will figure out how to spoof RFID, but the question is why?” he says. All of the valuable information about the company’s products is stored on a Web server that is password protected, Farrimond explains, so the data on the RFID tags only serves to identify the items.

“There’s no reason to be alarmist about the situation, most implementations today … are largely pilot implementations anyway,” says Jeff Woods, a research vice president at Gartner. That’s not to say security should be ignored. Enterprises embarking on RFID projects need to “…bring in the security people and apply good standard security practices to the project.”

There are a number of reasons why RFID is vulnerable:

• The tags are physically small, making it technically difficult to engineer protection for them. “RFID is an extremely space-constrained environment, there are very few bits involved,” Woods says.

• RFID tags are mobile; they roam corporate halls attached to building access badges and cross the country stuck on pallets loaded on freight trains, and are therefore exposed to more unauthorized users than most technologies.

• The tags aren’t always carrying sensitive data. Going through the time and expense of elaborately securing an RFID tag for goods with information that only matters to the owner of the goods doesn’t make a lot of sense. “Do you need [RFID security measures] on a can of Coke in Wal-Mart? Probably not in the short term. It could be used for tracking and identification, but I would argue I might not spend money on that technology yet,” says Louis Parks, CEO of SecureRF, which develops RFID tags with integrated security that authenticates and encrypts reader-tag communications.

• The tags are used in hundreds of ways, making it difficult to standardize on when security is needed, and how much. In enterprises, RFID is being used in projects as varied as asset management, payment, retail floor management and supply chain management, Woods says.

SecureRF’s Parks adds to the list law firms tagging files so they’re easier to find, and luxury-goods makers including tags on items to prevent counterfeiting. He says currently there are 50 million people in the United States using some form of RFID.

“If it exists, someone has put an RFID tag on it,” Gartner’s Woods adds.

One way to gauge how much security to devote to an RFID project is to ask how much the company values the information that is to be stored on the tags. If the information is at all sensitive – such as personal customer or employee information – or could be used to harm the company, say by allowing an intruder to break into the building, then security needs to top the list of requirements.

“There are RFID technologies that are secure enough for their uses, but there are also people who believe there is not sufficient security – since you’re never 100% secure and everything, with sufficient resources, can be broken – and so [they believe] you should not embed RFID in a passport, school ID card, credit card, anything that contains personal information,” says Paul Proctor, research vice president for RFID, also with Gartner.

Powerful organizations including retailing giant Wal-Mart and the U.S. Department of Defense are using the technology and requiring their suppliers to do the same, which will increase the technology’s adoption, and with that security concerns will mount. But, as with any form of new technology, implementers should understand what RFID is to be used for and build in security controls accordingly.

“Personnel responsible for designing RFID systems should understand what type of application an RFID system will support so that they can select the appropriate security controls,” reads a draft publication issued last September by the National Institute for Standards and Testing, a non-regulatory federal agency that’s part of the U.S. Department of Commerce’s Technology Administration, regarding securing RFID systems. “Organizations need to assess the risks they face and choose an appropriate mix of management, operational and technical security controls for their environments.”


Copyright © 2007 IDG Communications, Inc.