The use of
radio frequency identification (RFID) chips
and devices will increase dramatically over the next few years,
as retailers, businesses and even the US federal government
makes use of this often discrete communication technology.
But do these small chips and systems, which usually broadcast
compact snippets of information, open a door to potential security
breaches and risks? Does their use also create yet another
entry point for viruses and malicious hacker
mayhem? These are the questions security experts and RFID users
are now wrestling with as these devices are called upon to
deliver much more than simple tracking and product data.
"Any sort digital technology that is networked can be infringed
upon or corrupted with malicious intent," said Srini Krishnamurthy,
vice president of strategy and business development for Airbee
Wireless Inc., a wireless solutions provider based just outside
Washington, D.C. "RFID data may be read-only and in some cases
read/write, but it lives in the same environment as viruses and
worms that permeate the Net."
"All of these things have the ability to bury malicious code,"
added Norm Laudermilch, chief technology officer for Trust Digital
Inc. "It doesn't take much malicious code to do things like an SQL
injection, or take advantage of vulnerabilities in a PHP Web
site."
Strength in numbers
What makes security gurus especially concerned is the sheer
number of RFID tagging devices in use today and the expected
millions that will be in place in just a year or two.
 | | | | | RFID data may be read-only and in
some cases read/write, but it lives in the same environment as
viruses and worms that permeate the Net.
Srini Krishnamurthy
Airbee Wireless |
| | | | | |
| |
|
Worldwide RFID spending totaled about $504 million in 2005, and is
expected to shoot past $3 billion by 2010, according to Stamford,
Conn.-based market researcher Gartner Inc.
Major retailers like Wal-Mart Stores Inc. have embraced RFID as
a means to better understand supply chain dynamics and control
costs. In fact, its was Wal-Mart that spearheaded the widespread
use of RFID tags to track product shipments about two years ago,
when it demanded that all its suppliers eventually use the
technology to keep tabs on products. As the company transitions
from tagging pallets to individual product mapping, RFID systems
are now installed in hundreds of Wal-Mart locations across the
U.S.
While RFID vendors and users have always thought about the
security and potential for abuse of these systems, reports about
potential vulnerabilities of these devices have caused some
concern.
In May, for example, the U.S. Department of Homeland Security
released a 15-page draft report outlining the possible use of RFID
to track people and profile their everyday activities. The report
specifically noted the use of RFID in identification cards and
tokens.
The American Electronics Association, a high-tech trade group
representing more than 2,700 companies, almost immediately issued a
formal statement refuting the report. It claimed that the report
slammed RFID without any supportive facts and mistakenly associates
the technology with the tracking of human beings. While RFID can be
used to track small bits of information, it is how that information
is used that should be of concern -- not the technology itself.
Inject and infect
Most companies are more worried about deliberate attacks and
corruption of the data stored temporarily on RFID devices and later
fed through networks and corporate databases. A hacker could, for
example, tuck malicious code within the 90 to 100 bits of data
contained on most RFID tags. Although minute, this data could be
used to perform an SQL injection, punching a hole in a database or
taking advantage of weaknesses in a PHP Web site, said
Laudermilch.
Airbee's Krishnamurthy pointed to possible problems that exist
in RFID readers and the middleware software that interacts with
tags. This processing software may not be designed to catch things
beyond obvious buffer-overflow errors on the tags, so malicious
code may be interpreted as database commands and create a chain
reaction of corrupted data that flows into the central information
resource.
Such a scenario is definitely "plausible," although not likely,
since a design flaw of this extent would be "like leaving the front
door unlocked at Fort Knox," he observed.
Concerns raised about the security of RFID devices are not
easily dismissed by those on the development and design side. RFID
device manufacturers are taking some positive steps in creating a
new generation of tags that are inherently more secure than earlier
systems.
Symbol Technologies Inc., for example, has focused its efforts
on developing Generation 2-type long-range UHF chips that can be
"locked down" to transmit nothing but a product identifier. The
data on these chips -- usually a string of numbers -- cannot be
changed or laser-etched during manufacture, Symbol claims, pointing
out that these new chips are now being tested in pharmaceutical
applications.
Semiconductor manufacturer Broadcom Corp. has also just unveiled a
secure RFID chip that includes embedded technology to protect the
personal data in its possession. The device will be used in ID
cards and key fobs, as well as contact-less credit cards, states
Broadcom.
Determined diligence
The best defense in
protecting RFID tags and other discrete wireless
devices from abuse, however, may be to keep a diligent watch
on their use and activities with a network. This is especially
critical as more mundane devices, like cell phones, are adapted
to interact with tagged devices.
"What you will see is that RFID and WiFi standards will include
the ability to do purchases," said Nathan George, a channel manager
with Trio Teknologies Inc., a Carrollton, Tx.-based developer and
distributor of wireless and mobile applications. While credit card
information will not be stored locally on the RFID chip, it will
contain some type of user authentication information.
"The sophistication and complexity of attacks are getting very,
very difficult to deal with and obviously create some sensitivity,"
noted Cal Slemp, IBM's vice president of security and privacy
services. As a result, he said, IBM is "taking a more holistic view
to focus on policies as well as technologies."
This view includes more scrutiny of wireless networks and
embedded devices like RFID and other "near-field" technologies, as
well as more of an emphasis on protecting identity systems and
customer information.
Most people often think of identity management and security in
defensive terms, said Slemp. But protection and management systems
can "help organizations to enable new services and business models
that might otherwise be too risky too implement."
Tim Scannell is a principle analyst with
Shoreline Research who specializes in mobile
and wireless security issues.