RFID security issues are cause for corporate concern

The use of radio frequency identification (RFID) chips and devices will increase dramatically over the next few years, as retailers, businesses and even the US federal government makes use of this often discrete communication technology.

Tim Scannell

But do these small chips and systems, which usually broadcast compact snippets of information, open a door to potential security breaches and risks? Does their use also create yet another entry point for viruses and malicious hacker mayhem? These are the questions security experts and RFID users are now wrestling with as these devices are called upon to deliver much more than simple tracking and product data.

"Any sort digital technology that is networked can be infringed upon or corrupted with malicious intent," said Srini Krishnamurthy, vice president of strategy and business development for Airbee Wireless Inc., a wireless solutions provider based just outside Washington, D.C. "RFID data may be read-only and in some cases read/write, but it lives in the same environment as viruses and worms that permeate the Net."

"All of these things have the ability to bury malicious code," added Norm Laudermilch, chief technology officer for Trust Digital Inc. "It doesn't take much malicious code to do things like an SQL injection, or take advantage of vulnerabilities in a PHP Web site."

Strength in numbers

What makes security gurus especially concerned is the sheer number of RFID tagging devices in use today and the expected millions that will be in place in just a year or two.

RFID data may be read-only and in some cases read/write, but it lives in the same environment as viruses and worms that permeate the Net. Srini Krishnamurthy Airbee Wireless

Worldwide RFID spending totaled about $504 million in 2005, and is expected to shoot past $3 billion by 2010, according to Stamford, Conn.-based market researcher Gartner Inc.

Major retailers like Wal-Mart Stores Inc. have embraced RFID as a means to better understand supply chain dynamics and control costs. In fact, its was Wal-Mart that spearheaded the widespread use of RFID tags to track product shipments about two years ago, when it demanded that all its suppliers eventually use the technology to keep tabs on products. As the company transitions from tagging pallets to individual product mapping, RFID systems are now installed in hundreds of Wal-Mart locations across the U.S.

While RFID vendors and users have always thought about the security and potential for abuse of these systems, reports about potential vulnerabilities of these devices have caused some concern.

In May, for example, the U.S. Department of Homeland Security released a 15-page draft report outlining the possible use of RFID to track people and profile their everyday activities. The report specifically noted the use of RFID in identification cards and tokens.

The American Electronics Association, a high-tech trade group representing more than 2,700 companies, almost immediately issued a formal statement refuting the report. It claimed that the report slammed RFID without any supportive facts and mistakenly associates the technology with the tracking of human beings. While RFID can be used to track small bits of information, it is how that information is used that should be of concern -- not the technology itself.

Inject and infect

Most companies are more worried about deliberate attacks and corruption of the data stored temporarily on RFID devices and later fed through networks and corporate databases. A hacker could, for example, tuck malicious code within the 90 to 100 bits of data contained on most RFID tags. Although minute, this data could be used to perform an SQL injection, punching a hole in a database or taking advantage of weaknesses in a PHP Web site, said Laudermilch.

Airbee's Krishnamurthy pointed to possible problems that exist in RFID readers and the middleware software that interacts with tags. This processing software may not be designed to catch things beyond obvious buffer-overflow errors on the tags, so malicious code may be interpreted as database commands and create a chain reaction of corrupted data that flows into the central information resource.

Such a scenario is definitely "plausible," although not likely, since a design flaw of this extent would be "like leaving the front door unlocked at Fort Knox," he observed.

Concerns raised about the security of RFID devices are not easily dismissed by those on the development and design side. RFID device manufacturers are taking some positive steps in creating a new generation of tags that are inherently more secure than earlier systems.

Symbol Technologies Inc., for example, has focused its efforts on developing Generation 2-type long-range UHF chips that can be "locked down" to transmit nothing but a product identifier. The data on these chips -- usually a string of numbers -- cannot be changed or laser-etched during manufacture, Symbol claims, pointing out that these new chips are now being tested in pharmaceutical applications.

More on RFID security RSA crypto panel takes on RFID Will RFID technology help or hinder security? Low-cost way(s) to 'foil' low-tech RFID tags IT market hears RFID message loud and clear

Semiconductor manufacturer Broadcom Corp. has also just unveiled a secure RFID chip that includes embedded technology to protect the personal data in its possession. The device will be used in ID cards and key fobs, as well as contact-less credit cards, states Broadcom.

Determined diligence

The best defense in protecting RFID tags and other discrete wireless devices from abuse, however, may be to keep a diligent watch on their use and activities with a network. This is especially critical as more mundane devices, like cell phones, are adapted to interact with tagged devices.

"What you will see is that RFID and WiFi standards will include the ability to do purchases," said Nathan George, a channel manager with Trio Teknologies Inc., a Carrollton, Tx.-based developer and distributor of wireless and mobile applications. While credit card information will not be stored locally on the RFID chip, it will contain some type of user authentication information.

"The sophistication and complexity of attacks are getting very, very difficult to deal with and obviously create some sensitivity," noted Cal Slemp, IBM's vice president of security and privacy services. As a result, he said, IBM is "taking a more holistic view to focus on policies as well as technologies."

This view includes more scrutiny of wireless networks and embedded devices like RFID and other "near-field" technologies, as well as more of an emphasis on protecting identity systems and customer information.

Most people often think of identity management and security in defensive terms, said Slemp. But protection and management systems can "help organizations to enable new services and business models that might otherwise be too risky too implement."

Tim Scannell is a principle analyst with Shoreline Research who specializes in mobile and wireless security issues.