RFID continues to raise security concerns

As more applications are developed for radio frequency identification technology, CIOs need to pay closer attention to the potential security risks.

One of CIO Shelly Barnes' tasks is to find an efficient way to track vast stockpiles of granite slabs. Barnes oversees IT at Arizona Tile LLC, a fast-growing stone and tile company with 23 stores across seven states. The unique nature of each granite slab, the high volume of the inventory and its high value make the project a good candidate for passive radio frequency identification (RFID) tags, Barnes said. But the rough-hewn slabs are also subject to extremes in temperature and -- their hefty proportions notwithstanding -- they are often on the move, traveling from spot to spot within a given facility and from store yard to store yard by truck.

"We've had some challenges related to the ability to adhere the RFID tags to our very rough-edge slab material, so I'm working with tag companies and adhesive manufacturers to find a solution for that first before we go full blown with the project," she said.

The problem Barnes faces now is minor compared with the problems she could face if the company expands its use of RFID. For companies like Arizona Tile, using RFID tags as a "slap and ship" label -- or licence plate -- poses few security concerns, experts say. However, risks escalate when the tags are used to collect, carry and communicate additional and likely sensitive information.

Pointers for responsible use of RFID
Shore up business processes: Assign employees to physically monitor items to make sure RFID tags have not been removed or replaced.

Make middleware your trusted go-between: Put as much functionality in the middleware as possible, cutting down on the vulnerable communication between tags and readers.

Source: Forrester Research

A recent report from Forrester Research Inc. cautions that RFID is not mature enough to protect company secrets. The firm advises companies to carefully weigh the efficiencies offered by RFID against the security risks.

"If you can't maintain your security standards with the currently available hardware, wait until your RFID manufacturer improves its devices before you implement your system," the report warns.

The weakest link in the security chain is the RFID tag -- in particular, the so-called passive tag, Forrester said. Passive tags are identifiers with minimal memory and a smidgen of processing power. Because of their limited computing power, passive tags are unable to authenticate a reader, so they can be read by an intruder. Passive tags also are unable to prove their identity, so the "real" reader in turn can be fooled by fake cloned RFID tags.

For example, a retail store uses passive RFID tags to monitor inventory on its razor display shelf and prevent theft. With a device that costs $100, a thief listens in on the exchange between the tag and the shelf reader and writes identical tags. The thief destroys the real tags and dumps the forged tags on the shelf. The reader thinks the razors are still on the shelf, and the thief walks out with the booty.

Active tags, or RFID identifiers with more brainpower, can employ cryptographic protocols that provide confidentiality, but even those aren't impossible to crack, said Jennifer Albornoz Mulligan, one of the authors of the report.

Active tags are susceptible to a different line of attack. While many passive tags can only be written once, assuring a permanent identity, active tags are designed to be modified over time. Using a low-cost tag writing device, a criminal could maliciously alter or delete the data on the tags. An attacker, for instance, could sabotage a food company's warehouse by changing the harvest date on items. Thinking the data tags are valid, warehouse employees throw away fresh food or dispatch rotten goods to the stores.
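The harvest-date scenario above is one where the Forrester pointer about putting trust in the middleware applies directly: if the middleware seals each record it writes with a keyed MAC, an edit made by a writer that does not hold the key is detected at the next read. This is an added example, not code from the article or from Forrester; it assumes the active tag has room to store the MAC alongside the business fields and that the key stays in the middleware.

```python
import hashlib
import hmac
import json

# Assumed key held only by the middleware, never written to a tag (constructed value).
MIDDLEWARE_KEY = b"constructed-demo-key-do-not-reuse"


def seal_tag_record(record: dict, key: bytes = MIDDLEWARE_KEY) -> dict:
    """Return the record plus a MAC over its canonical JSON form.

    Any change to a sealed field (harvest_date, sku, epc, ...) by a writer
    without the key changes the payload and therefore invalidates the MAC.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {**record, "mac": mac}


def verify_tag_record(stored: dict, key: bytes = MIDDLEWARE_KEY) -> bool:
    """True only if the data fields still match the MAC written at sealing time."""
    fields = {k: v for k, v in stored.items() if k != "mac"}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(stored.get("mac", "")))


# Constructed sample record, as the warehouse middleware would write it to the tag.
GENUINE = seal_tag_record(
    {"epc": "urn:epc:demo:0001", "sku": "strawberries", "harvest_date": "2005-05-01"}
)


def tampered_copy(sealed: dict, new_date: str) -> dict:
    """Simulate an unkeyed writer rewriting only the harvest date on the tag."""
    return {**sealed, "harvest_date": new_date}


if __name__ == "__main__":
    print("genuine record verifies:", verify_tag_record(GENUINE))
    print("altered date verifies:", verify_tag_record(tampered_copy(GENUINE, "2005-05-20")))
```

The MAC catches modification of the sealed fields but not erasure of the tag or a wholesale copy of a genuine record onto another tag, so cloned-ID detection still has to be done separately.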

The third little RFID shop of horrors, according to Forrester, involves a denial-of-service attack. A perpetrator walks through a store broadcasting an "overwhelming number of tags" while helping himself to some items. The system is deluged by the flood of data and doesn't notice the missing items until the thief is out the door.
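Both the cloned razor tags described earlier and the tag flood described here leave traces in the reader logs that the back end can check, even when the tags themselves cannot authenticate anything: a cloned EPC shows up at two locations closer together in time than goods can travel, and a flood shows up as one reader reporting an implausible number of distinct tags in a single second. The following detection pass over a constructed read log is an added example, not code from the article or from Forrester; the log format, reader names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed read events: (timestamp, reader_id, location, epc). Not from the article.
READ_LOG = [
    ("2005-05-01T10:00:00", "shelf-01", "store-A", "epc:razor:100"),
    ("2005-05-01T10:00:01", "shelf-01", "store-A", "epc:razor:101"),
    ("2005-05-01T10:00:05", "dock-07", "store-B", "epc:razor:100"),  # same EPC, other store, 5 s later
    ("2005-05-01T10:00:30", "shelf-01", "store-A", "epc:razor:100"),
]
# A constructed burst of 40 distinct tags at one door reader within the same second.
READ_LOG += [("2005-05-01T10:05:00", "door-02", "store-A", f"epc:bogus:{i}") for i in range(40)]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_clone_suspects(log, min_travel=timedelta(minutes=30)):
    """Flag EPCs seen at two different locations sooner than goods could have moved between them."""
    last_seen = {}  # epc -> (time, location) of the previous read
    alerts = []
    for ts, reader, loc, epc in sorted(log):  # ISO timestamps sort correctly as strings
        t = parse(ts)
        if epc in last_seen:
            prev_t, prev_loc = last_seen[epc]
            if prev_loc != loc and t - prev_t < min_travel:
                alerts.append((epc, prev_loc, loc, (t - prev_t).total_seconds()))
        last_seen[epc] = (t, loc)
    return alerts


def find_flood_readers(log, max_distinct_tags_per_second=20):
    """Flag readers that report more distinct EPCs in one second than the site could plausibly hold."""
    buckets = defaultdict(set)  # (reader, whole second) -> distinct EPCs seen
    for ts, reader, loc, epc in log:
        buckets[(reader, parse(ts).replace(microsecond=0))].add(epc)
    return sorted({reader for (reader, _), epcs in buckets.items() if len(epcs) > max_distinct_tags_per_second})


if __name__ == "__main__":
    print("clone suspects:", find_clone_suspects(READ_LOG))
    print("flooded readers:", find_flood_readers(READ_LOG))
```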

Mulligan said the push to make cheap RFID devices for companies will also put the technology within reach of thieves. "Will a criminal spend $100 for a tag reader? They will if they can walk out of your warehouse with all your stuff," she said.

Scientists are working on authentication mechanisms for passive tags, but these are not available yet, Mulligan said.

Still, she said, it is difficult to accurately assess the potential security risks of current RFID systems, because companies using RFID are reluctant to talk about security and vendors are saying one thing, but doing another.

"Oh, they say, everyone is using RFID exactly the way EPC Global says to, as in using them as license plates," she said, referring to the industry organisation that is devising standards for the use of RFID. "Then they talk out of the other side of their mouth, saying, look at all these great things we can do, all these new applications. While it is really exciting, you wouldn't want to open up your business to this type of risk without giving the technology a really good examination."

"The problem with RFID is that a lot of the mistakes we made with regard to security when we were building the Internet are being made again," said Ari Juels, principal research scientist at RSA Laboratories, the research arm of RSA Security.

"Often the people who are designing RFID systems don't have mature security expertise," Juels said.

"To be fair, they are just trying to get the technology to work now and push off the question of security and privacy," he said, but added that this was a serious error. "It will just cost more in the end. It is very hard to patch systems after the fact, particularly hardware systems. You can't push out 5 billion little patches for every device."

Juels said passive tags that offer "fairly good security" do exist. The problem, in his view, is that the passive tags likely to become the de facto standard for industrial use -- electronic product code (EPC) tags -- come up short on privacy and security.

"The aim of low cost has dictated the design for EPC tags that has excluded a range of possible privacy and security protection," he said.

Juels said RSA is working on methods to protect consumer privacy and enhance security of the tags, but thus far they have not been approved by EPC Global, the nonprofit consortium created to set standards for and commercialise EPC technology, including RFID.

In the meantime, he is seeing people deploy systems that lack sufficient protections. "I think that over the next few years we'll probably see a number of systems broken. Those are the growing pains of any new technology. We have to hope that we will pass through that stage as quickly and intelligently as possible."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

This article originally appeared on SearchCIO.com