RFID Security

Contributed by Joanne C. Kelleher

SecureRF has two new videos that highlight some of our older work along with our latest focus:

SecureRF’s Public Key Encryption Demo on an Active RFID Development Platform 

SecureRF’s Public Key encryption methods are suitable for wireless communication, active and passive RFID, Near Field Communications (NFC) and the Smart Grid. This demonstration shows these methods running on an active RFID development platform.

Veridify™ Demonstration – Highly Secure NFC-based Anti-counterfeiting solutions.  

Veridify™ is an anti-counterfeiting, product authentication solution from SecureRF Corporation which uses secure NFC tags and a NFC-enabled devices to authenticate products anywhere. The solution enables consumers and commercial users to confirm an item’s identity and optionally retrieve or collect additional data from Veridify’s cloud computing platform.

Thanks to our friends at The Grid, the New Haven Hub of the CTNext program, for help with the Veridify video and inspiring us to make one of our own.

Contributed by Joanne C. Kelleher

There has been a lot of discussion about using RFID tags to track pharmaceuticals through the supply chain.  In an effort to reduce drugstore theft, a different kind of tracking device is being used.  The New York Times reports that decoy pill bottles with GPS tracking devices are being put on the shelves in New York City - Police to Use Fake Pill Bottles to Track Drugstore Thieves.

The decoy pill bottles are designed to look like sealed bottles of oxycodone and even shake and weigh the same as an authentic bottle.  When a theft occurs the decoy bottle is removed from its base which triggers the GPS unit in the bottle to start broadcasting.  The NYPD will then monitor the signal and attempt to catch the criminal.

These decoys won’t physically stop a theft but could act as a deterrent, similar to the fact that robbers know banks put exploding dye-packs with stolen money.

The story concludes with this statement: “The advent of the decoy bottles has led the New York Police Department to consider a somewhat fanciful idea: that the police may one day be able to track not just bottles, but also individual pills.”  Knowing the size of current tracking devices, this is a technologically fanciful idea indeed.

We have launched a new blog: the Anti-counterfeiting Update.

This blog will discuss views and news about authentication solutions, anti-counterfeiting and brand protection.  Topics will include issues and current anti-counterfeiting/authentication approaches.

The RFID Security Blog will continue to focus on the more technical side of cryptography and security issues along with applications such as tracking, secure driver’s licenses, building access, food safety, defense, etc.

Commercial and government markets are facing counterfeiting issues, estimated to currently be a $646 Billion problem annually, especially in the pharmaceutical, electronics, liquor, and high fashion goods markets. The U.S. pharmaceutical market is approaching 4 billion prescriptions annually and the number of counterfeit drug investigations opened by the FDA has grown from six in 2000 to 72 in 2010. Similar counterfeit stories can be found in the liquor, electronics, and the high fashion markets. The estimated annual counterfeiting activity for electronics is $100 Billion, pharmaceuticals $200 Billion, liquor $5.3 Billion, and high fashion products $24.7 Billion.

Counterfeit electronic parts have become a major integrity issue in the U.S. Department of Defense, as well as, in the commercial and industrial marketplace. A February 2012 report by the General Accounting Office (GAO) reported that 16 military-grade parts ordered in a blind test could not be confirmed as legitimate after extensive testing. In related news, Customs Border Patrol has seized over 1.6 million counterfeit semiconductor chips in the last 24 months.

Visit the Anti-counterfeiting Update blog at http://veridify.com/anti-counterfeiting-blog/.

Contributed by Joanne C. Kelleher

Do you rush home from the grocery story so your milk, eggs and meat don’t sit too long in the warm car?  I know I do.  In the summer, I sometimes I even pack them in a cooler or wrap them in a blanket to keep them at the proper temperature for the 12 minute ride home.

How safe to eat do you think your groceries would be if they were left in the hot car for hours?  Unfortunately, this is what is happening with food transported by some trucks that are delivering to local restaurants or grocery stores.  TODAY National Investigative correspondent Jeff Rossen reported on this issue on 8/23/2012.

Rossen Reports: Some trucks carry unsafe food, authorities say

A hidden health hazard in some of the food you buy: Authorities say the trucks delivering that food to stores may be putting your family at risk.

This Today/MSNBC story generated a lot of conversation in our office both from a disgust factor, as well the fact that this problem could easily be monitored.  For example, there are sensors that attach to the inside of the truck and can monitor the overall interior temperature.  Because of the way the pallets are packed, the products in the center of the truck may be insulated by the products along the outer edge. To get a more accurate picture, another option is to put a temperature sensor, such as SecureRF’s LIME 2 RFID tag, on at the case or individual product level to monitor cold-chain shipments.  When a store is presented with the delivery, they could check to see if the products were every outside of the acceptable temperature limits and then decline to accept them if there is an issue.

As the Rossen Report discusses, the FDA was directed by Congress in 2005 to come up with stricter guidelines for food trucks with an updated deadline of July 2012.  As of January 4, 2013, two rules to implement the FDA Food Safety Modernization Act (FSMA) have finally been released and are open to a public comment period for 120 days.

FDA proposes new food safety standards for foodborne illness prevention and produce safety

http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm334156.htm

The first rule proposed, Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food, “would require makers of food to be sold in the United States, whether produced at a foreign- or domestic-based facility, to develop a formal plan for preventing their food products from causing foodborne illness. The rule would also require them to have plans for correcting any problems that arise.”

The second rule, Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption, “proposes enforceable safety standards for the production and harvesting of produce on farms.”

“Additional rules to follow soon include new responsibilities for importers to verify that food products grown or processed overseas are as safe as domestically produced food and accreditation standards to strengthen the quality of third party food safety audits overseas. … The FDA will also propose a preventive controls rule for animal food facilities, similar to the preventive controls rule proposed today for human food.”

The ‘holding’ portion of these rules addresses cold storage, but none of these rules addresses the shipment of food products.  So, for the foreseeable future, there will continue to be little federal oversight over maintaining foods at the proper temperature during transportation.   In the meantime pay attention to the packaging of the food you purchase.  Meat dripping stains or soggy cardboard may indicate the product wasn’t stored at the proper temperature.  Let the buyer beware.

Contributed by Joanne C. Kelleher

When I was interviewing for my job at SecureRF, one of the questions I was asked was “How do you learn about new technical subjects?”  I thought it was a strange question at the time and talked about reading, classes, online research, etc.  Once I learned more about all of the technical areas and industries that SecureRF’s technology incorporates or touches upon I understood why the question was asked.

Cryptography is one of those areas that I had to learn about and I wish this resource was available when I first started at SecureRF.  Within Khan Academy’s Applied Mathematics section are several lessons on cryptography.  Khan Academy is a not-for-profit organization that provides education via free videos.  Their “library of videos covers K-12 math, science topics such as biology, chemistry, and physics, and even reaches into the humanities with playlists on finance and history.”  The videos are about 10 minutes each making them easily digestible.

The cryptography training includes:

Ancient Cryptography

1. What is Cryptography?
2. Probability Space
3. The Caesar Cipher
4. Polyalphabetic Cipher
5. The One-Time Pad
6. Frequency Stability
7. The Enigma Encryption Machine (case study)
8. Perfect Secrecy
9. Pseudorandom Number Generators

 Modern Cryptography

1. The Fundamental Theorem of Arithmetic
2. Public Key Cryptography: what is it?
3. The Discrete Logarithm Problem
4. Diffie-Hellman Key Exchange
5. RSA Encryption: step 1
6. RSA Encryption: step 2
7. RSA Encryption: step 3
8. Euler’s Totient Function
9. RSA Encryption: step 4
10. What should we learn next?

New videos are constantly being added in all topic areas, so check out Khan Academy.

Want to learn more about cryptography?  SecureRF offers this paper:

An Introduction to Cryptographic Security Methods and Their Role in Securing Low Resource Computing Devices - An Overview of Public-key Cryptosystems based on RSA, Diffie-Hellman and the Next Generation of Public-key Cryptographic Security for Low-Resource Computing Devices – the Algebraic Eraser™

Contributed by Joanne C. Kelleher

Four years ago I wrote a blog post about the use of RFID at the 2008 Olympics in Beijing – “Olympic Tickets: RFID Security in Sports Illustrated” - http://www.securerf.com/RFID-Security-blog/?p=61.

RFID technology was used in 2008 Olympic event tickets and the chips contained the bearer’s photograph, passport details, addresses, e-mail and telephone numbers.  These RFID enabled tickets were touted as a deterrent and an anti-counterfeit device despite the fact that there appeared to be no security features incorporated into the RFID tags themselves.  The publicity about these tickets focused on the fact that this technology was being used; most of the articles used the word “RFID” in the headline.

I was curious about how things have changed for the 2012 Olympics in London.  This year, Near Field Communications (NFC) is being used for a variety of applications, but the word “NFC” isn’t in the headlines, and is often not mentioned at all.

Here are several examples of NFC applications being used at the 2012 Olympics:

“Identive Provides Secure ID Solutions at London 2012 Olympics: Innovative Technology Includes Entry Systems for IOC Members and Guests at the Olympic Club and Cashless Payment for 100,000 Visitors at Alexandra Palace Hospitality Events” – http://www.nasdaq.com/article/identive-provides-secure-id-solutions-at-london-2012-olympics-20120726-00046

NFC does gets mentioned in Identive’s announcement: “ the contactless cards utilize Identive’s innovative tomPAY™ near field communication (NFC) tag technology, which allows them to be used both as conventional cashless payment cards and as NFC payment stickers for mobile phones.”

This technical description contrasts with Visa’s announcements which only refer to chip-enabled contactless cards, not NFC.  “Visa showcases future of payments at the London 2012 Games” – http://www.nfcnews.com/2012/07/25/visa-showcases-future-of-payments-at-the-london-2012-games

The firm I-DENTI-FIED, which is providing to some US Olympic teams ID cards that access health care records, doesn’t even get that technical.  Their CEO is quoted as “…when that ID is scanned or accessed via some technology that we provide,…”  (really, “some technology”?) Based on the description of the ID cards which was found on their website, that technology could be a RFID reader, QR or bar codes, a web based form or a phone number.   “Olympic Teams To Use Indiana Technology For Medical Records” - http://indianapublicmedia.org/news/olympic-teams-indiana-technology-medical-records-33180/.

I found a number of generic references to RFID ticket usage at the Olympics on the websites of vendors that provide these products.  For example, “RFID entrance tickets are being used at concerts, major global sports events, including the Olympic Games, as well as at theme parks, and many more.” Or “Major sports events like the Olympic Games use RFID entrance tickets.”  But there was nothing specific about RFID tickets for the 2012 Summer Olympics, and these promotions could have been referring to the Beijing Games.  It is unclear if RFID is not being used in this summer’s tickets or if it is no longer news worthy.

Here is the only application promoting the use of RFID at the 2012 Olympics that I could find.

“Cadbury Offers RFID-enabled Treats During Summer Olympics:  The candy company is using a UHF solution from Dwinq at Cadbury House, its temporary exhibit in London’s Hyde Park, to allow visitors to share pictures with their Facebook friends” – http://www.rfidjournal.com/article/articleview/9776/1/1/

Sharing photos via Facebook is a far cry from the aim of the Chinese to use RFID to prevent counterfeit tickets.

At the 2008 Games no one was talking about NFC, and in 2012 RFID is barely mentioned, so I look forward to seeing the technology that is selected for use at the 2016 Olympics in Rio de Janeiro, Brazil.

Contributed by Joanne C. Kelleher

When SecureRF first started getting involved with putting our cryptographic technology on RFID tags there was much concern about the privacy issues related to RFID.  It was a topic that we wrote about a lot, for example, this 2009 blog post “Talking About Privacy Issues” –  http://www.securerf.com/RFID-Security-blog/?p=99.

But around the office we often commented about how there were much larger privacy issues surrounding the use of cell phones and the Internet, yet there wasn’t as much of a backlash as there was about RFID tags.  Years later that seems to have changed.  RFID tags are much more accepted then 4 years ago, even for applications such as student tracking.  Recently there has been a lot of buzz around privacy related to other technologies.

The New York Times’ June 4, 2012 piece “Rethinking Privacy in an Era of Big Data” quotes Danah Boyd, a senior researcher at Microsoft Research.  “Privacy, Ms. Boyd notes, is not the same as security or anonymity. It is an ability to have control over one’s definition within an environment that is fully understood. Something, arguably, no one has anymore.”  http://bits.blogs.nytimes.com/2012/06/04/rethinking-privacy-in-an-era-of-big-data

This July 24, 2012 TED Blog “What data is being collected on you? Some shocking info” highlights a politician’s multiple-year quest to receive the data collected about him from his phone company.  It also features other privacy articles in The New York Times, The Atlantic and additional TED Talks.  Resources to protect your privacy are also suggested.  http://blog.ted.com/2012/07/24/what-data-is-being-collected-on-you-some-shocking-info/

It is interesting to see that the privacy discussion has not only changed focus, but moved from more obscure blogs and publications to mainstream media.