With Experts Like This, Who Needs Critics…
Contributed by Joanne Kelleher
I ran across an article in the June/July 2007 issue of Supply & Demand Chain Executive called RFID Security: Retail and Beyond – A look at the challenges posed by radio frequency identification technology at the store level and in the warehouse.
It was written by Judith M. Myerson, a systems architect and engineer and the author of RFID in the Supply Chain: A Guide to Selection and Implementation. She addresses RFID security concerns for retailers implementing an RFID-based supply chain system. Unfortunately, several of her comments are misleading.
Myerson says that with an RFID transmitter implanted between his thumb and finger, “a hacker can wave his hand to unlock a door to enter a warehouse filled with RFID-tagged pallets and cases, and then alter the tags. Or the hacker could send a malicious virus to the reader for transmission, for example via a method called ‘SQL injection,’ to an RFID tag affixed to case of, say, Kleenex boxes.”
It is possible for a hacker to unlock a door secured by RFID, but not with today’s human-implanted devices.
Seattle-based IOActive gained lots of press last spring when they planned to show off an RFID “cloning” device at the Black Hat security trade show that could be used to steal access codes from proximity cards, store them, then use the stolen codes to fool a card reader such as those used to open doors. In an ABC news report, Jonathan Westhues, RFID hacker, demonstrates a device he built for cloning RFID tags used for building access at the California state Capitol – http://www.youtube.com/watch?v=4jpRFgDPWVA. Both of these devices, which attach to a laptop, are far larger than anything I would want implanted in my body.
VeriChip Corporation – http://www.verichipcorp.com – holds the patent on producing human-implantable RFID microchips. “About the size of a grain of rice, the microchip inserts just under the skin and contains only a unique, 16-digit identifier. The chip itself does not contain any other data other than this unique electronic ID.” There is not enough memory or computing power on this type of passive RFID tag to alter other RFID tags or send a malicious virus. In order for a hacker to use a VeriChip to open the warehouse door, the 16-digit code on the chip he had implanted would have to be the same as the access code on the reader at the door. I suspect the chance of that randomly happening is much less than the chance that the house or car key I have in my pocket could be used to open a traditional lock on a warehouse door.
Myerson also says “another security threat comes from hackers who are able to eavesdrop on, and jam, RFID tags. The problem with RFID tags to date is that they are not conducive to using standard means of cryptography to protect them.” Threats such as eavesdropping (the interception of legitimate communication between a reader and tag), skimming (the interrogation of the tag by a rogue reader, which can be used to identify high-value items for diversion or attack), cloning (the copying of the data, thus increasing potential counterfeiting), data tampering, tracking and denial-of-service attacks may be issues when the correct level of security is not used on the tag. But despite what Myerson says, there are cryptographic solutions that can protect against these attacks and fit on passive, semi-passive and active RFID tags. For some business applications, these threats may not be worth the ROI to prevent.
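The difference between a static-ID tag and a tag that answers a cryptographic challenge, as an added example (not from Myerson's article or any RFID product). HMAC-SHA256 stands in for whatever algorithm a real tag implements; the class names, the 16-digit ID and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Answers every query with the same fixed ID (proximity-card style)."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored


class ChallengeResponseTag:
    """Holds a secret key and proves knowledge of it for each challenge."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def reader_accepts(respond, expected_for) -> bool:
    """Reader sends a fresh random challenge and checks the answer."""
    challenge = secrets.token_bytes(16)
    return hmac.compare_digest(respond(challenge), expected_for(challenge))


def demo() -> dict:
    tag_id = b"0000000000000001"      # constructed 16-digit ID
    key = secrets.token_bytes(16)     # constructed per-tag secret
    static, crypto = StaticTag(tag_id), ChallengeResponseTag(key)
    want_static = lambda c: tag_id
    want_crypto = lambda c: hmac.new(key, c, hashlib.sha256).digest()
    # One legitimate exchange with each tag, as an eavesdropper would record it.
    heard_static = static.respond(secrets.token_bytes(16))
    heard_crypto = crypto.respond(secrets.token_bytes(16))
    return {
        "static_genuine": reader_accepts(static.respond, want_static),
        "static_replay": reader_accepts(lambda c: heard_static, want_static),
        "crypto_genuine": reader_accepts(crypto.respond, want_crypto),
        "crypto_replay": reader_accepts(lambda c: heard_crypto, want_crypto),
    }


if __name__ == "__main__":
    print(demo())
```

The recorded static ID is accepted on replay, while the recorded HMAC response is rejected because the reader's next challenge differs from the one that was overheard.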
I agree with Myerson’s opinion that “RFID technology offers great promise for improving supply chain efficiencies… and companies that are serious about leveraging this still-emerging technology must take into consideration the various security issues inherent to RFID.” But companies should concentrate on the threats that are realistic and on addressing consumer privacy. They should not be distracted by less likely situations such as Myerson’s example of a cat walking into the store while carrying an unseen transmitter that could be used to block radio signals, causing the store’s systems to shut down.
A few days after I read Myerson’s article, the next issue of RFID Connections, a newsletter from AIM Global, was released (Thursday, July 26, 2007) – http://subscriptions.aimglobal.org/htmlframeset.asp?article=983&list.
Editor Bert Moore wrote a column called RFID: Critiquing the Critics, which gives some guidelines to use when evaluating criticism of RFID technology. His first point is to ask if the scenarios are based on realistic probabilities. Was he thinking of an RFID-tag-implanted hacker or a transmitter-wearing cat?
Michael Petersen wrote:
Really, I appreciate all the talk about security, but there is no difference in protecting databases from intrusion and mal-use if originating through RFID or other means.
The RFID industry doesn’t need another naysayer to put doubts in people’s minds and freak out the public. The point is, a phone number is a unique ID, it’s published in a big white and yellow book, and people aren’t freaked out by that.
This seems a way for one vendor in the business of security algorithms to spin the story their way.
Posted 06 Nov 2007 at 4:48 pm