Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Security issues swamp RFID

How much bad news can RFID take, before its backers start to listen?

Article comments


Radio frequency identification is a part of the present and may well be a major part of our future. This situation is, at best, a mixed bag (see Wal-Mart's RFID plans will fail, and RFID doesn't work - so live with it!).

It would not be quite so bad if vendors of RFID products and companies that say they want to use them better understood security and privacy.

For those of you who have been cave dwellers over the last few years, RFIDs are small electronic devices, normally with no battery or power supply, that can interact wirelessly to identify themselves to a scanner.

The best-known examples are the very simple devices that companies such as Wal-Mart are asking suppliers to put on pallets of goods and that drug companies are beginning to attach to containers in the distribution chain. These RFIDs are basically wireless bar codes that respond with a unique serial number when queried by a wireless scanner. Companies with large database infrastructures, like Wal-Mart, can keep track of where individual cartons of goods are in their supply chain or, someday far too soon, what individual products are in a shopper's physical cart.

But not all RFIDs are that simple. Some, like those being considered for the next generation of US passports, can report back a bunch of passport-holder-specific data. Others, like the electronic key used in some cars and the ExxonMobil SpeedPass, include a cryptographic challenge-response interaction in an attempt to make sure that the RFID is not counterfeit.

Ford chose weak security for its keys
These have not been particularly good days for the RFID business. Researchers at Johns Hopkins University and RSA Laboratories have shown that the RFID used in the SpeedPass and in the keys for some Ford vehicles can be spoofed reasonably easily (see http://rfidanalysis.org). The researchers demonstrated that the RFID chips used weak encryption keys that can be broken within a few hours. Imagine thieves scanning for car owners' encrypted keys while standing next to the car owners on elevators. The thieves then could break the encrypted keys and steal the car using normal car burglary tools, knowing that they could fool the electronic interlock into thinking they had the right key.

Texas Instruments, which makes the circuits used in the Ford keys and the SpeedPass, makes similar circuits with longer and harder-to-break keys. But Ford and Exxon Mobil decided to use the less expensive, weaker chips. Texas Instruments is not immune from blame here, as it is using a secret encryption algorithm, which violates the most basic of good encryption rules.

Passports that can be covertly read from 30 feet
At the same time, the US National Institute of Science and Technology (NIST) has shown that RFIDs to be used in US passports can be read from as far away as 30 feet. This would make it easy to spot people carrying US passports and capture information about them, and maybe even the passport holders themselves (a problem highlighted by the American Civil Liberties Union).

Retailers will snoop your clothes and baskets
Finally, Wal-Mart, the UK's Tesco, and other merchants investigating the use of RFIDs seem to be genetically blind to privacy issues inherent in setting up a system that would let individuals be singled out by wirelessly determining the pattern and values reported back by the RFIDs embedded in their clothing and possessions (visit Spychips.com for the privacy advocates' campaign against the retailers).

I wonder how much bad news the RFID business can absorb before it begins to figure out that there are still problems to be solved before it's time to deploy. So far, the RFID business has shown a remarkable level of absorbency.

Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@sobco.com.


Share:

More from Techworld

More relevant IT news

Comments




Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *