Security issues swamp RFID

Radio frequency identification is a part of the present and may well be a major part of our future. This situation is, at best, a mixed bag (see Wal-Mart's RFID plans will fail, and RFID doesn't work - so live with it!).

It would not be quite so bad if vendors of RFID products and companies that say they want to use them better understood security and privacy.

For those of you who have been cave dwellers over the last few years, RFIDs are small electronic devices, normally with no battery or power supply, that can interact wirelessly to identify themselves to a scanner.

The best-known examples are the very simple devices that companies such as Wal-Mart are asking suppliers to put on pallets of goods and that drug companies are beginning to attach to containers in the distribution chain. These RFIDs are basically wireless bar codes that respond with a unique serial number when queried by a wireless scanner. Companies with large database infrastructures, like Wal-Mart, can keep track of where individual cartons of goods are in their supply chain or, someday far too soon, what individual products are in a shopper's physical cart.

But not all RFIDs are that simple. Some, like those being considered for the next generation of US passports, can report back a bunch of passport-holder-specific data. Others, like the electronic key used in some cars and the ExxonMobil SpeedPass, include a cryptographic challenge-response interaction in an attempt to make sure that the RFID is not counterfeit.

Ford chose weak security for its keys
These have not been particularly good days for the RFID business. Researchers at Johns Hopkins University and RSA Laboratories have shown that the RFID used in the SpeedPass and in the keys for some Ford vehicles can be spoofed reasonably easily (see http://rfidanalysis.org). The researchers demonstrated that the RFID chips used weak encryption keys that can be broken within a few hours. Imagine thieves scanning for car owners' encrypted keys while standing next to the car owners on elevators. The thieves then could break the encrypted keys and steal the car using normal car burglary tools, knowing that they could fool the electronic interlock into thinking they had the right key.

Texas Instruments, which makes the circuits used in the Ford keys and the SpeedPass, makes similar circuits with longer and harder-to-break keys. But Ford and Exxon Mobil decided to use the less expensive, weaker chips. Texas Instruments is not immune from blame here, as it is using a secret encryption algorithm, which violates the most basic of good encryption rules.

Passports that can be covertly read from 30 feet
At the same time, the US National Institute of Science and Technology (NIST) has shown that RFIDs to be used in US passports can be read from as far away as 30 feet. This would make it easy to spot people carrying US passports and capture information about them, and maybe even the passport holders themselves (a problem highlighted by the American Civil Liberties Union).

Retailers will snoop your clothes and baskets
Finally, Wal-Mart, the UK's Tesco, and other merchants investigating the use of RFIDs seem to be genetically blind to privacy issues inherent in setting up a system that would let individuals be singled out by wirelessly determining the pattern and values reported back by the RFIDs embedded in their clothing and possessions (visit Spychips.com for the privacy advocates' campaign against the retailers).

I wonder how much bad news the RFID business can absorb before it begins to figure out that there are still problems to be solved before it's time to deploy. So far, the RFID business has shown a remarkable level of absorbency.

Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@sobco.com.