RFID: A Bad Rap?
Concerns over RFID security were stoked last year when a team of university researchers in the Netherlands published a paper describing how RFID tags could provide a conduit for miscreants to launch attacks on back-end network infrastructure. But in most RFID systems, tags contain small amounts of fixed, read-only data, making them unlikely conduits for infecting the middleware and back-end databases that power RFID systems, according to many industry experts.
Poorly configured RFID systems have the potential to be targeted by hackers, but all it takes are rudimentary skills to properly architect and make an RFID network secure, said Patrick Sweeney, president and CEO of Odin Technologies, an RFID integrator in Herndon, Va. "If a network is set up with a base-level security configuration, there is no way those types of things can happen."
When RFID attacks do materialize, hackers will probably do things like access middleware servers and put wireless packet sniffers on the network, Sweeney added. "The good thing is that most RFID tags are basically just a 'license plate' [with fixed data], so if the attacker does manage to get the data it's not a serious breach," he said.
But while industry experts insist that RFID is no more vulnerable than other network infrastructure, they say the emerging technology presents its own unique set of security challenges.
Some organizations are wary of adopting RFID technology because of the perceived risk of personal information being compromised, said Joe Bardwell, president and chief scientist of Connect802, a solution provider in San Ramon, Calif.
As RFID banking devices such as smart cards and fobs become more popular, it's possible that miscreants could find a way to interrogate the devices and possibly access users' personal information, Bardwell said.
Electronic Product Code tags, a standard for low-cost RFID tags, are expected to eventually become the most prevalent type of RFID device. EPC tags come with security features that prevent unauthorized writing and reading, but they're susceptible to cloning and counterfeiting, said Ari Juels, principal research scientist at RSA Laboratories.
RSA is working on a project to impart anticounterfeiting measures to RFID tags in order to overcome what Juels characterizes as "an important limitation" of the EPC standard. "You can clone an RFID device with a radio device that looks like the original tag, which can be problematic," Juels said.
The fact that RFID architecture requires elements to be situated on the network edge runs counter to the goal of many companies today that are seeking to consolidate corporate network infrastructure and situate data center operations in a central location.
Charlie Schmidt, professional services manager at AbeTech, a Rogers, Minn.-based integrator, said second-generation EPC devices, which are designed for use with palettes and boxes, are "fairly wide open" from a security standpoint. "I'd say that RFID hacking is a concern; anyone with a reader or interrogator that supports that protocol can pick up that data," Schmidt said.
Many organizations are wondering if encrypting RFID transmissions could be a way to avoid security issues. But encryption adds cost and complexity, and Schmidt said he usually tries to steer customers away from that option.
Even though serious RFID attacks haven't occurred yet, it's still important to contemplate defenses, Juels said. "We're developing a new critical infrastructure, and we don't want to be bolting on security and remediation only when attacks occur," he said.
Go to www.rfid-world.com for more information on RFID and the upcoming RFID World 2007 conference.