RFID's Security Challenge
Nov. 15, 2004
Security -- and its high cost -- appears to be the next hurdle in the
widespread adoption of RFID.
By George V. Hulme, Thomas Claburn
No one has complained of a security breach related to an RFID
deployment--yet. Businesses and vendors alike acknowledge that
security remains a question mark and that, for now, it has taken a
backseat to the focus on bottom-line results and returns on investment
for RFID-enabling their supply chains.
However, with a technology as ubiquitous as radio-frequency
identification will be, there's great potential for damage, warns
Salil Pradhan, chief technology officer of RFID technology at HP Labs.
"Today with bar codes, it's a city street, and you're going at 20 or
30 miles an hour. Now you can hit someone, but the damage is only so
much," he says. "With RFID, it becomes a freeway. You increase the
velocity of goods, you're relying on this system, and if the system
gets hacked, it will be a while before you even know about it."
That's why the industry needs to get its security house in order. "The
big issue that we face really is that the people driving the
applications--the retailers and the consumer-products
manufacturers--don't really understand what level of security they
want," says Tony Sabetti, director of supply-chain products for RFID
at chipmaker Texas Instruments Inc. "Or, I should say, what level of
security they're willing to pay for."
A number of security measures, including ISO standard 15693 for data
authentication, already are used in applications such as banking-card
authorizations and building-access systems, and could play a role in
RFID security, Sabetti says. But not all of them are being considered
for adoption by the EPCglobal Network, which provides the
infrastructure for sharing RFID-enabled information about products in
the supply chain. EPCglobal maintains the electronic-product-code
database, which identifies a manufacturer, product, and version and
serial number; provides middleware specifications for data exchange;
and administers the Object Name Service for matching an electronic
product code to information about the associated item. "I'm not
suggesting that they should adopt some of the other specifications.
I'm just saying there are a lot of great ideas in those other
specifications," Sabetti says.
Security breaches can happen at the RFID tag, network, or data level.
Part of the problem with adopting existing standards, at least at one
level, may be "the extremely low cost and therefore extremely light
functionality on the tags," says Burt Kaliski, chief scientist and
director at RSA Laboratories, the research center of security vendor
RSA Security Inc. All of the good security tools developed over the
last 20 years won't fit into the hardware that's available on most of
these RFID tags, he says. Encryption on a tag, for instance, would
chew up too much of a tag's processing power, as well as add extra
cost to tags that need to be lightweight and inexpensive for companies
to keep costs in line.
The good news is that the industry is paying more attention to the
security issue. Even Sabetti says these issues are being resolved. The
EPCglobal UHF generation 2 protocol, due to be ratified later this
year, is expected to work with ISO 18000-6C RFID wireless interface
specifications. EPCglobal was wise to enlist security vendor VeriSign
Inc. as its infrastructure provider to sort out issues surrounding
security and data sharing, Sabetti says. "I'm optimistic they can get
there," he says. "It's not a technology issue or even a concept issue.
It's just an implementation issue."
Despite the questions that revolve around security, you can't ignore
the fact that RFID ultimately provides a tremendous security boost.
"If you look at most supply chains today, truth be told, it's almost
security by obscurity," says Arvind Parthasarathi, director of product
management at supply-chain software vendor i2 Technologies Inc. "Bad
things are more likely to happen in the dark, and, in some sense,
[with RFID] you're reducing the amount of darkness out there." RFID's
ability to pinpoint the exact location of an item in inventory lowers
the risk of insider theft, because workers will know the inventory is
carefully tracked and up to date. "If you know for certain that the TV
arrived at a warehouse at a specific time, and then it ends up missing
there," he says, "that's a great deterrent."
The Tag
Such a tiny tag. So much potential for mischief.
For starters, RFID tags can be manipulated easily by hackers,
shoplifters, or disgruntled employees. That's what Lukas Grunwald, a
consultant with DN-Systems Enterprise Internet Solutions GmbH,
demonstrated at the 2004 Black Hat security conference earlier this
year.
Using a small program he helped develop, dubbed RFDump, Grunwald
showed how the tags could be read, altered, and even deleted. RFDump
requires nothing more than an inexpensive plug-in tag reader attached
to a handheld, notebook, or desktop system running Windows or Linux.
The software shows how anyone could potentially destroy all RFID tag
information, change the price of an RFID-tagged item for sale, or even
switch data, which could lead to retailers having to do time-consuming
manual inventories to have an accurate count of their goods.
Most passive tags supporting EPCglobal standards are write-once, but
RFID tags that support other standards, such as ISO, provide multiple
write-to capabilities, and, by next spring, the market will be flooded
with EPCglobal UHF generation 2 protocol RFID tags that also support
multiple-write features. Because they're not write-protected, passive
tags can be changed or written to "a couple of thousand times,"
Grunwald says.
Tire manufacturer Michelin North America Inc., which is embedding RFID
tags in tires' sidewalls to help auto manufacturers and auto-parts
retailers identify them, says chip reprogrammability is a concern. It
needs to be "managed appropriately," says Pat King, Michelin North
America Inc.'s global electronics strategist. King also is a member of
the RFID Expert Group within the AIM Global Standards Action Group, a
global trade association concerned with managing the collection and
integration of data with information-management systems. "Companies
shouldn't assume or depend on keeping the data that resides in that
reprogrammable space on the tag secure. If you doubt the validity of
that information, you can always go back to the secure information on
the chip and verify it with data stored in a database."
The lack of support for point-to-point encryption (which is available
using existing standards such as ISO 14443/DESFire) and a PKI key
exchange contribute to tag vulnerability, according to IT advisory
services firm The Advisory Council. In an article on InformationWeek's
RFIDinsights.com site (informationweek.com/1011/tac_rfid.htm), The
Advisory Council also identifies other ways tags could be exploited.
"Rumors within law enforcement have reported that hijackers of cargo
trucks are already using RFID readers to help determine which shipping
pallets are worth stealing," The Advisory Council
But many say scenarios where supply-chain data could get corrupted by
"rogue" RFID tags, or that supply chains could be slowed by changing a
tag's data to random data in a denial-of-service attack, pose no
greater risk than what already exists today. "RFID provides more
security and more opportunities to prevent people from getting their
hands on the supply chain. I can't think of any scenario that could be
done because of RFID that doesn't already happen today," says Mani
Subramanyam, principal consultant for retail solutions at IT-services
company Wipro Technologies. For instance, retail customers have been
known to swap bar-code tags to try to cheat the system, he says. And,
unlike RFID tags, bar codes can be counterfeited on most any computer
and printer.
"That sort of thing is much more difficult with RFID tags than with
bar codes. You need specific technical knowledge and specific tools to
pull it off," agrees Peter Regen, VP of global visible commerce
solutions at Unisys Corp.
Security devices are being considered and are likely to ease many of
the security worries that center around RFID tags. For example,
unique, product-specific EPC codes, akin to a car's vehicle ID number,
could be created so that if anyone were to break the security, he or
she would get information for only a single product. And that's not
worth the time it will take to break the code, Regen says. "You're not
going to do it, the bar will be too high," he says.
Additionally, the new EPCglobal UHF generation 2 protocol standard
will provide enhanced security features for passive tags, says Sue
Hutchinson, director of product management at EPCglobal. The standard
provides password protection as well as the ability to encrypt the
data being sent from the tag to the reader, rather than having
encryption on the tag itself.
While companies are just starting to address security questions,
privacy advocates and legislators have for some time been attempting
to address the privacy issue, which primarily centers around the tags.
As the issue gains traction, the industry has started to focus on it,
as well. At Germany's Metro Group AG's Future Store in Rheinberg, RFID
tags on items lose their function outside the store, a spokesman for
the retailer says. A "deactivator" is available to the customer at the
exit of the store; this overwrites the numerical product code stored
on the chip and changes it into zeroes.
RSA Security developed ways to block RFID tag readers, says Dan
Bailey, RFID solutions architect at RSA Laboratories.
Earlier this year, RSA Security demonstrated its RSA Blocker Tag, a
specially designed RFID tag built into shopping bags that launches a
denial-of-service attack to prevent RFID readers from reading any tags
that might be attached to items in the bag. But the downside was that
the Blocker Tag also could provide a way for shoplifters to blind a
store's security efforts. So the company shifted gears, says Dan
Bailey, RFID solutions architect with RSA Laboratories. "We've come up
with ideas and refinements that are more suited to actual deployment,"
Bailey says.
One idea is the "soft blocker," which would enforce consumer-privacy
preferences, but only after an item actually has been purchased. At
the point of sale, a consumer could swipe a loyalty card, which would
link to data about his or her privacy preferences. "After the item is
purchased, the point of sale would update the privacy bit and note
that it should be ignored by certain readers, such as supply-chain
readers," Bailey says.
The soft blocker would be a good alternative to killing the tag with a
privacy bit, a capability available with the EPCglobal generation 2
tags. "Killing tags will stifle the development of downstream consumer
applications," he says.
Whether or how all these ideas will be embraced is up for grabs.
"These are ideas that are being tossed around," Hutchinson says.
"Frankly, the end-user community hasn't worked through on a process
level how a soft kill would be implemented in a real environment."
Maybe now is a good time to start.
The Network
As the examples above show, there are plenty of opportunities on
retail-store floors or during the transport of goods from one location
to another to uncover and even alter data on an RFID tag. But equally
vulnerable is the network at companies' distribution centers,
warehouses, and store back rooms where RFID-tagged cases, pallets, or
other items enter into the possession of a company or one of its
stores. Unsecured wireless networks present opportunities for
eavesdropping on data.
"Everything from the reader back is very standard Internet
infrastructure," says Kevin Ashton, VP of marketing at ThingMagic, an
RFID-reader manufacturer whose technology is sold through original
equipment manufacturers, including Tyco International Ltd.'s ADT
subsidiary and Zebra Technologies Corp. "So you have all the same
security issues and opportunities that you have with the Internet."
That includes having a rogue reader introduced by a competitor or
intruder onto an unsecured network and shipping all the data it scans
off to that person, says Forrester analyst Laura Koetzle. "Another
place to worry is having the data taken in by your readers hijacked
between the readers and the repository of that data," she says.
ThingMagic's RFID-reader technology includes built-in authentication
features to make sure rogue readers aren't eavesdropping, says Kevin
Ashton, VP of marketing.
Photo by Richard Schulz
The solution is to make sure all the readers on your network are
authenticated before they can pass on any information to middleware
that feeds enterprise systems and that the data traffic between the
reader and the back-end system is encrypted. "There are some very
sensible measures that should be taken when deploying RFID readers to
make sure that they authenticate themselves properly to the corporate
network and also that they're not broadcasting meaningful, useful
information through the air that could be subject to eavesdropping by
other people," Ashton says. For instance, readers based on technology
from companies such as Symbol Technologies and ThingMagic support
standard networking technologies, including built-in authentication
features to prevent unknown entities from getting access.
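
The reader-authentication step described above, sketched as an added example (not code from the article or from any vendor it names): middleware accepts a read report only from an enrolled reader whose HMAC verifies and whose counter has advanced. The reader ID, key, and EPC value are constructed, and encryption of the link is assumed to come from the transport underneath.

```python
import hashlib
import hmac
import json

# Constructed enrollment table: reader ID -> per-reader secret (demo values only).
ENROLLED = {"dock-door-01": b"constructed-demo-key-01"}


def sign_report(reader_id, key, counter, epcs):
    """Reader side: serialise one read report and MAC it with HMAC-SHA256."""
    body = json.dumps({"reader": reader_id, "ctr": counter, "epcs": epcs},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class Middleware:
    """Accepts reports only from enrolled readers, in increasing counter order."""

    def __init__(self, enrolled):
        self.enrolled = enrolled
        self.last_ctr = {}  # highest counter accepted so far, per reader

    def accept(self, body, mac):
        try:
            msg = json.loads(body)
            reader, ctr = msg["reader"], msg["ctr"]
        except (ValueError, KeyError, TypeError):
            return "reject: malformed"
        if not isinstance(reader, str) or not isinstance(ctr, int):
            return "reject: malformed"
        key = self.enrolled.get(reader)
        if key is None:
            return "reject: unknown reader"  # rogue device on the network
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "reject: bad MAC"  # wrong key, or report altered in transit
        if ctr <= self.last_ctr.get(reader, -1):
            return "reject: replayed or stale"  # captured report sent again
        self.last_ctr[reader] = ctr
        return "accept"
```
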
One way to deal with eavesdropping on the relatively high-powered
emissions of RFID readers is to use a method called "silent
treewalking," says Burt Kaliski, chief scientist and director at RSA
Laboratories. Within the confines of the continuously available
wireless interface of RFID installations, silent treewalking ensures
that the information on the tag is never repeated by the reader.
Rather than having RFID tag numbers broadcast by the reader, they
would instead be referenced indirectly, and the receiving middleware
would know how to interpret this reference, but an eavesdropper
wouldn't.
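
An added simulation of the idea, not code from the article or from RSA Laboratories: it compares a plain binary tree walk with a silent one as heard on the reader's broadcast channel only. It goes beyond the article's description by assuming the variant in which the reader masks each branch bit by XORing it with the previous bit, which it heard only on the weak tag-to-reader channel; the tag IDs are constructed.

```python
# Constructed 6-bit tag populations; A and B differ only in their shared prefix.
TAGS_A = ["010110", "010101"]
TAGS_B = ["100110", "100101"]


def walk(tags, silent):
    """Singulate every tag ID; return (ids_found, forward_channel_log)."""
    n = len(tags[0])
    found, forward = [], []

    def descend(prefix, active):
        i = len(prefix)
        if i == n:
            found.append(prefix)
            return
        # Tag-to-reader channel (weak backscatter): active tags send bit i.
        heard = sorted({t[i] for t in active})
        for bit in heard:
            if not silent:
                forward.append(prefix + bit)   # plain walk: prefix in clear
                nxt = [t for t in active if t[i] == bit]
            elif len(heard) == 1:
                forward.append("NEXT")         # no collision: nothing to reveal
                nxt = active
            elif i == 0:
                forward.append(bit)            # no earlier bit to mask with
                nxt = [t for t in active if t[0] == bit]
            else:
                masked = int(bit) ^ int(prefix[-1])
                forward.append(str(masked))
                # Tag side: unmask with own previous bit, stay active on match.
                nxt = [t for t in active
                       if int(t[i]) == masked ^ int(t[i - 1])]
            descend(prefix + bit, nxt)

    descend("", list(tags))
    return found, forward


def ids_on_forward_channel(forward, n):
    """Full-length IDs an eavesdropper hearing only the reader can copy down."""
    return {m for m in forward if len(m) == n and set(m) <= {"0", "1"}}
```

Both populations produce the same silent broadcast log, so the reader's transmissions alone do not identify the tags; a collision on the very first bit is the one case the sketch sends in the clear.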
The Data
The key benefit of RFID is that it increases transparency along the
supply chain. But that very transparency brings added concerns about
data security. Businesses need "a very strong sense of comfort about
the level of security around all the data," says Beth Lovett,
solutions marketing manager for VeriSign. "And it's not just their
data. It's also their trading partners' data that includes information
that could relate back to their business."
As of now, no decisions have been made about which standards will be
used to secure data on the EPCglobal Network. For example, when it
comes to authentication, Lovett says that "this is still part of the
standards-development process under EPCglobal."
It's critical to have these in hand as more companies scale up their
supply-chain initiatives and start sharing data with one another, says
Forrester analyst Christine Overby. "Let's just say theoretically that
Wal-Mart uses the EPC Network to pass individual supply-chain
information back to both Procter & Gamble and Kimberly-Clark about
diapers," she says. "Kimberly-Clark and Procter & Gamble are
competitors in this category. So Procter & Gamble needs to know that
Kimberly-Clark can't see that supply-chain movement from Wal-Mart, and
vice versa. So when this information is all pointed to over a public
network, that does become a concern."
"The whole premise behind RFID is to have this item-level availability
of information about the whereabouts of any tag in the field," says
Burt Kaliski, chief scientist and director at RSA Laboratories. "And
that information needs to be available to authorized parties only. But
the set of authorized parties is constantly changing," making access
management a priority for businesses.
The expectation is that existing security methods such as firewalls
and other access-management technologies will be used to keep data
safe and available only to authorized parties as it's exchanged over
the EPCglobal Network, VeriSign's Lovett says. VeriSign is helping to
sort out these questions, and EPCglobal Network security standards
should be finalized by the first half of 2005.
In the meantime, companies with good data-security practices already
in place will be transferring them to their RFID projects. "The
problems we talk about in terms of sharing information between
companies--how do you make sure that the wrong company doesn't get the
information--all that is done through classical IT systems where we
understand the security quite well," says Pradhan of HP Labs.
And further developments are on the way. For instance, SAP is working
with partners on a new database-query technology that lets
manufacturers and retailers exchange RFID data without creating copies
of it on servers not controlled by the owner of the data, says Amar
Singh, VP of global business development at SAP. Some data is stored
in a central, virtual repository, but other key data is queried on an
individual basis. "Rather than the retailer publishing that
information in a virtual environment somewhere, our technology can
actually go in on an individual query basis to pull data for the
manufacturer and answer that question." The more places data resides,
the more places it's at risk.
And if companies really do want to see returns on their investments in
RFID, then they've got to be proactive about reducing risk--regardless
of the costs.
--with Laurie Sullivan