RFID Strategy -- RFID Privacy And Security Issues

A look at the evolving state of tag security.

RFID tag security and data privacy were popular topics in 2006, so I am beginning 2007 with a review of the issues and a look ahead at some anticipated developments.

Major Controversies Last Year

The security topic made headlines in a big way at the March IEEE conference. European researcher Melanie Rieback became internationally famous by presenting her paper, "Is Your Cat Infected with a Computer Virus?" This paper demonstrated that, under contrived laboratory circumstances, the relatively small amount of data on a common retail RFID tag could be used to launch a computer virus.

Despite the gap between the lab test-case and real-world scenarios, this paper created a great deal of controversy and discussion in the RFID community. It's a safe bet to look for similar topics at this year's IEEE conference, so watch this space in March.

Another controversy was stirred by the US Government's decision to begin issuing passports with embedded RFID tags. Dubbed "E-Passports," they were issued to diplomats in March. The RFID tags are supposed to speed processing and increase security. Privacy advocates (many of whom are based in Silicon Valley and the surrounding San Francisco area) immediately denounced the decision, with challenges to the policy issued by the Electronic Frontier Foundation (EFF) and EPIC, the Electronic Privacy Information Center. The privacy advocates are concerned that identity thieves could break the encryption of the RFID tags and steal sensitive passport information using hand-held tag readers.

The government responded by issuing further clarifications of the security features built into the E-Passports, including the addition of an RF-shield cover so that the tag can only be scanned when the passport is opened (thus depriving the RFID-nervous of the fun of wrapping their passport in tinfoil). The government has also announced that it will begin a general-public pilot test of the E-Passports in January at, of all places, San Francisco International Airport.

Finally, the VeriChip Corporation began a publicity campaign surrounding their FDA-approved human-implantable RFID chips. These chips, about the size of a grain of rice, are injected just below a person's skin. They are intended primarily for hospital use to provide secure ID, impossible-to-lose medical records, and other forms of secure personal data.

The publicity surrounding the chips spurred a backlash from privacy advocates concerned about the obvious potential for "Big Brother Is Watching You" abuses of the technology. Oddly, the VeriChips have been adopted as a badge of honor by a cadre of technical enthusiasts (they would say geeks) who want to be on the cutting edge of anything tech, using them as "bionic" key-cards to allow access to their homes or computers. The VeriChip tags have also spurred legislation in several states to guarantee that nobody can be forced to have a chip implanted by any employer or government agency.

Security Issues Follow Same Story Line

All of the security stories that broke last year share some common attributes. The first is the announcement of a new use of information technology. The second attribute is the announcement of a clever hack or a potentially dangerous misuse of the technology. Finally, the story is brought to a conclusion by either legislative action, or clarifications or improvements of the security elements within the technology.

The security problems surrounding RFID technology can be grouped in several classes:

  1. Data ownership and data-mining techniques. All methods of data collection involve questions of privacy, data ownership, and the ethical use of data-mining techniques to discover personal characteristics of an individual. For example, a drugstore's customer-loyalty card data could be used to deduce private medical information about a person. This problem pre-dates the use of RFID technology, but the sheer volume of data provided by RFID tags adds a new urgency to these discussions.
  2. Data theft. In the case of current databases, a would-be data thief requires computer access and considerable hacking skills to steal data. Given that RFID tags are made to broadcast information, the possibility of data theft by easily concealable RFID scanners is very real. Chip manufacturers counter this by adding security features to the chips and data, such as secure encryption schemes.
  3. Data corruption. Many tags are made to be rewritable. This feature may be locked (turning the tag into a write-once, read-many device) or left active. For example, the RFID tags used in libraries are frequently left unlocked for the convenience of librarians in reusing the tags on different books or to track check-ins and check-outs. When tags that should be locked are not locked (for example, in the supply chain), the potential does exist for pranksters or malicious users to re-write the tags with incorrect or fraudulent data.

These security problems are simply inherent in the technology. And I welcome the academic papers and alarmist popular-press articles on RFID, because they keep our industry's collective eye on the potential downside of this emerging technology.

Predictions For 2007

As we have seen from the growth of the Internet, anywhere a security hole exists, some hacker will find and exploit it for fun, profit, or both. The security problems summarized above are real and require real solutions. The RFID industry is working on technical solutions to all of the security problems noted above. Look for additional progress in security standards in 2007, coupled with increased RFID industry outreach to the general public in the form of press releases and advertising about security features. I can also confidently predict an increase in alarmist newspaper articles about RFID tags as the market presence of RFID increases. It should be a fun year!

Paul Faber is a Principal with Raleigh, N.C.-based Tompkins Associates, a supply-chain-solutions consulting firm. As the chief manager of RFID equipment implementation at Tompkins Emerging Technology Center, Faber possesses extensive experience in material handling solutions, systems integration, and installation. He has managed field integration and operations activities at material handling sites around the world.

