Some people call them smart labels. Others call them ‘spy chips’. No matter which way you look at it, radio frequency identification (RFID) tags are proliferating at a rapid pace.
From business to personal use, theses tiny tags can grant access to premises, track transported goods and are even used for financial purposes. There’s little doubt that everybody would encounter RFID technology at least once a day without even knowing it.
RFID technology communicates data through electromagnetic waves from a tag to a reader. The tags long read range means it is more convenient to scan than the traditional barcodes and has been adopted for tracking goods in a supply chain, stocktaking in retail environments and even enterprise asset management.
But as RFID continue to penetrate our daily lives, security and privacy concerns have been raise about the potential abuse of the technology. Privacy groups are perturbed by the ability to use RFID tags to track an individual’s movement. Misuse of collected data is also an issue. Then there is the idea of using RFID to trigger bomb explosions.
Fact or fiction?
Let’s set the record straight…
There is a swathe of speculation regarding how RFID can be manipulated to do terrible things.
In 2006, a US company created a video which demonstrated how RFID embedded passports, or e-passports, could be used to trigger bombs. Many countries, including Australia, now use e-passports.
Sounds too extreme? It is, according to RSA senior technology officer, Ian Farquhar, who labelled it one of the biggest hypes attached to RFID technology.
“It’s technically feasible but it’s utterly and completely theoretical,” he said. Farquhar also downplayed the dangers of RFID tag skimming and eavesdropping on transmitted data even tough there are claims RFID tags can be read from up to 50cm away depending on the reader or antenna used to intercept the data between the tag and reader.
But a tag itself generally carries very basic information and the effort that goes into replicating a tag or intercepting its information may render it a worthless exercise.
Standard RFID tags are inherently passive and can only carry very little information on them. For more sophisticated battery powered variants, they are usually protected by cryptographic means.
“If you make the cost of doing it far higher than the value you could derive from doing so then you are fairly safe,” Farquhar said. But as security capabilities improve, RFID tags may be used to handle more confidential information.
RFID technology vendor, Intermec, is developing battery assisted tags with cryptographic security measures. This will allow the cards to have a larger read range. It hopes to eventually produce fully passive tags with encryption capabilities.
“As security measures come online for RFID, it opens up avenues such as tracking of people and tags carrying more sensitive data,” Intermec system engineering manager, Adam Barnier, said. These tags will potentially have government and military applications.
But beyond the tracking of supply chain, enterprise asset management and retail goods, credit card companies are adopting RFID as a quick payment option for customers.
MasterCard spruiks its PayPass as a ‘contactless’ way to pay for goods. Users can scan their cards on a PayPass reader (should a retail outlet carry one) to pay for items up to a value of $100.
For all the fear over losing information from RFID tags on things such as credit cards, people seem to forget – or perhaps are not aware – that each time they are scanned, the information is tracked and stored on a database.
For instance, the dozen donuts you bought at the service station where you paid via a PayPass enabled credit card; MasterCard now knows what how much the doughnuts cost and where you bought it.
Every time you scan your ID card to go into your office, a database logs the time you entered the premises and essentially tracks your movement. “RFID cards are not used in isolation and are typically linked up to some sort of system which contains a database,” Sourcefire security engineer manager of Asia-Pacific, Kelvin Rundle, said. “The database is where the business application enables RFID cards to operate and where all the value actually leads to.
“Protecting the applications is what is most commonly overlooked.”
Transaction records are perfectly legitimate information to keep. After all, it would come in handy during fraud investigations should your credit card be stolen. But what happens when that database’s security is breached?
“We are seeing recently an increase in application-based attacks,” Rundle said. “So that is what would be seen as legitimate traffic by the firewall, for example, coming through and actually compromise the application in the network that the RFID system runs over resulting in unintentional dataloss.”
These attacks certainly sound more sophisticated than somebody holding up an antenna trying to intercept data transmitted from an RFID tag. What is more concerning is an RFID system might also be connected with other systems such as one for customer management.
Protecting data from being stolen is paramount for any organisation that choose to gather RFID data. But handling the data appropriately is equally as important.
Essentially, RFID technology can be used for data mining purposes. Data mining is the process of taking a large amount of data and trying to extrapolate certain patterns from it.
Facebook is a prime example as it tailors what advertising appears when an individual logs on to the page based that person’s interest listed on their profile.
This system can also apply to retail outlets. A supermarket can decide to change the layout of the store in based on the buying habits of customers as deduced by data collected from RFID tags.
Collecting data isn’t illegal. But what is the definition of appropriate use? RFA’s Farquhar said there was a lack of dependable standards to address the issue.
“We have a number of privacy acts and they’re very inconsistently applied; there are both State and Federal versions,” he said. “I may be speaking out of turn but a lot of organisations don’t know what applies to where.”
In 2008, the Australian Law Report published a report on privacy practices. In the three-volume report, recommendations were made which covered the scope of how RFID data should be stored and used.
“The Attorney-General’s office has been sitting on this for a while,” Farquhar said. “The global financial crisis moved it off the priority list because the A-G office felt that companies didn’t want to be dealing with major changes in the middle of the economic crisis.
“In a couple of years, we want it to reappear as a focus for the government as some of the changes are sensible.”
One of these changes is mandatory disclosure of data breaches. Companies that collect RFID data and subsequently lose that data must publicly admit to it, Farquhar said. Since mandatory disclosure of data breaches is not a requirement Australia, there are no reliable statistics on how often such security breaches occur. “In the US, where they do have mandatory breach disclosure, you can see it does happen fairly regularly over there,” Farquhar said.
He conceded it was hard to compare the US to Australia due to varying market and economic conditions. But that doesn’t mean Australian organisations should brush of the dangers of potential data breaches.
“One of the things we need to be cautious about is the tendency to think because we are down here in Australia, the network security challenges which are being faced in other parts of the world doesn’t apply to us,” Rundle said. “We seem to think our geographic location precludes us from those challenges but that is not the case in a connected world.”
Sourcefire recommends what it calls the next generation intrusion prevention system (IPS) to combat potential security breaches on RFID databases. This is a product, which the vendor deals with, has smarts built into it and can monitor traffic and detect potential threats in the network.
This is where the channel comes in.
While products like the next generation IPS do exist, they made up but part of a wider solution and a single vendor is unlikely to carry all the goods required to take care of RFID data security concerns.
“Sure some vendors will tell you ‘Yeah, we’ve got everything you need’ but I’d challenge that,” Farquhar said. “It’s channel partners that can bring together a multi-vendor solution and that is why they are so valuable.”
Channel partners so also take the role of advising businesses on spending the right amount of money to protect the data.
“A lot of businesses do it well, some could improve and others are spending too much money,” Farquhar said. “But we’ve got the good technology, a good understanding of the problem and it’s just about deploying them in a cost effective way.”