What's the (RFID) Frequency Kenneth?

By John Carmichael


Radio frequency identification (RFID) has officially arrived and seems destined to remain. This fairly new yet ubiquitous technology is integrated into payment cards, livestock tracking and myriad other places. However, several current and proposed uses have raised security and privacy concerns with consumers and businesses alike.

Are there obvious and/or hidden threats we are ignoring or may not even be aware of? My response is an unequivocal “yes.”

Tracking Commuters

Several RFID applications are being used on toll roads and for public transportation. “EZ-Pass” devices allow cars to move more quickly through toll booths via a quick RFID chip read. This chip is linked to the driver’s banking account, and the driver is billed based on his/her road usage (i.e. chip reads).

Boston recently rolled out an RFID system for its MBTA train system. Commuters carry a card, with an RFID chip embedded, which they tap against a reader to gain entrance to the train stations. The card is linked to a prepaid account which works like a debit system.

The risk? There is a theft problem here. If a thief takes an RFID reader for a train ride during rush hour or strolls through a parking lot, he or she can acquire enough information to clone a particular RFID card. This clone or dummy card would afford the intruder access to the train station or the toll road—all on the victim’s tab.

The solution? Some RFID implementations use a challenge-response system rather than having the chip in the card always broadcast the same signal. In this system, the response from the card is based partially on the signal from the reader and the information on the card, which allows the reader to identify the card but hinders a thief from cloning the card. This happens because the response from the card will change with each read rather than remain constant. As a result, the thief cannot copy and echo an ever-changing card.

Tracking Products

Many retailers are experimenting with RFID to track in-store purchases. The ability to produce low cost RFID tags allows retailers to easily manage inventory and potentially deter theft.

The risk? There is a privacy issue here because these tags are not disabled after the customer leaves the store. A reader located in the parking lot can detect exactly what the customer purchased. Let’s take this scenario one step further. Consider the common case when you leave your bags in your car as you continue your errands. Even if you hide your bags from view, a thief needs only an RFID reader to determine which car contains the most lucrative goods.

The solution? One potential solution in this space is a “zombie” chip. This chip works while in the store but is deactivated outside the store perimeter. The zombie chip can be reawakened by a special process, hence the moniker. This is useful in the case of a consumer returning an item, which the store will need to rescan to validate the return.

Tracking Children

Some schools, and even public places such as Legoland, have begun using RFID tags as an effective means to track abducted and wandering children.

The risk? This advantage can be lost to a criminal targeting a particular child, say the son or daughter of a politician or celebrity. He or she could use this same RFID technology to keep tabs on that child and determine the optimal spot for an attack.

The solution? Here is another case in which challenge-response chips would be useful. As the response is constantly changing, it would not be possible to track an individual chip without knowing how to properly decode the response based on the challenge.
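The challenge-response idea from the Tracking Commuters and Tracking Children sections, as an added sketch that is not from the original article. HMAC-SHA256, the tag-side nonce, the key-search back end and every name below are assumptions chosen for illustration; it shows a recorded reply failing against a fresh challenge and replies never repeating.

```python
import hmac, hashlib, secrets

class StaticTag:
    """Always answers with the same identifier (the clonable, trackable design)."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored

class ChallengeResponseTag:
    """Holds a secret key; never transmits the key or a fixed identifier."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        tag_nonce = secrets.token_bytes(16)  # fresh per read, so replies never repeat
        mac = hmac.new(self._key, challenge + tag_nonce, hashlib.sha256).digest()
        return tag_nonce + mac

class Reader:
    """Back end knows every enrolled key and searches them to identify a tag."""
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # account name -> key (constructed sample data)
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)
    def identify(self, challenge: bytes, response: bytes):
        if len(response) != 48:  # 16-byte nonce + 32-byte MAC
            return None
        tag_nonce, mac = response[:16], response[16:]
        for account, key in self.enrolled.items():
            expected = hmac.new(key, challenge + tag_nonce, hashlib.sha256).digest()
            if hmac.compare_digest(mac, expected):
                return account
        return None

def demo() -> dict:
    key = secrets.token_bytes(32)
    reader = Reader({"commuter-1": key, "commuter-2": secrets.token_bytes(32)})
    tag, static = ChallengeResponseTag(key), StaticTag(b"CARD-0001")
    c1, c2 = reader.new_challenge(), reader.new_challenge()
    r1 = tag.respond(c1)
    return {
        "static_repeats": static.respond(c1) == static.respond(c2),
        "genuine_accepted": reader.identify(c1, r1),
        "replay_accepted": reader.identify(c2, r1),  # recorded reply, new challenge
        "same_challenge_differs": tag.respond(c1) != r1,
    }

if __name__ == "__main__":
    print(demo())
```

The tag-side nonce matters for the tracking case: without it, any reader that repeats one challenge would get one repeatable answer per tag, which works as an identifier.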

Tracking Travelers

RFID has recently been integrated into passports, allowing a traveler to move more quickly through security checks.

The risk? The problem again is that the chip will respond to any reader. What if that reader were attached to an explosive device? It could trigger a bomb simply by the person’s presence. But the current security in passport RFID is woeful. The latest security efforts by passport authorities were to include a wire mesh into the cover of the passport.

Like a tin-foil hat, it blocks the signal from the reader, rendering the chip unresponsive until the passport is opened. This is a good first step, but studies have shown that it only needs to be opened slightly to be readable. Furthermore, when the passport is slightly open, the mesh protection becomes an amplifier, making the chip readable from further distances.

The solution? The best security solution for this implementation is encryption. The payment card industry uses RFID technology in the new contactless payment technology (i.e., PayPass by MasterCard). This technology takes advantage of encryption capabilities in some RFID systems to ensure that a rogue reader cannot compromise the information sent from the card to the reader.

Tracking Security

Some of the risks with RFID are more easily solved than others. There are implementations in use today which prove that some of these solutions are possible. Part of the problem is that the RFID chips capable of these advanced security features are more expensive, and thus less desirable, for massive rollout, such as for tracking products in stores.

Do risks outweigh rewards? Certainly, RFID and its uses are innovative and can simplify daily life for people. However, it’s critical that the industry implements this technology mindful of the abundant threats that RFID inherently introduces. Considering the risks and threats early in the implementation and adoption stages will eliminate many of the security problems.

John Carmichael leverages his strong lab development, programming and security process skills to deliver secure software development training courses to some of the world’s largest organizations including Adobe, EMC and MassMutual. Prior to joining Security Innovation, John was a systems analyst who led various Web development labs and product training for both technical and non-technical audiences.