By Judith M. Myerson
Imagine you are a supply chain executive at a retail chain that has implemented radio frequency identification technology in its stores. One day, you find yourself in one of your company's RFID-enabled stores wondering about the new security issues associated with the radio frequency technology. Then you look out of the window and see a shopper with a cat walking into the store. The next thing you know, the store's RFID infrastructure suddenly shuts down. RFID readers and checkout computers stop working. Thousands of dollars' worth of sales are lost in one day. What would you do? Run out of the store? Not likely. You probably would take a closer look at the cat or the shopper.
The cat might be carrying an unseen transmitter, or the shopper might have a transmitter implanted between his thumb and finger so small that it would not be noticeable to the human eye. In either case, the transmitter could be used to block radio signals, causing the store's systems to shut down, or to send a malicious virus to an EPC Information Services (IS) server containing product RFID data.
It's a good thing you have a disaster recovery plan in place! The store reopens shortly, giving you the opportunity to consider other RFID security issues that have not been addressed. Walking about the store, you see very few shoppers carrying RFID mobile readers to scan products, but you know that someday soon more and more consumers will begin using personal RFID readers to scan goods before they get to the checkout counter. The more shoppers use these readers, the more likely that tag signal interference will occur, again raising security concerns.
The above scenarios point to three RFID security concerns: human implantable RFID tags, signal interference, and RFID tag eavesdropping and jamming. Although you can never completely remove the vulnerabilities that hackers can exploit, you can provide leadership in defining and understanding the RFID security concerns and vulnerabilities facing your company, how the risks can be mitigated, and which safeguards will yield the best returns on investment (ROI). The ROIs will reflect how well your security policy is enforced and how well the resulting security program is implemented. The safeguards offered below are recommendations, and you can either change them or build upon them according to your organizational and security requirements.
Watch Out for Implantable RFID Tags
How do you detect whether the hacker (e.g., the shopper) has an RFID transmitter implanted in his hand? With this tool, a hacker can wave his hand to unlock a door to enter a warehouse filled with RFID-tagged pallets and cases, and then alter the tags. Or the hacker could send a malicious virus to the reader for transmission, for example via a method called "SQL injection," to an RFID tag affixed to a case of, say, Kleenex boxes.
I call this tool "war-waving," a more daring and bold strategy than "war-walking" or "war-driving." In war-walking, the hacker walks up to the building and physically forces open the locked doors in order to lift and switch tags from one merchandise type to another. In war-driving, the hacker driving by a facility uses a wireless device to scan the signals emitted from a mobile PDA or a wireless-based laptop for illegal use. One way of mitigating the risks of war-waving is to set the reader to validate a user permission code in the tag. Another way is to develop means of preventing the execution of SQL injections via a standard tag data dictionary and validation schemes. A reader should set off an alarm when it detects an invalid permission code.
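One way to implement the safeguards described above, as an added example that is not part of the original article: a reader-side check that validates every tag field against a data dictionary, raises an alarm on an invalid permission code, and stores accepted reads with bound SQL parameters. The field names, formats, permission code, table layout and sample reads are assumptions constructed for illustration.

```python
import hmac
import re
import sqlite3

TAG_DICTIONARY = {  # hypothetical data dictionary: field -> its only legal shape
    "epc": re.compile(r"[0-9A-F]{24}"),    # 96-bit EPC written as hex
    "perm": re.compile(r"[0-9A-F]{8}"),    # user permission code
    "lot": re.compile(r"[A-Z0-9]{1,10}"),  # lot label, still tightly constrained
}
ISSUED_PERMISSION_CODES = {"5A17C0DE"}     # constructed sample value


def validate_tag(fields):
    """Return (verdict, reason); verdict is 'ACCEPT', 'REJECT' or 'ALARM'."""
    if set(fields) != set(TAG_DICTIONARY):
        return "REJECT", "unexpected or missing field"
    for name, pattern in TAG_DICTIONARY.items():
        if not isinstance(fields[name], str) or not pattern.fullmatch(fields[name]):
            return "REJECT", f"field {name!r} violates the data dictionary"
    # Well-formed tag: compare the permission code in constant time.
    if not any(hmac.compare_digest(fields["perm"], c) for c in ISSUED_PERMISSION_CODES):
        return "ALARM", "invalid permission code"
    return "ACCEPT", "ok"


def process_read(db, fields):
    verdict, reason = validate_tag(fields)
    if verdict == "ACCEPT":
        # Bound parameters: tag contents are never spliced into the SQL text.
        db.execute("INSERT INTO reads (epc, lot) VALUES (?, ?)", (fields["epc"], fields["lot"]))
    else:
        db.execute("INSERT INTO alerts (verdict, reason) VALUES (?, ?)", (verdict, reason))
    return verdict


def demo():
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE reads (epc TEXT, lot TEXT);"
                     "CREATE TABLE alerts (verdict TEXT, reason TEXT);")
    samples = [  # constructed tag reads: valid, bad permission code, malformed field
        {"epc": "3034257BF400B7800004CB2F", "perm": "5A17C0DE", "lot": "KLX2291"},
        {"epc": "3034257BF400B7800004CB2F", "perm": "00000000", "lot": "KLX2291"},
        {"epc": "3034257BF400B7800004CB2F", "perm": "5A17C0DE", "lot": "KLX' OR '1'='1"},
    ]
    verdicts = [process_read(db, s) for s in samples]
    return verdicts, db.execute("SELECT COUNT(*) FROM reads").fetchone()[0]

if __name__ == "__main__":
    print(demo())
```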
Can You Hear Me, RFID Tag?
Another security threat comes from hackers who are able to eavesdrop on, and jam, RFID tags. The problem with RFID tags to date is that they are not conducive to using standard means of cryptography to protect them.