Analyst Focus: GAO Misdiagnosed RFID?

Government report overplays security flaws in radio frequency identification, understates health of market and technology's benefits, VDC researcher charges

Natick, MA — June 17, 2005 — It is common to get a second opinion in medicine. Another doctor may consider different factors, perhaps leading to a different — better or worse — diagnosis. After reading a recent Government Accountability Office (GAO) report on radio frequency identification (RFID) in federal government, one may want to get a second opinion.

The GAO report, "Information Security: Radio Frequency Identification Technology in the Federal Government," discusses privacy and security aspects of RFID transponders used to support inventory control and "contactless" smartcard applications. The GAO calls attention to a primary ailment: RFID data security. But understated in the GAO assessment are: the overall health of market, the RFID value proposition, and the progress the industry has made in addressing performance, standards and cost reduction.

The GAO report is flawed and provides a relatively unfavorable, potentially damaging view of RFID. The report cites several security-related issues that RFID can present, such as tracking individual movements, preferences, confidential personal information, etc. The report also suggests that interest from government officials in RFID is increasing, especially as costs fall and application uses expand. To compile the report the GAO focused on responses received from a variety of government agencies — 24 in total — including the departments of State, Energy, Homeland Security, Labor and others.

Security Issues Plague RFID

On the whole, it is difficult to disagree with the GAO report's basic diagnosis: RFID must provide enhanced physical and logical security and be backed by harmonized standards that ensure interoperability and safe communication.

Critics say RFID could reduce or eliminate purchasing anonymity and could even threaten civil liberties. The issue becomes even more acute in plans to deploy RFID-enabled identification, payment and loyalty cards. Privacy advocates are concerned that information stored on tags could be read "by anyone with an RFID reader" — data thieves, hackers or worse.

Right now, this isn't much of a threat, but as RFID becomes more widely adopted, the pressure to address the security issue is sharply increasing. It is a daunting challenge that touches all links in the RFID value chain from RFID integrated circuits (ICs) to the system infrastructure, including the Internet.

No one has complained of a security breach related to an RFID deployment — yet. Like the GAO, businesses and vendors alike acknowledge that security remains a question mark. For now, security has taken a backseat to the focus on improved performance, bottom-line results and returns on investment for RFID. However, with a technology as ubiquitous as RFID will be, admittedly there is great potential for damage.

Security a Tough Nut to Crack

To be fair, RFID data security is an extraordinarily difficult problem to solve. There is no panacea. Not only is it extremely challenging to build any kind of cryptosystem into an RFID chip that is small and weak, but also the system itself would remain utterly defenseless against electrical deception. Manipulating an IC power source is one of the definitive ways of culling its cryptographic secrets — in fact, satellite TV hackers have employed this method over the last few years.

In addition, most passive tags supporting EPCglobal standards are write-once, but RFID tags that support other standards, such as ISO, can be written to multiple times. And the market will soon be flooded with EPCglobal UHF Generation 2 (Gen2) protocol RFID tags that also support multiple writes. Because they are not write-protected, passive tags can be changed or rewritten up to a couple of thousand times. However, the Gen2 protocol will provide enhanced security features for passive tags. The standard provides password protection as well as the ability to encrypt the data being sent from the tag to the reader, rather than having encryption on the tag itself.

Further, there is a lack of support for point-to-point encryption (which is available using existing standards such as ISO 14443/DESFire), and a "public key infrastructure" (PKI) key exchange contributes to tag vulnerability. However, a number of security measures — including ISO standard 15693 for data authentication — are already used in payment and security/access applications and could play a role in RFID security.

Part of the problem with adopting existing standards, at least at one level, may be the extremely low cost and therefore extremely light functionality on the tags. Encryption on a tag, for instance, would chew up too much of a tag's processing power, as well as add extra cost to tags that need to be lightweight and inexpensive to keep costs in line.
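The write-protection point above is easier to see in a small model. The following is an added illustration, not code from the article, VDC, the GAO or any tag vendor: it contrasts a factory-fresh multi-write tag, where any reader in range can rewrite memory, with a tag whose banks have been locked behind an access password, the kind of protection the article says the Gen2 protocol adds. The memory banks, the 32-bit access password, the all-zero default password granting full access, and the locked/permalocked states are modelled loosely on Gen2 concepts; the class, method names, byte layouts, error type and sample passwords are assumptions chosen for clarity, not the real air-interface commands.

```python
"""Simplified model of passive-tag write protection (illustration only)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional
import hmac


class LockState(Enum):
    UNLOCKED = "unlocked"        # any reader in range may write
    LOCKED = "locked"            # writes require the access password
    PERMALOCKED = "permalocked"  # no further writes, ever


class TagError(Exception):
    """Raised when the modelled tag refuses an operation."""


@dataclass
class PassiveTag:
    # 32-bit access password held in reserved memory (Gen2-style). An all-zero
    # password is the factory default and, as in Gen2, grants full access.
    access_password: bytes
    epc: bytes = b"\x00" * 12    # EPC bank (modelled as 96 bits)
    user: bytes = b"\x00" * 8    # user-memory bank (size is an assumption)
    locks: Dict[str, LockState] = field(
        default_factory=lambda: {"epc": LockState.UNLOCKED, "user": LockState.UNLOCKED})
    write_count: int = 0

    def _secured(self, password: Optional[bytes]) -> bool:
        """True when the reader has proven knowledge of the access password."""
        if self.access_password == b"\x00" * len(self.access_password):
            return True                      # default password: no protection at all
        if password is None:
            return False
        # Constant-time comparison so a reader cannot learn the password
        # byte by byte from timing differences.
        return hmac.compare_digest(password, self.access_password)

    def write(self, bank: str, data: bytes, password: Optional[bytes] = None) -> None:
        state = self.locks[bank]
        if state is LockState.PERMALOCKED:
            raise TagError(f"{bank} bank is permalocked")
        if state is LockState.LOCKED and not self._secured(password):
            raise TagError(f"{bank} bank is locked; access password required")
        setattr(self, bank, data)
        self.write_count += 1

    def lock(self, bank: str, permanent: bool = False,
             password: Optional[bytes] = None) -> None:
        """Changing a bank's lock state is itself a privileged operation."""
        if self.locks[bank] is LockState.PERMALOCKED:
            raise TagError(f"{bank} bank is already permalocked")
        if not self._secured(password):
            raise TagError("changing lock state requires the access password")
        self.locks[bank] = LockState.PERMALOCKED if permanent else LockState.LOCKED


def demo_unprotected() -> int:
    """Factory-fresh tag: zero password, nothing locked. Any reader can rewrite it."""
    tag = PassiveTag(access_password=b"\x00" * 4)
    tag.write("user", b"pallet-7")   # the owner's legitimate write
    tag.write("user", b"tampered")   # any other reader in range can overwrite it
    return tag.write_count           # 2 writes, both accepted


def demo_protected() -> Dict[str, object]:
    """Commissioned tag: EPC permalocked, user memory gated by the access password."""
    pwd = bytes.fromhex("1a2b3c4d")  # constructed sample password
    tag = PassiveTag(access_password=pwd)
    tag.write("epc", b"\x30" * 12)   # commissioning write while still unlocked
    tag.lock("epc", permanent=True, password=pwd)
    tag.lock("user", password=pwd)
    results: Dict[str, object] = {}
    try:
        tag.write("user", b"tampered")                  # no password presented
    except TagError:
        results["anon_user_write"] = "refused"
    tag.write("user", b"pallet-7", password=pwd)        # authorised update
    results["auth_user_write"] = tag.user
    try:
        tag.write("epc", b"\xff" * 12, password=pwd)    # even the owner cannot rewrite it
    except TagError:
        results["epc_write_after_permalock"] = "refused"
    return results


if __name__ == "__main__":
    print("unprotected tag accepted writes:", demo_unprotected())
    print("protected tag:", demo_protected())
```

The model shows the trade-off the article describes: the unprotected tag costs nothing in logic or key management but accepts every write, while the protected tag needs a password distributed to authorised readers and a commissioning step before deployment. Permalocking the EPC bank is the write-once behaviour the article attributes to most EPCglobal tags, applied selectively to the identifier while user memory stays updatable.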

The good news is that the industry is paying more attention to the security issue. RFID technology can help maintain the balance between those concerned about business efficiency and those concerned about data integrity and privacy. However, the level of security and privacy needs to grow in proportion with deployment.

Missing from the Chart

The exclusion — either by definition or methods of reporting — of critical, large-scale federal RFID deployments makes the GAO security argument a tough pill to swallow. Two glaring omissions are discussions of the Department of Defense's (DoD) use of RFID and the General Services Administration's planned deployment of ISO 14443 contactless smartcards.

The DoD — which touts the world's largest supply chain and is a leading early adopter of RFID — was not issued a survey because the GAO collects relevant data through other ongoing work. And, ISO 14443-based cards were not covered because they are not considered RFID technology under the GAO report. However, ISO 14443 cards are widely used throughout federal agencies to support security/access control and employee identification.

These two omissions give examples of areas where RFID provides demonstrable ROIs, offers solid value propositions and yields benefits. In essence, the GAO report was handicapped from the start. Congress requested an in-depth analysis of the use of RFID across federal agencies, but notable pieces of the puzzle are missing.

Overall Health of RFID is Good

Regardless of what the GAO report may lead one to believe, it must be stated that the RFID market is healthy. According to research by Venture Development Corporation (VDC), the industry reached nearly $1.8 billion last year. This dollar figure provides evidence that the RFID market is quite healthy and lucrative. And RFID continues to make inroads into traditional and new application arenas, especially as costs decline, technology improves and standards codify.

Security issues aside, the RFID industry has made much progress — and that must not be understated. For example, technology performance, particularly for EPC UHF solutions, is increasing with each new product release and installation. Read accuracy rates are higher, read ranges are longer and transmission times are faster.

In addition, users are stepping up their efforts to determine the value proposition for RFID based on how it impacts their business operations. The cost of RFID is becoming more easily justified as users realize the benefits RFID can have for an enterprise.

By concentrating on the key areas of weakness (security) and failing to highlight RFID's successes, the GAO has done a disservice to the industry. The GAO report is primarily flawed because it omits discussions of RFID and federal policies for credentialing programs. It fails to provide a crisp, clear and comprehensive analysis of the strengths, weaknesses, opportunities and threats for RFID in federal government.

VDC's Prescription

Without question, RFID data security is a serious issue. This is why the industry needs to get its security house in order. The big issue facing the industry is that the people driving the high-profile applications — the retailers, consumer packaged goods (CPG) manufacturers and government agencies — do not truly understand what level of security they want, or rather what level of security they are willing to pay for.

Data security issues, however, have not been left completely unaddressed by the RFID industry. Solutions providers are well aware of the problems and have attempted some maneuvers to compensate. And cryptographic researchers are working out ways to make RFID technology more palatable to users (and the public) ahead of its expected widespread deployment over the coming years. RFID security solutions do exist, but more development needs to occur to pacify opponents. Current and new standards and regulations then need to be harmonized across agencies and/or partners to ensure consistency and interoperability.

Certainly the GAO's assessment of RFID in the federal government adds fuel to the burning debate over privacy and data integrity, but it must be read with caution. A premature, incomplete diagnosis of the ills of RFID does not help cure the security ailment nor serve the industry well. It feeds privacy naysayers and potentially taints the legislative view of RFID.

Without question, the potential damage of misinformation in the RFID industry must be addressed. One of the biggest complaints is over-hyping the technology, often misrepresenting the benefits of RFID, misstating privacy and security issues, and creating confusion over which RFID applications are "real" versus "potential." This information can negatively impact user expectations and ultimately adoption.

VDC argues that the GAO report offers an invalid diagnosis. Perhaps a more comprehensive picture of RFID and its security implications across federal agencies may be just what the doctor ordered.

Venture Development Corporation (VDC) is an independent technology market research and strategy consulting firm that specializes in a number of retail automation, RFID, AIDC, embedded, component, industrial, and defense markets. VDC provides support in refining, building and creating solutions, strategies and go-to-market plans for RFID.

Additional Articles of Interest

— RFID technology has the potential to change the way supply chains are managed, but in order to be effective businesses need to take a holistic look at the deployment. Read more in the article "Time for RFID: Applying RFID in the Supply Chain."

— For a contrary view of the future of the RFID market, see the article "The O'RFID Factor: A 'No Spin' Look at Where Radio Frequency Identification Is Headed," in the October/November 2004 issue of Supply & Demand Chain Executive.