This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."
Trouble is in the Air

The current standard for supply-chain RFID, EPC Generation 2, has built-in features that some believe can be exploited. According to Ashton, EPC Gen 3 will address the weaknesses of existing EPC tags "as we learn that we can do more and more with silicon for same amount of money. No one can seriously claim [EPC Gen 2] is it for EPC."
"There is not a lot of technology for detecting RFID hacking," says Chris Novak, a principal consultant for the investigative response team at Cybertrust. "Workers unfamiliar with RFID will not even know they've been hit." Even if a cashier caught the discrepancy, it's unlikely he'd blame the customer for it.
Ashton's version of EPC Gen 3 would add authentication and encryption to the communications between RFID tags and reader devices--the flashpoint for security threats to containers in warehouses and individual items in stores. He's less concerned with RFID hacks threatening back-end databases; he regards the IP communication between readers and the network as secure "because IP security protocols (such as SSL) are sufficiently advanced."
The potential threats to supply chains are clear and will grow proportionally with the RFID industry in the coming years, he says.
Most of the experts we talked to agree that businesses must first assess the risks RFID might introduce to their individual supply chains and internal operations, such as RFID personnel management.
Companies tracking toothbrushes may need little more than the unencrypted, unique "wireless barcode" that EPC provides. "But companies worried about the counterfeiting of tags will find that the mass majority of tags today do not do a good job of [preventing] that," says University of Massachusetts Amherst assistant professor Kevin Fu.
Fu was among the researchers last fall who issued a study describing how they used RFID readers to skim the account numbers and personally identifiable information off credit cards using the smart card RFID standard, which is not governed by EPCglobal. The RFID chips Fu and others skimmed, on cards from American Express, Visa and MasterCard, are capable of using encryption. However, many of the chips leaked personal information in plain text, suggesting that the credit card companies did not program them correctly.
"Encryption is like pixie dust," says Fu. "You can take a perfectly good cryptographic standard and not use it properly."
This was first published in January 2007