This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."
Ask the Experts
RFID security experts have three high-level rules to guide you as your company prepares to deploy RFID:
Assess the risk. Study the environment in which you will implement RFID, says Cybertrust's Chris Novak. Some companies even decide to forgo the technology because barcode labels are giving them the supply chain visibility they believe they need. "Be mindful of where you are putting this technology," he says. "Don't relinquish your responsibility to do a full risk assessment."
Don't cheap out. EPC is for tagging products, not people. While it is tempting to use the cheapest possible tag for tracking people, "you get into trouble when tags meant for one application are repurposed for situations like the Department of Homeland Security's PASS Card," said RSA's Ari Juels, speaking of DHS's plan to use EPC tags in identity documents.
Don't hesitate. For most jobs, particularly asset tracking, RFID is a safe bet. And don't fret--your EPC investment today will not go to waste. Rather, you will be able to seamlessly upgrade to any new EPC specifications or protocols. "There's no horrible legacy infrastructure," says Auto-ID Center co-founder Kevin Ashton.
The RFID Horizon
The security debate notwithstanding, there is probably no need for corporations to avoid deploying RFID in their supply chains. There simply aren't enough EPC Gen 2 tags out there to make hacking them profitable.
"We are a long way off from ubiquity, when the [RFID] security risks to the supply chain will be unacceptably high," says Ashton. "The risk is not so great at the pallet and case level." (See "Ask the Experts".)
Organizations may be more interested in finding cost savings through RFID and may only start looking for security remedies after the technology has been widely deployed and exploited, says Cybertrust's Novak.
"It's like the early stages of Wi-Fi, which made everybody's life easier," he says, referring to the introduction in recent years of Wi-Fi-enabled barcode scanners and mobile carts. Wi-Fi hackers, or war-drivers, have since been caught siphoning credit card numbers from Wi-Fi networks at retail stores.
There is some good news regarding EPC Gen 2 security because, Sarma says, the standard is "open to extensions for far more advanced commands," including security.
RSA's Juels is working on a way to use the Gen 2 tag's kill command as an authentication tool. By sending "just the right amount of power" from an RFID reader to a tag, says Juels, "you can get the tag to recognize the kill PIN." The trick is to avoid sending so much power that you kill the tag. "Right now, we're playing around with the power levels."
This was first published in January 2007