SAN DIEGO -- Though RFID devices come in all shapes and sizes, it's the tiniest tags using the technology that are bound to cause the biggest headaches, according to a presenter at Wednesday's USENIX Security Symposium.
Essentially small silicon chips attached to antennae and wrapped in paper or plastic, RFID tags, or "smart labels," can come with chips as small as a half millimeter. And though currently holding little virtual memory and limited computational power, retailers like Walmart and agencies like the Department of Defense are anxious to use the tags to track inventory. Part of the lure is the cost, currently about a nickel per tag.
But, warned Ari Juels, principal research scientist for Bedford, Mass.-based RSA Laboratories, "the very simple technology can give rise to a whole host of problems."
Declaring that "we're on the brink of an explosion in RFID use," Juels cautioned that the security community must find ways to quell privacy issues associated with potential uses of the tags, which can broadcast information to anyone with the right reader.
Some proposed solutions, such as carrying a protective mesh or aluminum foil to make detection difficult, aren't practical, he says, since tags can be placed in apparel from head to toe. An alternative is to "kill" the tags, essentially letting them self-destruct once they leave a store.
However, Juels said, "RFID tags are extremely beneficial devices and much too useful in their 'live' state." Killing
Among the challenges for security circles to solve: the cheap tags' minimal cryptographic abilities make it hard to scramble information for privacy protection. Therefore, one avenue may be creating "rotating "pseudonyms to protect against the theft of tags' true unique identifier. But the limited storage of the tags also limits the number of pseudonyms, a setback if an attacker launches rapid-fire queries and can determine the real data. Therefore, researchers should look into creating query throttling to prevent such compromises.
Juels also discussed fledgling technology to block illegal tag reading by essentially spoofing all possible tag identifiers worldwide. This swamps a reader with data, essentially causing a denial of service.
"Polite blocking" lets a tag stop functioning in certain "privacy zones" and turn back on upon leaving. "Soft blocking" uses software to determine if a tag-holder has opted in or opted out of being identified, Juels said.
While current technology has plenty of wrinkles to iron out -- technical problems and growing privacy concerns chief among them -- RFID is not going away.
"Corporate privacy is not as colorful as consumer privacy," Juels said. "But it's just as important." Maybe more so, he added, since that's where RFID is being deployed at the moment.