Published: 12 Jan 2007
RFID gives businesses--and bad guys--an easy way to track and change information.
As one of the fathers of the RFID industry, Kevin Ashton never seems to be far from controversy. Three years ago, he helped introduce the Electronic Product Code (EPC), an RFID specification, to the suppliers of Wal-Mart and Best Buy, and the U.S. Department of Defense, which manages the largest supply chain on the planet.
Now, as security experts demonstrate with alarming regularity how easy it is to hack RFID-enabled credit cards and e-passports, Ashton is calling for a new standard from EPCglobal, the EPC standards body, to secure RFID tags on shipping containers, palettes and individual store items.
The new standard, EPC Generation 3, would add the security features suppliers and retailers need to prevent attacks from rogue RFID reader devices, which, along with RFID tags, will become cheap and ubiquitous in the coming years, says Ashton, vice president of marketing at the RFID reader maker ThingMagic. He's also co-founder of the MIT-based Auto-ID Center, a nonprofit collaboration of private industry and academia to develop a global infrastructure for tracking goods via RFID tags.
At first, the idea of replacing barcode labels on individual items--the ultimate goal of the EPC effort--infuriated privacy advocates, who said RFID would allow corporations and governments to spy on consumers bearing radio-tagged products. Even end-time Christians attacked Ashton for advocating a technology they suspect to be a precursor to the radio-tagging of people, just as people are branded with the mark of the beast in the Book of Revelation.
Many of Wal-Mart's suppliers also grumbled that EPC was a way for the retailer to improve its supply chain visibility at their expense, since the retailer was requiring that they place RFID tags on their palettes and cases by the end of 2006.
Since then, however, many manufacturers and suppliers have started experimenting with RFID tags as a tool to track their own inventories and their employees.
Ernest Ostro, IT director at GlobalWare Solutions, says that medical device companies and a bike manufacturer using GlobalWare's supply chain management software are using RFID tags as tracking tools. (GlobalWare Philips Medical and Fuji Medical are among GlobalWare's supply chain outsourcing clients.)
GlobalWare is prepared for a future that will include "greater lumps of data" from RFID, says Ostro, from asset tracking and employee ID badges. "We've built hooks into our software for [RFID tags]."
Trouble is in the Air The current standard for supply-chain RFID, EPC Gener-ation 2, has built-in features that some believe can be exploited. According to Ashton, EPC Gen 3 will address the weaknesses of existing EPC tags "as we learn that we can do more and more with silicon for same amount of money. No one can seriously claim [EPC Gen 2] is it for EPC."
"There is not a lot of technology for detecting RFID hacking," says Chris Novak, a principal consultant for the investigative response team at Cybertrust. "Workers unfamiliar with RFID will not even know they've been hit." Even if a cashier caught the discrepancy, it's unlikely he'd blame the customer for it.
Ashton's version of EPC Gen 3 would add authentication and encryption to the communications between RFID tags and reader devices--the flashpoint for security threats to containers in warehouses and individual items in stores. He's less concerned with RFID hacks threatening back-end databases; he regards the IP communication between readers and the network as secure "because IP security protocols (such as SSL) are sufficiently advanced."
The potential threats to supply chains are clear and will grow proportionally with the RFID industry in the coming years, he says.
Most of the experts we talked to agree that businesses must first assess the risks RFID might introduce to their individual supply chains and internal operations, such as RFID personnel management systems. Security officers should be sure they are choosing the right tags for their unique applications, and use the encryption and authentication features available to them through the technology.
Companies tracking toothbrushes may need little more than the unencrypted, unique "wireless barcode" that EPC provides. "But companies worried about the counterfeiting of tags will find that the mass majority of tags today do not do a good job of [preventing] that," says University of Massachusetts Amherst assistant professor Kevin Fu.
Fu was among the researchers last fall who issued a study describing how they used RFID readers to skim the account numbers and personally identifiable information off credit cards using the smart card RFID standard, which is not governed by EPCglobal. The RFID chips Fu and others skimmed, on cards from American Express, Visa and Master-Card, are capable of using encryption. However, many of the chips leaked personal information in plain text, suggesting that the credit card companies did not program them correctly.
"Encryption is like pixie dust," says Fu. "You can take a perfectly good cryptographic standard and not use it properly."
The reported attacks of RFID tags--such as RSA Security's 2005 hacks of the tag used in the Exxon Mobile Speedpass, and the fall 2006 hack of RFID credit cards--have been by computer scientists tinkering in laboratories. Since some of these scientists are among the world's leading cryptographers, the industry is taking notice.
Here are two well-documented developments in EPC hacking:
As it has been with the RFID credit cards, demo attacks by researchers such as Fu will be the first we will see against EPC. "Now is the time to start worrying about this," says Ashton. Backers of the EPC standard want to eventually go beyond shipping containers and palettes and replace all of the barcode labels on individual store items with EPC RFID tags. That way, companies will be able to track an item from the assembly line to the register, and even into a consumer's home.
But EPC Gen 2 tags can be cloned and spoofed by counterfeiters and thieves targeting the supply chain, says Ashton. (See "RFID Attacks") For example, crooks could clone tags from authentic Louis Vuitton handbags and place them on fake items. In a spoofing scenario, a laptop emitting RF signals could tell a warehouse reader that a shipment of video game consoles is accounted for, long after thieves have made off with the units. Or, criminals lurking outside a retail store could intercept transmissions between EPC tags and checkout readers--called a side-channel attack--to snag the details of a transaction, such as potentially sensitive drug purchase information.
Eventually, more sophisticated attacks against RFID tags will take place within stores, says Novak. For example, early retail store hackers might be able write new item descriptions and prices to RFID-tagged items. Rather than paying $2,500 for a flat screen HDTV, for example, "an RFID hacker could program the tag to ring up as a less expensive product."
U.S. Department of Homeland Security is planning to use the EPC Gen 2 tags in its PASS Card border ID system. The PASS Cards will be an accepted substitute for passports at some U.S. border checkpoints.
That's not a good idea, says Ari Juels, principal research scientist and manager at RSA Security's RSA Labs.
"Using EPC tags for border control--that's worrisome," says Juels, who is among the coauthors of the RFID credit card hacking study with Fu. Unlike the RFID technology used in credit cards, EPC Gen 2 tags "have very few explicit security features," he says.
Juels says that someone could possibly scan the EPC tag on a PASS Card border ID several feet away and create a makeshift radio device, if not a cloned tag, which emits the same uniquely identifiable data as that tag.
|Gen 2 vs. Gen 3|
By the time the Auto-ID Center at MIT released EPC Generation 1 (and set up the EPCglobal standards body), many in the RFID industry were already talking about Generation 2. Perhaps that's one reason co-founder Kevin Ashton is confident that he will rally technologists and EPCglobal board members, including Sanjay Sarma, to his proposed EPC Generation 3 standard.
EPC Gen 2 does more to improve on privacy than security, says Ashton. EPC Gen 2 includes a kill command, for example, with a 32-bit tag-specific password that most cryptographers agree can be picked up via a side channel attack.
EPC Gen 3 tags might include stored encrypted serial numbers and tag-and-reader authentication. Such measures would foil would-be tag counterfeiters and operators of rogue reader devices.
Once again, Ashton, a former brand manager for Proctor & Gamble, has his critics. But this time, the ACLU and end-time Christians are not among them. Rather, it is Ashton's RFID industry colleagues who are objecting to the EPC Gen 3 proposal, which he and his ThingMagic co-workers made in a recent EPC security whitepaper (http://thingmagic.com/ html/pdf/generation%202%20-%20security.pdf). (See "Gen 2 vs. Gen 3")
"P&G is wholly satisfied with Gen 2, and discussion about the evolution of Gen 3 at this time is misplaced and premature," P&G spokesman Paul Fox wrote in an email. Fox called the threats to most RFID deployments "theoretical."
Other retailers and their suppliers, at least for the moment, apparently consider the security provided by EPC Gen 2 tags to be adequate for their needs.
"So far, we did not experience any problems with hacks or comparable attacks," says Christian Maas, spokesman for European retailer Metro AG, also via email. "We are applying EPC Gen 2 standard in our logistical processes, which is secured in several ways, for instance, random number masking."
Random number masking is an EPC Gen 2 feature that adds a random number to a tag's ID to deter eavesdropping, and requires the tag and reader to exchange a digital handshake before they can exchange any data. The aim is to lock a tag so that only an authorized interrogator can write any data to it. But Ashton and others feel the random number masking is ineffective against a side-channel attack because the number is not encrypted.
Many retailers and long-time RFID backers, including Wal- Mart and Best Buy, did not respond to interview requests. Several of Wal-Mart's leading suppliers, including Unilever and Kimberly-Clark, also declined to be interviewed. That may be because some companies have actually come to see EPC Gen 2 tags as security devices. The drug manufacturer Pfizer, for example, is using EPC Gen 2 as an anti-counterfeiting tool by placing RFID tags on bottles of Viagra.
The EPC Gen 2 tags themselves are easy to clone and scan surreptitiously, however, says RSA's Juels.
Sanjay Sarma, who co-founded the Auto-ID Center with Ashton, believes that people have unrealistic expectations about how secure RFID will ever be. The demo hacks of credit cards and other smart card and near field communication (NFC) systems show that companies are fooling themselves into thinking that RFID tags can act as mini-computers capable of high levels of network security.
"When people see [RFID credit cards] capable of being able to pass more data back and forth with a reader," says Sarma, "people start to salivate. But it will never be the same as a PC."
And unlike the smart card and NFC specifications, EPC was never designed to be more than a way for tags to wirelessly emit a unique numerical code to identify an item.
"EPC has never held such illusions," said Sarma, who is also chief scientist at RFID software company OATSystems, whose customers include P&G, GlaxoSmithKline and Kimberly-Clark.
|Ask the Experts|
RFID security experts have three high-level rules to guide you as your company prepares to deploy RFID:
Assess the risk. Study the environment in which you will implement RFID, says Cybertrust's Chris Novak. Some companies even decide to forgo the technology because barcode labels are giving them the supply chain visibility they believe they need. "Be mindful of where you are putting this technology," he says. "Don't relinquish your responsibility to do a full risk assessment."
Don't cheap out. EPC is for tagging products, not people. While it is tempting to use the cheapest possible tag for tracking or people, "you get into trouble when tags meant for one application are repurposed for situations like the Department of Homeland Security's PASS Card," said RSA's Ari Juels, speaking of DHS's plan to use EPC tags in identity documents.
Don't hesitate. For most jobs, particularly asset tracking, RFID is a safe bet. And don't fret--your EPC investment today will not go to waste. Rather, you will be able to seamlessly upgrade to any new EPC specifications or protocols. "There's no horrible legacy infrastructure," says Auto-ID Center co-founder Kevin Ashton.
The RFID Horizon
The security debate notwithstanding, there is probably no need for corporations to avoid deploying RFID in their supply chains. There simply aren't enough EPC Gen 2 tags out there to make hacking them profitable.
"We are a long way off from ubiquity, when the [RFID] security risks to the supply chain will be unacceptably high," says Ashton. "The risk is not so great at the palette and case level." (See "Ask the Experts".)
Organizations may be more interested in finding cost savings through RFID and may only start looking for security remedies after the technology has been widely deployed and exploited, says Cybertrust's Novak.
"It's like the early stages of Wi-Fi, which made everybody's life easier," he says, referring to the introduction in recent years of Wi-Fi-enabled barcode scanners and mobile carts. Wi-Fi hackers, or war-drivers, have since been caught siphoning credit card numbers from Wi-Fi networks at retail stores.
There is some good news regarding EPC Gen 2 security because, Sarma says, the standard is "open to extensions for far more advanced commands," including security.
RSA's Juels is working on a way to use the Gen 2 tag's kill command as an authentication tool. By sending "just the right amount of power" from an RFID reader to a tag, says Juels, "you can get the tag to recognize the kill pin." The trick is to avoid sending so much power that you kill the tag. "Right now, we're playing around with the power levels."
One company, SecureRF, announced in November that it had developed an encryption and authentication protocol for EPC Gen 2 tags.
"There's enough for us to work with on the [EPC Gen 2] tags to add this security protocol," says SecureRF CEO Louis Parks. A working version of SecureRF's Gen 2 tag, with onboard security, is expected to be available this month. The tag is aimed at the pharmaceutical industry.
RSA, Cybertrust and Accenture are among the companies engaging in "social engineering," providing advice on creating physical barriers to rogue readers that may lurk outside warehouses. They are also telling companies how best to shield their RFID-tagged ID cards from readers outside the office.
Ashton says that the EPC network of tags and readers is "nicely architected for upgrades, so companies need not fear making a Gen 2 investment. Readers can be made compatible with new tags, and old tags, made for pennies apiece, are meant to die once they leave the supply chain.
"They are like the little fruit flies of the computer world."