News Stay informed about the latest enterprise technology news and product updates.

RSA researcher Ari Juels: RFID tags may be easily hacked

Ari Juels, chief scientist and director of RSA Laboratories, is one of the world's foremost cryptographers. He is well-known for his research and publications on biometric security, RFID security and privacy, electronic voting, browser security, combinatorial optimization and denial-of-service protection. caught up with Juels at the 2009 RSA conference to discuss RFID, advances in multifactor authentication, cloud computing security, and his first novel, Tetraktys, which was launched at the conference.

How might RFID be compromised, and in what cases would it be worth an attacker's while?
If we're talking about what may be the most prevalent form of RFID, the wireless bar code, the interest in attacking the tags may be motivated by interest in attacking supply chains. And that can be for economic gain, out of interest in disrupting commercial operations, or even done with political motivation. The technology's still in its nascence, so we don't understand all the modalities of attack. But these are the reasons, in principle, people might attack these devices.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!
What are the defenses against such attacks? These devices are very limited by their low power.
What makes research in RFID security so interesting is precisely the fact that RFID tags can't do very much. For instance, the barcode-type ID tags I've described are meant to be extremely cheap, and that's why their capabilities are so austere.

But, in fact, it's possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags -- those are an optional security mechanism -- and even the privacy feature on the tags, what's called the "kill" function, a self-destruct feature that's meant to protect consumer privacy. We've shown ways the tags can be commandeered for authentication. So, what's really required is a very flexible mindset; the constrained capabilities of RFID tags pose a design challenge to security architects. That's not intractable. Multifactor authentication has been a tough sell outside of specific environments. It's expensive, hard to manage; users, especially consumers, don't like to use it. Can you talk about RSA's research and the Wireless Access Research Project (WARP), which uses mobile phones for strong authentication?
The idea behind WARP is that users already have a device that can serve to authenticate them very nicely—the mobile phone. They have properties that make them particularly well-suited to convenient authentication. For example, mobile phones are increasingly equipped with Wi-Fi capabilities. What we've done in the WARP project is enable users to transmit a token code via Wi-Fi to their PCs. It eliminates the need to transcribe digits from a one-time passcode token to a keyboard. It's great from the standpoint of security, because if you don't have to type the token code in, the code can be as long as you like. That opens up the possibility of transmitting full-blown cryptographic keys.

RSA Conference 2009

For all the latest news, podcasts and more direct from the show floor in San Francisco, visit our RSA Conference 2009 special news coverage page.

What current research projects get you excited?
We've been spending a lot of time on a project called HAIL (High Availability and Integrity Layer). Cloud storage posed some very knotty security problems. The one that we've focused on, in particular, is the problem of enabling a user to determine that a file or archive stored in the cloud is actually still there. You have no idea what physical platform your data resides on. You don't know what the quality of administration is; you don't know how reliable the platform is from a standpoint of degradation or vulnerability. We were able to achieve a kind of challenge-response protocol to receive a cryptographic assurance that the file was actually there. And, you're a novelist now. Tell us a little about Tetraktys.
My objective was to turn the usual formula of authorship on its head. Generally, novels about cryptography are written by people who just dip their toes into the subject of cryptography. I thought it would be interesting to write a novel as a scientist; rather to dip my toes into the writing and use the immersion in cryptography as a platform to write the novel.

Dig Deeper on Two-factor and multifactor authentication strategies

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.