The Security Implications of RFID

May 20, 2009
A look at the benefits and weaknesses of the technology

Whatever happened to all the hype over radio frequency identification (RFID)? Driven by Wal-Mart mandates and post-9/11 concerns, RFID was all the rage just after the turn of the century. Many people saw the positive side — RFID’s promise to maximize supply chain efficiencies and minimize inventory and related costs. However, others saw only the negatives associated with the technology. With references to Big Brother and George Orwell’s 1984, security pundits and privacy advocates alike spelled out the gloom and doom RFID would eventually facilitate. But it seemed to leave the spotlight as quickly as it entered it. Like most things the bandwagon jumpers make a big deal out of for a year or two, RFID has faded into the background.

Without people on the streets ranting and raving about RFID’s pros and cons, is it still legit? More importantly, as an IT or security leader in your organization, should the security implications of RFID be on your radar? The answer to these questions is yes, but it will pay to think things through before jumping to any conclusions.

Lack of Security Controls

Looking at RFID resources and statistics on the Web (most of which are dated), it is clear that one of the biggest concerns with the technology is its lack of general security controls. I’m not sure why anyone would be surprised at this. For starters, any reasonable business person knows the process and evolution of technology standards: the standards are developed and subsequently released, we find out about their security problems, people demand a fix and the issues are (hopefully) rectified.

I think we are finally entering an era where security gets baked into standards and technologies up front, but we still have a long way to go. Furthermore, the original intent of RFID as we know it today was to enhance supply chains and business commerce. You can’t blame the standards bodies and vendors for not wanting to waste cycles on locking down the 21st century equivalent of the bar code label.

The problem now is that the technological “benefits” to businesses and government agencies are becoming more apparent. We’ve opened an entirely new can of worms, and by and large, once a technology such as RFID is determined to be exploitable for personal or political gain it’s going to be abused whether we want to believe it or not.

For instance, RFID technology is a big (and controversial) part of the U.S. Department of Homeland Security’s Western Hemisphere Travel Initiative. Specifically, the passports now required to enter the U.S. from other Western Hemisphere countries contain an RFID tag. It is “high-tech” and “fancy” — which sounds good on the surface.

The problem is that these RFID tags can be cloned. Using just a few hundred dollars’ worth of parts purchased off the Internet and some RF know-how, security researcher Chris Paget — who once demonstrated how easy it was to clone HID access cards — has demonstrated just how easy cloning these passports can be. It is unbelievable. Eye-opening videos of Paget’s demonstrations can be found on YouTube by simply searching for his name.

RFID Exploits

One of the biggest problems with RFID from a security perspective is that it is readable from relatively long distances — up to 30 feet. That’s not quite the centimeter ranges originally quoted. This can lead to numerous problems for businesses including:

• Identity theft (someone capturing passport data and reusing it elsewhere);

• Executive security (someone capturing passport data to track down a certain person or residents of a certain country);

• Rogue monitoring of people and systems (someone capturing data inside a business for illicit tracking of who’s doing what);

• Service abuse (someone cloning public transportation system access cards);

• Unauthorized access to sensitive systems (someone cloning proximity cards and gaining access into systems such as a hospital’s electronic medical records system);

• Unauthorized access to sensitive physical assets (someone scanning for information tagged as sensitive in and around office space — even the garbage — inside the building);

• Unauthorized access to sensitive physical areas (someone cloning proximity cards and gaining access into secured locations such as data centers);

• A facilitator of social engineering (someone using cloned information that appears legitimate to a computerized access control system but obviously fraudulent to an experienced eye had a person been involved in the process);

• Denial of service attacks that lead to business continuity issues (someone attacking the RFID network infrastructure or zapping RFID tags altogether using homemade tools); and

• Malware exploits that lead to sensitive information exposure (someone using a malicious RFID chip to cause software to crash, exposing sensitive information on the supporting RFID infrastructure — see www.rfidvirus.org).

Look at what really matters here:

1. Are any of these RFID attacks possible in your environment and in the context of your systems?

2. Are there known threats that can and will exploit any weaknesses?

3. What can you do to protect the business assets under attack?

You may find out that RFID isn’t really a concern for your business yet and may seem to be more of a threat to your personal life. Either way, it pays to educate yourself in this area and to be prepared with a plan of action.

The good news is there are a lot of smart people working on ways for us to get our arms around RFID security. From rolling codes, to challenge/response authentication, to shielding, to localized RFID jamming — the solutions are on the way. It is just a matter of whether or not they are too late to the punch and if anyone will bother implementing them.
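Why challenge/response authentication addresses the cloning problem described earlier, shown as an added example that is not part of the original article: a reader that trusts a fixed identifier accepts anyone who recorded it, while a reader that issues a fresh challenge rejects a recorded answer. The class names, the badge identifier and the use of HMAC-SHA256 are assumptions chosen for illustration and do not model any specific RFID product.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Constructed model: a tag that answers every read with the same identifier."""
    def __init__(self, uid: bytes):
        self.uid = uid
    def read(self) -> bytes:
        return self.uid

class ChallengeResponseTag:
    """Constructed model: a tag whose secret key never leaves the chip."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()

class Reader:
    """Access-control reader holding the enrolled uid -> key table."""
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled
        self._outstanding = set()          # challenges issued but not yet used
    def accept_static(self, uid: bytes) -> bool:
        return uid in self.enrolled        # the identifier alone is the credential
    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge
    def accept_response(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.enrolled.get(uid)
        if key is None or challenge not in self._outstanding:
            return False                   # unknown tag, or challenge reused
        self._outstanding.discard(challenge)   # each challenge is single-use
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    uid, key = b"BADGE-0001", secrets.token_bytes(32)   # constructed sample values
    reader = Reader({uid: key})
    recorded_uid = StaticTag(uid).read()   # what a passive listener would capture
    tag = ChallengeResponseTag(uid, key)
    c1 = reader.new_challenge()
    r1 = tag.respond(c1)                   # the listener records (c1, r1) as well
    results = {"static_replay": reader.accept_static(recorded_uid),
               "genuine_tag": reader.accept_response(uid, c1, r1)}
    c2 = reader.new_challenge()
    results["recorded_answer_new_challenge"] = reader.accept_response(uid, c2, r1)
    results["recorded_pair_reused"] = reader.accept_response(uid, c1, r1)
    return results

if __name__ == "__main__":
    print(demo())
```

The protection holds only while the per-tag key stays secret, so key provisioning and storage become part of what has to be secured.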

In the not-so-distant future, we are not only going to have networks of information but also networks of “things” all throughout our business environments. We now have to look at protecting our business assets below the traditional information security level that we are accustomed to. I’m not saying that everything containing an RFID tag is going to be hacked or abused, but I do believe that the realm of information security control is going to grow by leaps and bounds in the coming years.

It would be wise of us to broaden our time perspective and start thinking about how we are going to keep everything in check. This stuff is not going away.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies,” “Hacking Wireless Networks for Dummies,” and “Securing the Mobile Enterprise and Laptop Encryption for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].