The Security Implications of RFID

A look at the benefits and weaknesses of the technology

Whatever happened to all the hype over radio frequency identification (RFID)? Driven by Wal-Mart mandates and post-9/11 concerns, RFID was all the rage just after the turn of the century. Many people saw the positive side — RFID’s promise to maximize supply chain efficiencies and minimize inventory and related costs. However, others saw only the negatives associated with the technology. With references to Big Brother and George Orwell’s 1984, security pundits and privacy advocates alike spelled out the gloom and doom RFID would eventually facilitate. But it seemed to leave the spotlight as quickly as it entered it. Like most things the bandwagon jumpers make a big deal out of for a year or two, RFID has faded into the background.

Without people on the streets ranting and raving about RFID’s pros and cons, is it still legit? More importantly, as an IT or security leader in your organization, should the security implications of RFID be on your radar? The answer to these questions is yes, but it will pay to think things through before jumping to any conclusions.

Lack of Security Controls

Looking at RFID resources and statistics on the Web (most of which are dated), it is clear that one of the biggest concerns with the technology is its lack of general security controls. I’m not sure why anyone would be surprised at this. For starters, any reasonable business person knows the process and evolution of technology standards: the standards are developed and subsequently released, we find out about their security problems, people demand a fix and the issues are (hopefully) rectified.

I think we are finally entering an era where security gets baked into standards and technologies up front, but we still have a long way to go. Furthermore, the original intent of RFID as we know it today was to enhance supply chains and business commerce. You can’t blame the standards bodies and vendors for not wanting to waste cycles on locking down the 21st century equivalent of the bar code label.

The problem now is that the technological “benefits” to businesses and government agencies are becoming more apparent. We’ve opened an entirely new can of worms, and by and large, once a technology such as RFID is determined to be exploitable for personal or political gain it’s going to be abused whether we want to believe it or not.

For instance, RFID technology is a big (and controversial) part of the U.S. Department of Homeland Security’s Western Hemisphere Travel Initiative. Specifically, the passports now required to enter the U.S. from other Western Hemisphere countries contain an RFID tag. It is “high-tech” and “fancy” — which sounds good on the surface.

The problem is that these RFID tags can be cloned. Using just a few hundred dollars’ worth of parts purchased off the Internet and some RF know-how, security researcher Chris Paget — who once demonstrated how easy it was to clone HID access cards — has demonstrated just how easy cloning these passports can be. It is unbelievable. Eye-opening videos of Paget’s demonstrations can be found on YouTube by simply searching for his name.

RFID Exploits

One of the biggest problems with RFID from a security perspective is that it is readable from relatively long distances — up to 30 feet. That’s not quite the centimeter ranges originally quoted. This can lead to numerous problems for businesses including:

• Identity theft (someone capturing passport data and reusing it elsewhere);

• Executive security (someone capturing passport data to track down a certain person or residents of a certain country);

• Rogue monitoring of people and systems (someone capturing data inside a business for illicit tracking of who’s doing what);

• Service abuse (someone cloning public transportation system access cards);

• Unauthorized access to sensitive systems (someone cloning proximity cards and gaining access into systems such as a hospital’s electronic medical records system);
