The report said the limited storage buffer of an RFID tag -- typically ranging from 90 to just over 100 bytes -- offers just enough legroom for damaging code to hide out and wait for a connection to the network.
Craig Asher, solutions architect for IBM's pharma RFID software group, said this is what security working groups within EPCGlobal are hashing out. EPCGlobal is a not-for-profit standards organization working to drive adoption of EPC technology, which would enable the identification and tracking of individual items.
And this is why companies need to realize the importance of architecture.
"You don't want a single point of failure. You want to be able to distribute the data across multiple instances so that nobody can break you in one place."
There are three pillars of this work, he adds.
First, the system is certification-based, meaning you can track unique numbers on the bottles of drugs, for example, back to the unique ID that was burned into the chip when it was manufactured. Those are two areas that counterfeiters would need to breach.
Second, you need to be able to read the product with that unique tag and EPC number in order to gain authorization into the EPC-IS database shared by all companies involved in the supply chain.
"Each authorization is logged, and rogue activity can be shut down quickly."
Third, he added, the data is distributed so that a faker would have to extract it from multiple points across a supply chain before getting all the data needed to copycat it.
The standard bearer
In a recent research note, Eric Newmark, analyst for Health Industry Insights, said the FDA stopped short of making RFID an electronic pedigree mandate for more than just security and privacy concerns.
"Some of these lingering issues include frequency standards (HF versus UHF), serialization schemas (National Drug Code NDC), and consumer privacy notifications and procedures," he wrote.
"HF is widely recognized as the accepted standard, but six leading RFID vendors recently published a study advocating the use of UHF as a more effective and practical choice. Coupled with the fact that Wal-Mart is already heavily invested in it, UHF may still have potential at the item level."
Michael Liard, principal analyst of RFID for ABI Research, said spectrum use, such as high frequency versus ultra high frequency, is also a key challenge, and each country varies in which part of the spectrum it uses to transmit RFID data.
"Each country is responsible for its own radio spectrum. If products are certified as the so-called Gen2 standard approved two years ago, then they will be interoperable in the U.S., Europe and Asia."
But even with those certifications, the same reader in one country may be operating at a frequency of 915 MHz, while another is sitting at 952 MHz. Until the ISO, the ultimate international body for interoperable standards, puts its blessing on a UHF frequency that everyone should use, RFID is still a country-by-country patchwork.
Liard says we'll see excellent market growth moving forward once we have products based on ISO standards.
"But if you look at market for 2005-2006, a lot of growth expectations weren't met. By and large it hasn't been overly explosive" because of the continuing patchwork of standards.
You're seeing mandates on e-pedigree tracking on a state-by-state basis, not to mention possible federal legislation, including privacy standards.
"We're not there yet. We're hoping for a summer delivery. We're knocking at the door of ratifying standards. If you want a truly global supply chain, you need the EPC's Gen2 standard to become a global standard. Having that compliance is critical."