RFID Security: Retail and Beyond
- From: RFIDabc <rfidabc@xxxxxxxxx>
- Date: Thu, 02 Aug 2007 07:10:59 -0000
Human implantable RFID tags, signal interference, and RFID tag
eavesdropping and jamming. Although you can never completely remove
vulnerabilities that the hackers can exploit, you can provide
leadership in defining and understanding the RFID security concerns
and vulnerabilities facing your company, how the risks can be
mitigated, and which safeguards will yield the best returns on
investment (ROI).
Imagine you are a supply chain executive at a retail chain that has
implemented radio frequency identification technology in its stores.
One day, you find yourself in one of your company's RFID-enabled store
wondering about the new security issues associated with the radio
frequency technology. Then you look out of the window and see a
shopper with a cat walking into the store. The next thing you know,
the store's RFID infrastructure suddenly shuts down. RFID readers and
checkout computers stop working. Thousands of dollars worth of sales
are lost in one day. What would you do? Run out of the store? Not
likely. You probably would take a closer look at the cat or the
shopper.
The cat might be carrying an unseen transmitter, or the shopper might
have a transmitter implanted between his thumb and finger so small
that it would not be noticeable to the human eye. In either case, the
transmitter could be used to block radio signals, causing the store's
systems to shut down, or to send a malicious virus to an EPC
Information Services (IS) server containing product RFID data.
It's a good thing you have a disaster recovery plan in place! The
store reopens shortly, giving you the opportunity to consider other
RFID security issues that have not been addressed. Walking about the
store, you see very few shoppers carrying RFID mobile readers to scan
products, but you know that someday soon more and more consumers will
begin using personal RFID readers to scan goods before they get to the
checkout counter. The more shoppers use these readers, the more likely
that tag signal interference will occur, again raising security
concerns.
The above scenarios point to three RFID security concerns: human
implantable RFID tags, signal interference, and RFID tag eavesdropping
and jamming. Although you can never completely remove vulnerabilities
that the hackers can exploit, you can provide leadership in defining
and understanding the RFID security concerns and vulnerabilities
facing your company, how the risks can be mitigated, and which
safeguards will yield the best returns on investment (ROI). The ROIs
will reflect how well your security policy is enforced and the
resulting security program is implemented. The safeguards offered
below are recommendations, and you can either change them or build
upon them according to your organizational and security requirements.
Watch Out for Implantable RFID Tags
How do you detect if the hacker (e.g., the shopper) has an RFID
transmitter implanted in his hand? With this tool, a hacker can wave
his hand to unlock a door to enter a warehouse filled with RFID-tagged
pallets and cases, and then alter the tags. Or the hacker could send a
malicious virus to the reader for transmission, for example via a
method called "SQL injection," to an RFID tag affixed to case of, say,
Kleenex boxes.
I call this tool "war-waving," a more daring and bold strategy than
"war-walking" or "war-driving." In war-walking, the hacker walks up to
the building and physically forces open the locked doors in order to
lift and switch tags from one merchandise type to another. In war-
driving, the hacker driving by a facility uses a wireless device to
scan the signals emitted from a mobile PDA or a wireless-based laptop
for illegal use. One way of mitigating the risks of war-waving is to
set the reader to validate a user permission code in the tag. Another
way is to develop means of preventing the execution of SQL injections
via a standard tag data dictionary and validation schemes. A reader
should set off an alarm when it detects an invalid permission code.
Can You Hear Me, RFID Tag?
Another security threat comes from hackers who are able to eavesdrop
on, and jam, RFID tags. The problem with RFID tags to date is that
they are not conducive to using standard means of cryptography to
protect them.
For example, the power of passive tags is too weak and the memory too
small to incorporate the regular cryptography to secure them from
eavesdropping and jamming. And while the active tags are battery-
operated and have larger memory, and scanning area, the power of these
tags is not strong enough for the regular cryptography to work
properly.
A promising alternative to cryptography is ultra wideband (UWB)
modulation. Dong S. Ha, and Patrick Schaumont spoke at the IEEE RFID
2007 Conference about how this type of modulation can be used to
implement the link from RFID tags to readers. As they discussed, this
technology, still being developed, allows for the use of relatively
simple ciphers, and UWB is more secure against interference than
narrowband.
Tag Signal Interference
Signal interference with RFID tags can result from improper antenna
orientation in the tags and close proximity of readers. The challenge
is to detect signal interference between tags.
Let's suppose a shopper places RFID-tagged products in a shopping cart
in a random orientation. Signal interference occurs when the signals
from the antenna in some tags interfere with the signals from the
antenna in other passive tags on products. As a result, when your
shopper proceeds to checkout, the reader at the checkout counter might
not be able to read all the tags in the cart. This means that the
tagged items in the shopping cart must be taken out and placed on the
checkout counter for proper alignment of the items' orientation before
the tags on these items can be adequately re-scanned.
Even if the tagged items are placed in a proper orientation order in
the cart to prevent signal interference at checkout, mobile RFID
handheld readers (e.g., personal readers used by shoppers as they move
about the store) used in close proximity to other readers could garble
data while scanning the tags. The radio frequency field generated by
one reader used to scan the items in one cart may overlap the field of
another reader used to scan different items in a second cart that
happens to be in close proximity to the first cart.
To alert the shopper of the read tag interference, these mobile
readers could include an alert mechanism that would be able to change
color from green to red when signal interference is detected due to
overlapping scanning areas caused by the proximity of another
shopper's reader. When the red color blinks, a shopper would move away
from the overlapping area until the alert stops blinking or turns
green.
Not Enough Room Here!
Active RFID tags give rise to another signal interference issue. The
challenge here is to mitigate the risks of signal interference due to
improper antenna orientation, insufficient numbers of antennas,
improper positioning and inadequate reading area.
As you may know, an RFID reader cannot communicate with an active RFID
tag that is oriented perpendicular to the reader antenna. With active
tags and readers, unlike with passive tags, a minimum of one antenna
must be located in one zone. Although several antennas enable more
accurate tag positioning to allow for greater reading area, improper
positioning due to reflections from walls and equipment can adversely
affect the transmission. Tags that are not located at the correct
horizontal or vertical levels in buildings also affect transmission
quality.
Canus, a maker of goat's milk soap, offers a good example of how it
resolved the signal interference by changing the positioning and
orientation of the antenna. Its docking door allowed only three
antennas to be set up, but the third antenna did not allow enough
reading area. Adjustments were made to this antenna by changing its
orientation and position to provide a greater reading area, and a
fourth antenna was added to ensure that a tag can be read regardless
of its location on the pallet.
RFID technology offers great promise for improving supply chain
efficiencies, including through store-level deployments. However, as
the examples above illustrate, companies that are serious about
leveraging this still-emerging technology must take into consideration
the various security issues inherent to RFID.
------------------------------------------------------------------------------------------------------------------------------------------
http://www.rfidglobal.org
An internationally oriented online platform for RFID companies and end
users.
.
- Follow-Ups:
- Re: RFID Security: Retail and Beyond
- From: watcher
- Re: RFID Security: Retail and Beyond
- Prev by Date: NIST report on RFID issues,article link
- Next by Date: Peacefire Circumventor and hotmail
- Previous by thread: NIST report on RFID issues,article link
- Next by thread: Re: RFID Security: Retail and Beyond
- Index(es):
Relevant Pages
|
Loading
