Security Challenges

Security issues that exist in RFID systems are, in many ways, similar to security issues in computer systems and networks. Ultimately, the objective in both types of systems is to secure and protect the stored data and the data communication in and between various parts of the system. However, dealing with security in RFID systems is often more challenging due to two factors. First, the communication method in RFID systems is contactless and wireless, making them susceptible to eavesdropping. Second, the amount of computing power and programmability in RFID systems, especially on the tags, is bounded by the cost requirements of the tags themselves. More precisely, the less expensive the tags need to be in a particular application, the less computing power they will have (that is, the less programmability against security threats can be implemented). We explore these challenges and limitations as we next discuss the major vulnerability points in RFID systems and offer the means to assess the risks of security breaches and suggest appropriate solutions to protect against them.

Areas of Security Vulnerability in RFID Components

In an RFID system, data is vulnerable to unauthorized access while it is stored in the tag, the reader or the host computer, or when it is being transmitted from one of these components to another. We classify the areas of security vulnerability into four categories and describe each separately in the following sections.

Tag Data Access Vulnerability

A tag often contains an integrated circuit (IC), essentially a microchip with memory. Data on the tag can be compromised in similar fashion to data on a computer. Tag data is vulnerable when an unauthorized party either accesses an authorized reader or configures a reader to communicate with a specific tag. In such a scenario, the unauthorized user can access the data on the tag as if he was performing an authorized read. In the case of writeable tags, data might also be modified or even deleted by an unauthorized user.

Tag and Reader Communication Vulnerability

When a tag transmits data to a reader, or a reader interrogates a tag for data, the data travels through the air via radio waves. During this exchange, data is vulnerable. Some methods of exploiting the vulnerability of such wireless exchange include the following:

• An unauthorized reader hijacks the data. In this scenario, an unauthorized reader simply intercepts the data transmitted by the tag.

• A third party jams or spoofs data communication. An unauthorized party might utilize several methods to prevent communication between the tag and the reader. One common way, spoofing, creates electromagnetic interference by overloading the reader with so many fake tag responses that the reader cannot distinguish any of the legitimate tag responses. This method is also called a denial-of-service attack.

• An imposter tag sends data. An imposter tag supplies unwanted information or erroneous data to the reader, effectively tricking the RFID system to receive, process, and act on inaccurate tag data.

Vulnerability of Data Inside the Reader

When a tag sends its data to the reader, the reader stores the information in its memory and uses it to perform a number of functions before it purges that data and/or sends it to the host computer system. During these processes, the reader functions just like any other computer where traditional security vulnerabilities and issues exist. Currently, the majority of readers on the market are proprietary, and they may not provide an interface that allows users to enhance the reader's security features beyond the capabilities offered by the vendor. This limitation makes careful selection of a reader especially important.

Vulnerability of the Host Computer System

After data has moved from a tag, through a reader, and onto a host computer, it is subject to the vulnerabilities that already exist at the host level. These vulnerabilities are beyond the scope of this book. Interested readers should refer to appropriate books on computer or network security.

Assessing Security Risks in RFID Applications

The risks of data being compromised during a security breach vary depending on the type of application. For the purposes of discussion in this chapter, we broadly categorize RFID applications into two types, Consumer and Enterprise, and describe the risks for each type in more detail.

Consumer Application Risks

Consumer RFID applications include those that collect or manage data about consumers, or are "touched" by consumers. Typical applications in this category include access control, electronic toll collection, and any application that involves tagging of items in a retail store. With consumer applications, the risk of security breaches can be damaging both to the business entities deploying the system and to the consumer. We discuss the potential damages to businesses in the next section. The damage to the consumer is generally related to violation or invasion of privacy but may also include direct or indirect financial damage.

Even in cases where no personal consumer data is directly collected or maintained by an RFID system, if the consumer touches (handles, holds, or carries) an object with an RFID tag, there is potential to create an association between the consumer and the tag. Such an association conveys personal data about a consumer and may have privacy risks. For example, RFID tags used to control entry into a car do not contain any information about the owner of the car, but there still exists the threat that the holder of the tagged car key could be tracked. This can happen only if it was possible to build a series of sophisticated readers, strategically placed to interrogate the tagged key.

Enterprise Application Risks

Enterprise RFID applications are those internal to a business or a collection of businesses. Typical enterprise applications include any number of supply chain management process enhancing applications (for example, inventory control or logistics management). Another application is in the area of industrial automation where RFID systems are used to track manufacturing processes on the factory floor. Here, the risk of security breaches is generally limited to damaging the enterprise only. These security breaches can disrupt business processes and functions or compromise confidential corporate information.

For example, hackers can disrupt RFID-enabled supply chain processes among business partners through spoofing and mounting denial-of-service attacks. Also, competitors can steal confidential inventory data or gain access to specific industrial automation practices. In other cases, hackers can access and publicize similar confidential enterprise data. This can also compromise a business's competitive advantage. In cases where several enterprises are jointly using an RFID system, for example, to create a more efficient supply chain between suppliers and manufacturers, breach of tag data security is likely to be harmful to all the businesses involved.

Solutions for Securing and Protecting RFID Data

In this section, we discuss some of the more common solutions for securing and protecting RFID data and communication to address the vulnerabilities associated with tag data (Tag Data Access Vulnerability) and tag and reader interaction (Tag and Reader Communication Vulnerability). Table 10.1 shows a summary of these solutions. Vulnerabilities related to data already inside the reader (Vulnerability of Data Inside the Reader) or at the host computer level (Vulnerability of the Host Computer ) are beyond the scope of this book^[1] .

^[1] As mentioned earlier, the reader functions like a computer when it receives data from a tag for processing. Therefore, this data can and should be secured in a similar manner to securing data on a computer.

Securing Premises

Using traditional means of securing the premises (with lock and key) where tagged objects are found (for example, in a warehouse or on a factory floor) addresses some vulnerabilities associated with direct tag access. This solution works well if all tags are guaranteed to be in certain locations and are not expected to move outside of the four walls of an enterprise. Many RFID applications, however, require tagged objects to move between two or more enterprises and possibly into consumers' hands.

Using Read-Only Tags

Making tags read-only is a "designed-in" security measure that protects tag data from being changed or deleted by an unauthorized reader. However, by itself, this solution leaves data vulnerable to unauthorized readsespecially if tagged objects are easily accessible or public.

Limiting the Range of Communication Between Tag and Reader

Using operating frequencies and/or other physical attributes of the tag, reader, or antenna in order to limit the range of communication between a tag and a reader minimizes the degree of vulnerability. Although this solution effectively limits the potential threat of unauthorized readers accessing tag data, it does not guarantee secured communications at all times.

Implementing a Proprietary Communication Protocol

The strategy of implementing a proprietary protocol is useful for applications where interoperability and data sharing is not a requirement. It involves implementing a communication protocol and data encoding/encryption scheme that is not publicly accessible. Depending on the sophistication of the protocol and the underlying encoding method, this approach can offer a good level of security. However, with the benefits resulting from sharing RFID data (for example, among supply chain partners) and the adoption of wide-ranging RFID standards, proprietary protocols are not always practical. These proprietary protocols will hinder RFID data and application interoperability, which will result in fewer benefits at potentially elevated price points.

Shielding

Also known as the Faraday Cage approach, this technique involves enclosing tagged objects in materials such as metal mesh or foil that blocks electromagnetic wave penetration or propagation. Although this method effectively secures RFID tags, when the tag is shielded, RFID readers cannot read the tag either, thereby voiding RFID's benefits. For some RFID applications, temporarily shielding reduces the risk of unauthorized access. For example, the FasTrak electronic toll collection system in California provides users with a Mylar bag to encase their transponders when not driving through toll plazas. Applications that tag money or sensitive documents provide another example because the tagged objects can be placed in foil lined wallets, purses, or briefcases.

Using the Kill Command Feature

The Kill command is designed to disable a tag that is equipped to accept such a command. Upon receipt of the Kill command, the tag ceases to function and cannot receive or transmit data. Both shielding and the Kill command render the tag unreadable. However, shielding is not permanent because it can be removed and a tag can again become functional. On the other hand, a Kill command permanently renders the tag non-functional.

Killing a tag may be warranted in cases where the physical packaging of the tag does not permit shielding. EPCglobal has presented this solution as an effective means of ensuring consumer privacy after retail points of sale. The most significant advantage of this solution is the assurance of consumer privacy. Purchased items and associations to individuals cannot be tracked beyond their point of sale.

The primary disadvantage of this solution concerns limited tag functionality relevant to both consumers and businesses. Consider, for example, a scenario where a consumer returns an undamaged product such as an item of clothing. If the tag had previously been killed at the initial point of sale, the capability to efficiently update inventory, utilize smart shelves, and/or manage a supply chain was also terminated at the issuance of the Kill command.

In a more futuristic scenario, imagine that a milk carton is tagged with a variety of information including its price and expiration date. Imagine also that the refrigerator of the future has a built-in reader to alert the consumer when product expiration is near or has been reached. If the tag were killed at the point of sale, a consumer would not be able to utilize RFID's potential conveniences. In this case, alerting the consumer to use or replace the expiring carton of milk.

Physically Destroying a Tag

Physical destruction of a tag achieves the same results and possesses the same advantages and disadvantages as the Kill command. One added advantage to this solution, however, is that you don't have to wonder if the Kill command actually worked. However, in some applications, it is not always easy or possible to locate and remove a tagto destroy itbecause it may be imperceptible, inaccessible, or embedded.

Authenticating and Encrypting

Various authentication and/or encryption schemes can be used to ensure that only authorized readers can access certain tags and their data. An authentication scheme can be as simple as "locking" tag data until an authorized reader provides a valid password to unlock the data. More sophisticated schemes may include both authentication and encryption of data that provide more layers of protection. Although such schemes are not without their own vulnerabilities, cost is the most prohibitive factor in implementing sophisticated authentication and encryption solutions in RFID systems. If mandates require low-cost tagging for inexpensive items, the tags are likely to have reduced programmability for authentication and encryption. High-value items such as jewelry or military equipment may merit more expensive tags that can provide enhanced security.

Selective Blocking

This solution utilizes a special RFID tag known as a blocker tag to simulate the presence of a virtually infinite number of a subset of tags. This approach essentially blocks unauthorized readers from reading a subset of tags.

Selective blocking offers a versatile solution that minimizes some of the shortcomings of the previous techniques while avoiding the high cost associated with the more sophisticated solutions such as authentication and encryption. The combination of low cost and high security makes selective blocking an appropriate solution for implementing security in privacy sensitive consumer applications such as item-level tagging in retail stores^[2]. In this case, consumers can use blocker tags to prevent all nearby readers from detecting and tracking tags attached to items after purchase. At home, the consumer may opt to destroy or disable the blocker tag so that other readers (for example, the refrigerator of the future we described earlier) can function properly.

^[2] Blocker tags are not expected to be used widely until item-level tagging at the retail store level becomes prevalent. See Chapter 11, "Emerging Trends in RFID," for a discussion about item-level tagging.

Because the selective blocking technique requires writable tags, it cannot be successfully deployed in systems using read-only or chipless tags. The blocking technique can also be used maliciously by creating blocker tags that perform universal blocking or spoofing that can indiscriminately affect all readers within range and effectively mount a denial-of-service attack to disrupt the function of entire RFID systems. Although there are currently no commercially available solutions that can prevent or circumvent this problem, it is possible to build reader intelligence that detects spoofing problems and alerts an attendant.

Recommendations

No single security solution is suitable for every class of RFID application. In some cases, a combination approach may be necessary. For certain applications, security measures are specified by standards organizations such as ISO or EPCglobal, and are automatically available by compliant vendors. For example, ISO 15693which applies to vicinity cards (smart identification cards)specifies security measures related to tag data authentication, and is used for access control and contact-less payment applications.

Security, for RFID or otherwise, is a very complicated topic with challenging obstacles to overcome and complex solutions to implement. To deploy the most suitable scheme for securing RFID data in your application, we recommend that you do the following:

• Evaluate the unique advantages and disadvantages of all available solutions in the context of your RFID project.

• Consider the costs of implementing a particular security solution scheme.

• Weigh these costs against the risks and costs of vulnerability in your RFID project.

• Consult an RFID security expert or your trusted advisor vendor (discussed in Chapter 8, "Vendor Considerations and Landscape,") to help you with your decision.