Is RFID in Your Future? - Page 4

 By Beth Cohen
Page 4 of 4   |  Back to Page 1
Print Article

Disadvantages and Security Issues

As with all revolutionary technologies, RFID has its disadvantages and problems. Developed originally at a time when security was not the critical issue it is today, the standards make it difficult to incorporate after the fact. Like the medical ID tag example above, the paranoid Orwellian view of using RFID for tracking our citizens in every way can quickly get out of hand.

As with supply chain integration, RFID technology has the potential to allow suppliers, customers, and other firms in the industry access to critical competitive information. However, unlike ERP and supply chain integration where the information sharing is usually voluntary, with RFID it could be used to gather the information clandestinely because it is so anonymous. That means that your competitors could possibly steal information about your company from right under your nose.

Unless the encryption is very good, the RFID unique identifiers can be duplicated. This was a major problem in Europe a few years ago when cell phones were first introduced on a large scale. Until the telecoms changed the technology to prevent it, a major European cottage industry was using stolen cell phone identification codes to steal phone service.

The underlying RFID authentication mechanism is the same as the more common swipe cards, but they have some additional serious security drawbacks. Because swipe cards require physical proximity -- i.e. you need to be in physical possession of the card -- unless you stole or borrowed the card from the owner, it is difficult to gain access. The IDs on passive RFID cards, on the other hand, can easily be stolen using a sniffer and a power source without the knowledge or consent of the ID's owner.

One major problem with passive RFID systems is that the power source comes from the receiver, not from within the RFID itself. This makes the tags cheaper and more robust, but it also makes them vastly less secure. Once the tag is in proximity of an RF power source, it will happily continue to broadcast the ID information to anybody and anything -- good guys and bad. As mentioned earlier, it would be a trivial hack to sit in the lobby of the corporate headquarters of a major company with a device in a briefcase and collect IDs as people pass by.

Because they are passive and do not have the capacity for read/write, the current RFID systems do not allow the use of public/private key pairs, challenge/response for authentication, or any other form of active authentication. It would be orders of magnitude more difficult for a hacker to collect the IDs if a tag was active and returned an ever-changing authentication key, similar to the SecureID technology that has been around for almost ten years.

There has been some recent work done on creating RFID tags that have limited read/write capability. There will be many opportunities for creating more secure tags once read/write technology has been perfected. It would then be possible to create proper challenge/response systems with one-time passwords. While this would not stop the highly determined hacker from hacking the challenge system, it would certainly slow them down and make the hack that much harder.

Where It's Headed

In conclusion, as the cost of deploying Radio Frequency Identification technology has plummeted, the potential uses in business have increased significantly. In the future, we can expect the costs of RFID to continue to decline, and there will be a corresponding increase in standardization between vendor products. RFID will quickly expand beyond the retail industry where it is now heavily concentrated, into the healthcare arena, government sector, and wherever else there is a need to track large numbers of moving or transportable items. Once the issues of improved security have been addressed, this technology has the potential to literally inventory the entire world.

» See All Articles by Columnist Beth Cohen

This article was originally published on Jun 3, 2003
Get the Latest Scoop with Networking Update Newsletter