The demo at Defcon of RFID tag cloning by German security company DN-Systems has prompted a large print company to defend the use of RFID tag systems.
The program demonstrated at Defcon is a free program called RF-Dump, which runs under Linux and was written by Lukas Grunwald, a German consultant. It allows anybody with a suitably equipped (small) computer (e.g. a Sharp Zaurus) running the program to read and write data within RFID tags of many types anywhere.
Understandably, these findings and the widely publicised Defcon demo have caused some consternation in the supply chain industry, which uses RFID tags to control e.g. pallet movements.
The Strategic Business Development Manager for EMEA, Otto Kilb, at Printronix, a large print company, defends the use of the technology: "No technology is 100 per cent secure, and it seems that RFID is the latest innovative technology to come under scrutiny from the security doom-mongers. I applaud the security firms for identifying these potential flaws, but that is all they are: potential flaws.
"The supply chain has faced such risks for years, as barcodes were never 100 per cent secure, but the business advantages RFID brings to the market far outweigh the risks. Gen 2 tags incorporate strict security protocols (such as passwords to protect against counterfeiting) and security firms are developing techniques to increase encryption methods to protect critical data. Additional tag security features are being developed continually, so while there are risks there really isn't any reason to panic. Take sensible precautions and your data should be safe."
This attitude, based on a layman's understanding of security, is by and large correct enough. Most low-level attacks against RFID tags used for supply chain management will probably cause either just a nuisance or limited fraud/theft.
However, a real issue is the potential for high-level crimes such as terrorist attacks, e.g. by replacing innocent pallets with less innocent versions carrying identical tags, or large-scale thefts. A constant problem of technical security is the defence against a motivated, resourceful attacker, and it is in this context that the use of RFID tags should be seen. In other words, a risk management attitude should be applied to the implementation of these tags, and they should only be implemented where they are fit for purpose as shown by a risk assessment.
Additionally, a number of privacy issues exist and develop as the use of RFID tagging for many different purposes increases, particularly where the tags are integrated into products without the knowledge of the end user.
So, as the security surrounding RFID tags is increased, their safe use can be expanded. If the RFID industry had taken proper security into consideration from the outset, its expansion would have been faster and more profitable, and this scrutiny and debate would have gone away immediately. As it is now, the industry needs to play catch-up, which is always a more costly game than proactive security.
Realising this, new research is being started at Johns Hopkins University, aiming to address RFID tag security and privacy issues - see links below.
Related links:
www.dn-systems.de/press/wsp0410.pdf
http://www.rfid-cusp.org/
http://www.jhu.edu/~gazette/2006/25sep06/25smart.html
www.printronix.com/