RFID Insecurity

May 1, 2007
A lot of people feel insecure about RFID security.

At RFID World this month, the topics of privacy and security were raised, but not answered. In fact, answers to these concerns are hard to specify simply because they're so dependent on your application, product, physical security procedures and other considerations. In short, a lot of people feel insecure about RFID security.

However, concerns about RFID security are, in many cases, overblown and in other cases, there are some useful countermeasures.

One of the more widely discussed potential threats to RFID-based labels is the possibility of changing the product information on the label from, say, a high value product to a low value one or, in the case of a pharmaceutical, from a low concentration medication to a high concentration one. Another popular topic is the suggestion that tags can be duplicated or cloned to change the identity of a product for nefarious purposes.

Consider, for a moment, the current situation. It's equally possible to change a bar code label to show a different product code. And, if we are using RFID in addition to bar codes, whether as separate labels or as a single bar code and RFID label, there is redundancy in the data on the carton or pallet. So, simple physical attributes of the carton or pallet—that is, the presence of a label with both bar code and human readable information on it—can, or should, render the probability of success of this type of ploy fairly low. That is, of course, assuming some diligence on the part of someone somewhere along the supply chain or in the warehouse.

If that's too much to assume, what else can you do to help make sure that the data on the RFID label you put on a product isn't tampered with?

Perhaps the most powerful tool available at this point, aside from locking the data on the tag, is the use of a foundry-encoded, full ISO Tag ID. This Tag ID is a globally-unique number written to the tag at the time of manufacture. It precedes any user data on the tag and cannot be changed. The Tag ID, therefore, can serve as a key pointer to a database where data you have written to the tag can be compared against data on the tag.

It's important to note, however, that there are different types of Tag IDs. Gen2 UHF tags that comply with the EPCglobal Tag ID format include only a manufacturer and batch number and are, therefore, not unique and cannot provide any security.

Another caveat is that some vendors offer certain 13.56 MHz tags that do not have a pre-programmed Tag ID. The Tag ID is programmed by the user. This can be useful if you have to replicate a damaged or unreadable tag but cannot provide security. It also means that any application using 13.56 MHz tag with that protocol (there are several ISO protocols for 13.56 MHz) cannot rely on the Tag ID for security. There are, on the other hand, other 13.56 MHz tags using different protocols that can rely on the Tag ID for security.

No system that relies solely on RFID can be 100% secure. Database validation, human scrutiny, and physical security measures also need to be employed. Rather than focusing on the supposed "insecurity" of an RFID system, we should look at an application as a whole. Security measures are, or should be, already in place for any sensitive or high value application. In other words, we can stop being insecure about RFID and view RFID labels, with a reliable Tag ID, as a tool to add yet another level of security to what should already be a reasonably secure application environment.

Bert Moore

Latest from Transportation & Distribution