Tag hackers raise major security questions
23 August, 2006
category: Contactless, Financial, Library, RFID
Massive data sharing presents the biggest threat
By Anne Zieger, Contributor, RFID Operations
This article originally appeared in a 2005 issue of RFID Operations.
Over the last few months, some high-profile hacks have brought attention to the security problems individual RFID tags face.
In one recent case, a hacker changed data found in retail smart labels, using only a PDA-based reader and home-brewed software. In another, researchers compromised tags used for millions of car immobilizers and Smart Tag toll systems.
With the publicity those hacks have gotten, managers rolling out RFID may be wondering if tag security will become their next major headache. As it turns out, though, those concerns are probably misplaced.
While tag vulnerabilities are definitely worth keeping in mind, there are far more important security challenges for RFID operations managers to consider over the next year or two, experts say.
In building a rich database full of RFID-enhanced data—and sharing that data with partners—enterprises are taking on far more risk than any breach of an individual tag could create, says Dave Harty, chief technology officer of Marlton, N.J.-based Acsis Inc., a consulting firm specializing in enterprise data collection.
“If we’re going to gather all of this data, in a world where people are talking about sharing it all, that’s where you have to worry,” Harty says. “It’s a flood of data that paints a picture that currently doesn’t exist.”
New worries?
On the surface, the security flaws exposed by these recent exploits might seem to be enough to give RFID executives new worries.
In one case, using software he designed for the purpose, German consultant Lukas Grunwald removed read-only data from passive-tag smart labels and inserted data from other retail products. The exploit took place at a “Future Store” demonstration site run by the Metro retail chain. (Grunwald’s software is available for download at no cost at www.rf-dump.org/).
In another incident, consultants from RSA Security teamed with researchers from Johns Hopkins University to crack the security on widely used chips found both in car immobilizer systems and “Smart Tag” systems used to pay highway tolls. The student-consultant team broke into a proprietary 40-bit encryption system found on the Texas Instruments digital signature transponder. Once inside the DST, they retrieved password information, then used the stolen password to buy gasoline with an illicit SpeedPass at an ExxonMobil station. (Details available at www.rfidanalysis.org.)
While the two security breaches are quite different technically—the German hacker changed a few bits, while the research team had to guess an encrypted password—both draw attention to the fact that there’s only so much you can do to protect individual tags.
“As long as the tags are going to be really inexpensive and sold in high volume, it’s going to be very difficult to add any real functionality for authentication,” says Ravi Pappu, co-founder of Cambridge, Mass.-based RFID reader vendor ThingMagic LLC.
Not only can the tags be compromised, in theory they can also be spoofed—a trick in which a hacker creates a false tag and uses it in place of the genuine tag. “Ultimately, there will have to be some kind of authentication scheme [on tags] which tells readers ‘I’m the real tag,’” says Mark Carleo, vice president of the supply chain practice at Woburn, Mass.-based IT professional services firm Collaborative Consulting.
Low on the list
Still, compromised tags aren’t high on the list of things enterprise RFID managers should focus on, experts agree.
For one thing, while the smart label episode does illustrate a potential problem, it’s unlikely that an industrial spy could get enough information from passive tags to make much of a difference, even after cracking a tag’s security protections, consultants say.
Besides, most passive, short-range tags being used in back-end supply chain operations aren’t very accessible to potential info-thieves. In fact, to read tag information, an invader would have to be allowed free rein of corporate facilities, notes John Greaves, global leader of Deloitte Consulting’s RFID technology initiative team.
“At that point, the issue would be corporate security, [not RFID security], because someone allowed someone with a reading-writing device into a corporate setting, and then allowed them to be within a few inches of the tags,” Greaves says.
Meanwhile, as for the Smart Tag/immobilizer break-in, the solution to the problem is pretty straightforward, researchers suggest. In short, they say, if your company wants tighter security for semi-passive tags, use widely-tested security technology rather than the proprietary approach used in this case.
Because the Texas Instruments tag uses a private, proprietary encryption/decryption scheme, the broader community of security experts has never had a chance to poke holes in the scheme. However, if TI used a public encryption scheme, it would get a stronger result, thanks to hackers working voluntarily to improve the system, Pappu says.
But even with the proprietary algorithm, there hasn’t been a single reported instance of this tag being hacked by malicious users in the field, says Bill Allen, a TI spokesman. “Yes, it can be read in a lab environment, but after eight years we still have had no fraud reported around this particular transponder,” he says. “We still feel like people using it are still very safe.”
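The spoofing problem Carleo raises and the proprietary-versus-public-cipher point Pappu makes can both be seen in a small reader/tag simulation. This is an added example, not code from the article or from any vendor it mentions; the tag IDs, the 16-byte key, the reader's key table and the class names are all constructed for illustration, and HMAC-SHA256 stands in for whatever keyed primitive a real tag could afford.

```python
"""Added example (not from the article): a reader facing a static-ID tag versus a
reader that issues a fresh challenge and verifies a keyed response. Tag IDs,
keys and class names are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed key table a reader holds for the tags it trusts (tag ID -> 128-bit key).
KEY_TABLE = {
    "E200-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


class StaticIdTag:
    """Tag that only answers with its identifier; there is nothing to authenticate."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, _challenge):
        return self.tag_id


class AuthenticatingTag:
    """Tag holding a per-tag secret; answers a challenge with a truncated HMAC."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, self.tag_id.encode() + challenge, hashlib.sha256).digest()
        return self.tag_id, mac[:8]  # 64-bit tag keeps the air-interface response short


class ClonedTag:
    """Copy that knows the ID and one overheard (ID, response) pair but not the key."""

    def __init__(self, tag_id, captured_response):
        self.tag_id = tag_id
        self.captured = captured_response

    def respond(self, _challenge):
        return self.captured  # can only replay; cannot compute a MAC for a new challenge


def reader_check_static(tag):
    """Reader policy for static-ID tags: accept any known ID. Cannot tell a copy apart."""
    return tag.respond(b"") in KEY_TABLE


def reader_check_auth(tag, rng=secrets.token_bytes):
    """Reader policy: fresh random 64-bit challenge, then constant-time MAC comparison."""
    challenge = rng(8)
    tag_id, mac = tag.respond(challenge)
    key = KEY_TABLE.get(tag_id)
    if key is None:
        return False  # unknown tag ID: nothing to verify against
    expected = hmac.new(key, tag_id.encode() + challenge, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, expected)


def demo():
    """Run both reader policies against a genuine tag and a replaying clone."""
    genuine = AuthenticatingTag("E200-0001", KEY_TABLE["E200-0001"])
    captured = genuine.respond(b"\x00" * 8)  # one session overheard and stored
    clone = ClonedTag("E200-0001", captured)
    return {
        "static_genuine": reader_check_static(StaticIdTag("E200-0001")),
        "static_copy": reader_check_static(StaticIdTag("E200-0001")),  # a copied ID is enough
        "auth_genuine": reader_check_auth(genuine),
        "auth_clone_replay": reader_check_auth(clone),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A reader that accepts a static identifier has nothing to check, so a copied ID passes; the challenge-response reader rejects the replayed answer because each session uses a fresh challenge the clone has never seen. The cost is exactly what Pappu describes: the tag must store a per-tag secret and compute a keyed function, which a passive label sold by the million may not afford, and the keys must be provisioned and protected on the reader side. The primitive used here is public and widely reviewed, which is the property the DST's proprietary 40-bit scheme lacked.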
Protecting the data
For the near term, rather than fretting about the security of individual tags, managers should be worrying about the security of their RFID-fueled operations database, consultants say.
After all, the aggregated information produced by implementing RFID can offer competitors a much more revealing portrait of their operations than had ever been possible before. For example, with cases being tracked individually, companies can collect information on inventory status throughout the supply chain. And that information could be turned into gold by competitors, Harty notes.
“If I know what a facility is producing, and how much is going through their distribution channels, I get a pretty good picture of their manufacturing capacity,” Harty says. “It may not say exactly what their lines are capable of, but that’s easily engineered if you know how many cases are being shipped and where they are in the supply chain.”
As companies open up these databases to supply chain partners—a necessary step in the supply chain integration process—it’s inevitable that they’ll expose some of this data.
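Harty's inference, and the exposure that comes with opening the database to partners, can be shown on a few constructed scan records. This is an added example, not code from the article or from Acsis; the facilities, partners, dates and SGTIN-shaped EPC values are made up, and `partner_view` is one illustrative minimization policy rather than any standard.

```python
"""Added example (not from the article): what raw case-level RFID data reveals
about a facility, versus a minimized per-partner feed. All records below are
constructed sample data."""
from collections import Counter
from datetime import date

# Constructed reads: (EPC, shipping facility, destination partner, ship date).
SCAN_EVENTS = [
    ("urn:epc:id:sgtin:0614141.100001.1", "plant-A", "retailer-X", date(2005, 3, 1)),
    ("urn:epc:id:sgtin:0614141.100001.2", "plant-A", "retailer-X", date(2005, 3, 1)),
    ("urn:epc:id:sgtin:0614141.100001.3", "plant-A", "retailer-X", date(2005, 3, 2)),
    ("urn:epc:id:sgtin:0614141.100001.4", "plant-A", "retailer-X", date(2005, 3, 3)),
    ("urn:epc:id:sgtin:0614141.100001.5", "plant-A", "retailer-Y", date(2005, 3, 2)),
    ("urn:epc:id:sgtin:0614141.100001.6", "plant-A", "retailer-Y", date(2005, 3, 4)),
    ("urn:epc:id:sgtin:0614141.100001.7", "plant-A", "retailer-X", date(2005, 3, 8)),
    ("urn:epc:id:sgtin:0614141.100001.8", "plant-A", "retailer-X", date(2005, 3, 9)),
    ("urn:epc:id:sgtin:0614141.100001.9", "plant-A", "retailer-Y", date(2005, 3, 8)),
    ("urn:epc:id:sgtin:0614141.100001.10", "plant-A", "retailer-Y", date(2005, 3, 9)),
    ("urn:epc:id:sgtin:0614141.100001.11", "plant-A", "retailer-Y", date(2005, 3, 10)),
    ("urn:epc:id:sgtin:0614141.100001.12", "plant-B", "retailer-X", date(2005, 3, 3)),
    ("urn:epc:id:sgtin:0614141.100001.13", "plant-B", "retailer-X", date(2005, 3, 9)),
    ("urn:epc:id:sgtin:0614141.100001.14", "plant-B", "retailer-X", date(2005, 3, 10)),
]


def iso_week(d):
    """Coarsen a date to its ISO week label, e.g. 2005-W09."""
    year, week, _ = d.isocalendar()
    return f"{year}-W{week:02d}"


def facility_throughput(events):
    """What anyone with raw access derives: cases shipped per facility per week,
    across every customer. This is the capacity picture Harty describes."""
    return Counter((facility, iso_week(d)) for _, facility, _, d in events)


def partner_view(events, partner):
    """Minimized feed for one partner: only cases consigned to that partner,
    originating facility withheld, date coarsened to the ISO week."""
    return [(epc, iso_week(d)) for epc, _, dest, d in events if dest == partner]


def partner_visible_counts(events, partner):
    """What the partner can reconstruct from its own feed: its own volume per week."""
    return Counter(week for _, week in partner_view(events, partner))


if __name__ == "__main__":
    print("raw access reveals:", dict(facility_throughput(SCAN_EVENTS)))
    print("retailer-X feed reveals:", dict(partner_visible_counts(SCAN_EVENTS, "retailer-X")))
```

Anyone with access to the raw case-level table can compute `facility_throughput`, the week-by-week output of each plant across all customers. The partner feed keeps only the cases consigned to that partner and withholds the originating facility, so the partner can reconcile its own receipts but cannot count what a plant ships to anyone else. The feed still reveals the partner's own volume over time, so minimization of this kind complements, rather than replaces, access control on the shared database.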
It’s these kinds of intrusions, not tag-level hacking stunts, that should keep RFID managers on their toes, suggests Deloitte’s Greaves. “These [hacking] exercises are useful in reminding people that RFID, like any other product, comes with its flaws,” Greaves says. “But are they relevant to issues that aren’t already relevant to the supply chain? No.”