Assume Nothing About RFID
Security"> So what should you do as someone considering developing or deploying RFID systems at your company? "Companies who use tags must not assume that the data they read from the tags was not put there by somebody else. Just like when writing Web applications, you have to assume any input from the outside world may contain malicious or corrupted data," stated Yossi Oren, a researcher at the Weizmann Institute of Science in Israel in an e-mail exchange.While RFID chips dont have a built-in power supply, they do signal their identity to a reader using the readers power. Through the use of a directional antenna and measuring power consumption, Shamir contended a hacker could discover a password based on the RFID systems reaction to a "bad bit." Once discovered, the password can be used to shut down the chip. "What are the implications for the future?," Shamir asked the attendees at RSA. "I think the first generation [RFID chips] are very, very vulnerable to a very cheap kind of attack. While we havent implemented it, we believe the cellular telephone has all the ingredients needed to carry out such an attack. Click here to read about how RFIDs high cost is detering businesses. "It [the cell phone] has a software radio and if you can tweak it enough you can just walk around and kill all the RFID tags in the vicinity," said Shamir. I asked Oren if, since that presentation, their concerns about RFID vulnerability via power consumption metering had been confirmed for newer chips (Gen 2) as well as the older ones. "We are currently working on applying our results to newer [Gen 2] tags. We have some in the lab right now. When we have convincing results, they will be posed on the Web site. The lesson for IT executives is dont assume your RFID system is secure simply because you are using hardware chips in the process. You need to apply the same security best practices to your RFID system that you would to any critical corporate information system. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
I contacted Oren because he was the researcher who, along with Adi Shamir (a professor at the institute and one of the worlds top security authorities), sent a shock wave through the RFID community when speaking at the RSA Security conference. Shamir outlined the possibility of hacking RFID chips with a cell phone.