BOSTON—I caught up with Kevin Ashton just as he was getting back into Boston following a red-eye flight.
Kevin is currently the vice president of marketing at RFID vendor ThingMagic in Cambridge, Mass. Moreover, he was one of the co-founders of MIT's Auto-ID Center, and was an associate director at Procter and Gamble.
He's about as close to “Mr. RFID” as you are going to find.
I figured he would be good and grumpy after an all-night flight and ready to take on the two big current questions regarding RFID security: Is it really that easy to introduce an errant virus into an RFID network via a rogue chip, and can the power signals running between an RFID chip and the reader be intercepted for nefarious purposes? He was ready for both questions.
“The Dutch kids with the RFID paper? That was just a piece of rubbish, frankly. They treated data as if it was code, which no one would do. It would be like driving a car with a blindfold and then concluding that all cars were unsafe,” said Ashton.
Ashton, warming to the topic, attributed the wide play the researchers from Vrije University received to the confluence of two topics, RFID and security, that stirred the media interest.
“The most important aspect of RFID security is to implement security practices that already exist for other kinds of network technology. Ninety-nine percent of security concerns in RFID can be addressed by existing technology. They are solved problems,” Ashton said.
No standard corporate security practices or information professionals would confuse data with code as the Vrije researchers did, Ashton contends.
So, toss out the Dutch paper, but what about the ability to intercept RFID signals as was implied by Adi Shamir? That type of intercept presents more of a challenge, said Ashton.
“The more interesting problems are how to secure the connection between the tag and the reader,” Ashton said.
He explained that RFID systems are tremendously asymmetric. The chips, in order to be low-cost, are extremely simple and “dumb,” while the readers have a lot of computing horsepower.
Two other factors come into the security consideration.
First, the communication takes place over the open air, which is difficult to secure.
Second, the “very nature of an RFID tag is to be promiscuous and to talk to anyone,” he said.
Combine those factors with the speed with which tagged products move through the manufacturing and distribution channels and the potential of billions of tagged products being tracked, and concepts such as encryption or two-key identification have to be tossed out as too slow and too unwieldy.
The answer, Ashton contends, lies in keeping the tagged data simple and exactly defined by parameters, while “putting all the interesting and secret stuff on the network where you can protect it more easily.”
The remaining issue is how to allow the RFID chips to keep their unique identifiers (electronic product code) but not allow them to be easily identified by unauthorized readers.
Just as you can identify a Boston area phone number by its 617 area code, unique identifiers can provide more information than a company might want to provide.
Random numbers as identifiers might be an answer, said Ashton.
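An added illustration (not from the interview or from any vendor's code) of the two ideas above: the tag carries only a random, exactly formatted identifier, and the back end treats whatever the reader reports strictly as data. The 24-hex-character tag format, the SQLite store, the function names and the sample values are assumptions made for this sketch.

```python
import re
import secrets
import sqlite3

# Assumption: a tag carries only a 96-bit identifier, reported as 24 hex characters.
TAG_ID = re.compile(r"[0-9A-F]{24}")


def open_registry():
    """In-memory stand-in for the protected, network-side database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag_id TEXT PRIMARY KEY, epc TEXT, detail TEXT)")
    return db


def enroll(db, epc, detail):
    """Issue a random tag identifier; the structured EPC stays on the network."""
    tag_id = secrets.token_hex(12).upper()  # 96 random bits, no embedded meaning
    db.execute("INSERT INTO items VALUES (?, ?, ?)", (tag_id, epc, detail))
    return tag_id


def resolve(db, raw):
    """Map a tag read to its record, or None if the read is malformed or unknown."""
    if not isinstance(raw, str) or not TAG_ID.fullmatch(raw):
        return None  # anything outside the exact format is dropped, never interpreted
    # Bound parameter: tag content is never spliced into the SQL text.
    query = "SELECT epc, detail FROM items WHERE tag_id = ?"
    return db.execute(query, (raw,)).fetchone()


if __name__ == "__main__":
    db = open_registry()
    # Constructed sample record; the EPC and description are made up for the demo.
    tag = enroll(db, "urn:epc:id:sgtin:0614141.112345.400", "pallet 7, dock B")
    # Constructed reads: the enrolled tag, an unknown tag, and a malformed payload.
    for read in (tag, "0" * 24, "A1B2' OR ''='"):
        print(repr(read), "->", resolve(db, read))
```

An unauthorized reader that captures the identifier learns nothing from it, because the mapping to the product code exists only in the registry.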
While security is certainly a consideration, equally important right now in RFID deployments are location and organization.
RFID systems are often destined to be deployed in areas where IT infrastructure has not existed, including warehouses and remote manufacturing plants.
And as few companies have RFID departments, trying to determine who is in charge of evaluation, deployment and budgets is a corporate consideration just now being undertaken.
While location and organization may be equal or greater considerations than security, in RFID the security issue is the one that gets the headlines, Ashton said.