RFID is hailed by its fans as a tool that will revolutionize the supply chain by streamlining product tracking. Yet as Wal-Mart and other big retailers forge ahead on 2005 deadines for initial compliance, security risks are coming to light that could conceivably raise mayhem not just on retail shelves, but all the way back to warehouses, loading docks and vehicles in transit.
The current brouhaha over RFID began last week when Lukas Grunwald announced the creation of a software tool called RFDump. At the Black Hat Briefings, a security conference in Las Vegas, the German developer explained that his RFDump software makes it possible for a laptop or PDA user, armed with an RFID reader and power supply, to tamper with the EPC (Electronic Product Code) data stored in ISO 15693 RFID tags.
Grunwald spoke mostly about possible impacts on retail stores, but he also mentioned in passing that, at some point, somebody will probably place a root exploit on an RFID tag to hack all the way back into the supply chain.
I can foresee possible abuses that are the stuff of science fiction novels. I bet you can, too. If, as Grunwald predicted, a shopper might reprogram a bottle of shampoo as cream cheese in a retail store, think what fun pranksters (or competitors) might get out of reprogramming cartons, cases or pallets of shampoo in huge warehouses!
Crooks could get into the RFID act, too, adopting the supply chain as a platform for all kinds of daring, techno-abetted schemes and ruses.
Who knows? Terrorists might even try to haul truckloads of arms over U.S. borders, mislabeled on RFID tags as baseball bats or fishing rods.
Probably none of those misfortunes will ever ensue, but at the same time, some major retail and government customers are trying hard to push RFID adoption, and on very quick deployment schedules. Wal-Mart has mandated that its top 100 suppliers support RFID by January 2005, with smaller ones to follow in 2006 and 2007. Retailers Target and Albertsons have established spring 2005 as their deadlines for Phase One compliance.
The U.S. Deptartment of Defense has likewise set 2005 as the time for its suppliers to conform to RFID. Presumably, however, military suppliers will be using tamperproof tags.
Yet the RFID tags used by many retail stores will store data in unencrypted clear text, just dandy for easy reprogramming. Why? Its still quite costly to buy the type of RFID tags that have chips capable of crunching cryptographic keys.
But hey, wait a minute! Could this be deja vu all over again, sort of? Although different in some ways, RFIDs security issues do harken back a bit to troubles plaguing the 802.11 Wi-Fi market over the past couple of years. Now being replaced with the newer IEEE 802.11i, Wi-Fis earlier WEP encryption protocol was characterized by some major flaws, including a weak encryption algorithm and no mechanism for distributing encryption keys.
Just as importantly, untold numbers of Wi-Fi users havent even been bothering to turn on WEP encryption.
And guess what? In entries in Internet newsgroups, drive-by hackers have mentioned Wal-Mart warehouses, among other places, as particularly easy pickings for Wi-Fi eavesdropping.
Meanwhile, even before Grunwalds talk at the Black Hat Briefings, industry analysts were already citing other lingering problems with RFID, ranging from standardization to tag pricing and performance.
In a report issued in June, AMR Research noted that, with compliance deadlines rapidly approaching, the RFID industry is still without a single global standard, even though a couple of organizations—ePC Global and the ISO—are each striving in that direction.
According to the same report, 10 percent to 20 percent of RFID tags are “dead on arrival.” Tags that pass initial inspection can only be read 80 percent to 90 percent of the time.
So in August of 2004, is RFID really ready for prime time yet? With unprecedented security problems starting to rear their heads, too, it might be best to stick with pilots and other limited deployments for the moment, if you can.