Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Mobile
    • Networking

    The Real RFID Security Issue

    By
    Eric Lundquist
    -
    March 22, 2006
    Share
    Facebook
    Twitter
    Linkedin

      BOSTON—Are RFID systems secure? This is a good question and one that should be asked before your company jumps on the RFID bandwagon.

      The question recently acquired an added urgency when a Dutch researcher presented a paper outlining a possible security hole. The answer may lie in cats, cell phones and making sure that you treat all the data in your network as worthy of security scrutiny regardless of the source.

      In the research paper, a group of researchers from the Computer Systems Group at Vrije University in Amsterdam raised the issue of an RFID tag being used as a carrier for SQL injection attack on the underlying software identification and tracking system. The paper is available as a pdf here and its presentation set off a storm of attacks, not from virus writers but from RFID vendors and consultants downplaying the likelihood of such an attack.

      “Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design,” stated AIM Global president, Dan Mullen.

      /zimages/2/28571.gifDutch researchers create RFID malware. Click here to read more.

      “In other words, the researchers built a system with a weakness and then proceeded to show how the weakness could be exploited. Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data will create vulnerabilities.”

      AIM is a trade organization representing automatic identification vendors, among others. In the controversial Dutch research paper titled, “Is Your Cat Infected with a Computer Virus?” the researchers note that, “RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted.”

      The researchers contend that the implicit trust is unfounded and, “The security breaches that RFID deployers dread most—RFID malware, RFID worms and RFID viruses—are right around the corner.”

      Viruses entering an RFID system would indeed be a massive problem. Tracking down and eradicating viruses in e-mail systems is an ongoing and costly battle for IT administrators the world over.

      But e-mail systems dealing with thousands (and even at big companies, tens of thousands) of messages a day are still small systems compared to the millions of inputs that an RFID system tracking every product in a companys inventory would generate as those products move along the supply chain.

      While the researchers are essentially saying that if you take a good RFID chip, replace it with a viruss coded chip, let the scanning take place as usual and soon you have that piece of bad code doing its dastardly deeds in your RFID system.

      The cat in the papers title refers to a hypothetical veterinarian pet identification system that gets infected and ultimately freezes and displays, “the ominous message: All your pet are belong to us.” The bad English is a take off on a phrase that appeared in the Japanese game Zero Wing and refers to a self-propagating phrase for the whole story.

      The research findings have been attacked by RFID defenders as faulty. RFID chips, while simple devices, can be locked down, encrypted and dont present any more vulnerabilities than any other system such as bar codes, goes the argument.

      According to RFID defenders, if you incorporate bit checking, parameter checking and all the other safeguards associated with good system design in this era of security concerns, your cat will be safe.

      I think the researchers were right to raise the issue and the RFID defenders were right to raise their rebuttals.

      Next Page: Assume nothing about RFID security.

      Assume Nothing About RFID


      Security”>

      So what should you do as someone considering developing or deploying RFID systems at your company?

      “Companies who use tags must not assume that the data they read from the tags was not put there by somebody else. Just like when writing Web applications, you have to assume any input from the outside world may contain malicious or corrupted data,” stated Yossi Oren, a researcher at the Weizmann Institute of Science in Israel in an e-mail exchange.

      I contacted Oren because he was the researcher who, along with Adi Shamir (a professor at the institute and one of the worlds top security authorities), sent a shock wave through the RFID community when speaking at the RSA Security conference. Shamir outlined the possibility of hacking RFID chips with a cell phone.

      While RFID chips dont have a built-in power supply, they do signal their identity to a reader using the readers power. Through the use of a directional antenna and measuring power consumption, Shamir contended a hacker could discover a password based on the RFID systems reaction to a “bad bit.” Once discovered, the password can be used to shut down the chip.

      “What are the implications for the future?,” Shamir asked the attendees at RSA. “I think the first generation [RFID chips] are very, very vulnerable to a very cheap kind of attack. While we havent implemented it, we believe the cellular telephone has all the ingredients needed to carry out such an attack.

      /zimages/2/28571.gifClick here to read about how RFIDs high cost is detering businesses.

      “It [the cell phone] has a software radio and if you can tweak it enough you can just walk around and kill all the RFID tags in the vicinity,” said Shamir.

      I asked Oren if, since that presentation, their concerns about RFID vulnerability via power consumption metering had been confirmed for newer chips (Gen 2) as well as the older ones.

      “We are currently working on applying our results to newer [Gen 2] tags. We have some in the lab right now. When we have convincing results, they will be posed on the Web site.

      The lesson for IT executives is dont assume your RFID system is secure simply because you are using hardware chips in the process. You need to apply the same security best practices to your RFID system that you would to any critical corporate information system.

      /zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Eric Lundquist
      Since 1996, Eric Lundquist has been Editor in Chief of eWEEK, which includes domestic, international and online editions. As eWEEK's EIC, Lundquist oversees a staff of nearly 40 editors, reporters and Labs analysts covering product, services and companies in the high-technology community. He is a frequent speaker at industry gatherings and user events and sits on numerous advisory boards. Eric writes the popular weekly column, 'Up Front,' and he is a confidant of eWEEK's Spencer F. Katt gossip columnist.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Careers

      SThree’s Sunny Ackerman on Tech Hiring Trends

      James Maguire - June 9, 2022 0
      I spoke with Sunny Ackerman, President/Americas for tech recruiter SThree, about the tight labor market in the tech sector, and much needed efforts to...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×