The Continuing "Myth" of RFID Security
The most recent issue of MIT's Technology Review raises a point that has been discussed by many senior executives in the authentication industry. Despite all of the hype and publicity, just how secure are the new Radio Frequency Identity chips that are supposed to be safeguarding, not only cargo being transported through our ports and cities, but our very identities as contained in Passports and the new "enhanced" drivers licenses?
Two key points from the article:
"As long as the remaining problems are ignored, though, it's unlikely that the technology will become good enough to protect international borders without compromising the privacy of thousands or millions of people" "While new ID technology seems likely to stay, it could become a fiasco if officials don't pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It's much less painful to swallow the news from them than to wait until a problem becomes embarrassing -- or devastating."
Based on some information I was provided in a conversation with an expert in the field, the infrastructure of the much-ballyhooed Oyster Card system used in the London transit system has broken down multiple times illustrating the shakiness of the still to be completed infrastructure to read the embedded RF chips.
Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the "smartcards" commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools. There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards. Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.
The hackers used an ordinary laptop computer to clone the "smart card" and then used it to program new cards.
Also related to the infrastructure question is the cost raised by the National Association of Chain Drug Stores (NACDS) that essentially concluded that the implementation of the use of the RFID technology to accomplish the Electronic Product Code in the Pharmaceutical industry in which RF chips have been all but declared the "solution" to counterfeiting, might approach a 1% cost increase.
"Until it is known what technology is chosen and the accompanying costs for implementation, it is difficult to determine the impact on costs," Chrissy Kopple, vice president of media relations for the National Association of Chain Drug Stores (NACDS), told RFID Update. "We anticipate significant differences in labor costs between 2D [bar code] and RFID in terms of reading the bar code, however we have also anticipated the potential for higher exception handling labor and processing costs due to unreadable RFID tags."
Now, when I was first confronted with RFIDs in the 2002-2003 timeframe, the question was "how is your solution different?" It was already assumed that RFID was the "standard" because of its adoption by the DoD and by large retailer and packaged goods companies. Even when witnessing the EPC/RFID presentation at the FDA meeting on Counterfeit Pharmaceuticals in 2003, while it wasn't clear that the chip was more than a supply chain tracker and locator, it was VERY clear (at least to me), that decisions had already been made (even if by the fact that EPC/RDIF got 15 minutes to present while everyone else got 4 minutes).
The next month or so following the first FDA meeting led to press hailing RFID as an identifier, a verifier, an authenicator etc. The question is whether the Rx industry, with all of the proof and empirical evidence that RFIDs can be cloned and/or reprogrammed, will relegate it to its rightful place (tracking a package through the supply chain, but not verify the authenticity of a product). Yet the "myth" expands...FDA has all but bought into EPC via RFID; DoD is using it for containers and a variety of applications; retailers are using it; RF is in the e-Passport, all with the assumed security. Ask the folks at RSA.
In a paper co-authored with staff at the University of Washington and internet security firm RSA, the team detailed how the RFID chips can be cloned from distances of up to 50 metres. They also found that a key anti-cloning technique recommended by the Department of Homeland Security (DHS) had not been used on the tags.
The problem of counterfeiting is a serious one. Leaping to the conclusion that one approach is the sole solution is "odd." In almost every case, the solution will involve a set of technologies.