For a technology that was expected to quietly transform back room operations, RFID chips are mak ing a surprisingly big splash out in the wider world. They're showing up on credit cards and golf balls. They've been embedded into racers' wrist bands and casino chips. Now RFID tags are about to burst onto the retail scene. In stores in Europe and in pilot stores in the United States, RFID tags have begun to appear on individual pieces of merchandise: books, pairs of jeans, bottles of drugs, DVDs and CDs.
Their appearance on the retail stage caught many by surprise. Until recently, most assumed that RFID tags would remain behind the scenes for several more years— tracking cases and pallets bound for retailers' DCs. Tags were thought to be much too expensive to use for tracking everyday items.
But that hasn't proved to be the case. As businesses began experimenting with RFID, some discovered benefits that easily offset the tags' costs. Pharmaceutical manufacturers, for example, found that sticking an RFID tag on a bottle of Viagra or OxyContin provided a drug "pedigree" that helped weed out counterfeits. Retailers discovered that item-level tagging saved them money by reducing out-of-stocks, deterring shoplifting and cutting the amount of labor needed to manage inventory and handle replenishment.
Though not yet commonplace, item-level tagging is no longer rare. This year, nearly 200 million tags will be attached to individual items, mainly apparel, books and drugs, according to research firm IDTechEx. Starting in 2007, item-level tagging will account for the biggest share of the world's RFID market by value, rising to an $11 billion market for tags and systems (out of a $26 billion total RFID market) in 2016.
The looming explosion in item-level tagging has left many worried about security risks. As long as RFID remained in the back room, communication among tags, readers and networks was relatively easy to secure. But as tags move out into the retail world, some experts fear they'll become the target of threats ranging from eavesdropping and data tampering to viruses.
Data at risk
"When it comes to item-level tagging, security is very, very important," says Kevin Ashton, vice president of marketing at ThingMagic, a Cambridge, Mass.-based vendor of RFID readers, sensors and other technologies. And as he sees it, the current technology, Generation 2, cannot offer that security without significant enhancements. "Gen 2 has done a very good job improving tag readability, and it is much better than Gen 1 in dealing with situations where there are multiple readers. Where it badly needs to be improved is in the area of security ... Gen 2 has a little bit more security than Gen 1, but it's absolutely not enough to give end users or the general public complete confidence in the system."
As item-level tagging takes off, so will the potential for mischief and sabotage. "Our real concern is unauthorized people reading the tags," says Ashton. For example, without additional security in place, retailers could easily obtain data to gauge how well a product—say, a newly launched videogame—is selling at a competitor's store. Unlike bar codes, RFID tags are able to uniquely identify individual items, making it possible to track how a product is selling. Someone with a scanner could walk down a store's aisles and track inventory on a shelf, charting sales of that videogame. "And because it's RFID-based, you can also do it without anybody knowing you are doing it," says Ashton.
Similarly, someone with a grudge against a particular retailer could use a scanner to collect critical sales data and leak it to the press. "If you are a publicly traded company, the last thing you need is a leak that your competitor sold 10 times as many new DVDs as you did," says Ashton. "That's just one scenario of why reader authentication is a good idea."
Those are just two of many possible scenarios. In a white paper posted on ThingMagic's Web site, "Generation 2 Security," Ashton describes other potential threats. For example, there's the possibility that a hacker might use a rogue reader to write new information to a tag (say, changing a price) or even kill the tag. There's also the risk that someone will replace a tag with a rogue tag (a tag from an unauthorized source) or clone tag (an unauthorized copy of a real tag) that transmits false data to a reader.
RFID tags are also vulnerable to data interception via what's known as a side-channel attack. In a side-channel attack (which Ashton likens to wiretapping without the wires), an interloper electronically eavesdrops on RF communications between tags and readers to obtain access to passwords or other confidential data.
Plugging the leaks
Given the variety of security risks, it's clear that the technology's vulnerabilities will have to be addressed before item-level tagging can really take off, says Ashton. That will mean security enhancements at the very least, and possibly the development of a new, Generation 3, protocol.
In his white paper, Ashton describes some security features that could be incorporated into future protocols (as well as some of the challenges they'd present). They include:
- Encryption. Storing encrypted serial numbers on tags would boost data security, but it would also raise significant technological challenges of "key" management (that is, distributing and managing the corresponding decryption key). Encryption doesn't eliminate tracking; it simply makes it more difficult. Also, any onboard encryption operations would boost the computational demands on tags— introducing new overhead and boosting the tags' price.
- Tagpasswords. Basic RFID tags already have sufficient resources to verify PINs or passwords, which could be a possible solution for protecting data. For example, a tag could be programmed to transmit critical information only if it receives the correct password. However, that raises the question of how to manage the passwords.
- Tag pseudonyms. RFID tags would change serial numbers each time they are read, which would eliminate the need to program the tags with passwords. This approach would make unauthorized tag tracking more difficult, but it would also introduce issues of pseudonym management. Ashton predicts that security will be the focus of growing awareness over the next six to 12 months. He adds that if developers start work soon, a new protocol could be ready by 2008 or 2009, just in time for the expected item-level tagging boom.
Not so fast ...
Not everyone agrees that it's time to abandon Gen 2. Executives at EPCglobal, the organization responsible for developing the standards for application of RFID tags and electronic product codes (EPC), consider talk of developing a new Gen 3 technology to be premature.
If the need arises, the agency may decide to consider security enhancements and optional features, says Sue Hutchinson, director of industry development for EPCglobal. But if it does, she says, EPCglobal will build them on the Gen 2 base—that is, develop a Gen 2, Class 2 product—rather than starting over again with a new Gen 3 standard.
Possible security enhancements to Gen 2 include additional password schemes or maybe even some light encryption on top of some of the locking mechanisms that are already in place, says Hutchinson. "We want to make sure we are all responsible users of the technology and that we've done everything we can to safeguard consumers and most importantly to safeguard the relationship that our end users have with the consumer community."
Texas Instruments (TI) is working with EPCglobal to make that happen. TI has endorsed an authentication method for tag data that can be either on- or off-network. According to Joseph Pearson, business development manager for TI's RFID Systems division, EPCglobal has created an EPC item-level serialization scheme for item tags that will serve as an electronic security marker unique to each product, enabling automated track and trace capabilities as well as real-time visibility of the product through the EPCglobal Object Name Service (ONS) network. ONS will act as a "traffic cop" and direct authorized network inquiries to the correct database hosting the desired data.
Theoff-network method enables RFID readers to authenticate the tag through a shared data encryption algorithm. When it comes to tracking a bottle of Viagra, an electronic security marker can be a digital signature generated via a public key infrastructure (PKI) and programmed into the tag's memory. An RFID reader is able to validate the tagged product because the reader is supplied with the appropriate manufacturer public key to authenticate the digital signature. By using a digital signature, a manufacturer's unique "electronic fingerprint" is created and programmed into the RFID tag, which can then be authenticated by an RFID reader without a network.
Concerns about RFID security aren't limited to private industry. The Department of Homeland Security (DHS) issued a report in July calling for increased attention to security issues. Although good physical security controls exist on the RFID systems in use by the government, the report noted, there are still some system security concerns that should be resolved. According to the government, "These security-related concerns, if not addressed, could increase the potential for unauthorized access to DHS resources and data."
