Radio Frequency Identification (RFID) technology has the potential to revolutionize business much as ERP and supply chain integration did in the late 1990s, but it can also have some serious security risks if you are not careful when deploying it. Beth Cohen reveals the power and the pitfalls of this exciting new technology so you can determine for yourself whether your company is ready to ride the next technology wave.
Have you ever wondered what those little plastic tags in your clothing are? Perhaps you have seen library books with little pieces of metal attached. In both cases, these are RFID tags.
It's quite possible you've never heard of RFID (Radio Frequency IDentification), but this technology is so powerful that you can literally inventory an entire warehouse just by installing an array of transceivers -- or readers, as they are called in the industry -- around the perimeter and placing tags on your stock.
Gillette recently announced that they will deploy several billion RFID tags in every item they manufacture so they can more closely track their billion-dollar inventory. RFID tags are commonly used in the retail industry for just-in-time supply chain delivery and the elimination of five-finger discounts. Think of how this technology could simplify tracking your company's valuable computer equipment and other assets.
RFID technology is also being heavily deployed for company access badges and other people-tracking type tasks. Imagine if your company's employees only needed to walk through doors to gain access to their areas instead of swiping their badges. While it sounds great in theory, there are some serious security repercussions to utilizing the technology for this purpose.
According to Dan Kaminsky from Doxpara Research, "When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and a 13.56 MHz sniffer in his briefcase...well, I guarantee you that briefcase ain't going to beep 'Thank you for your access credentials; I'll be you now.' All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door -- there's no way for anyone to know the badge wasn't the source of the RFID transmissions! Just because your badge reader only works from a few inches away doesn't mean anyone's reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby 'waiting for someone' as your CEO strolls by, you don't actually have a security system. You just have doors."
What Is It?
First emerging in the 1980s, RFID was originally used to track objects in harsh industrial environments where barcodes were unusable. At a basic level, it is the process of storing and retrieving data from integrated circuits or chips using radio frequency transmissions. Companies and industries might use RFID to locate, identify, and track inventories or any type of physical object. The three components of a functional RFID system are the data warehouse application, which manages the collected data; the transceiver (or reader), which scans and captures the tag data; and the transponders (or tags), which contain the data.
The data warehouse application can be any of the large or small databases or supply-chain systems available on the market today. You can purchase highly specialized inventory databases for specific vertical industries or, like Gillette, use RFID as one component in a corporate-wide ERP initiative. If you have a very specialized application, you can even write your own because the data collection methodology is completely standards-based.
The second component, the transceiver, is the system intermediary that reads the tags and uploads the data to the application. The newer readers like the just announced Handheld Reader by Matrics can read up to two hundred tags per second at a 10-foot range. "This new Handheld Reader is especially suited for high-value retail -- especially store floor inventories and backroom inventories -- high density environments requiring rapid read rates and long range," states Piyush Sodha, Matrics CEO.
Think of the RFID transponder as a form of electronic barcode. The tag itself can either be passive -- one that only responds when a transmitter station activates it -- or it can continually and actively broadcast its information to any receiver available. As CopyTag, a transponder manufacturer, writes, "The passive RFID transponder contains no batteries and is designed to be disposable. The Active RFID transponder is hermetically sealed in housing designed to tolerate harsh environmental conditions and will last many years; some active RFID transponders have replaceable batteries. The permanently programmed code is unique, counterfeit-proof, and cannot be modified or deleted. Thus, each RFID transponder is completely maintenance free and, in principle, has an unlimited life span."
Passive transponders include magnetic stripe cards, smart cards, and optical cards. These transponders are extremely inexpensive "throwaway" devices that are heavily used in the hotel industry for electronic keys, Electronic Article Surveillance (EAS), and real-time location tracking systems. Hitachi Europe has developed a smart tag chip that is just 0.3mm square and as thin as a human hair -- small enough and cheap enough to put it into banknotes! Typically, these are used to alert someone of the unauthorized removal of items from a store, library, or data center.
The more costly and higher maintenance active transponders are used in Real Time Locating Systems (RTLS) and other applications where the targeted assets and personnel move. An RTLS solution typically utilizes battery-operated radio tags and a cellular locating system to detect the presence and location of the tags. RFID offers certain advantages over hard-wired systems -- interactivity and real-time updates of inventory, shipments, or manufacturing applications -- that companies could turn to their own competitive advantage.
What Is It Good For?
Now that you have a basic understanding of the technology, what is it used for? RFID technology is still in its infancy. Although it has been heavily deployed in the retail industry for inventory and shrinkage control where the return on investment (ROI) is obvious, even in the retail sector the potential for improving just-in-time inventory delivery and other marketing efforts is only just starting to be realized. These tags enable retail stores to track inventory in an efficient manner, specifically reducing resource time and minimizing errors. A huge advantage is that line of sight is not necessary for RFID tag scanning. The only requirement is that the item be within the field of a wireless reading device.
The systems are generally easy to manage because they are all built on the familiar Windows or UNIX platforms. The readers are basic devices that need little or no maintenance. Deployment will put a greater burden on your network, but no more than any other ERP or supply chain system would. From the system's perspective, you could track all your IT assets, including those "walking" memory chips and software applications, as well as the larger equipment. An excellent use would be in a large data center with thousands of pieces of equipment to track and limited staff to track it.
Another use that is being actively considered is a medical ID "SmartTag" that stores your medical records. The best analogy would be the old US Army "dog tags" or the MedicAlert bracelets. You would wear or carry the identifier at all times. If you were injured or incapacitated, the medics would have immediate access to your medical records and any critical information that could possibly save your life. For example, if the emergency medics knew your blood type, they would be able to start a possibly lifesaving transfusion without waiting for blood typing test results. The danger is that without the proper security in place, anyone who was motivated (an insurance company, for example) could snoop into your medical records and possibly deny you medical or life insurance based on information in your records.
The potential of RFID technology is limited only by your imagination. Tags embedded into the packaging of products and antennas using conductive ink will eliminate the need for barcodes. Portals will replace checkout lines at retail stores. Smart-shelves could alert a store to restock in real time by noting when a carton of milk or a box of medicine has expired. This type of system could prevent out-of-stock merchandise and reduce obsolete or out-of-date products. This would obviously benefit the consumer with lower costs and fresher products as the manufacturers pass the benefits on.
This article was originally published on Tuesday Jun 3rd 2003
Disadvantages and Security Issues
As with all revolutionary technologies, RFID has its disadvantages and problems. The standards were originally developed at a time when security was not the critical issue it is today, which makes security difficult to incorporate after the fact. As the medical ID tag example above shows, the paranoid Orwellian view of using RFID for tracking our citizens in every way can quickly get out of hand.
As with supply chain integration, RFID technology has the potential to allow suppliers, customers, and other firms in the industry access to critical competitive information. However, unlike ERP and supply chain integration where the information sharing is usually voluntary, with RFID it could be used to gather the information clandestinely because it is so anonymous. That means that your competitors could possibly steal information about your company from right under your nose.
Unless the encryption is very good, the RFID unique identifiers can be duplicated. This was a major problem in Europe a few years ago when cell phones were first introduced on a large scale. Until the telecoms changed the technology to prevent it, a major European cottage industry was using stolen cell phone identification codes to steal phone service.
The underlying RFID authentication mechanism is the same as that of the more common swipe cards, but RFID cards have some additional serious security drawbacks. Because swipe cards require physical proximity -- i.e. you need to be in physical possession of the card -- it is difficult to gain access unless you stole or borrowed the card from the owner. The IDs on passive RFID cards, on the other hand, can easily be stolen using a sniffer and a power source without the knowledge or consent of the ID's owner.
One major problem with passive RFID systems is that the power source comes from the receiver, not from within the RFID tag itself. This makes the tags cheaper and more robust, but it also makes them vastly less secure. Once the tag is in proximity of an RF power source, it will happily continue to broadcast the ID information to anybody and anything -- good guys and bad. As mentioned earlier, it would be a trivial hack to sit in the lobby of the corporate headquarters of a major company with a device in a briefcase and collect IDs as people pass by.
Because they are passive and do not have the capacity for read/write, the current RFID systems do not allow the use of public/private key pairs, challenge/response for authentication, or any other form of active authentication. It would be orders of magnitude more difficult for a hacker to collect the IDs if a tag was active and returned an ever-changing authentication key, similar to the SecurID technology that has been around for almost ten years.
There has been some recent work done on creating RFID tags that have limited read/write capability. There will be many opportunities for creating more secure tags once read/write technology has been perfected. It would then be possible to create proper challenge/response systems with one-time passwords. While this would not stop the highly determined hacker from hacking the challenge system, it would certainly slow them down and make the hack that much harder.
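The difference between a fixed broadcast ID and the challenge/response scheme described above can be shown with a small simulation. This is an added example, not code from the article or from any RFID vendor; the badge ID, the key, the function and class names, and the choice of HMAC-SHA256 as the response function are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none come from the article or a real product.
ENROLLED_IDS = {"04A1B2C3D4"}
TAG_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def static_admit(presented_id):
    """Today's passive tag: the broadcast ID itself is the credential."""
    return presented_id in ENROLLED_IDS

def tag_respond(key, nonce):
    """Hypothetical read/write tag: proves it holds the key, never sends it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeReader:
    """Reader that issues a fresh random nonce for every attempt."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, response):
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    """Return (static replay, genuine exchange, challenge/response replay)."""
    overheard_id = "04A1B2C3D4"              # what a passive listener records
    static_replay = static_admit(overheard_id)

    reader = ChallengeReader(TAG_KEY)
    overheard = tag_respond(TAG_KEY, reader.challenge())  # one real exchange
    genuine = reader.admit(overheard)
    reader.challenge()                       # the next attempt gets a new nonce
    cr_replay = reader.admit(overheard)      # old response, new nonce
    return static_replay, genuine, cr_replay

if __name__ == "__main__":
    print(demo())
```

The recorded static ID is accepted on replay, while the recorded challenge/response answer is rejected because it was computed over a nonce the reader no longer accepts.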
Where It's Headed
In conclusion, as the cost of deploying Radio Frequency Identification technology has plummeted, the potential uses in business have increased significantly. In the future, we can expect the costs of RFID to continue to decline, and there will be a corresponding increase in standardization between vendor products. RFID will quickly expand beyond the retail industry where it is now heavily concentrated, into the healthcare arena, government sector, and wherever else there is a need to track large numbers of moving or transportable items. Once the issues of improved security have been addressed, this technology has the potential to literally inventory the entire world.