RFID: Recipe For International Disaster?

RFID is the crest of an approaching wave of ubiquitous computing, a trend where small computing devices will be everywhere in your daily life. Manufacturers rushing to be first to market designed them to be cheap and to consume very little power. In the process, they sacrificed good security practices like strong encryption and proper privacy protection. Researchers at RSA and Johns Hopkins Information Security Institute are calling the RFID security protections “inadequate” and have demonstrated several ways to crack the devices. Another group at Vrije Universiteit Amsterdam has created proof-of-concept viruses that would spread from one RFID tag to another effortlessly. How can something so high-tech be so fraught with security holes? RFID as implemented now in the lower-priced tags is a Pandora’s box which has already been opened.

One of the more interesting demonstrations of hacked RFID technology came when a man copied his hotel key’s RFID signature into the electronic price tag on a tub of cream cheese and opened his hotel door with the food container. Anyone with the right hardware and software could alter the price of every RFID tag in a warehouse or store to scramble them or swap them, due to poor encryption and other design flaws. As these devices grow in popularity, they will increasingly become a hot target for thieves and organized crime. RFID will soon be integrated into everyone’s passport, which is sure to draw the attention of terror organizations in search of low-hanging fruit. These RFID tags aren’t just being used in experimental labs; they are in production in cars, hotels, toll lanes, and more. If a society is going to rely this heavily on a technology, shouldn’t it be secure?

Sacrificing security for cost in this case will cost the world more than the few cents saved per chip. The short-sightedness of some RFID designers has set the stage for what could be one of the biggest disasters to hit ubiquitous computing. The problem is that the public knows nothing about the subtle nuances of what is needed for secure RFID, and manufacturers don’t feel any pressure to make their chips secure if their competitors don’t have to. Governmental standards should be enacted requiring strong encryption for these tags because the industry has failed to regulate itself in this regard. Consumers need to educate themselves about the power of and problems with RFID and how it can affect their own lives. Ultimately, good security always comes back to user education.

This entry was posted in General InfoSec by Troy Vennon.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va., where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintenance of the 34 Points-of-Presence that made up the Marine Corps' 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.
