RFID is the crest of an approaching wave of ubiquitous computing, a trend where small computing devices will be everywhere in your daily life. Manufacturers rushing to be first to market designed them to be cheap and to consume very little power. In the process, they sacrificed good security practices like strong encryption and proper privacy protection. Researchers at RSA and the Johns Hopkins Information Security Institute are calling the RFID security protections “inadequate” and have demonstrated several ways to crack the devices. Another group at Vrije Universiteit Amsterdam has created proof-of-concept viruses that would spread from one RFID tag to another effortlessly. How can something so high-tech be so fraught with security holes? RFID as implemented now in the lower-priced tags is a Pandora’s box that has already been opened.
One of the more interesting uses of hacked RFID technology came when a man copied his hotel key’s RFID signature into the electronic price tag on a tub of cream cheese and opened his hotel door with the food container. Anyone with the right hardware and software could alter the price of every RFID tag in a warehouse or store to scramble them or swap them, due to poor encryption and other design flaws. As these devices grow in popularity, they will increasingly become a hot target for thieves and organized crime. RFID will soon be integrated into everyone’s passport, which is sure to draw the attention of terror organizations in search of low-hanging fruit. These RFID tags aren’t just being used in experimental labs; no, they are in production in cars, hotels, toll lanes, and more. If a society is going to rely this heavily on a technology, shouldn’t it be secure?
Sacrificing security for cost in this case will cost the world more than the few cents they saved per chip. The short-sightedness of some RFID designers has set the stage for what could be one of the biggest disasters to hit ubiquitous computing. The problem is that the public knows nothing about the subtle nuances of what is needed for secure RFID, and manufacturers don’t feel any pressure to make their chips secure if their competitors don’t have to. Governmental standards should be enacted requiring strong encryption for these tags because the industry has failed to regulate itself in this regard. Consumers need to educate themselves about the power of and problems with RFID and how it can affect their own lives. Ultimately, good security always comes back to user education.