December 20, 2004
(Computerworld)
Industry standards are being strengthened to protect information stored on RFID chips and to prevent hackers from using sensitive data stored there in nefarious exploits.
Radio frequency identification data is vulnerable when stored on the chip itself and also when it is written to, or read from, the chip. A much-publicized new exploit exhibited in August by Lukas Grunwald at the Black Hat 2004 conference in Las Vegas, RFDump, exposes the vulnerability. Anybody with a card reader plugged into a laptop can use RFDump to read data from within 3 feet of a passive RFID chip.
"[Grunwald] is doing what RFID is supposed to do," said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. "This is serious. He didn't hack anything. RFID technology originally was designed to be completely open; that's its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking."
RFDump is a threat to data stored on passive RFID chips used today. According to industry sources, the vulnerability has been known for some time, and a new standard was approved in June to shield RFID data. The lack of security isn't expected to constrain the growth of the RFID marketplace, which is expected to grow from $91.5 million to $1.3 billion in 2008, according to market research company IDC in Framingham, Mass.
Sue Hutchinson, director of product management at EPCglobal U.S., a Lawrenceville, N.J.-based industry trade association that supports the use of electronic product codes, says most of this growth will be fueled by supply chain applications, such as tracking goods from manufacturers, through shippers and warehouses, to the retailer or final consumer destination.
"Our end users provided a detailed set of requirements, and our users provided us with some good security requirements" for supply chain applications, when work began on the second-generation RFID standard last year, Hutchinson said.
"Part of our standards development was a second-generation UHF [ultra high frequency] air interface protocol, the protocols that manage data moving between the tags and readers. It includes some protections for data on the chip," she said. The new standard will secure passive tags, such as those exploited by RFDump and found in most supply chain applications, with "a secured forward link."
"When data is written to the tag, the data is masked going over the air interface. All of the data coming from the reader to the tag is masked, so parts of the write can't be intercepted as it's coming from the reader to the tag. Once data is written to the tag it can be locked so that it can be read but not altered -- it's read-only," Hutchinson said.
Hutchinson said EPC passive tags include only product identifier information -- such as product codes, part snumbers or SKU numbers, i.e., "only info about objects" -- and include no personally identifiable information subject to privacy protection regulations such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act.
This "object only" information generally is deemed to be less sensitive than personally identifiable information, and the masking only hides the data. It isn't encryption but does require a key to expose it to the reader.
When the U.S. Department of Defense announced its final RFID regulations for supply chain applications in August, data encryption wasn't included, according to Alan Estevez, assistant deputy undersecretary of Defense for supply chain integration. Estevez cited two reasons for the DOD's rationale. First, product information, such as serial numbers, have little meaning until associated with information in a database, he said. Second, potential enemies shouldn't be able to get close enough -- within 10 feet -- to read the tags.
Supply chain RFID applications may mature to where they will include consumer data, Hutchinson said, and "we'll be working on additional standards for higher-class tags that may include user data. We'll continue to look at more security," including how to help reduce the estimated $180 billion to $300 billion lost every year in the global supply chain, according to the Retail Industry Leaders Association.
The banking and payment card industry has much more experience in protecting personally identifiable information stored on RFID cards, said Ken Ayer, vice president of access controls at Visa International Inc. Visa and the payment card industry prefer the term EMV cards because of the Europay, MasterCard and Visa standards consortium that established standards for smart credit and payment cards beginning in 1996.
Personally identifiable data elements subject to privacy regulations are Triple-DES encrypted on EMV cards. The latest contactless EMV cards are based on the ISO 14443 standard card, which can be read from only within 10 cm. They are configurable based on privacy and security standards followed by each issuing bank in each host country.
EMV cards support both symmetrical and asymmetrical key encryption, Ayer said. The only actual encrypting done on the card is in a challenge-response process to identify an authorized card reader to the card. The rest of the encryption is handled on back-end systems.
"This is a worldwide system that works in all countries around the globe," he said. "It's entirely up to the bank to use one type of encryption or the other, as well as what type of data to encrypt."