Opinion: RFID security worries need a reality check

Computerworld - Sometimes our anxieties about security make us lose sight of how a technology is used. Such is the case with radio frequency identification, a proven technology that delivers big efficiencies and has yet to experience a confirmed hacker attack in the wild.

But RFID has seen many tightly controlled "proof-of-concept" exploits, widely publicized by academic researchers to showcase RFID vulnerabilities that in reality pose less risk than an old flu virus. Don't look for criminals to unleash these exploits anytime soon. They understand that what little they could gain is simply is not worth the effort.

In April, academics at Edith Cowan University in Australia created an RFID denial-of-service exploit, and researchers at Vrije Universiteit Amsterdam publicized an RFID virus. Those two hacks question the integrity and availability of the first generation of Electronic Product Code RFID chips from EPC Global (www.epcglobalinc.org), an industry standards body working to streamline and secure supply chains.

These proof-of-concept EPC RFID attacks could make the drying time of paint seem quick. Information criminals operating behind the virtual anonymity of the Internet have shown scant interest in supply chain applications. There are no bragging rights on hacker Web sites for exploits launched against physical goods. Confusing handlers of pallets loaded with dog food or diapers, or even diverting containers filled with toys or consumer electronics, gets you flamed as a bottom feeder in the information underworld.

Trafficking in hard goods traditionally has been blue-collar street crime, the stuff of film noir gangsters, crooked dockworkers and teamsters with ready distribution channels for stolen goods. The Internet's promise of disintermediation (http://en.wikipedia.org/wiki/Disintermediation) is simply not as appealing to the stolen-goods underworld as it is to legitimate distributors.

Stolen goods are not easily converted to cash on the Internet. Information criminals constantly try to sell stolen goods via hijacked or bogus eBay accounts, other online sales channels, or through networks of unsuspecting surfers conned by offers too good to be true. The distribution of stolen physical goods on the Internet is risky and costly because lots must be broken into small pieces to escape notice and there is an audit trail to threaten prized anonymity.

Information criminals steal information that's readily convertible to cash, not meaningless EPC RFID inventory data. The people who design EPC standards know far more about the risk to supply chains than cloistered academics engineering these meaningless proof-of-concept exploits.

The EPC initiative is backed by companies that suffer billions of dollars in global supply chain losses every year. They have performed a rigorous risk analysis and concluded that the effect of a supply chain exploit targeting EPC chips is relatively low. They also have determined that the probability of seeing a wave of hacks on EPC chips is similarly low.