McAfee: RFID chips exposing users to danger
As use expands, the technology becomes a very tempting target for hackers
The current generation of radio frequency identification (RFID) technology is vulnerable to eavesdropping, cloning and forging.
That's according to an April security trends report (download PDF) from security software vendor McAfee Inc. The Sage report is issued semiannually by McAfee Avert Labs based on its research into high-tech threats.
The report warns that as RFID technology becomes more pervasive, the risk for users increases dramatically. The study notes that the technology is increasingly embedded in clothing, food and health care products and that some companies are even embedding RFID chips into the bodies of employees. Some states have already passed laws to prohibit forced implantation of the chips.
The report found that the rapid spread of RFID technology is making it very attractive to hackers, who can clone chips and steal authentication information to gain access to a users' personal information. Some researchers have warned that a virus placed on an RFID chip can infect other networked chips, and ultimately assault vulnerable databases.
Government agencies and large retail firms are playing a key role in the spread of the technology -- and adding to the growing list of vulnerabilities, the report said.
For example, the U.S. Department of State last year began issuing passports embedded with and RFID chip containing the holder's date of birth and biometric information, such as a digital photo or a copy of their fingerprints. Critics claim that the e-passport could allow hackers to read the chip embedded inside and that the biometric data could be stolen for the purpose of identity theft. It could also allow Americans on foreign soil be tracked by enemies, critics say.
In the retail industry, the report predicted, RFID chips will soon replace bar codes as the tracking technology of choice. It cited retailer Wal-Mart Stores Inc.'s highly publicized efforts to use RFID to track pallets and cases from its suppliers to the store. The Sage report noted that many retail executives expect that RFID technology will save their companies time and money performing inventory counts and doing restocks.
Consumer advocates, on the other hand, "claim the privacy implications are too dangerous to ignore. Imagine a world in which every item you purchase has an embedded RFID tag," the report said. "When you buy the item, your entire inventory of purchases can be stored in a central database. Advertisers could track your spending habits. When you wear the tagged clothing, you can be tracked and profiled as you travel through strategically placed scanners," it said.
Some experts contended that the dangers of RFID chips are overstated in the report. "There is nothing inherently insecure about RFID," said Michael Shamos, a computer science professor at Carnegie Mellon University who specializes in security issues. "There are some bad protocol implementations around that have security vulnerabilities. I'm all in favor of trashing specific bad implementations, but this is not a generic defect in RFID technology."
He said that government agencies and businesses should use chips that are encrypted to prevent hackers from replicating their data. Shamos also contended that RFID chips are not susceptible to viruses.
Also, he said, it is very difficult -- and expensive -- to track the movements of embedded RFID chips. "If you want to track someone, it's much easier and more effective to point a video camera at their face from 100 yards away than to plant RFID readers every 10 centimeters throughout your country," said Shamos.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts