Computerworld - Industry standards are being strengthened to protect information stored on RFID chips and to prevent hackers from using sensitive data stored there in nefarious exploits.
Radio frequency identification data is vulnerable when stored on the chip itself and also when it is written to, or read from, the chip. A much-publicized new exploit exhibited in August by Lukas Grunwald at the Black Hat 2004 conference in Las Vegas, RFDump, exposes the vulnerability. Anybody with a card reader plugged into a laptop can use RFDump to read data from within 3 feet of a passive RFID chip.
"[Grunwald] is doing what RFID is supposed to do," said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. "This is serious. He didn't hack anything. RFID technology originally was designed to be completely open; that's its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking."
RFDump is a threat to data stored on passive RFID chips used today. According to industry sources, the vulnerability has been known for some time, and a new standard was approved in June to shield RFID data. The lack of security isn't expected to constrain the growth of the RFID marketplace, which is expected to grow from $91.5 million to $1.3 billion in 2008, according to market research company IDC in Framingham, Mass.
Sue Hutchinson, director of product management at EPCglobal U.S., a Lawrenceville, N.J.-based industry trade association that supports the use of electronic product codes, says most of this growth will be fueled by supply chain applications, such as tracking goods from manufacturers, through shippers and warehouses, to the retailer or final consumer destination.
"Our end users provided a detailed set of requirements, and our users provided us with some good security requirements" for supply chain applications, when work began on the second-generation RFID standard last year, Hutchinson said.
"Part of our standards development was a second-generation UHF [ultra high frequency] air interface protocol, the protocols that manage data moving between the tags and readers. It includes some protections for data on the chip," she said. The new standard will secure passive tags, such as those exploited by RFDump and found in most supply chain applications, with "a secured forward link."
"When data is written to the tag, the data is masked going over the air interface. All of the data coming from the reader
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
