Industry standards are being strengthened to protect information stored on RFID chips
By Mark Willoughby
December 20, 2004 12:00 PM ET
Computerworld - Industry standards are being strengthened to protect information stored on RFID chips and to prevent hackers from using sensitive data stored there in nefarious exploits. Radio frequency identification data is vulnerable when stored on the chip itself and also when it is written to, or read from, the chip. A much-publicized new exploit exhibited in August by Lukas Grunwald at the Black Hat 2004 conference in Las Vegas, RFDump, exposes the vulnerability. Anybody with a card reader plugged into a laptop can use RFDump to read data from within 3 feet of a passive RFID chip. "[Grunwald] is doing what RFID is supposed to do," said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. "This is serious. He didn't hack anything. RFID technology originally was designed to be completely open; that's its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking." RFDump is a threat to data stored on passive RFID chips used today. According to industry sources, the vulnerability has been known for some time, and a new standard was approved in June to shield RFID data. The lack of security isn't expected to constrain the growth of the RFID marketplace, which is expected to grow from $91.5 million to $1.3 billion in 2008, according to market research company IDC in Framingham, Mass. Sue Hutchinson, director of product management at EPCglobal U.S., a Lawrenceville, N.J.-based industry trade association that supports the use of electronic product codes, says most of this growth will be fueled by supply chain applications, such as tracking goods from manufacturers, through shippers and warehouses, to the retailer or final consumer destination. "Our end users provided a detailed set of requirements, and our users provided us with some good security requirements" for supply chain applications, when work began on the second-generation RFID standard last year, Hutchinson said.
"Part of our standards development was a second-generation UHF [ultra high frequency] air interface protocol, the protocols that manage data moving between the tags and readers. It includes some protections for data on the chip," she said. The new standard will secure passive tags, such as those exploited by RFDump and found in most supply chain applications, with "a secured forward link." "When data is written to the tag, the data is masked going over the air interface. All of the data coming from the reader
This independent paper from senior analyst Jon Collins at FreeForm Dynamics considers how Web-based security threats are evolving, within the context of IT trends including mobile, home computing and other forms of remote access that could potentially increase the attack surface of the companies. It defines the scale and types of threat, what to look for in a corporate web security solution and compares the different types of technological approach available to companies and the processes that need to be considered for effective protection.
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.
An intelligent system enables data to flow across an enterprise infrastructure, spanning the devices where valuable data is gathered from employees and customers,...
Organizations are eager to connect the vast amounts of data available within and outside their businesses to compete more effectively and make better...
See how the Nebraska Medical Center implemented a SQL solution to make information more readily available to streamline operations, improve patient care and...
This whitepaper offers a detailed look into the fundamentals of HP NonStop SQL solutions. See how this system delivers unprecedented levels of application...
Free Insider Guide