McAfee: RFID chips exposing users to danger

As use expands, the technology becomes a very tempting target for hackers

The current generation of radio frequency identification (RFID) technology is vulnerable to eavesdropping, cloning and forging.

That's according to an April security trends report (download PDF) from security software vendor McAfee Inc. The Sage report is issued semiannually by McAfee Avert Labs based on its research into high-tech threats.

The report warns that as RFID technology becomes more pervasive, the risk for users increases dramatically. The study notes that the technology is increasingly embedded in clothing, food and health care products and that some companies are even embedding RFID chips into the bodies of employees. Some states have already passed laws to prohibit forced implantation of the chips.

The report found that the rapid spread of RFID technology is making it very attractive to hackers, who can clone chips and steal authentication information to gain access to a users' personal information. Some researchers have warned that a virus placed on an RFID chip can infect other networked chips, and ultimately assault vulnerable databases.

Government agencies and large retail firms are playing a key role in the spread of the technology -- and adding to the growing list of vulnerabilities, the report said.

For example, the U.S. Department of State last year began issuing passports embedded with and RFID chip containing the holder's date of birth and biometric information, such as a digital photo or a copy of their fingerprints. Critics claim that the e-passport could allow hackers to read the chip embedded inside and that the biometric data could be stolen for the purpose of identity theft. It could also allow Americans on foreign soil be tracked by enemies, critics say.

In the retail industry, the report predicted, RFID chips will soon replace bar codes as the tracking technology of choice. It cited retailer Wal-Mart Stores Inc.'s highly publicized efforts to use RFID to track pallets and cases from its suppliers to the store. The Sage report noted that many retail executives expect that RFID technology will save their companies time and money performing inventory counts and doing restocks.

Consumer advocates, on the other hand, "claim the privacy implications are too dangerous to ignore. Imagine a world in which every item you purchase has an embedded RFID tag," the report said. "When you buy the item, your entire inventory of purchases can be stored in a central database. Advertisers could track your spending habits. When you wear the tagged clothing, you can be tracked and profiled as you travel through strategically placed scanners," it said.

Some experts contended that the dangers of RFID chips are overstated in the report. "There is nothing inherently insecure about RFID," said Michael Shamos, a computer science professor at Carnegie Mellon University who specializes in security issues. "There are some bad protocol implementations around that have security vulnerabilities. I'm all in favor of trashing specific bad implementations, but this is not a generic defect in RFID technology." 

He said that government agencies and businesses should use chips that are encrypted to prevent hackers from replicating their data. Shamos also contended that RFID chips are not susceptible to viruses.

Also, he said, it is very difficult -- and expensive -- to track the movements of embedded RFID chips. "If you want to track someone, it's much easier and more effective to point a video camera at their face from 100 yards away than to plant RFID readers every 10 centimeters throughout your country," said Shamos.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon