May 2004 CSO Magazine

What's Your Frequency

As RFID technology gets more widely deployed, will security and privacy suffer?


DURING THE NEXT YEAR, hundreds of companies will be forced to deploy technology for automatically tracking the movement of consumer goods using radio waves. Radio frequency identification (RFID) technology has been mandated by both the U.S. Department of Defense and—perhaps more important—Wal-Mart. Last year both of these organizations stated that their hundred largest suppliers would have to equip every shipment with an RFID tag so that the deliveries could be automatically tracked and recorded by inventory systems.

Meanwhile, the Food and Drug Administration has passed a regulation requiring pharmacies throughout the United States to purchase RFID readers by 2006. The theory is that each case of prescription drugs will carry an RFID tag with a unique serial number that can be looked up automatically in an online database, while counterfeit drugs will not.

From the news coverage that accompanied these announcements, you might think that RFID was some kind of fundamentally new technology. It's not. The idea of using radio signals as a kind of remote identification system was first pioneered during World War II, when Identification Friend or Foe, or IFF, systems were deployed in bombers to prevent them from being shot down by their own militaries.

In the 1970s, scientists at the Los Alamos National Laboratory developed a system that used RFID for controlling access to nuclear materials. Similar technology showed up in the civilian sector in the 1980s as building management companies deployed the first generation of "proximity cards."

Then in the 1990s, electronic toll collection systems like E-ZPass were introduced by highway and transit authorities worldwide; today there are more than 10 million cars with transponders in the United States alone.

Whether they're being used to track the movement of nuclear materials or deduct a $2 toll from your account with the New York State Thruway Authority, all of these RFID systems work more or less the same way. A small electronic circuit in the RFID chip listens for a radio signal from the RFID reader. When the circuit hears this signal, it sends back a coded radio signal of its own. The code contains the chip's identification number and possibly other information. When the reader hears the response, it sends that information to a computer system. Typically, the computer looks up the number in a database, verifies that it is valid and hasn't been stolen, and then performs some sort of action.

RFID chips are usually packaged in small plastic boxes called tags. There are two kinds of tags: active and passive. Active tags contain a microchip, an antenna and a battery. They can work from a distance of dozens or even hundreds of feet, depending on the size of the antenna, the strength of the battery and the portion of the radio spectrum that's being used for the communication. Because batteries have a limited life span, these tags work for only a few years. Passive tags, on the other hand, don't have batteries. Instead, they are powered directly from the same radio signal that's used to trigger them. Because they don't have batteries, passive tags are much cheaper to manufacture and pretty much have an indefinite shelf life. But passive tags also have a very limited reading range: Most passive tags can't be detected unless they are within a foot of a reader, and some can't be read unless they're within an inch.

Two factors are driving the sudden interest in RFID technology. The first is the plummeting price of tags. Today, tags tend to cost between 25 cents and a dollar, depending on the technical details of the tags and the number ordered. But it's widely believed that tags will cost a penny or less by the end of the decade.

The second factor is the dawning era of RFID compatibility. As anybody who has ever deployed a proximity card system in a building knows, until now, most RFID systems have been mutually incompatible. But last year, an industry consortium adopted an RFID standard called the Electronic Product Code, or EPC. Management of this standard was turned over to the Uniform Code Council (UCC), the same organization that manages the ubiquitous Uniform Product Code (UPC) that's on consumer products. The UCC and its European counterpart, EAN International, have created an organization called EPCglobal to shepherd the future development of this technology. As you might imagine, the big goal here is to have EPC replace UPC in the coming years. (Point of disclosure: I am a member of EPCglobal's Public Policy Committee.)

This push for what's called item-level tagging has caused a huge outcry among privacy activists in the popular press—and with good reason. If RFID technology is deployed to consumers the way it has been described by some, it could have devastating implications.

Indelible tags sewn into clothing or embedded into the soles of shoes would make it possible to track consumers as they enter or leave stores. Readers on store shelves could alert whenever a consumer picks up expensive merchandise—perhaps automatically snapping a picture if someone picks up too many razors at once. Tags on books or magazines would identify what a person is reading by scanning his briefcase or backpack. Tags on banknotes would enable a mugger to figure out who is carrying large amounts of cash.

It's tempting to dismiss these scenarios as ravings from unsophisticated technophobes. Don't. The glaring misuses of RFID technology previously mentioned were first brought up not by privacy activists, but by the RFID industry itself. Although many people working on RFID are concerned about privacy issues, these concerns often take a backseat to technical ones.

Equally troubling is the lack of attention to security, an issue that overlaps with personal privacy but has concerns all its own. One of the biggest security problems with today's RFID tags is that they are promiscuous—they will respond to any reader that tries to query them. The implications, as this technology becomes widespread, are staggering.

Consider the case of item-level tagging: What's to prevent the competition from walking in with a portable RFID reader hidden in a backpack and surreptitiously taking a complete inventory? Or consider the potential for fraud. Since tags can be reprogrammed, a thief could enter a store, scan the ID of a tag on a $50 VCR, program this ID into his own tag and affix that tag to a $500 unit.
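The lookup step and the tag-copying fraud described above can be modeled in a few lines. This is an added example, not part of the original column: the class names, the `VCR-50` tag ID and the keyed challenge-response design are assumptions made for illustration and are not taken from the EPC standard.

```python
import hashlib
import hmac
import os

class KeyedTag:
    """Hypothetical tag that holds a secret key it never transmits."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge):
        return self.tag_id, hmac.new(self._key, challenge, hashlib.sha256).digest()

class CopiedTag:
    """Copy built only from what went over the air: an ID and, at most, one old reply."""
    def __init__(self, tag_id, old_proof=b""):
        self.tag_id, self._old = tag_id, old_proof
    def respond(self, challenge):
        return self.tag_id, self._old

class Backend:
    """The database lookup step; items maps tag ID -> (price, key or None)."""
    def __init__(self, items):
        self.items = items
    def price_for(self, tag):
        challenge = os.urandom(16)      # fresh per read, so an old reply is useless
        tag_id, proof = tag.respond(challenge)
        if tag_id not in self.items:
            return None                 # unknown ID: reject
        price, key = self.items[tag_id]
        if key is None:                 # ID-only scheme: the number is all that is checked
            return price
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return price if hmac.compare_digest(proof, expected) else None

def demo():
    key = os.urandom(32)                                # constructed sample key
    id_only = Backend({"VCR-50": (50, None)})           # constructed sample records
    keyed = Backend({"VCR-50": (50, key)})
    genuine = KeyedTag("VCR-50", key)
    overheard = genuine.respond(os.urandom(16))[1]      # reply to an earlier challenge
    return {
        "id_only_copy": id_only.price_for(CopiedTag("VCR-50")),
        "keyed_genuine": keyed.price_for(genuine),
        "keyed_copy": keyed.price_for(CopiedTag("VCR-50", overheard)),
    }

if __name__ == "__main__":
    print(demo())
```

With an ID-only lookup the copied number is indistinguishable from the genuine tag; once the backend issues a fresh challenge per read, a copy that holds only the ID and a previously overheard reply is rejected.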

When the privacy issue was first raised with the creators of the EPC standard, they responded by giving every tag a special command called "kill." Send this command to the tag and it commits suicide. The theory is that a dead tag is not a threat to anybody's privacy. Legislation has now been proposed in California that would require any business selling consumer goods to remove or kill all item-level RFID tags before the item leaves the store.

The problem with the "all tags must die" approach, says Henry Holtzman, a research scientist at the MIT Media Lab, is that tags on stolen property won't be killed. That means that having an item on your body containing a live tag might be taken as circumstantial evidence that you are a shoplifter. It's not hard to imagine police walking the sidewalks in some neighborhoods with high-powered RFID readers, searching for anybody giving off the right signals. And it's not hard to imagine anti-RFID activists going into stores and killing every tag they can find with covert tools.

Last November I chaired a one-day workshop looking into RFID-related privacy issues at MIT. You can find copies of the papers that were presented as well as streaming video of the day's proceedings on the conference website, at

RFID technology is going to be deployed throughout our society. And while the threat to privacy should not be underestimated, I think that the lack of security on these systems is potentially a far greater problem. Today's RFID systems were developed in a collegial environment that was largely ignorant of security concerns. The challenge was getting the chips to work and making the technology cheap enough for mass deployment.

Sadly, we've seen this story before with analog cell phones and then again with Wi-Fi networking. For some reason, engineers working on wireless systems consistently underestimate the resources and motivation of our adversaries. They take the paucity of attacks as evidence of their systems' strength.

What engineers fail to realize again and again is that the bad guys aren't motivated to find flaws in these wireless systems until they are widely deployed. At that point, the costs of adding security can be staggering.

With commitment and work, the RFID industry could produce technology that is far more secure and, as a result, more responsive to privacy needs as well. But the industry won't do that unless customers make those demands now.

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at



Most Recent Responses:

Just like any other technology RFID can be exploited for enslaving humanity further, or it can be a viable tool to stop terrorists, shrinkage, missing children, etc... The applications are limitless. It will be commonplace technology one day. Caution and ethics must be applied though, so people like the Enron Squad don't get their hands on it, and abuse the potential for doing good.

Will Davis
Chief Engineer
Innovative Design

As I see it the fact that RFID is NOT killed indicates either product theft or store abuse.

This is a GREAT feature and not a problem. Honest consumers have privacy. Thieves or producers without ethics get sentences.


Great coverage, and timely especially with all the buzz around the subject. I am confident that our industry will develop solutions to leverage the technology to enhance business and personal lives as the benefits always far outweigh the rogue usage; and minimize the potential of abuse or mis-use!

This is the wisdom attributed to the existence of the "duality" in nature-every "good" has its "bad" counterpart; The yin and the yang.

Ajit Kapoor
Lockheed Martin

Great article - especially the thoughts on engineers not doing their job (or their managers not putting them to the right tasks?).

EU recently held a workshop on RFIDs focussing on privacy as one of the major aspects. The result was a clear message to direct attention towards Privacy Enhancing Technologies to ensure a win-win on RFIDs.

I was invited to present some of our solutions for securing RFIDs incorporating several new PET technology solutions of which the core is based on something we call Zero-knowledge Device Authentication ensuring that the RFID can enter into "Privacy Mode" at Point of Purchase.

These solutions still need maturing and of course peer review, but they should in time be able to solve the privacy problems by transferring control to the end-user.

It is key to remember that applications raise different requirements for the technology to be secure. Control of Post-purchase RFIDs should be 100% transferred to the consumer without backdoors such as *fake* deep sleep mode which are still centrally controlled.

Proximity RFIDs (such as library and car toll passports) require additional support in order not to leak sensitive tracking information to the service providers.

The in-store problem is not really about RFIDs, but about the fact that consumers are being identified and tracked without respect for the creation of barriers for the trade process.

But in principle there is no inherent privacy problem in RFID technology. The problem is created because engineers don't do their job properly and regulators fail to see the privacy problem in context.

Stephan Engberg
Open Business Innovation

One of the defining characteristics of a complex system is the inability to determine an initial condition from any current state. The other side of that coin is the inability to predict any future state based on knowledge of initial conditions. With as many variables as we have in play here it's hard to say where RFID is going to go.

It's easy to imagine combining RFID with several other up-and-coming technologies (e.g. IPv6, high density ROM, etc.) to come up with a whole new way of doing things.

Already I've seen an article on a club in Spain implanting RFID chips into patrons who don't want to have to carry credit cards. That's a simple application of a current technology that sounds incredibly "futurist".

It seems to me that the security problems inherent in RFID are in no way unique to RFID.

Security depends on rules and limits. The problem we face with RFID is the same problem posed to security in any semi-chaotic system. The boundaries of the system are not easily definable. The response will either need to be draconian in drawing an arbitrarily broad boundary around the system (i.e. lockdown, timebombs, passwords, etc) or it'll need to be more intelligent than the business processes that are created by whatever marriage of technology we see in the future. We're not yet able to manufacture "Smart" automation. So I predict what we'll see is a cry from the security/privacy advocates to regulate - at the same time we'll see risk-takers forge ahead and boom/crash through cycles of innovations and attacks on those innovations.

Either way RFID=job security for security professionals.

Brendan D.
