DURING THE NEXT YEAR, hundreds of companies will be forced to
deploy technology for automatically tracking the movement of consumer
goods using radio waves. Radio frequency identification (RFID)
technology has been mandated by both the U.S. Department of Defense
and—perhaps more important—Wal-Mart. Last year both of these
organizations stated that their hundred largest suppliers would have to
equip every shipment with an RFID tag so that the deliveries could be
automatically tracked and recorded by inventory systems.
Meanwhile, the Food and Drug
Administration has passed a regulation requiring pharmacies throughout
the United States to purchase RFID readers by 2006. The theory is that
each case of prescription drugs will carry an RFID tag with a unique
serial number that can be looked up automatically in an online
database, while counterfeit drugs will not.
From the news coverage that
accompanied these announcements, you might think that RFID was some
kind of fundamentally new technology. It's not. The idea of using radio
signals as a kind of remote identification system was first pioneered
during World War II, when Identification Friend or Foe, or IFF, systems
were deployed in bombers to prevent them from being shot down by their
own militaries.
In the 1970s, scientists at the Los
Alamos National Laboratory developed a system that used RFID for
controlling access to nuclear materials. Similar technology showed up
in the civilian sector in the 1980s as building management companies
deployed the first generation of "proximity cards."
Then in the 1990s, electronic toll
collection systems like E-ZPass were introduced by highway and transit
authorities worldwide; today there are more than 10 million cars with
transponders in the United States alone.
Whether they're being used to track
the movement of nuclear materials or deduct a $2 toll from your account
with the New York State Thruway Authority, all of these RFID systems
work more or less the same way. A small electronic circuit in the RFID
chip listens for a radio signal from the RFID reader. When the circuit
hears this signal, it sends back a coded radio signal of its own. The
code contains the chip's identification number and possibly other
information. When the reader hears the response, it sends that
information to a computer system. Typically, the computer looks up the
number in a database, verifies that it is valid and hasn't been stolen,
and then performs some sort of action.
RFID chips are usually packaged in
small plastic boxes called tags. There are two kinds of tags: active
and passive. Active tags contain a microchip, an antenna and a battery.
They can work from a distance of dozens or even hundreds of feet,
depending on the size of the antenna, the strength of the battery and
the portion of the radio spectrum that's being used for the
communication. Because batteries have a limited life span, these tags
work for only a few years. Passive tags, on the other hand, don't have
batteries.
Instead, they are powered directly
from the same radio signal that's used to trigger them. Because they
don't have batteries, passive tags are much cheaper to manufacture and
pretty much have an indefinite shelf life. But passive tags also have a
very limited reading range: Most passive tags can't be detected unless
they are within a foot of a reader, and some can't be read unless
they're within an inch.
Two factors are driving the sudden
interest in RFID technology. The first is the plummeting price of tags.
Today, tags tend to cost between 25 cents and a dollar, depending on
the technical details of the tags and the number ordered. But it's
widely believed that tags will cost a penny or less by the end of the
decade.
The second factor is the dawning era
of RFID compatibility. As anybody who has ever deployed a proximity
card system in a building knows, until now, most RFID systems have been
mutually incompatible. But last year, an industry consortium adopted an
RFID standard called the Electronic Product Code, or EPC. Management of
this standard was turned over to the Uniform Code Council (UCC), the
same organization that manages the ubiquitous Uniform Product Code
(UPC) that's on consumer products. The UCC and its European
counterpart, EAN International, have created an organization called
EPCglobal to shepherd the future development of this technology. As you
might imagine, the big goal here is to have EPC replace UPC in the coming
years. (Point of disclosure: I am a member of EPCglobal's Public Policy
Committee.)
This push for what's called
item-level tagging has caused a huge outcry among privacy activists in
the popular press—and with good reason. If RFID technology is deployed
to consumers the way it has been described by some, it could have
devastating implications.
Indelible tags sewn into clothing or embedded into the
soles of shoes would make it possible to track consumers as they enter
or leave stores. Readers on store shelves could alert whenever a
consumer picks up expensive merchandise—perhaps automatically snapping
a picture if someone picks up too many razors at once. Tags on books or
magazines would identify what a person is reading by scanning his
briefcase or backpack. Tags on banknotes would enable a mugger to
figure out who is carrying large amounts of cash.
It's tempting to dismiss these
scenarios as ravings from unsophisticated technophobes. Don't. The
glaring misuses of RFID technology previously mentioned were first
brought up not by privacy activists, but by the RFID industry itself.
Although many people working on RFID are concerned about privacy
issues, these concerns often take a backseat to technical ones.
Equally troubling is the lack of
attention to security, an issue that overlaps with personal privacy but
has concerns all its own. One of the biggest security problems with
today's RFID tags is that they are promiscuous—they will respond to any
reader that tries to query them. The implications, as this technology
becomes widespread, are staggering.
Consider the case of item-level
tagging: What's to prevent the competition from walking in with a
portable RFID reader hidden in a backpack and surreptitiously taking a
complete inventory? Or consider the potential for fraud. Since tags can
be reprogrammed, a thief could enter a store, scan the ID of a tag on a
$50 VCR, program this ID into his own tag and affix that tag to a $500
unit.
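Added example (not part of the original column): a small Python simulation of the reader, tag and database lookup described above, showing why an ID-only lookup prices the swapped tag at $50 and how a challenge-response check would reject it. The tag IDs, prices, class names and the per-tag HMAC key are assumptions made for illustration; they are not part of the EPC standard or of any vendor's product.

```python
import hashlib, hmac, secrets

# Constructed sample back-end data: tag ID -> (item, price in dollars).
INVENTORY = {"EPC-0001": ("VCR, basic", 50), "EPC-0002": ("VCR, deluxe", 500)}
# Assumption: a per-tag secret shared only by the genuine tag and the back end.
TAG_KEYS = {tag_id: secrets.token_bytes(16) for tag_id in INVENTORY}

class PromiscuousTag:
    """Tag as the column describes it: answers any reader with its stored ID."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge=None):
        return self.tag_id, None      # the number alone, no proof of identity

class AuthenticatedTag(PromiscuousTag):
    """Hypothetical hardened tag: also returns HMAC(key, reader's nonce)."""
    def __init__(self, tag_id, key):
        super().__init__(tag_id)
        self._key = key
    def respond(self, challenge=None):
        mac = hmac.new(self._key, challenge or b"", hashlib.sha256).digest()
        return self.tag_id, mac

def checkout_by_id(tag):
    """Reader plus database lookup as described: trust whatever ID comes back."""
    tag_id, _ = tag.respond()
    return INVENTORY[tag_id][1]

def checkout_with_challenge(tag):
    """Send a fresh nonce and verify the tag's MAC before pricing the item."""
    nonce = secrets.token_bytes(16)
    tag_id, mac = tag.respond(nonce)
    expected = hmac.new(TAG_KEYS[tag_id], nonce, hashlib.sha256).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise PermissionError(f"tag claiming {tag_id} failed authentication")
    return INVENTORY[tag_id][1]

def swapped_tag_scenario():
    """A rewritable tag carrying the $50 unit's ID, affixed to the $500 unit."""
    swapped = PromiscuousTag("EPC-0001")
    charged = checkout_by_id(swapped)             # ID-only lookup accepts it
    try:
        checkout_with_challenge(swapped)
        rejected = False
    except PermissionError:
        rejected = True                           # no key, so no valid MAC
    return charged, rejected
```

swapped_tag_scenario() returns the price charged by the ID-only lookup and whether the challenge-response lookup rejected the same tag.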
When the privacy issue was first
raised with the creators of the EPC standard, they responded by giving
every tag a special command called "kill." Send this command to the tag
and it commits suicide. The theory is that a dead tag is not a threat
to anybody's privacy. Legislation has now been proposed in California
that would require any business selling consumer goods to remove or
kill all item-level RFID tags before the item leaves the store.
The problem with the "all tags must
die" approach, says Henry Holtzman, a research scientist at the MIT
Media Lab, is that tags on stolen property won't be killed. That means
that having an item on your body containing a live tag might be taken
as circumstantial evidence that you are a shoplifter. It's not hard to
imagine police walking the sidewalks in some neighborhoods with
high-powered RFID readers, searching for anybody giving off the right
signals. And it's not hard to imagine anti-RFID activists going into
stores and killing every tag they can find with covert tools.
Last November I chaired a one-day workshop looking
into RFID-related privacy issues at MIT. You can find copies of the
papers that were presented as well as streaming video of the day's
proceedings on the conference website, at www.rfidprivacy.org/agenda.php.
RFID technology is going to be
deployed throughout our society. And while the threat to privacy should
not be underestimated, I think that the lack of security on these
systems is potentially a far greater problem. Today's RFID systems were
developed in a collegial environment that was largely ignorant of
security concerns. The challenge was getting the chips to work and
making the technology cheap enough for mass deployment.
Sadly, we've seen this story before
with analog cell phones and then again with Wi-Fi networking. For some
reason, engineers working on wireless systems consistently
underestimate the resources and motivation of our adversaries. They
take the paucity of attacks as evidence of their systems' strength.
What engineers fail to realize again
and again is that the bad guys aren't motivated to find flaws in these
wireless systems until they are widely deployed. At that point, the
costs of adding security can be staggering.
With commitment and work, the RFID
industry could produce technology that is far more secure and, as a
result, more responsive to privacy needs as well. But the industry
won't do that unless customers make those demands now.
Simson Garfinkel, CISSP, is a technology writer based in the Boston
area. He is also CTO of Sandstorm Enterprises, an information warfare
software company. He can be reached at machineshop@cxo.com.
ILLUSTRATION BY ANASTASIA VASILAKIS
Most Recent Responses:
Just like any other technology, RFID can be exploited for enslaving
humanity further, or it can be a viable tool to stop terrorists,
shrinkage, missing children, etc... The applications are limitless. It
will be commonplace technology one day. Caution and ethics must be
applied though, so people like the Enron Squad don't get their hands on
it, and abuse the potential for doing good.
Will Davis
Chief Engineer
Innovative Design
As I see it, the fact that RFID is NOT killed indicates either product theft or store abuse. This is a GREAT feature and not a problem. Honest consumers have privacy. Thieves or producers without ethics get sentences.
Anonymous
Great coverage, and timely especially with all the buzz around the
subject. I am confident that our industry will develop solutions to
leverage the technology to enhance business and personal lives as the
benefits always far outweigh the rogue usage; and minimize the
potential of abuse or misuse! This is the wisdom attributed to the
existence of the "duality" in nature - every "good" has its "bad"
counterpart; the yin and the yang.
Ajit Kapoor
Lockheed Martin
Great article - especially the thoughts on engineers not doing their
job (or their managers not putting them to the right tasks?).
The EU recently held a workshop on RFIDs focussing on privacy as one of
the major aspects. The result was a clear message to direct attention
towards Privacy Enhancing Technologies to ensure a win-win on RFIDs.
http://www.cordis.lu/ist/directorate_d/ebusiness/workshop.htm
I was invited to present some of our solutions for securing RFIDs
incorporating several new PET technology solutions of which the core is
based on something we call Zero-knowledge Device Authentication
ensuring that the RFID can enter into "Privacy Mode" at Point of
Purchase.
These solutions still need maturing and of course peer review, but they
should in time be able to solve the privacy problems by transferring
control to the end-user.
It is key to remember that applications raise different requirements for
the technology to be secure. Control of Post-purchase RFIDs should be
100% transferred to the consumer without backdoors such as *fake* deep
sleep mode which are still centrally controlled.
Proximity RFIDs (such as library and car toll passports) require
additional support in order not to leak sensitive tracking information
to the service providers.
The in-store problem is not really about RFIDs, but about the fact that
consumers are being identified and tracked without respect for the
creation of barriers for the trade process.
But in principle there is no inherent privacy problem in RFID
technology. The problem is created because engineers don't do their job
properly and regulators fail to see the privacy problem in context.
Stephan Engberg
CEO
Open Business Innovation
One of the defining characteristics of a complex system is the
inability to determine an initial condition from any current state. The
other side of that coin is the inability to predict any future state
based on knowledge of initial conditions. With as many variables as we
have in play here it's hard to say where RFID is going to go.
It's easy to imagine combining RFID with several other up-and-coming
technologies (e.g. IPv6, high density ROM, etc.) to come up with a
whole new way of doing things.
Already I've seen an article on a club in Spain implanting RFID chips
into patrons who don't want to have to carry credit cards. That's a
simple application of a current technology that sounds incredibly
"futurist".
It seems to me that the security problems inherent in RFID are in no
way unique to RFID.
Security depends on rules and limits. The problem we face with RFID is
the same problem posed to security in any semi-chaotic system. The
boundaries of the system are not easily definable. The response will
either need to be draconian in drawing an arbitrarily broad boundary
around the system (i.e. lockdown, timebombs, passwords, etc) or it'll
need to be more intelligent than the business processes that are created
by whatever marriage of technology we see in the future. We're not yet
able to manufacture "Smart" automation. So I predict what we'll see is a
cry from the security/privacy advocates to regulate - at the same time
we'll see risk-takers forge ahead and boom/crash through cycles of
innovations and attacks on those innovations.
Either way RFID=job security for security professionals.
Brendan D.