What is the purpose of RFID identification?
RFID identification can be used to keep track of everything from credit cards to livestock. But what security risks are involved?
What is the purpose of RFID identification, and what access control problems and security risks are associated with it?
RFID stands for radio frequency identification. RFID tags emit radio signals and are usually embedded in things like credit cards, passports, merchandise, or even livestock. The tag resembles a smart card when embedded in a card and may carry the same data as a smart card, but smart cards need to be swiped by a reader and don't transmit radio signals.
RFID is a fantastic technology for businesses, particularly warehousing, retail and livestock. RFID tags can be attached to merchandise in a warehouse so that employees can automatically conduct inventories with handheld readers that send data to the company's servers or databases. Users don't have to go back to a terminal to enter data manually.
The fundamental security problem of RFID is the same as that of any wireless device: it transmits data out in the open, where it can be easily sniffed, captured or stolen. An attacker doesn't even have to find a network or cable to attach a sniffer. All the attacker needs is a laptop with an antenna and a wireless hookup outside the place where the device is transmitting to obtain confidential customer information, which could lead to financial loss or identity theft.
Security guru Bruce Schneier has long been a vocal critic of the recent move by the State Department to put RFID chips in U.S. passports. He has cited the feats of security researchers in the UK who were able to steal data with simple home-built readers with parts costing under $100.
Also, RFID chips can only hold a limited number of encryption keys, which makes them more vulnerable to cracking.
In answer to the question about access controls, RFID chips, like those in smart cards, come in two varieties: programmable and fixed. Programmable chips are at higher risk, since they can be manipulated for malicious purposes, whereas pre-programmed chips aren't as susceptible.
RFID technology is still developing and maturing. To be more secure, all radio signals need to be encrypted and shielded, so they can't be read without authorization. Chips also need to be designed to carry stronger encryption keys.
RFID technology isn't going away, as evidenced by the stringent requirements Wal-Mart Stores Inc. has put in place for its suppliers. But a thorough analysis of the IT security risks should always be conducted before any implementation.