Historically, articles looking at RFID in the coming year have focused on supply chain or asset tracking or access control or smart phones or any of a dozen other key applications where RFID could offer significant advantages. It's true that market growth is important. But the roll-out of applications that don't include adequate security precautions poses a potential risk not only to the users of the technology but to the entire industry.
Security solutions already exist and many RFID hardware and systems suppliers are ready to implement them. What's necessary is for the end-users to recognize the need for security -- even if it does entail some additional cost -- and include it in their system design.
As we look forward to 2010, will this be the year that we start seeing security considerations being included as an essential part of RFID system design or will 2010 be remembered for more examples of what was done wrong?
The past is full of mistakes
There are more than enough examples of early -- and even current -- implementations where security was not properly thought through. Many early mistakes can be attributed to technologists involved in these pilots being so focused on how to provide benefits through RFID that it never occurred to them that someone with malicious intent could or would try to attack, subvert or corrupt the system.
Take the infamous case of a customer loyalty card that was reprogrammed with a different customer ID; even a reasonably paranoid person would not have anticipated this outcome (and it's still difficult to understand the potential benefit to anyone in changing the customer ID). Therefore, security was not considered and the card was left "unlocked" so that data on it could easily be changed.
Even though this example was relatively unfathomable, it should have triggered security consciousness on the part of those designing and implementing RFID systems. Unfortunately, it did not.
The threats are out there
Today, cyber security is constantly in the news with identity theft, breaches in corporate financial records, and threats of cyber terrorism. RFID security should be seen in the same light.
Admittedly, many of the proofs-of-concept that demonstrate the supposed vulnerability of RFID, even with some level of encryption, are more than a little far-fetched, require significant effort, are wildly convoluted or offer little reward for the perpetrator beyond the act itself.
Nonetheless, the number of computer worms and viruses constantly being developed and deployed shows that senseless attacks on today's computer systems are rife and will likely continue to grow. While some of these viruses and worms are designed to steal passwords or financial transaction data, many are simply malicious attacks that serve no purpose other than to destroy data and offer the perpetrator no tangible benefit beyond personal aggrandizement within a very small community of his or her peers.
Perhaps a revision to Murphy's Law should be posted in every office of anyone designing, implementing or using RFID in order to trigger security-conscious thinking: "Anything that can be hacked will be hacked."
It's not all doom-and-gloom
First, despite any real or theoretical vulnerabilities of an RFID implementation, the alternatives are often even more vulnerable to attack, spoofing or circumvention. Take the case of RFID automobile immobilizers (chips in keys). While the encryption in these can be cracked by sophisticated equipment, it's not necessarily accomplished quickly or easily. And the alternative is to have no additional security and leave the car vulnerable to theft by someone with virtually no technical skills and possessing only a few rudimentary tools.
Second, there are many options for providing RFID security including simply reading the tag ID, tag/reader authentication, specialized cards that can only be read when activated by the user, high levels of public key encryption, and back-end security similar to financial transaction systems. Both RFID tag/reader solutions and systemic solutions are available. So it's not that RFID systems can't be secured, it's just that many of them haven't been implemented in a security-conscious manner.
Third, it's important to recognize that no single technology can be 100% secure. Whether it's as basic as a house or car key or as sophisticated as a government database, everything is subject to criminal attacks. The fundamental principle of security is to make it as difficult as possible for criminals to break in. Adding a second or even third layer to security (encryption, PINs, passwords, biometrics, security guards, etc.) for sensitive or critical applications makes it far less likely that a criminal can successfully hack a system.
Finally, adequate tag data security is essential in addressing privacy issues by securing data against unauthorized access.
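The sketch below is an added illustration, not part of the original article. It contrasts two of the options listed above, simply reading the tag ID and tag/reader authentication, using the rewritten customer ID case described earlier. The HMAC-SHA256 challenge-response, the key table and every name in it are assumptions made for the example; real tags use their own authentication schemes.

```python
import hashlib
import hmac
import secrets

# Constructed back-end key store: customer ID -> per-tag secret (sample values).
BACKEND_KEYS = {
    "CUST-1001": b"constructed-secret-for-1001",
    "CUST-2002": b"constructed-secret-for-2002",
}

class Tag:
    """Toy tag model: a writable ID field plus a key held in protected memory."""
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id   # user memory; writable if left "unlocked"
        self._key = key        # assumed never readable or writable over the air

    def respond(self, challenge: bytes) -> bytes:
        # The tag proves knowledge of its key for the ID it currently reports.
        msg = challenge + self.tag_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

def accept_id_only(tag: Tag) -> bool:
    """Weak design: trust whatever ID the tag reports."""
    return tag.tag_id in BACKEND_KEYS

def accept_authenticated(tag: Tag) -> bool:
    """Reader issues a fresh nonce and checks the tag's keyed response."""
    key = BACKEND_KEYS.get(tag.tag_id)
    if key is None:
        return False
    challenge = secrets.token_bytes(16)  # fresh per read, so replies cannot be replayed
    expected = hmac.new(key, challenge + tag.tag_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(challenge))

def demo() -> dict:
    genuine = Tag("CUST-1001", BACKEND_KEYS["CUST-1001"])
    rewritten = Tag("CUST-1001", BACKEND_KEYS["CUST-1001"])
    rewritten.tag_id = "CUST-2002"  # ID field changed; protected key unchanged
    return {
        "id_only_genuine": accept_id_only(genuine),
        "id_only_rewritten": accept_id_only(rewritten),
        "auth_genuine": accept_authenticated(genuine),
        "auth_rewritten": accept_authenticated(rewritten),
    }

if __name__ == "__main__":
    print(demo())
```

The ID-only check accepts the rewritten card because the new ID is a valid one; the authenticated check rejects it because the card cannot produce a response under the key registered for the ID it now claims.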
Security is an opportunity
For RFID vendors, the potential vulnerability of RFID (real or theoretical) is not a liability, it's an opportunity. Designing security into an RFID system provides vendors with an additional service to offer clients and it may provide clients with an additional means to not only prevent security breaches but potentially to identify those responsible.
For users of RFID, adequate tag and system data security can address privacy concerns while providing all RFID's benefits in terms of efficiency, cost reduction and, yes, security.
Developing a rigorous yet realistic and cost-effective level of RFID system security requires a thorough analysis of potential threat approaches, likelihood of attack, value of data or benefit, and potential countermeasures.
AIM's RFID Experts Group (REG) produced an implementation guideline, now available as an ISO/IEC technical report, on RFID tag data security that discusses these issues and examines open system solutions. This document is available in the AIM Store (see below). [It should be noted that there are also a variety of proprietary solutions that were not included in this document but which might be appropriate.]
While we look forward to 2010 as a year in which RFID pilot projects and implementations will continue to grow, a year in which many new applications of RFID are explored and deployed, we must also look to 2010 as the year in which RFID was deployed as a secure and robust solution to a growing number of business issues.