RFID Security: A Reality Check

The possibility that someone would gain access to a Target distribution center or the back of a Wal-Mart store and start killing tags willy-nilly was remote, so the designers of the original Gen 1 tags decided that an 8-bit security code was sufficient. Given that millions of Gen 1 tags have been flowing through the supply chains of Wal-Mart and others without any incidents of Gen 1 tags being killed (outside of the Weizmann Institute), the practical decision made would seem to be the right one.

Whether Shamir and the EE Times are aware of it or not, EPC technology has already evolved to another level. The second-generation EPC protocol calls for a 32-bit security code. With an 8-bit code, there are 256 possible kill codes. If a cell phone could be used to hack a Gen 1 tag, Oren estimates it might take about a minute (but admits he’s guessing because they didn’t have a phone that could actually kill tags). A 32-bit kill code has more than 4 billion possible kill codes. Someone might have to spend hours (perhaps days) in the back of your warehouse pointing his cell phone at the tag on one of your cases to kill one tag. And for what? They would accomplish nothing more than proving an academic theory.

Security is becoming increasingly important as companies consider new applications for EPC tags. Pharmaceutical companies are looking at using EPC tags to create secure electronic pedigrees. Boeing and Airbus want to store parts’ histories on tags. These companies are realizing that more secure tags are needed—tags that can’t be hacked, spoofed or cloned. So groups within EPCglobal and the Auto-ID Labs are looking at whether there are any vulnerabilities in the Gen 2 tags and, if so, how they might be addressed.

There is value in academics pointing out that EPC and other RFID tags—especially those used by toll collection systems, contactless credit cards and other payment devices—have vulnerabilities. Once the makers of RFID devices know the vulnerabilities, they can address them.

There is also value in keeping the industry—and public—informed. The problem is that stories about security weaknesses get overplayed in the media. Journalists love to scare people because it encourages them to read articles. They love to use phrases such as “security expert,” “encryption algorithm” and “researchers at (fill in the blank) university” to give credibility to claims. They tend, however, to leave out the context that makes the story less frightening, which means end users could make bad business decisions based on misinformation, and people are led to worry more than they need to about these issues.

My view is that we should report the facts, present them in context and let people know when security weaknesses are a threat to their business. And right now, I don’t think anyone should be losing any sleep over the possibility of a hacker killing the tags on cases in their supply chain with a cell phone.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below.