The report suggests RFID users develop business processes within their RFID deployment that include steps to have employees check the presence and condition of tags attached to products, rather than fully automating the system so that no one checks them. It also notes that RFID tags themselves can be tampered with, rather than just read by unauthorized parties. Thus, it recommends that if RFID tags are used as security tools in a retail environment, employees should “physically monitor items to ensure that tags have not been removed or replaced.” Otherwise, the report states, a thief could more easily steal the product because it would pass through interrogators undetected.
Passive tags on the market today, including the ISO 14443 inlays used in some credit cards from MasterCard, Visa and American Express, lack the processing power needed to enable tags to encrypt the data they transmit to readers, Mulligan says. Instead, the reader encrypts its initial request for data from the tag, and the tag responds. This opens up RFID transactions to relay attacks, in which a mole device is placed near a legitimate RFID-enabled card so it can relay the card’s response to the interrogator linked to a point-of-sale system. Through a relay attack, someone could make a transaction by pulling the tag data from an unsuspecting consumer’s RFID tag in his or her wallet (see The Consequences of Convenience). If successful, this kind of attack would result in an unsuspecting consumer’s account being charged for goods he or she did not purchase.
The article predicts that by the latter half of 2007, passive tags will possess the memory and processing power required to encrypt data before transmitting it back to an interrogator. It adds that companies looking to deploy RFID for applications in which data requires full encryption (both interrogator data and tag data) should wait to deploy until these tags are available. The National Science Foundation (NSF) recently awarded a $1.1 million grant to the Consortium for Security and Privacy, which will work to improve encryption schemes on passive tags (see RFID Security Consortium Receives $1.1 Million NSF Grant). Connecticut firm SecureRF says it has already developed a means of encrypting passive tag data with its Algebraic Eraser tool, which it says consumes less power and memory than conventional encryption methods (see SecureRF Creates New Encryption Method).
The full, six-page report is available for download from Forrester’s Web site. Current Forrester clients can log into the site for free, while others must pay a $349 download fee.