New Association Highlights RFID Security Issues

By Admin

The RFID Security Alliance (RFIDSA) is a new association formed to promote better understanding of RFID security concerns and solutions. The organization says security is often overlooked during RFID system planning and implementation, but also that many security threats have been misinterpreted and exaggerated.

This article was originally published by RFID Update.

September 4, 2008—The RFID Security Alliance (RFIDSA) officially announced its formation as a resource to provide education and assistance for RFID-related security and privacy issues. The association has about 20 regular members, who include a mix of RFID companies and other firms focused on various security and technology areas. The group began working together last fall and held several meetings before announcing itself last week, RFIDSA founder and chairman Mike Ahmadi told RFID Update.

The RFID Security Alliance wants to raise awareness of security issues in RFID systems in a responsible manner, according to Ahmadi. Its efforts will span multiple industries and applications where RFID is used, and will include development of educational resources, creation of security metrics, public relations outreach to legislators and others, and other activities to promote the inclusion of security provisions in RFID programs.

There are many legitimate RFID security concerns and vulnerabilities, but also many exaggerated threats and misperceptions about security and privacy, Ahmadi said. He began to form the association after having difficulty finding credible, comprehensive information about RFID security while he was doing security consulting and design for a client. Ahmadi is also chief operating officer of GraniteKey, a non-RFID-oriented security company that is a founding member of the RFID Security Alliance.

A major focus for the association is to make people aware of RFID-related security issues so appropriate precautions can be designed into systems. Ahmadi said security is frequently overlooked during project planning, and only addressed when vulnerabilities are discovered later. The association is available to help organizations develop threat models so they can understand potential security problems and how to mitigate them.

"It is always easier and more cost effective to build security into a system than to fix it later," Ahmadi said. "There's a push now to create these bigger and bigger RFID systems, but there's a dearth of concern about security."

"Founding members of the RFID Security Alliance all share a common vision of implementing RFID applications with the appropriate level of security and privacy, balancing risk and cost," Ahmadi said in RFIDSA's announcement. "We want others to realize that security and privacy are functions that can successfully be part of an RFID solution, and that should be considered during the design process, not after."

RFIDSA members include two celebrated RFID hackers: Lukas Grunwald of NeoCatena Networks, who exposed security vulnerabilities in RFID-enabled passports (see New RFID Passport Scare -- Does it Matter?) and also showed how a cloned passport could trigger an explosion, and researcher Karsten Nohl, who led an attack on MIFARE RFID chips, which are widely used in public transport systems for cashless fare collection (see Yet Another RFID Hack Could Affect Up To 1 Billion Cards). However, the RFID Security Alliance does not plan to hack systems or sensationalize threats, but wants to raise awareness and build dialogue responsibly, according to Ahmadi.

"Some people and organizations simply ignore RFID security issues, and others only want to highlight the problems. We want to be the third camp," Ahmadi said, adding that there is no fundamental reason RFID systems can't be adequately secured. "A lot of the challenges to securing RFID are just common sense."

Other founding members include AWID, MIKOH, NeoCatena Networks, QLM Consulting, SecureRF, Sensitel, Sybase and Verayo. About 20 organizations have participated in meetings, and 90 organizations and individuals have joined the association's online groups.

The RFID Security Alliance is a non-profit organization and membership is open. The association will present a panel discussion on security topics at next week's RFID World show in Las Vegas.