RFIDs: What's Your Frequency

As RFID technology gets more widely deployed, will security and privacy suffer?

During the next year, hundreds of companies will be forced to deploy technology for automatically tracking the movement of consumer goods using radio waves. Radio frequency identification (RFID) technology has been mandated by both the U.S. Department of Defense and, perhaps more important, Wal-Mart. Last year both of these organizations stated that their hundred largest suppliers would have to equip every shipment with an RFID tag so that the deliveries could be automatically tracked and recorded by inventory systems.

Meanwhile, the Food and Drug Administration has passed a regulation requiring pharmacies throughout the United States to purchase RFID readers by 2006. The theory is that each case of prescription drugs will carry an RFID tag with a unique serial number that can be looked up automatically in an online database, while counterfeit drugs will not.

From the news coverage that accompanied these announcements, you might think that RFID was some kind of fundamentally new technology. It's not. The idea of using radio signals as a kind of remote identification system was first pioneered during World War II, when Identification Friend or Foe, or IFF, systems were deployed in bombers to prevent them from being shot down by their own militaries.

In the 1970s, scientists at the Los Alamos National Laboratory developed a system that used RFID for controlling access to nuclear materials. Similar technology showed up in the civilian sector in the 1980s as building management companies deployed the first generation of "proximity cards."

Then in the 1990s, electronic toll collection systems like E-ZPass were introduced by highway and transit authorities worldwide; today there are more than 10 million cars with transponders in the United States alone.

Whether they're being used to track the movement of nuclear materials or deduct a $2 toll from your account with the New York State Thruway Authority, all of these RFID systems work more or less the same way. A small electronic circuit in the RFID chip listens for a radio signal from the RFID reader. When the circuit hears this signal, it sends back a coded radio signal of its own. The code contains the chip's identification number and possibly other information. When the reader hears the response, it sends that information to a computer system. Typically, the computer looks up the number in a database, verifies that it is valid and hasn't been stolen, and then performs some sort of action.

RFID chips are usually packaged in small plastic boxes called tags. There are two kinds of tags: active and passive. Active tags contain a microchip, an antenna and a battery. They can work from a distance of dozens or even hundreds of feet, depending on the size of the antenna, the strength of the battery and the portion of the radio spectrum that's being used for the communication. Because batteries have a limited life span, these tags work for only a few years. Passive tags, on the other hand, don't have batteries.

Instead, they are powered directly from the same radio signal that's used to trigger them. Because they don't have batteries, passive tags are much cheaper to manufacture and pretty much have an indefinite shelf life. But passive tags also have a very limited reading range: Most passive tags can't be detected unless they are within a foot of a reader, and some can't be read unless they're within an inch.

Two factors are driving the sudden interest in RFID technology. The first is the plummeting price of tags. Today, tags tend to cost between 25 cents and a dollar, depending on the technical details of the tags and the number ordered. But it's widely believed that tags will cost a penny or less by the end of the decade.

The second factor is the dawning era of RFID compatibility. As anybody who has ever deployed a proximity card system in a building knows, until now, most RFID systems have been mutually incompatible. But last year, an industry consortium adopted an RFID standard called the Electronic Product Code, or EPC. Management of this standard was turned over to the Uniform Code Council (UCC), the same organization that manages the ubiquitous Uniform Product Code (UPC) that's on consumer products. The UCC and its European counterpart, EAN International, have created an organization called EPCglobal to shepherd the future development of this technology. As you might imagine, the big goal here is to have EPC UPC in the coming years. (Point of disclosure: I am a member of EPCglobal's Public Policy Committee.)

This push for what's called item-level tagging has caused a huge outcry among privacy activists in the popular press, and with good reason. If RFID technology is deployed to consumers the way it has been described by some, it could have devastating implications.

Indelible tags sewn into clothing or embedded into the soles of shoes would make it possible to track consumers as they enter or leave stores. Readers on store shelves could alert whenever a consumer picks up expensive merchandise, perhaps automatically snapping a picture if someone picks up too many razors at once. Tags on books or magazines would identify what a person is reading by scanning his briefcase or backpack. Tags on banknotes would enable a mugger to figure out who is carrying large amounts of cash.

It's tempting to dismiss these scenarios as ravings from unsophisticated technophobes. Don't. The glaring misuses of RFID technology previously mentioned were first brought up not by privacy activists, but by the RFID industry itself. Although many people working on RFID are concerned about privacy issues, these concerns often take a backseat to technical ones.

Equally troubling is the lack of attention to security, an issue that overlaps with personal privacy but has concerns all its own. One of the biggest security problems with today's RFID tags is that they are promiscuous: they will respond to any reader that tries to query them. The implications, as this technology becomes widespread, are staggering.

Consider the case of item-level tagging: What's to prevent the competition from walking in with a portable RFID reader hidden in a backpack and surreptitiously taking a complete inventory? Or consider the potential for fraud. Since tags can be reprogrammed, a thief could enter a store, scan the ID of a tag on a $50 VCR, program this ID into his own tag and affix that tag to a $500 unit.
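The tag-swap fraud above works because an ID-only tag proves nothing except that its number was copied. The sketch below is an added example, not part of the original column or of the EPC standard: it models a reader and back-end lookup in Python and compares an ID-only check with a hypothetical challenge-response tag. The tag IDs, keys, class names and the HMAC scheme are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed back-end database: tag ID -> (item, price in dollars, per-tag key).
# The per-tag key is an assumption of this sketch; the tags the article
# describes carry only an ID.
DB = {
    "ID-VCR-50": ("VCR, basic", 50, b"key-for-vcr-50"),
    "ID-VCR-500": ("VCR, premium", 500, b"key-for-vcr-500"),
}

class StaticTag:
    """Promiscuous tag: answers any reader with its stored ID and nothing else."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return self.tag_id, None

class AuthTag(StaticTag):
    """Hypothetical tag that also proves knowledge of a secret key."""
    def __init__(self, tag_id, key):
        super().__init__(tag_id)
        self._key = key
    def respond(self, challenge):
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.tag_id, mac

def checkout(tag, require_auth):
    """Reader plus back end: query the tag, look up its ID, return (item, price) or None."""
    challenge = secrets.token_bytes(16)  # fresh per read, so a recorded reply is useless
    tag_id, mac = tag.respond(challenge)
    record = DB.get(tag_id)
    if record is None:
        return None  # unknown ID
    item, price, key = record
    if require_auth:
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if mac is None or not hmac.compare_digest(mac, expected):
            return None  # the ID was presented, but not the key behind it
    return item, price

# The article's scenario: the cheap unit's ID sits on a tag attached to the $500 unit.
genuine = AuthTag("ID-VCR-500", b"key-for-vcr-500")
clone = StaticTag("ID-VCR-50")  # carries only the copied ID

def demo():
    return {
        "id_only_accepts_clone": checkout(clone, require_auth=False),
        "auth_rejects_clone": checkout(clone, require_auth=True),
        "auth_accepts_genuine": checkout(genuine, require_auth=True),
    }
```

With the ID-only check the copied tag rings up at $50; with the keyed check the same tag is rejected, as is any reply recorded from an earlier read.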

When the privacy issue was first raised with the creators of the EPC standard, they responded by giving every tag a special command called "kill." Send this command to the tag and it commits suicide. The theory is that a dead tag is not a threat to anybody's privacy. Legislation has now been proposed in California that would require any business selling consumer goods to remove or kill all item-level RFID tags before the item leaves the store.

The problem with the "all tags must die" approach, says Henry Holtzman, a research scientist at the MIT Media Lab, is that tags on stolen property won't be killed. That means that having an item on your body containing a live tag might be taken as circumstantial evidence that you are a shoplifter. It's not hard to imagine police walking the sidewalks in some neighborhoods with high-powered RFID readers, searching for anybody giving off the right signals. And it's not hard to imagine anti-RFID activists going into stores and killing every tag they can find with covert tools.

Last November I chaired a one-day workshop looking into RFID-related privacy issues at MIT. You can find copies of the papers that were presented as well as streaming video of the day's proceedings on the conference website, at www.rfidprivacy.org/agenda.php.

RFID technology is going to be deployed throughout our society. And while the threat to privacy should not be underestimated, I think that the lack of security on these systems is potentially a far greater problem. Today's RFID systems were developed in a collegial environment that was largely ignorant of security concerns. The challenge was getting the chips to work and making the technology cheap enough for mass deployment.

Sadly, we've seen this story before with analog cell phones and then again with Wi-Fi networking. For some reason, engineers working on wireless systems consistently underestimate the resources and motivation of our adversaries. They take the paucity of attacks as evidence of their systems' strength.

What engineers fail to realize again and again is that the bad guys aren't motivated to find flaws in these wireless systems until they are widely deployed. At that point, the costs of adding security can be staggering.

With commitment and work, the RFID industry could produce technology that is far more secure and, as a result, more responsive to privacy needs as well. But the industry won't do that unless customers make those demands now.

Copyright © 2004 IDG Communications, Inc.
