TECHNOLOGY NEWS

as well as readers that can recognize

How Secure the emitted signals. Most commer-

cial RFID chips, such as those used
in place of bar codes on products in

Is RFID? stores, are passive emitters and thus

have no onboard power source.
They send a signal over a range of
several feet when a nearby reader ac-
tivates them.
Sixto Ortiz Jr. Active emitter chips, like those
used in automatic highway toll-pay-
ing devices that let drivers pass
through collection booths without
stopping, have their own batteries

R
adio frequency identifica- and thus can send signals up to
tion technology, of minor about 300 feet to readers.
importance in the market- RFID transceivers, such as the one
place not long ago, is surg- that Figure 1 shows, are tiny, re-
ing in popularity and find- source-constrained computers. In
ing use in a growing number of passive systems, they detect a signal
applications. arriving from a reader, power up the
Vendors are using RFID in place tag, send a reply, and store a small
of product bar codes in stores, in em- amount of data. The amount of stor-
ployee identification badges for ties flagged by skeptics either don’t age depends on the usage, varying
building access, in car keys to enable exist in most real-world implementa- from a few bits for applications such
vehicle startup, and even to identify tions or could not be practically ex- as a small store’s inventory-control
lost or stolen pets. ploited by hackers, said Dan Mullen, system to multiple kilobits for ap-
In the near future, the technology president of the Association for Auto- plications such as a large business
might become part of more high- matic Identification and Mobility supply-chain system.
profile applications, such as pass- (AIM), an RFID industry consortium. The readers perform various func-
ports, credit cards, airport luggage- Meanwhile, proponents say, they tions, like simply displaying data
tracking systems, and hospital badges are always making the technology such as a product’s price, acting on
used to identify patients and the med- more secure. data such as admitting a person to a
ications and dosages they require. building, or communicating with a
Despite RFID’s growing profile, RFID PRIMER back-end application such as a toll
some researchers worry that potential The technology behind RFID has system’s database.
security problems could cloud the been in use since World War II, when The data in some RFID tags, such
technology’s future, particularly as it the British used it to identify whether as those used to store product prices,
is used for more critical purposes. planes belonged to “friend or foe.” is read-only. Other tags are read-
There are concerns that hackers could Work on the technology contin- write, so information can be stored
tamper with or steal RFID data, such ued, and in 2004, vendors began as the need arises. For example, this
as product prices or patients’ or credit- pilot projects using RFID tags on type of system could write location
card holders’ private information. products and supplies to store pric- and other information about a prod-
“The security of today’s systems is ing- and inventory-related informa- uct to a tag as it moves through
appallingly bad,” said Peter G. tion, said Bert Moore, AIM’s a supply chain, explained Jack
Neumann, principal scientist at the director of communications and Brandon, manager of business de-
Computer Science Lab at SRI media relations. velopment for Socket Communica-
International, a research institute. Large institutions, such as the tions, a vendor of data-collection
“There are many potential risks in US Department of Defense, have and network-connectivity products
the use of RFID tags.” since implemented RFID, which is for mobile devices.
RFID is subject to the same com- now spreading to other organiza-
plexity-related security problems that tions and industries. Advantages
have affected the entire IT industry, Because RFID is simple, it is gen-
added Vrije Universiteit PhD student How it works erally inexpensive, which is practi-
and researcher Melanie Rieback. RFID systems consist of small cal for use in high-volume settings
However, many of the vulnerabili- radio chips in tags placed on items, such as stores and warehouses.

Published by the IEEE Computer Society July 2006 17

 TECHNOLOGY NEWS

it showed how hackers could launch that access its information could
Antenna DoS attacks against some types of write the malware into other tags
Receive/ RFID systems, including those in and thereby propagate the infection.
Signal flow transmit switch which tags communicate via fre- According to Rieback, the Vrije
Receiver Transmitter quency-hopping spread-spectrum group made its findings public to en-
modulation. courage RFID designers to use se-
FHSS entails the repeated switch- cure programming practices. She
Attenuator Attenuator ing of frequencies during transmis- said some designers have been re-
or amplifier or amplifier
sion, which reduces interference luctant to acknowledge their prod-
Power and makes intercepting signals ucts’ vulnerabilities. However, she
supply
Demodulator Modulator more difficult. added, others have privately sought
The Edith Cowan researchers her research group’s help.
Processor used RF jamming, which sends sig-
nals across the entire spectrum range Rewriting tags
in which an FHSS-based RFID sys- Hackers with the proper equip-
Figure 1. An RFID tag consists of a radio tem functions, explained university ment could record data from an
transmitter and receiver, an antenna, lecturer Andrew Woodward. RFID chip that is on an inexpensive
a processor, a modulator and a This technique continuously sent product and upload the data to a
demodulator to put data onto and signals to an RFID tag, which left it chip that is on an expensive product,
remove data from signals, attenuators, unable to respond to or communi- thereby getting the latter for a lower
or amplifiers to modify or strengthen cate with legitimate traffic. price, noted Lukas Grunwald, a con-
signals, and sometimes onboard power sultant with DN-Systems Enterprise
sources. Vrije Universiteit: viruses Solutions, an information-security
Security experts have not reported consultancy.
In addition, the technology trans- finding any RFID viruses in the wild. Grunwald developed the RFDump
mits signals through materials such However, researchers with Vrije application, which runs on a mobile
as cardboard, making it good for Universiteit’s Computer Systems device and reads and writes data to
merchandise tracking, added Joe Group say their work indicates hack- and from RFID tags.
Melo, RFID product manager for ers could create viruses and embed Such programs could find their
vendor Psion Teklogix. them in RFID tags. A reader could way onto the Internet and become
encounter the tag and transmit the available to hackers, he said.
SECURITY ISSUES data to the application that uses it.
Even though RFID chips have lit- The viruses could then exploit appli- Stealing cars
tle memory, they can send malicious cation vulnerabilities and cause a Many new cars won’t start unless
data to unsecured back-end data- buffer overflow or some other prob- an RFID reader, called an immobi-
bases and other systems that are sus- lem that could infect a back-end sys- lizer, detects the encrypted RFID tag
ceptible to common attacks such as tem with the malware. embedded in the owner’s key. When
viruses, buffer overflows, and de- “If improperly secured,” Rieback someone inserts a key into a car igni-
nial-of-service (DoS) assaults, said said, “back-end systems … could ex- tion, the immobilizer sends a “chal-
Vrije Universiteit’s Rieback. ecute malware as code.” lenge,” in the form of encrypted data,
“Of even greater concern can be For demonstration purposes, she to the tag, which then must send a re-
the lack of definitive binding be- noted, the researchers didn’t exper- quired “response” using the same
tween the tags and the objects they iment with actual RFID systems but cryptographic key. If the tag responds
purportedly correspond to,” added instead replicated them in software. properly, the immobilizer lets the ve-
SRI International’s Neumann. They also created a proof-of-con- hicle’s fuel-injection system operate.
For example, he said, terrorists or cept, self-replicating RFID virus that A hacker could use an electronic
smugglers could switch tags or dis- inserts malicious Structured Query cloning device—which consists of an
able one tag and add another to Language code into a database. antenna and modulation/demodula-
evade future RFID-based airport According to Rieback, RFID tags, tion routines that can intercept,
luggage-scanning systems. even with their small memories, record, and manipulate RFID sig-
could easily transport the small nals—to eavesdrop on transmissions
Edith Cowan University: amount of code—some commands between the RFID tag on a car key
DoS attacks are a single word—typically needed and an immobilizer. The cloner
Edith Cowan University’s School for SQL injection attacks. would then extract the car key’s re-
of Computer and Information Sci- Once a database is infected, quired response and obtain the en-
ence Security Research Group says Rieback noted, RFID applications cryption key, which, if weak enough,

18 Computer
the hacker could break via a brute-
10,000
force attack.
The thief could then demodulate, 9,000 Tags Readers Software

Revenue (millions of US dollars)

replicate, and store the response and 8,000
subsequently broadcast it via a soft- 7,000
ware radio to steal the vehicle. 6,000
5,000
Cloning implanted RFID tags
4,000
Implantable RFID tags are used
for applications such as smart cards, 3,000
like those in badges that give em- 2,000
ployees access to a building. The tags 1,000
are also used in small devices that let 0
a driver pay for gasoline by simply 2003 2004 2005 2006 2007 2008 2009
waving the device near a pump. Source: ABI Research

However, researchers at Johns

Hopkins University’s Information Figure 2. Global revenue from RFID-related sales grew steadily during the past three
Security Institute and at RSA Labo- years and is expected to continue doing so during the next three years.
ratories have demonstrated that
hackers could clone implanted tags memory capacity, implanting all but tack, they should allow researchers
in much the same way that thieves the smallest viruses would be diffi- to test them via simulated attacks.
steal RFID-protected vehicles. cult, explained Kevin Ashton, mar- Other software vendors have done
Hackers could use cloners to in- keting vice-president for RFID this, she noted, offering a reward for
tercept a tag’s digital identification vendor ThingMagic. defeating an application’s security,
signature, which the chip transmits “In addition,” he said, “RFID tags and this has improved their products.
along with data. The hacker could do not execute code, malicious or
then crack the encryption and use a otherwise; they just store data.”

M
software radio to simulate the legit- Moreover, RFID systems are de- arket statistics indicate the
imate tag, thereby fooling the reader. signed to verify that data read from RFID industry will continue
tags matches predefined parameters growing rapidly. As Figure 2
RFID INDUSTRY RESPONSE such as the proper number of digits shows, ABI Research, a market-
The RFID industry says it has built in a product code, said AIM’s analysis firm, predicts global RFID
numerous security features into its Mullen. Thus, he said, it is unlikely revenue will surge from $1.42 billion
products. a hacker could infect a system via in 2003 to $8.98 billion in 2009.
For example, some systems in- malware copied into a tag’s memory “As RFID deployments grow and
clude encryption to limit signal theft. because the code probably wouldn’t reach consumer-level applications,
To do this, developers add encryp- fit the necessary format. In this case, new security measures will be re-
tion algorithms and routines to the the reader would ignore the code. quired,” contended ThingMagic’s
APIs that program the tags. Researchers claim they can get a Ashton. He said some new RFID pro-
However, this adds cost, noted system to at least transmit malicious grams will contain highly sensitive in-
Psion Teklogix’s Melo. Thus, he code to back-end applications. formation that must be protected
noted, systems deployed for pur- According to Ashton, researchers vigorously. These applications will re-
poses such as product tracking don’t did this only by creating vulnerabil- quire measures such as stronger en-
include encryption because users ities in their experimental systems cryption or passwords, he explained.
don’t consider the information that that are unlikely to occur in com- According to Vrije’s Rieback,
the tags contain to be valuable mercial RFID systems. sound software-development tech-
enough to steal. Also, he said, hackers would need niques will help make RFID more
Some RFID tags have writable inside information—such as the data secure. ■
memory that users can lock. This ap- formats with which a reader works
proach is designed to keep hackers or how an RFID application inter- Sixto Ortiz Jr. is a freelance technology
from writing malicious data to tags. acts with a back-end database or writer based in Spring, Texas. Contact
However, many users might not lock reader—to plant a hostile program him at [email protected].
the memory because they either in an RFID system.
don’t know how or don’t want to However, said Vrije Universiteit’s Editor: Lee Garber, Computer,
spend the time necessary to do so. Rieback, if the RFID industry really [email protected]
Generally, tags have such a small believes its systems are immune to at-

July 2006 19