This story appeared on Network World Fusion at
An RFID warning shot
By Scott Bradner
Network World, 02/07/05
Radio frequency identification is a part of the present and may well be a major part of our future. This situation is, at best, a mixed bag.
It would not be quite so bad if vendors of RFID products and companies that say they want to use them better understood security and privacy.
For those of you who have been cave dwellers over the last few years, RFIDs are small electronic devices, normally with no battery or power supply, that can interact wirelessly to identify themselves to a scanner.
The best-known examples are the very simple devices that companies such as Wal-Mart are asking suppliers to put on pallets of goods and that drug companies are beginning to attach to containers in the distribution chain (see Privacy as an afterthought ). These RFIDs are basically wireless bar codes that respond with a unique serial number when queried by a wireless scanner. Companies with large database infrastructures, like Wal-Mart, can keep track of where individual cartons of goods are in their supply chain or, someday far too soon, what individual products are in a shopper's physical cart.
But not all RFIDs are that simple. Some, like those being considered for the next generation of U.S. passports, can report back a bunch of passport-holder-specific data. Others, like the electronic key used in some cars and the ExxonMobil SpeedPass, include a cryptographic challenge-response interaction in an attempt to make sure that the RFID is not counterfeit.
These have not been particularly good days for the RFID business. Researchers at Johns Hopkins University and RSA Laboratories have shown that the RFID used in the SpeedPass and in the keys for some Ford vehicles can be spoofed reasonably easily (see rfidanalysis.org). The researchers demonstrated that the RFID chips used weak encryption keys that can be broken within a few hours. Imagine thieves scanning for car owners' encrypted keys while standing next to the car owners on elevators. The thieves then could break the encrypted keys and steal the car using normal car burglary tools, knowing that they could fool the electronic interlock into thinking they had the right key.
Texas Instruments, which makes the circuits used in the Ford keys and the SpeedPass, makes similar circuits with longer and harder-to-break keys. But Ford and Exxon decided to use the less expensive, weaker chips. Texas Instruments is not immune from blame here, as it is using a secret encryption algorithm, which violates the most basic of good encryption rules.
At the same time, the National Institute of Science and Technology (NIST) has shown that RFIDs to be used in U.S. passports can be read from as far away as 30 feet. This would make it easy to spot people carrying U.S. passports and capture information about them, and maybe even the passport holders themselves.
Finally, Wal-Mart and other merchants investigating the use of RFIDs seem to be genetically blind to privacy issues inherent in setting up a system that would let individuals be singled out by wirelessly determining the pattern and values reported back by the RFIDs embedded in their clothing and possessions.
I wonder how much bad news the RFID business can absorb before it begins to figure out that there are still problems to be solved before it's time to deploy. So far, the RFID business has shown a remarkable level of absorbency.
Disclaimer: From time to time the local community complains about Harvard's ability to absorb property near the campus, but the above absorbency puzzlement is mine, not the university's.