1 1October 2008 RFID Privacy & Security What is RFID? Here's a plain-english explanation of what radio frequency identification is and why it's suddenly become an important technology. Radio frequency identification (RFID) is a generic term that is used to describe a system that transmits the identity (in the form of a unique serial number) of an object or person wirelessly, using radio waves. It's grouped under the broad category of automatic identification technologies. Auto-ID technologies include bar codes, optical character readers and some biometric technologies, such as retinal scans. The auto-id technologies have been used to reduce the amount of time and labor needed to input data manually and to improve data accuracy. Some auto-id technologies, such as bar code systems, often require a person to manually scan a label or tag to capture the data. RFID is designed to enable readers to capture data on tags and transmit it to a computer system without needing a person to be involved. Antennas read passive tags on cases stacked on a pallet A typical RFID tag consists of a microchip attached to a radio antenna mounted on a substrate. (For more detail and for information about tags that don t use silicon chips, read The Basics of RFID Technology. ) The chip can store as much as 2 kilobytes of data. For example, information about a product or shipment date of manufacture, destination and sell-by date can be written to a tag. To retrieve the data stored on an RFID tag, you need a reader. A typical reader is a device that has one or more antennas that emit radio waves and receive signals back from the tag. The reader then passes the information in digital form to a computer system. RFID technology has been used by thousands of companies for a decade or more. (RFID Business Applications spells out some of the ways the technology has been and will be used.)
2 The technology is not new (see The History of RFID), so why is it taking off now? Until recently, the cost of RFID has limited its use. For many applications, such as tracking parts for just-in-time manufacturing, companies could justify the cost of tags a dollar or more per tag by the savings an RFID system could generate. And when RFID was used to track assets or reusable containers within a company s own four walls, the tags could be reused. But for tracking goods in open supply chains, where RFID tags are put on cases and pallets of products by one company and read by another, cost has been a major obstacle to adoption. Tags must, in effect, be disposable because the company putting them on cannot recycle them. They get thrown out with the box. (Tags built into pallets could be reused, and some companies are looking to develop ways to recycle tags on corrugated cases.) The Auto-ID Center In 1999, the Uniform Code Council and EAN International teamed with Gillette and Procter & Gamble to fund the Auto-ID Center at the Massachusetts Institute of Technology. The center changed the equation by working with private industry to develop an RFID tag that would be very low cost (the goal was five cents) when manufactured in high volumes. That way, companies could put tags on everything they own and then connect them to the Internet through a secure network. The center eventual gained the backing of the U.S. Department of Defense and some 100 global companies, including Kimberly-Clark, Metro, Target, Tesco, Unilever, Wal- Mart. These companies were attracted to RFID because it held out the potential of offering perfect supply chain visibility the ability to know the precise location of any product anywhere in the supply chain at any time. The 5-cent tag is still several years away. Today tags cost from 20 to 40 cents, depending on their features and packaging. (For more on this, see RFID Costs and Components). The Auto- ID Center's contribution went beyond trying to create an inexpensive tag. It developed the Electronic Product Code (EPC), a numbering scheme that makes it possible to put a unique serial number on every item manufactured. It developed a way for tags and readers to communicate (the air interface protocol) and designed a network infrastructure that stores information in a secure Internet database. A virtually unlimited amount of data associated with a tag s serial number can be stored online, and anyone with access privileges can retrieve it. The Auto-ID Center handed off its technology to a non-profit organization called EPCglobal, which has created a second-generation air interface protocol and is developing the network infrastructure now called the EPCglobal Network to enable companies to share data in real time. Here's how it will work. When Company A ships a pallet full of soft drink, the tags on the cases and pallet are scanned as the shipment leaves, and software is used to automatically let Company B know the shipment has left the warehouse. Company B can look up data associated with the serial numbers on the shipment and learn what's coming, when it will arrive and so on. When Company B receives the shipment, it scans the tags automatically, and a message can be immediately sent to Company A to let it know the shipment arrived.
3 The potential efficiencies created by this visibility are enormous. Companies would be able to reduce inventories while ensuring product is always in the right place at the right time. And because no humans would have to scan the tags, labor costs and errors would also be greatly reduced. The grand vision is to ultimately flip the supply chain around. Today, companies make goods based on a monthly forecast. They then push the goods out into the supply chain and hope they sell. If demand is greater than they forecast, they lose sales. If it is less than forecast, they have excess goods that are sold at a loss or thrown away. The goal is to use RFID to track goods through the supply chain It would be much more efficient if goods could be pulled through the supply chain based on real-time demand. RFID readers on shelves would monitor how many products are being sold. They would signal the backroom when the shelves get low and request more inventory be brought out. When inventory in the backroom gets low, readers there would signal the warehouse to send more product. When inventory in the warehouse gets low, readers would signal the manufacturer to send more product. And so on back through the manufacturer's suppliers. It's not clear if this vision can ever be fully achieved. The biggest obstacle is the cost of the tags. The Auto-ID Center did research suggesting the price of tags could fall to 5 cents when 30 billion tags are consumed annually. But 30 billion tags will never be consumed if the tags cost 25 cents or more. So the industry faces a chicken-and-egg problem tags won't get cheap until a lot of people use them, but a lot of people won't use them until they get cheap. Wal-Mart was the first retailer to require suppliers to put tags on cases and pallets of goods. In June 2003, it told its top 100 suppliers that they would need to begin putting tags on shipments in January One reason Wal-Mart chose this approach was to solve the chicken-and-egg problem. If the giant retailer's top suppliers began buying tags, that would begin to drive the price down. Lower prices would enable more companies to use the technology. Then volumes would increase and prices would fall further. Why RFID Is Hot Wal-Mart's push to use RFID in the open supply chain is a big reason why the technology is hot today. But it's not the only reason. Several important factors have come together around the same time. One is the advances in ultra-high frequency RFID systems. UHF systems are able to deliver the read range needed for supply chain applications, such as scanning tags on products as pallets are moved through a dock door or scanning cases on a high shelf in a warehouse.
4 Another factor was the efforts by the Auto-ID Center to develop a system that is low cost and based on open standards. These are prerequisites for the use of RFID in open supply chains, where a company puts a tag on a product, and it's read by other companies in the supply chain. And finally the ubiquity of the Internet is an important (and often overlooked factor). The Auto-ID Center realized that the Internet could be used to enable companies to share information about the location of products within the supply chain. Before the Auto-ID Center proposed the EPCglobal Network, there was no way (other than manually phoning, faxing or ing) for Company A to let Company B know that it has shipped something, and there was no way for Company B to let Company A know that the product has arrived. With the network, companies can not only identify products in the supply chain, they can share information about the location of goods. Company A, for instance, could let Company B see in real time what is in Company A's warehouse. Or Company A could let Company B know automatically that goods were scanned leaving the warehouse and will arrive at Company B's facility the next day. It is this ability to share information about the location of products anywhere in the supply chain that makes RFID a potentially powerful technology. Working with Boeing and Endwave Defense Systems, companies like Omnitrol Networks have now extended this capability to produce applications such as Real-Time, Work-in-Process for integrated visibility of manufacturing operations. What are the Major Components of an RFID System? Deploying a radio frequency identification system that delivers true business value involves much more than purchasing the right tags and installing the right readers. To get business value from the all of the information collected, companies also need middleware to filter the collected raw tag data. Customers typically want the entire system supplied by a specialized System Integrator on a total solution, turn-key basis. This makes sense to ensure effective integration of many different components and different RFID vendor products and avoid any finger-pointing in such implementations. Tags and Readers Tags and readers are the main components of an RFID system. There are two basic types of tags, active and passive. Active RFID tags have a transmitter and their own power source (typically a battery). The power source is used to run the microchip's circuitry and to broadcast a signal to a reader (the way a cell phone transmits signals to a base station). Passive tags have no battery. Instead, they draw power from the reader, which sends out electromagnetic waves that induce a current in the tag's antenna. Semi-passive tags use a battery to run the chip's circuitry, but communicate by reflecting power from the reader.
5 Readers can house internal or external antennas. Readers with external antennas can have one or more ports for connecting additional antennas. Readers can also have input/output ports for connecting to external devices. An input port might be connected to an electric eye that activates the reader when something passes through its field of view. An output port might connect to a programmable logic controller, conveyor sorter or other device controlled by the reader. Readers also have ports for connecting to a computer or network. Middleware Middleware is a generic term used to describe software that resides between the RFID reader and enterprise applications. The middleware takes raw data from the reader (which might read the same tag 100 times per second), filters it and passes on the useful event data to back-end systems. Middleware can play a key role in getting the right information to the right application at the right time. Significant enterprise value is created by the application of customer-defined business rules to the sea of data constantly flowing from all the tags, sensors and readers. The automated actions taken from the implementation of those business rules creates the real-time enterprise and assures management that the enterprise is consistently being run to pre-defined guidelines 7x24x365. In order for the immense volume of RFID data not to burden corporate networks and business management systems, it is considered highly desirable to maximize the use and action on those data as close to the enterprise network edge as possible. Due to their high costs and lengthy lead times, It is also highly desirable to avoid having to contract changes to existing enterprise middleware. With its self-contained middleware and built-in adapters for systems such as SAP, Omnitrol s industry-leading edge appliance does exactly this function. What are Active RFID Systems? Active tags may be broadly operated in one of two operational modes: as transponders and/or as beacons. Active transponders are awakened when they receive a signal from a reader. Popular applications are in toll payment collection, checkpoint control and other choke-point systems. For example when a car with an active transponder approaches a tollbooth, a reader at the booth sends out a signal that activates the transponder on the car windshield. The transponder then transmits its unique ID to the reader. In this manner, transponders conserve battery life by enabling the tag to send a signal only when it is within range of a reader. Active beacons are utilized in real-time locating systems (RTLS) that cannot accommodate choke points. A beacon emits a signal with its unique identifier at pre-set intervals, for example, once every second, every minute, every hour, or several times per day, depending on the urgency of the location tracking application. Active tags can be read reliably because they transmit (rather than reflect) a signal to the reader. Read ranges of 100 meters (greater than 300-feet) is common, but range
6 often depends on the antenna type, environmental factors, and regulatory constraints. Active tags can cost from $10 to a few hundred dollars, depending on their capability, amount of memory, battery life, and integrated sensor functionality. Bringing some order to this technology explosion EPCglobal maintains the electronic-product-code database, which identifies a manufacturer, product, and version and serial number; provides middleware specifications for data exchange; and administers the Object Name Service for matching an electronic product code to information about the associated item. Securing RFID Tags From Eavesdropping Businesses and vendors alike acknowledge that security is a key consideration for all RFID deployments. Security breaches can happen at the RFID tag, RFID Reader, network, or data level. Unsecured wireless networks present opportunities for eavesdropping on data. To serve as a successful alternative to barcodes, RFID tags must be very inexpensive. While more expensive RFID tags for special environments can do cryptography, affordable tags lack the resources to do sophisticated computing, and certainly cannot perform the standard cryptographic operations necessary to offer privacy and security. Securing basic RFID tags therefore presents a considerable challenge. All of the good security tools developed over the last 20 years won't fit into the hardware that's available on most of these RFID tags. The continued march of Moore s Law and computing power has also required ever stronger encryption algorithms to prevent easy cracking. Strong encryption on a tag, for instance, would chew up too much of a tag's processing power, as well as add extra cost to tags that need to be lightweight and inexpensive for companies to keep costs in line. But scientists and researchers have come up with techniques that have potential for privacy and security.
7 Protecting RFID Tags from Eavesdropping in Enterprises For enterprises, eavesdropping on RFID readers is a major threat. It can be a highly effective and profitable form of corporate or military espionage. RFID readers themselves can broadcast RFID tag data over long distances often up to hundreds of meters away. It is difficult to shield the radio emissions of readers effectively without impeding their use. This means that an eavesdropper with an antenna and some basic receiving equipment can gather the same RFID tag information that is compiled by your enterprise s own warehouse! Scientists have proposed two different techniques for addressing the enterprise eavesdropping problem. One, proposed by researchers at MIT, is known as silent treewalking. Silent tree-walking involves a modification to the basic reading protocol for RFID tags that eliminates reader broadcast of tag data. A second technique, proposed by RSA Laboratories, involves the use of pseudonyms. In this proposal, tags carry multiple identifiers, and emit different identifiers at different times. Thus the appearance of a tag is changeable. Legitimate readers are capable of recognizing different identifiers belonging to a single RFID tag. An eavesdropper, however, is not. Pseudonyms can prevent an adversary from unauthorized tracking of RFID-tagged objects. Despite the questions that revolve around security, you can't ignore the fact that RFID ultimately provides a tremendous security boost. "If you look at most supply chains today, truth be told, it's almost security by obscurity," says Arvind Parthasarathi, director of product management at supply-chain software vendor i2 Technologies Inc. "Bad things are more likely to happen in the dark, and, in some sense, [with RFID] you're reducing the amount of darkness out there." RFID's ability to pinpoint the exact location of an item in inventory lowers the risk of insider theft, because workers will know the inventory is carefully tracked and up to date. "If you know for certain that the TV arrived at a warehouse at a specific time, and then it ends up missing there," he says, "that's a great deterrent."
8 The Tag Such a tiny tag. So much potential for mischief. For starters, RFID tags can be manipulated easily by hackers, shoplifters, or disgruntled employees. That's what Lukas Grunwald, a consultant with DN-Systems Enterprise Internet Solutions GmbH demonstrated at the 2004 Black Hat security conference earlier this year. Using a small program he helped develop, dubbed RFDump, Grunwald showed how the tags could be read, altered, and even deleted. RFDump requires nothing more than an inexpensive plug-in tag reader attached to a handheld, notebook, or desktop system running Windows or Linux. The software shows how anyone could potentially destroy all RFID tag information, change the price of an RFID-tagged item for sale, or even switch data, which could lead to retailers having to do time-consuming manual inventories to have an accurate count of their goods. Most passive tags supporting EPCglobal standards are write-once, but RFID tags that support other standards, such as ISO, provide multiple write-to capabilities, and, by next spring, the market will be flooded with EPCglobal UHF generation 2 protocol RFID tags that also support multiple-write features. Because they're not write-protected, passive tags can be changed or written to "a couple of thousand times," Grunwald says. Tire manufacturer Michelin North America Inc., which is embedding RFID tags in tires' sidewalls to help auto manufacturers and auto-parts retailers identify them, says chip reprogrammability is a concern. It needs to be "managed appropriately," says Pat King, Michelin North America Inc.'s global electronics strategist. King also is a member of the RFID Expert Group within the AIM Global Standards Action Group, a global trade association concerned with managing the collection and integration of data with information-management systems. "Companies shouldn't assume or depend on keeping the data that resides in that reprogrammable space on the tag secure. If you doubt the validity of that information, you can always go back to the secure information on the chip and verify it with data stored in a database." The lack of support for point-to-point encryption (which is available using existing standards such as ISO 14443/DESFire) and a PKI key exchange contribute to tag vulnerability, according to IT advisory services firm The Advisory Council. In an article on InformationWeek's RFIDinsights.com site (informationweek.com/1011/tac_rfid.htm), The Advisory Council also identifies other ways tags could be exploited. "Rumors within law enforcement have reported that hijackers of cargo trucks are already using RFID readers to help determine which shipping pallets are worth stealing," The Advisory Council writes. EPCglobal is a joint venture between EAN International (Europe) and UCC (USA) aiming at developing industry RFID standards. Since EPCglobal unifies the two biggest organizations responsible for Barcode technology, it has the potential to influence the standard for RFID technology at the global scale. One of the most important standards
9 proposed by EPC global is the EPCglobal Class-1 Gen-2 RFID specification which defines the functionality and operation of a RFID tag. Unfortunately, the EPCGlobal Class-1 Gen-2 RFID specification pays little attention to the security and privacy issues mentioned earlier. More specifically, RFID tag uses a very naive method to authenticate RFID reader by sending out a random number and requiring the reader to acknowledge that number. After that, a tag backscatters the associated EPC in clear text to the reader. This protocol obviously enables any malicious reader conforming to the standard to perform a skimming attack to capture the EPC stored in the tag's memory. Everything from the reader back is very standard Internet infrastructure. So you have all the same security issues and opportunities that you have with the Internet. That includes having a rogue reader introduced by a competitor or intruder onto an unsecured network and shipping all the data it scans off to that person, says Forrester analyst Laura Koetzle. "Another place to worry is having the data taken in by your readers hijacked between the readers and the repository of that data, she stated. The solution is to make sure all the readers on your network are authenticated before they can pass on any information to middleware that feeds enterprise systems and that the data traffic between the reader and the back-end system is encrypted. "There are some very sensible measures that should be taken when deploying RFID readers to make sure that they authenticate themselves properly to the corporate network and also that they're not broadcasting meaningful, useful information through the air that could be subject to eavesdropping by other people. For those countries implementing RFID Passports, Passport data on RFID chips is signed with a digital certificate belonging to the country to which the passport was issued. E-passport systems are intended to verify that certificate when scanning a passport. All countries issuing e-passports are supposed to upload their digital certificate to the Public Key Directory (PKD), a database that should be queried to ensure the certificate is correct On 3 October 2008, California followed Washington State's footsteps to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming. Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices. The legislation came a year after the hacking of the RFID-enabled Dutch passport, and the successful hacks of the Exxon Mobile key fob and the exposed VeriChip human RFID implant
10 Still, California's measure and the one Washington State adopted in March, don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remains.