Is RFID a danger?

5 September 2005 (Last Updated September 5th, 2005 18:30)

As RFID is slowly becoming an accepted norm for companies fighting counterfeit and improving logistics, Lukas Grunwald, Boris Wolf and Nicholas Walker of DN Systems, warn that maybe not enough attention has been paid to the risks it poses.

Applications based on RFID technology are becoming more and more important. RFID is already deployed in access-control systems for authentication, and to unlock a door or deactivate an anti-theft device in a car. Use in the retail industry is in the initial phases of wide deployment.

At present, there are only a few markets where RFID is used extensively. Some of the most common applications are at the point of sale: for self-checkout systems, intelligent shelf management, misplaced or perishable goods, receipt-less exchange, efficient warranty claim handling and many more. Several governments are considering integration of RFID chips into personal identification cards.

All RFID systems transact data and identity information by radio transmission. The individual implementations of RFID technology, however, have little else in common.

Some RFID systems include their own processing logic directly on the chip. These chips usually require a battery to ensure a consistent power supply to the logic chip. In contrast, the more common and less expensive type of RFID system is passive and draws power from the radio frequency energy emitted by an RFID reader within range.

This simple, passive type of chip cannot execute code. Instead, it can only transmit its serial number or ID code. Some chips additionally contain non-volatile RAM storage (NVRAM), allowing for persistent storage of data. These passive NVRAM chips are commonly used in the retail industry.

RFID chips can be accessed from a distance as well. This makes them useful in manufacturing as well as in the supply chain and logistics. Goods can be identified and traced from their origin to the customer and beyond.

This is one of the core differences between RFID on the one hand and EAN numbers and bar codes on the other. Because of their limited information capacity, EAN numbers and bar codes can at best identify types or groups of goods, not each manufactured unit. It is this significant increase in storage capacity that makes new applications possible with RFID: a smart fridge recognising expired food, or a retail store offering receipt-less exchange of items.

Vendors are experimenting with RFID tags in a number of markets. They are attaching smart labels to consumer goods. Thanks to the standardisation efforts of EPCglobal, one can expect these smart labels to replace current EAN number and bar code solutions in the long run. RFID tags are assigned different radio frequencies depending on their application. Smart labels are usually of type ISO 15693 or ISO 14443A and operate in the 13.56 MHz frequency band, while tags used for access control and for identifying animals operate at 156 kHz.

A risky technology

To convert to high-capacity RFID tags from classic tagging based on bar codes or block matrix codes is a tempting solution to many problems. It might be possible simply to exchange reader devices and keep the back-end application with few adjustments. The same software could process the numbers coming from the RFID tags where before it processed the numbers read from bar codes. However, such temptation does not take into account the risks of RFID. Using RFID in the supply chain introduces risks for the vendor as well as for the customer. These risks must be evaluated and then minimised or eliminated by organisational or technical measures.

Technical problems

Initial testing of bulk reading found the process to be error-prone. Ideally a pallet would arrive at a warehouse, and all products on the pallet would be recognised immediately on arrival. In practice, however, only an average of approximately 70 per cent of RFID tags are properly recognised during a bulk read.

That said, there is no reliability problem when reading a queue of tags one at a time. There are additional problems when tags are attached to metal foil or wrapped around products containing liquids, because of radio shielding and reflection effects. The latency of the reading process is also important: tags must remain in the radio field of the reader until the reading process is complete.

Privacy problems

Smart labels attached to retail products may be read at any time, even after purchase. It is thus quite possible to use them to identify or track a person. When tags are invisibly integrated into a product and remain physically and electrically intact after the purchase, this possibility of abuse is quite real and warrants consideration.

For example, smart labels are often inserted or even woven into the fabric of clothing. Because RFID tags have no read protection whatsoever, somebody wearing a tagged suit could easily be identified - or re-identified - by reading the unique serial number of the tag.

This scenario is quite uncomfortable: one cannot know when and whether tags are being read. Smart labels contain a segmented EEPROM memory. The EEPROM memory is divided into the administrative data field and the user data field. The administrative data field is read-only and contains a globally unique serial number.

The user data field is writable and can potentially store information about the product, information about the purchase (such as the date, purchase price and other items purchased), or any other information. The serial number of the tag can be used as a unique key for recalling a record from a central database.

For security reasons, or because of the limited storage capacity of the tag's memory, information can be stored on a database server in a record keyed with the unique serial number of the tag. This could be used to supply the customer with elaborate background information about specific products or to supply the retailer with elaborate information about the customer.

If the tag in a suit only contains the ID number of the suit itself - if the user data field is empty or unused - with all customer and product information stored in a database system at the point of sale, then there is no direct link between the customer and the serial number.

However, if the person purchasing the suit carries an RFID member card, it would be possible to read the consumer's personal information from the card and to link the suit with that personal information in a database. A competitor familiar with another's data structures could collect information about new, old or unfaithful customers.

For good reason, privacy activists ask for ways to protect smart labels, but the ISO15XXX standards do not address issues of privacy. While it is possible to define tags as read-only, doing so renders it impossible to erase the write-protected areas.

In Germany, the Metro corporation introduced an RFID deactivator in response to protests from privacy activists and associations. The deactivator is designed to erase the content of RFID tags. For this to work the user data field must be kept fully writable; this introduces further risks for Metro as well as for the customer.

The effectiveness of the deactivator is also questionable, because the globally unique serial number in the administrative data field is read-only by default and hence can still be used for tracking as long as the RFID tag remains functional. Even after the deactivator erases the tag, it remains possible to use tools such as RF-Dump (developed as an auditing tool for RFID integration projects and for use in penetration testing) to modify the user data field arbitrarily.

The company RSA Security Inc has developed the Blocker Tag (by Dr Ari Juels and others), which it claims allows one to manage selectively which readers may access one's RFID tags. Initially, the Blocker Tag was intended to operate by broadcasting an interfering cover signal that would trigger the anti-collision mechanism of the reader and prevent any read or write transaction from succeeding - unless the Blocker Tag had previously been deactivated by an appropriate signal from the reader.

With this, RSA Security would have delivered an effective RFID denial-of-service tool to your door: one with which smart labels could be nullified and entire supply chains paralysed.

At present, RSA suggests soft-blocking instead. With this solution, a second RFID label signals to the reader that it should not read the tag. Alternatively, the same result can be achieved by setting a standardised bit directly in the label.

However, this is an unrealistic solution born of marketing hype; it opens new security holes and does nothing to increase the consumer's privacy. RSA's solution rests on an expectation that readers comply with its conventions; it does nothing to prevent a person with bad intentions and their own RFID transceiver from reading from or writing to any RFID tag.
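The three weaknesses argued above (a deactivator that can only clear the writable user field while the read-only serial number stays readable, a user field that can be rewritten afterwards, and a soft-blocking bit that only restrains readers that choose to honour it) can be made concrete with a small model of the segmented tag memory described in the privacy section. The following Python is an added illustration, not code from the article, from DN Systems, from Metro or from RSA; the class names, the field layout and the sample serial number are constructed assumptions, and nothing here talks to real RF hardware.

```python
# Added toy model of a passive smart label's segmented EEPROM as the article
# describes it: a factory-locked administrative field holding a unique serial
# number, and a writable user-data field. All names and values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SmartLabel:
    """Passive tag model: the serial is read-only by construction (no setter is
    exposed), the user field is writable, and privacy_bit models the
    soft-blocking flag set directly in the label."""
    serial: str                 # administrative field: globally unique, locked
    user_data: bytes = b""      # user data field: purchase details etc.
    privacy_bit: bool = False   # soft-blocking flag (a convention, not a lock)

    def write_user(self, data: bytes) -> None:
        # The user field has no write protection in this model, as on the tags
        # the article discusses, so any transceiver in range may rewrite it.
        self.user_data = data

    def erase_user(self) -> None:
        self.user_data = b""


def deactivator(tag: SmartLabel) -> None:
    """Model of an in-store deactivator: it can only clear the writable user
    field; the read-only administrative serial number is out of its reach."""
    tag.erase_user()


def reader_honouring_privacy_bit(tag: SmartLabel) -> Optional[Tuple[str, bytes]]:
    """A reader that follows the soft-blocking convention skips flagged labels."""
    if tag.privacy_bit:
        return None
    return (tag.serial, tag.user_data)


def reader_ignoring_privacy_bit(tag: SmartLabel) -> Tuple[str, bytes]:
    """A reader outside the convention treats the flag as ordinary data."""
    return (tag.serial, tag.user_data)


def sightings_by_serial(reads: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Correlate reads into per-serial sighting counts: this is the
    re-identification the article warns about, and it needs only the serial."""
    counts: Dict[str, int] = {}
    for serial, _ in reads:
        counts[serial] = counts.get(serial, 0) + 1
    return counts


def assess_label(tag: SmartLabel) -> Dict[str, bool]:
    """Exercise the weaknesses the article names and report them as findings
    an integration audit would want to see."""
    findings: Dict[str, bool] = {}
    original_serial = tag.serial
    # Finding 1: deactivation empties the user field but leaves the serial readable.
    deactivator(tag)
    findings["user_field_empty_after_deactivation"] = tag.user_data == b""
    findings["serial_readable_after_deactivation"] = (
        reader_ignoring_privacy_bit(tag)[0] == original_serial
    )
    # Finding 2: the user field accepts writes again after deactivation.
    tag.write_user(b"constructed: data written after deactivation")
    findings["user_field_writable_after_deactivation"] = tag.user_data != b""
    # Finding 3: the soft-blocking bit only stops readers that honour it.
    tag.privacy_bit = True
    findings["privacy_bit_stops_compliant_reader"] = (
        reader_honouring_privacy_bit(tag) is None
    )
    findings["privacy_bit_stops_noncompliant_reader"] = (
        reader_ignoring_privacy_bit(tag) is None
    )
    return findings


if __name__ == "__main__":
    # Constructed sample: a tagged suit, deactivated at the till, then seen by
    # three readers that do not honour the convention.
    suit = SmartLabel(serial="CONSTRUCTED-SERIAL-0001", user_data=b"2005-09-05;EUR 499")
    deactivator(suit)
    reads = [reader_ignoring_privacy_bit(suit) for _ in range(3)]
    print("sightings after deactivation:", sightings_by_serial(reads))
    for name, value in assess_label(suit).items():
        print(f"{name}: {value}")
```

The findings dictionary is the point of the model: after the deactivator runs, the serial is still returned, the user field can be rewritten, and the privacy bit only changes the result of the reader that chooses to respect it. A real audit of an RFID integration project would record the same three questions against the actual tag type and reader firmware rather than against this model.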

Storing more information on an RFID tag than only a read-only EPC is not an option for retail shops because of the overwhelming risks involved. It remains to be seen whether RFID-enabled products such as smart household appliances will be the main applications for this technology.

As long as the industry is reluctant to provide labels with a complete and effective deactivation feature, RFID tags must be considered a risk to privacy. Consumers must be aware that they will carry readable and writable memory without their consent.