From RSA 2006: Use caution with RFID tags
By Ericka Chickowski on Feb 17, 2006 7:16PM
The opportunities afforded by the use of RFID tags are multiplying quickly, but experts are still advising organizations to be mindful of the security and legal implications surrounding this relatively new technology.
Last year at RSA Conference 2005, experts opened dialogue about the vulnerability of information stored on these tags as RFID readers drop in price over the next decade. The topic of RFID security was addressed again at this year's RSA Conference, with experts detailing more vulnerabilities and privacy issues.
Most notable among the RFID security news discussed at the conference this week was the revelation by prominent cryptographer Adi Shamir of Weizmann University that first-generation RFID tags are vulnerable to attacks from cell phones.
"I think the first generation of RFID tags are very vulnerable to a very cheap kind of attack," he said. "We believe that the cellular telephone has all of the ingredients needed in order to carry out such an attack. If you can tweak (them) enough, you can just walk around and kill all of the RFID tags in the vicinity."
Shamir said that he and his research team used power analysis to find a way to crack the kill password built into all first-generation tags. Initially built into the tags to give users a way to protect sensitive data stored within, this kill function is activated when the right series of bits is transmitted to the tag. By analyzing the power spikes on the tags that occurred when a wrong bit was transmitted, Shamir and his team could easily find the password.
It is revelations like this that will continue to put RFID on the hot seat with regard to security policies. In a separate session on hot topics in information security law, Paula Arcioni said that the legal implications of RFID should be something to track in 2006. As organizations begin to use the tags creatively, they'll need to ask tough questions about their usage policies.
"For example, should people be able to opt out? Should we use it in passports? There are questions we'll need to ask," said Arcioni, who is the Identity Management Services program manager for the New Jersey Office of Information Technology.
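The kill-password weakness Shamir describes comes down to a check whose power draw depends on which transmitted bit was wrong. The following is an added example, not code from the article or from Shamir's team: a simplified model of such a check next to a buffered, constant-time one, with a leak test a designer could run against either. The 8-bit secret, the power values and all function names are assumptions made for illustration.

```python
import hmac

# Constructed 8-bit secret for this toy model (assumption, not a real password).
SECRET = [1, 0, 1, 1, 0, 0, 1, 0]

def leaky_verify(bits, secret=SECRET):
    """Checks each bit as it arrives; the first wrong bit causes a power spike.
    Returns (accepted, trace), where trace holds one power sample per bit."""
    trace, ok = [], True
    for got, want in zip(bits, secret):
        spike = ok and got != want      # only the first mismatch stands out
        trace.append(2 if spike else 1)
        ok = ok and got == want
    return ok and len(bits) == len(secret), trace

def hardened_verify(bits, secret=SECRET):
    """Buffers the whole word, then compares it in one constant-time step.
    The model assumes receiving a bit costs the same whatever its value."""
    trace = [1] * len(bits)
    ok = hmac.compare_digest(bytes(bits), bytes(secret))
    return ok, trace

def trace_depends_on_guess(verify, secret=SECRET):
    """Leak test: submit every one-bit-wrong guess and collect the traces.
    If the traces differ, an observer learns where a guess went wrong."""
    traces = set()
    for i in range(len(secret)):
        guess = list(secret)
        guess[i] ^= 1                   # exactly one wrong bit, at position i
        accepted, trace = verify(guess, secret)
        if accepted:
            raise ValueError("a wrong guess was accepted")
        traces.add(tuple(trace))
    return len(traces) > 1

if __name__ == "__main__":
    print("leaky check leaks:   ", trace_depends_on_guess(leaky_verify))
    print("hardened check leaks:", trace_depends_on_guess(hardened_verify))
```

In the leaky model every wrong guess produces a different trace, so the trace pinpoints the failing bit; in the hardened model all wrong guesses look identical to an observer.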