"August 15, 2006
ANYONE WHO SAYS RFID IS 'COMPLETELY SECURE' IS SELLING SOMETHING
What you should know about RFID Security to protect your business
By Paul Stamp (with Jennifer Mulligan, Christine Spivey Overby, Ellen
Daley and Sarah Bernhardt)
EXECUTIVE SUMMARY
Radio frequency identification (RFID) technology is not mature enough
yet to protect your company secrets. Weak security protocols risk
compromising your infrastructure, and any business looking to implement
RFID should review the inherent security risks of today's RFID systems.
RFID will inevitably bring changes to business processes, and adopters
need to anticipate the potential threats that can arise with these new
changes and know the limitations of their RFID systems. As with any
system, start by considering your need for confidentiality, integrity,
and access to your RFID devices and data. If you can't maintain your
security standards with the currently available hardware, wait until
your RFID manufacturer improves its devices before you implement your
system.
TARGET AUDIENCE
Security and risk professional, supply chain professional
IMPROPERLY IMPLEMENTED RFID CAN REVEAL MORE THAN YOU PLANNED
RFID devices are not new technology, but from simple package tracking
to passports, they're appearing more and more often in consumer and
enterprise environments. RFID vendors claim that their products are
secure and that any attacks are purely theoretical or in another part
of the RFID system, while media reports have widely propagated
proof-of-concept attack scenarios demonstrated by researchers. Along
with academics at places like MIT, service providers and product
vendors like RSA Security and VeriSign are also concerned about the
security risks inherent in RFID. These mixed messages make it difficult
for security folks to identify the real security risks of an RFID
system. The truth is that some of these problems can already be
addressed, while others await further technological advancement.
Promises of new capabilities and greater efficiencies have spurred
interest in RFID. Also, organisations like RFID industry body EPCglobal
have set standards for how companies should and should not use data on
RFID tags; for example, they state that only a unique identification
number is stored on the tag. But RFID users want to push that boundary,
and sometimes they are placing too much trust in the data the RFID tag
can provide. RFID implementers using the technology must look carefully
at the technology and business processes that support their RFID
systems and examine the risks they're introducing.
RFID systems comprise several parts including tags on the item, readers
that query the tag, and middleware that processes the data from the
reader and communicates with the back-end database (see Figure 1).
[omitted] The threats to each RFID system component vary. ......."
Continued in Part 2
Reg Curtis/VE9RWC
Received on Sat Mar 02 2024 - 00:57:16 CST