"...
- Attackers can send their own signals or block yours. RFID tags are
susceptible to denial of service attacks. Interference using the same
frequency or large groups of tags responding at the same time can
overwhelm the reader. Any system should detect and respond quickly to
such an attack. Moreover, any RFID system must include assurances to
provide availability such as redundant servers or readers, and in the
case of more serious failure, a backup alternative system - such as
printing traditional bar codes onto the RFID tag.
Tag accessibility scenario: A store has deployed its shelves with RFID
systems. An attacker walks through the store broadcasting an
overwhelming number of tags while picking up a few items. The system
can't handle the data deluge and doesn't notice that the missing items
are gone from the shelf but not purchased until the attacker is out the
door.
RECOMMENDATIONS
PROCEED WITH CAUTION ONLY IF YOUR SECURITY NEEDS ARE MET
While RFID is an exciting technology, it is currently only appropriate
for a limited number of scenarios. Slap and ship is a good example of
where RFID can be securely applied. Like any new technology, companies
need to balance efficiencies gained from the system against the
security and operational risks that RFID introduces. Carefully quiz
RFID vendors to make sure that they are upfront and knowledgeable about
the security risks their proposals introduce. Companies like RSA
Security and VeriSign can help you review proposed RFID plans if you do
not have that ability in-house. Anyone implementing an RFID system
should remember:
- Back up your RFID deployment with business process. Businesses
shouldn't fully automate RFID until the technology is ready.
Confidentiality and integrity issues are still ripe for abuse. Mitigate
these weaknesses by developing business processes providing human
oversight and consistency checking. Employees should physically monitor
items to ensure that tags have not been removed or replaced, preventing
someone from removing the tag and stealing the actual goods.
- Do as much computation in the middleware as possible. RFID tags, even
the active ones, cannot perform cryptographic functions at server
speeds. Performing all possible functionality in the middleware will be
quicker and will reduce the amount of communication between the tag and
the reader. Transmitting fewer messages shrinks the processing
requirements of the tags, making them simpler and thus reducing the
possible attack avenues. Tag vendors may be tempted to increase the
capacity and processing power of their tags for higher profit, but it
may not be in the user's best interest to use those tags.
- Weigh the tradeoff between security and transmission power. RFID tags
have a direct tradeoff between processing power and transmit power. The
more power they use for computation, the lower the transmit power thus
the shorter the maximum distance between the tag and the reader for
them to interact reliably. Avoid the shortsighted temptation to
sacrifice security to make a system that can actually work. Vendors are
working quickly to improve their products, and they will provide the
ability to communicate securely and effectively soon. Forrester
predicts that cryptographically advanced tags will be produced in the
latter half of 2007.
[SUPPLEMENTAL MATERIAL AND ENDNOTES OMITTED]"
The end of Part 3 of 3 Parts.
Reg Curtis/VE9RWC
Received on Sat Mar 02 2024 - 00:57:19 CST
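
The tag-flooding scenario, and the advice to detect such an attack quickly and back the readers with consistency checking, sketched as an added example that is not part of the quoted report or of the original post. The class name, thresholds and tag IDs are assumptions chosen for illustration, and the sample reads are constructed.

```python
from collections import deque

class ShelfMonitor:
    """Hypothetical middleware check for one shelf reader."""

    def __init__(self, expected, window_s=5.0, max_unknown=20, stale_s=10.0):
        self.expected = set(expected)   # tag IDs stocked on this shelf
        self.window_s = window_s        # sliding window for flood detection
        self.max_unknown = max_unknown  # distinct unknown tags tolerated per window
        self.stale_s = stale_s          # silence after which a tag counts as unread
        self.unknown = deque()          # (timestamp, tag) for unknown reads
        self.last_seen = {}             # expected tag -> time of last read
        self.flood_latched = False      # set on flood, cleared by audit()

    def observe(self, ts, tag):
        """Record one read; return True as soon as the window looks flooded."""
        if tag in self.expected:
            self.last_seen[tag] = ts
        else:
            self.unknown.append((ts, tag))
        # Drop unknown reads that have aged out of the sliding window.
        while self.unknown and self.unknown[0][0] <= ts - self.window_s:
            self.unknown.popleft()
        flooded = len({t for _, t in self.unknown}) > self.max_unknown
        self.flood_latched = self.flood_latched or flooded
        return flooded

    def audit(self, now, sold):
        """Reconcile shelf reads against sales; list tags needing a physical check."""
        unread = sorted(t for t in self.expected - set(sold)
                        if now - self.last_seen.get(t, float("-inf")) > self.stale_s)
        report = {"flood_seen": self.flood_latched, "manual_check": unread}
        self.flood_latched = False
        return report


def demo():
    """Constructed scenario: EPC-B is sold, EPC-C leaves the shelf during a flood."""
    mon = ShelfMonitor(["EPC-A", "EPC-B", "EPC-C"])
    for t in range(10):                              # normal reads, t = 0..9 s
        for tag in ("EPC-A", "EPC-B", "EPC-C"):
            mon.observe(float(t), tag)
    # 30 distinct unknown tags arrive within three seconds.
    alerts = [mon.observe(10 + i / 10, f"EPC-X{i:03d}") for i in range(30)]
    for t in range(13, 22):                          # only EPC-A still answers
        mon.observe(float(t), "EPC-A")
    return alerts, mon.audit(21.0, sold={"EPC-B"})


if __name__ == "__main__":
    print(demo())
```

The flood alert fires while the burst is still in progress, and the later audit hands the unsold, unread tag to staff for a physical check instead of trusting the reader alone.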