RFID: Is it safe?

IBM is currently running a TV commercial where two guys are driving a delivery truck full of cargo to Fresno, Calif. The problem is, they’re lost. They’re actually on the road to Albuquerque, N.M.. They don’t know that, but the boxes they’re transporting do, because they’re equipped with RFID tags. The tags notified IBM’s help desk that they’re headed in the wrong direction. “Maybe the boxes should drive,” says one driver to the other.

In this case, RFID was used to improve supply chain efficiency, but a technology that can not only tell you what goods you’re carrying but also where you’re headed has some people worried. If it can be used to scan cargo, can it not also be used to scan an individual? To determine his whereabouts, his blood type, his bank account number or what he had for breakfast?

The Electronic Frontier Foundation has spent several years investigating the potentially damaging impact a technology like RFID could have on society. Because RFID tags do not require line-of-site scanning technology, as barcodes do, they can be read from a distance. Tags also contain a great deal more information than barcodes.

The worry may not immediately be identity theft, says Seth Schoen, staff technologist for the EFF, but could be a problem in the future if RFID is used to store personal data as part of a passport or other form of ID.

RFID tags can be copied, claims Schoen, and cost pressures may cause businesses to cut corners when they’re rolling out RFID for various business applications.

“You might say that these threats derive from the fact that the RFID industry wants things to be as cheap as possible,” says Schoen. “And people haven’t necessarily thought through the implications of deploying a lot of tags without any security measures for a particular application.”

Several libraries are rolling out RFID as a means to track books, he says, but they haven’t considered the possibility that the people carrying the books could also be tracked.

Bartek Muszynski, the president of Vancouver-based RFID consulting firm NJE Consulting Inc., says that most of the concerns about the technology are “significantly overblown.” But that isn’t to say that they don’t exist.

The level of detail that can be applied to an RFID chip is far beyond conventional barcoding means.

“When you buy a can of Coke with a barcode on there, all that will tell is that it’s a can of Coke. With an RFID tag, if you bought a sweater, it would not just tell that it’s a certain kind of sweater, it will tell you it’s sweater No. 2,000,456,” he says.

GS1, the international standards body that governs RFID requirements, has considered the potential for abuse and built in safeguards to prevent such abuse, according to GS1 Canada CEO Arthur Smith.

There is a “kill switch” built right into an RFID tag that would render it virtually useless after it leaves a store, for example. Data on the tag is also encrypted. A more pressing concern for Smith right now is how different businesses will exchange data as they use RFID to track goods through a supply chain.

“People who are interested in the supply chain are worried about information ownership, information rights, access rights – part of the benefit that people talk about is transparency along the supply chain,” says Smith.

“‘Where are the goods? Where are my goods? Are they sitting in the manufacturing warehouse? Are they sitting on a truck?’ Right now we’re just going through some of those issues with the industry. Who has what access rights and how are we going to protect it?”

Manufacturers may be more concerned if Wal-Mart, or anyone else along the supply chain, has the ability to view their inventory levels rather than RFID hacks from the outside, he says. “Some of those issues are now just coming into place.”

Last year IBM Canada opened the first RFID centre in Canada with the co-operation of GS1 Canada and several interested groups like the Canadian Council of Grocery Distributors. The centre was designed to showcase RFID as a means to supply chain efficiency, initially for agricultural products.

In many respects, RFID is just like any other wireless technology, says Shai Verma, IBM Canada’s RFID practice leader.

“Any digital information that is transmitted over secure or unsecure wireless protocols and networks, there is always a chance that can be penetrated or hacked in to. The challenge is, every system that’s developed has to have unique protocols to protect it. I think RFID is just the same,” he says.

“We have to stay active with this, because if we do get passive . . . there could be some negative impact.”

A kill switch is just one way in which a tag can be made more secure, he says. Other tags have a tear-off strip that would render them unreadable from anything more than a few inches.

The fallacy is that tags can be read from great distances, he adds, but in reality their maximum range is on the order of 20 or 30 feet. It is unlikely, he says, that a person could drive by your house and discover information about you by reading RFID tags.

“You can’t be driving down the street and pick up that this guy has a large screen TV or this guy uses Viagra because he has a bottle of Viagra sitting on his bedside table. It’s not possible,” he says, “or rather, it’s not probable.”

Bartek agrees that this kind of scenario is unlikely. “It’s not something someone with limited resources could do, like a hacker with a reader sitting somewhere in the corner. That is not, in my opinion, something to be concerned about,” he says.

Regardless of the likelihood of these threats, the EFF’s Schoen says he’s not convinced that there are enough precautions being taken to prevent them from happening, particular if RFID is part of a crucial service. For example, RFID may play a significant role in tracking pharmaceuticals in order to make sure they end up in the hands of the right patient and to prevent the possibility that they could be intercepted and counterfeited along the supply chain.

Smith says that the Food and Drug Administration in the U.S. already has stringent requirements for the use of RFID in pharmaceuticals. The EFF itself published a position paper in 2003 saying that drug supply chains may be one area where RFID would be an acceptable means for tracking goods. But Schoen isn’t so sure.

“If the RFID tag has a serial number, it may be trivial to copy. People may assume that if they have this technological thing, it somehow serves to prevent or detect counterfeiting,” he says. “It may be worse than useless for that particular kind of application.”

Verma acknowledges that there is still work to be done in determining the best uses for RFID chips, but if they are used properly they should hinder crime rather than encourage it. People should be more concerned about the information they willingly give out already, he says.

“Their concern is that Big Brother is watching you because you’re buying something and they’ll know exactly what you bought, when you bought it, etc.,” he says. “If you’re part of a loyalty program with any kind of retailer, they know that information anyway, and in much more detail than RFID is going to be able to give us.”

Comment: info@itbusiness.ca

Share on LinkedIn Share with Google+