NIST identifies RFID security threats
That National Institute of Standards and Technology, or NIST, released a report that advises manufacturers, retailers, hospitals, federal agencies and other organizations that use radio frequency identification to evaluate security and privacy risks associated with the technology.
The report focuses on RFID applications for asset tracking and supply-chain management. Recommended practices for ensuring the RFID systems' security and privacy include firewalls, radio encryption, authentication, audit procedures and tag disposal and recycling procedures that permanently disable or destroy sensitive data.
Tom Karygiannis, senior researcher at the NIST's computer security division, said the report links several RFID applications to associated risks. For each risk, the report maps available technical, operational and management countermeasures.
“For most RFID technologies that are used in the supply chain, we give you a list of potential threats, and for each one we tell you how to mitigate it based on existing technology,” Karygiannis said.
Data privacy is a concern. For example, if U.S. military personnel are deploying to a war zone with RFID-tagged equipment, adversaries could tap into the data and determine the end-point location. In a warehouse environment, management may deploy a pallet or item-level tag. Karygiannis warns that third parties along the supply chain could access data on the RFID chips.
“In this case, you should put a limited amount of data on the tag,” he said. “In some situations, the information on the tag is simply a link to a database to where you can look up more information. This puts enterprises at risk.”
The report is free and available on the NIST Web site at www.nist.gov.