A new way to fish

Unforeseen RFID vulnerabilities could create massive headaches for the supply chain
  • Written by Urgent Communications Administrator
  • 1st October 2007

Suppose you’re shipping a truckload of big-screen TVs. And say you’ve put radio frequency identification, or RFID, tags on the cartons to help track these products from your warehouse to your customer’s distribution center, stockroom and retail floor.

Now imagine a clever thief strolling around a truck stop, scanning trailer after trailer with an RFID reader. Picking up electronic product codes (EPCs) from tags, he discovers that one truck is hauling socks and T-shirts, one is hauling safety razors and one is hauling high-definition TVs. Guess which truck he’ll try to break into?

According to Joe White, vice president of business development for Motorola’s Enterprise Mobility Business (formerly Symbol Technologies), this scenario isn’t very likely, because many cargo trailers are made of aluminum. “You can’t read RFID through metal,” he said.

But Joshua Perrymon, chief executive officer for Packet Force Security Solutions in Birmingham, Ala., warns that shippers should be wary. In a test meant to explore the vulnerability of RFID tags used in supply chain applications, researchers at Packet Force rented a tractor trailer, filled it with tagged goods and scanned the trailer with an off-the-shelf EPC reader. They easily read the product codes.

“The thin metal did, in fact, provide RFID reads. The read rate was roughly 30 to 40%, but it was enough to identify EPC products,” he said.

“We didn’t use anything really fancy,” Perrymon added, explaining that anyone could buy similar equipment. “It was just to show that when you implement RFID, you need to implement it securely.”

Craig Asher, manager of an IBM solution called the WebSphere RFID Information Center, agreed. “If the industry doesn’t take measures to do something about this, then if you have a standard UHF reader, you could get the number of the product code by reading the tag, if you can see it,” he said. “You’d have to get pretty close to the truck, but you can do it.” You also would need a source where you could look up the numerical code to find out what product it represented, which Asher said is becoming fairly available.

Large companies such as Wal-Mart and Procter & Gamble, which pioneered the use of RFID in the supply chain, certainly aren’t ignoring the need to secure their data. But as EPC tags proliferate, less-sophisticated users might not consider security as they implement the new technology, Perrymon said.

“People are worried about operations first — just getting it out there — when they could just take a little bit of time up front and think about deploying securely,” he said.

In some ways, RFID today is like wireless local area network technology a few years ago. Many users who purchased wireless access points had no idea that, unless they took steps to secure their networks, outsiders could borrow their bandwidth or use it to invade their computer systems. “How many years did it take for 802.11 wireless — for the access points — to come with WEP [Wired Equivalent Privacy] enabled? It took four or five years, at least,” Perrymon said.

To help organizations that use RFID, the National Institute of Standards and Technology (NIST) published Guidelines for Securing Radio Frequency Identification (RFID) Systems in April.

Unauthorized snooping into data encoded on an RFID tag — an act known as “skimming” — is one kind of threat that organizations must keep in mind when they deploy this technology, said Tom Karygiannis, a computer scientist in NIST’s Computer Security Division and principal author of the report. Another is “eavesdropping,” intercepting data as it passes between a tag and a reader.

The report (available at http://csrc.nist.gov/publications/) covers RFID used in EPC applications as well as for other uses. It discusses the various threats an RFID system might face and outlines for each a management countermeasure, an operational countermeasure and a technical countermeasure. “The decisions aren’t only technical,” Karygiannis said. “They’re also economic. Some of the countermeasures may be too costly for your particular application.”

So if you’re placing RFID tags on valuable cargo and transporting it by truck, how do you make sure someone with rogue equipment can’t spy on your merchandise? “One thing is, you limit the amount of sensitive information on the tag,” Karygiannis said.

Some companies are using precisely that tactic. In response to concerns from the pharmaceutical industry, a working group within the standards organization EPCglobal has proposed a technique known as masking, which involves leaving product information off the tag.

One of the common formats used on EPC tags is the serialized global trade identification number (SGTIN). Its three main components are the EPC manager, which identifies the manufacturer; the object class, which identifies the product; and a unique serial number.

When the product in question is, for example, Cheez Whiz, it’s no big deal if a hacker can read the object class code, Asher explained. But when it’s a valuable or sensitive product, such as medicine, security becomes vitally important.

Masking replaces the SGTIN product code with a row of zeroes. An unauthorized reader encountering those zeroes would not be able to identify the product. But through access to an EPC Information Service (EPCIS), an authorized reader could get that information.

“You could look up the serial number and find out what the product is,” said Asher, who co-chairs EPCglobal’s EPCIS Software Action Group and its Data Exchange Joint Requirements Group.

Without access to the EPCIS, the EPC tag reveals only the identity of the manufacturer and a serial number. “Therefore, it would be very difficult to know what to do with this information if you’ve walked around and read it in the tractor-trailers,” Asher said.
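The masking scheme described above, as an added illustration (not code from the article or from EPCglobal). It assumes the SGTIN-96 bit layout of the EPC Tag Data Standard; the tag values and the `EPCIS` dictionary standing in for an EPCIS query are constructed.

```python
# Assumed SGTIN-96 layout (EPC Tag Data Standard; the article names only the
# three fields): header 8 | filter 3 | partition 3 | manager + class 44 | serial 38
# partition -> (manager bits, manager digits, object-class bits, object-class digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
              3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
              6: (20, 6, 24, 7)}
HEADER, SERIAL_BITS = 0x30, 38

def encode_sgtin96(filter_value, partition, manager, object_class, serial):
    """Pack the fields into the 12 bytes written to the tag's EPC memory."""
    m_bits, _, o_bits, _ = PARTITIONS[partition]
    fields = ((filter_value, 3), (partition, 3), (manager, m_bits),
              (object_class, o_bits), (serial, SERIAL_BITS))
    word = HEADER
    for value, width in fields:
        if not 0 <= value < 1 << width:
            raise ValueError("field does not fit its bit width")
        word = (word << width) | value
    return word.to_bytes(12, "big")

def decode_sgtin96(epc):
    """Return what any reader in range learns from the raw EPC bytes."""
    word = int.from_bytes(epc, "big")
    partition = (word >> 82) & 0x7
    if len(epc) != 12 or word >> 88 != HEADER or partition not in PARTITIONS:
        raise ValueError("not a valid SGTIN-96 EPC")
    m_bits, m_digits, o_bits, o_digits = PARTITIONS[partition]
    manager = (word >> (o_bits + SERIAL_BITS)) & ((1 << m_bits) - 1)
    object_class = (word >> SERIAL_BITS) & ((1 << o_bits) - 1)
    return {"manager": str(manager).zfill(m_digits),
            "object_class": str(object_class).zfill(o_digits),
            "serial": word & ((1 << SERIAL_BITS) - 1)}

def mask_object_class(epc):
    """Masking: zero the object-class bits, keep manager and serial intact."""
    decode_sgtin96(epc)  # reject anything that is not SGTIN-96
    word = int.from_bytes(epc, "big")
    o_bits = PARTITIONS[(word >> 82) & 0x7][2]
    return (word & ~(((1 << o_bits) - 1) << SERIAL_BITS)).to_bytes(12, "big")

def resolve_product(epc, epcis):
    """Authorized path: map (manager, serial) to the product via a back end."""
    seen = decode_sgtin96(epc)
    return epcis.get((seen["manager"], seen["serial"]))

# Constructed sample values, not taken from the article.
TAG = encode_sgtin96(3, 5, 614141, 812345, 6789)
MASKED = mask_object_class(TAG)
EPCIS = {("0614141", 6789): "812345"}  # hypothetical stand-in for an EPCIS query

if __name__ == "__main__":
    print("unmasked:", TAG.hex(), decode_sgtin96(TAG))
    print("masked:  ", MASKED.hex(), decode_sgtin96(MASKED))
    print("resolved via EPCIS:", resolve_product(MASKED, EPCIS))
```

The back-end lookup only works if serial numbers are unique across all of a manufacturer's products, because a masked tag no longer carries the object class to tell two items with the same serial apart.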

Companies that put tags on individual items can use the same technique to protect the privacy of customers who are carrying the product, Asher added. “That’s where the issue originally came up. The tractor-trailer issue was then brought up by the government, by the Drug Enforcement Agency.”

Other techniques for protecting the data on EPC tags also exist. One is to encrypt the data, Asher said. “If the reader does not have the code in it … you just get gibberish.”

The use of encryption in EPC tags is in its early stages, said Joe White, vice president of business development and marketing for the RFID division of Motorola’s Enterprise Mobility Business (formerly Symbol Technologies). “But as more and more customers want to put more and more information on a tag, it becomes more and more important.”

When it developed standards for Generation 2 EPC hardware, EPCglobal included other features that users can employ to protect the data on their tags, White said. One is the ability to prevent a second reader from eavesdropping on a data exchange between an authorized reader and a tag.

There’s also a pair of features users can employ to lock their tags, either permanently or temporarily. The “write lock” makes it impossible to change the data recorded on a tag, White said, and the “read lock” uses password protection to keep unauthorized parties from reading the EPC code or other stored data. Among other things, this safeguard prevents counterfeiting; it ensures that a rogue user can’t read the data on an EPC tag and then copy it onto a second tag, White said.

Although these security features are available in EPC products out of the box, they offer no protection unless users take positive steps. “The customer would have to implement the encoding schemes, or whatever they want to use for authentication, based on their implementation,” White said.

Companies that want to mask their product codes and link serial numbers to a back-end database can do it as part of an EPCIS implementation they accomplish on their own or by working with an EPCIS solutions vendor. IBM’s WebSphere RFID Information Center is one example of such a solutions vendor, but it’s far from alone. “Probably 20 other companies offer some form of this capability,” Asher said.

Of course, along with specific techniques to foil thieves and spies, companies that use EPC tags also can, to some extent, rely on basic physics to protect their data. For one thing, an RFID reader developed for EPC applications can read a tag only over a limited range, about 10 to 20 feet, Asher said.

At those distances, often there are simpler ways to identify a product. “You can probably figure out what’s in the box because it’s probably written on the outside anyway.”
