A new way to fish
Suppose you’re shipping a truckload of big-screen TVs. And say you’ve put radio frequency identification, or RFID, tags on the cartons to help track these products from your warehouse to your customer’s distribution center, stockroom and retail floor.
Now imagine a clever thief strolling around a truck stop, scanning trailer after trailer with an RFID reader. Picking up electronic product codes (EPCs) from tags, he discovers that one truck is hauling socks and T-shirts, one is hauling safety razors and one is hauling high-definition TVs. Guess which truck he’ll try to break into?
According to Joe White, vice president of business development for Motorola’s Enterprise Mobility Business (formerly Symbol Technologies), this scenario isn’t very likely, because many cargo trailers are made of aluminum. “You can’t read RFID through metal,” he said.
But Joshua Perrymon, chief executive officer for Packet Force Security Solutions in Birmingham, Ala., warns that shippers should be wary. In a test meant to explore the vulnerability of RFID tags used in supply chain applications, researchers at Packet Force rented a tractor trailer, filled it with tagged goods and scanned the trailer with an off-the-shelf EPC reader. They easily read the product codes.
“The thin metal did, in fact, provide RFID reads. The read rate was roughly 30 to 40%, but it was enough to identify EPC products,” he said.
“We didn’t use anything really fancy,” Perrymon added, explaining that anyone could buy similar equipment. “It was just to show that when you implement RFID, you need to implement it securely.”
Craig Asher, manager of an IBM solution called the WebSphere RFID Information Center, agreed. “If the industry doesn’t take measures to do something about this, then if you have a standard UHF reader, you could get the number of the product code by reading the tag, if you can see it,” he said. “You’d have to get pretty close to the truck, but you can do it.” You also would need a source where you could look up the numerical code to find out what product it represented, which Asher said is becoming fairly available.
Large companies such as Wal-Mart and Procter & Gamble, which pioneered the use of RFID in the supply chain, certainly aren’t ignoring the need to secure their data. But as EPC tags proliferate, less-sophisticated users might not consider security as they implement the new technology, Perrymon said.
“People are worried about operations first — just getting it out there — when they could just take a little bit of time up front and think about deploying securely,” he said.
In some ways, RFID today is like wireless local area network technology a few years ago. Many users who purchased wireless access points had no idea that, unless they took steps to secure their networks, outsiders could borrow their bandwidth or use it to invade their computer systems. “How many years did it take for 802.11 wireless — for the access points — to come with WEP [Wired Equivalent Privacy] enabled? It took four or five years, at least,” Perrymon said.
To help organizations that use RFID, the National Institute of Standards and Technology (NIST) published Guidelines for Securing Radio Frequency Identification (RFID) Systems in April.
Unauthorized snooping into data encoded on an RFID tag — an act known as “skimming” — is one kind of threat that organizations must keep in mind when they deploy this technology, said Tom Karygiannis, a computer scientist in NIST’s Computer Security Division and principal author of the report. Another is “eavesdropping,” intercepting data as it passes between a tag and a reader.
The report (available at http://csrc.nist.gov/publications/) covers RFID used in EPC applications as well as for other uses. It discusses the various threats an RFID system might face and outlines for each a management countermeasure, an operational countermeasure and a technical countermeasure. “The decisions aren’t only technical,” Karygiannis said. “They’re also economic. Some of the countermeasures may be too costly for your particular application.”
So if you’re placing RFID tags on valuable cargo and transporting it by truck, how do you make sure someone with rogue equipment can’t spy on your merchandise? “One thing is, you limit the amount of sensitive information on the tag,” Karygiannis said.
Some companies are using precisely that tactic. In response to concerns from the pharmaceutical industry, a working group within the standards organization EPCglobal has proposed a technique known as masking, which involves leaving product information off the tag.
One of the common formats used on EPC tags is the serialized global trade identification number (SGTIN). Its three main components are the EPC manager, which identifies the manufacturer; the object class, which identifies the product; and a unique serial number.
When the product in question is, for example, Cheez Whiz, it’s no big deal if a hacker can read the object class code, Asher explained. But when it’s a valuable or sensitive product, such as medicine, security becomes vitally important.
Masking replaces the SGTIN product code with a row of zeroes. An unauthorized reader encountering those zeroes would not be able to identify the product. But through access to an EPC Information Service (EPCIS), an authorized reader could get that information.
“You could look up the serial number and find out what the product is,” said Asher, who co-chairs EPCglobal’s EPCIS Software Action Group and its Data Exchange Joint Requirements Group.
Without access to the EPCIS, the EPC tag reveals only the identity of the manufacturer and a serial number. “Therefore, it would be very difficult to know what to do with this information if you’ve walked around and read it in the tractor-trailers,” Asher said.
Companies that put tags on individual items can use the same technique to protect the privacy of customers who are carrying the product, Asher added. “That’s where the issue originally came up. The tractor-trailer issue was then brought up by the government, by the Drug Enforcement Agency.”
Other techniques for protecting the data on EPC tags also exist. One is to encrypt the data, Asher said. “If the reader does not have the code in it … you just get gibberish.”
The use of encryption in EPC tags is in its early stages, said Joe White, vice president of business development and marketing for the RFID division of Motorola’s Enterprise Mobility Business (formerly Symbol Technologies). “But as more and more customers want to put more and more information on a tag, it becomes more and more important.”
When it developed standards for Generation 2 EPC hardware, EPCglobal included other features that users can employ to protect the data on their tags, White said. One is the ability to prevent a second reader from eavesdropping on a data exchange between an authorized reader and a tag.
There’s also a pair of features users can employ to lock their tags, either permanently or temporarily. The “write lock” makes it impossible to change the data recorded on a tag, White said, and the “read lock” uses password protection to keep unauthorized parties from reading the EPC code or other stored data. Among other things, this safeguard prevents counterfeiting; it ensures that a rogue user can’t read the data on an EPC tag and then copy it onto a second tag, White said.
Although these security features are available in EPC products out of the box, they offer no protection unless users take positive steps. “The customer would have to implement the encoding schemes, or whatever they want to use for authentication, based on their implementation,” White said.
Companies that want to mask their product codes and link serial numbers to a back-end database can do it as part of an EPCIS implementation they accomplish on their own or by working with an EPCIS solutions vendor. IBM’s WebSphere RFID Information Center is one example of such a solutions vendor, but it’s far from alone. “Probably 20 other companies offer some form of this capability,” Asher said.
Of course, along with specific techniques to foil thieves and spies, companies that use EPC tags also can, to some extent, rely on basic physics to protect their data. For one thing, an RFID reader developed for EPC applications can read a tag only over a limited range, about 10 to 20 feet, Asher said.
At those distances, often there are simpler ways to identify a product. “You can probably figure out what’s in the box because it’s probably written on the outside anyway.”