Unprotected RFID could lead to corporate espionage
Companies who dismiss the privacy concerns of RFID radio tags may be opening themselves up to unexpected security risks.
According to Burt Kaliski, chief scientist at RSA, companies using RFID tags to track goods in the supply chain risk having their data leaked to rivals.
Speaking the RSA Conference in Barcelona, Spain, Kaliski said a rival company could plant RFID readers to monitor the movement of products, thereby gaining valuable data on the target's business.
"Sure, you could also bribe someone to get the data, or hack their systems, but using RFID makes it a lot more covert, and a lot more detailed," he said. And tags could be imitated or manipulated to cause havoc and disrupt a victim's processes.
RFID tags have been gaining popularity as tools to track the movement and management of goods in the supply chain. Lobbyists oppose RFID on privacy grounds, claiming it will allow consumers' buying habits and movements to be tracked.
Other concerns with RFID technology include the security of the readers used to scan tags. An attack was discovered (and fixed) recently which could interrogate a reader to gain data about the tags within its range. And the backend processes to deal with the large volumes of data generated by an RFID environment will also need to be carefully structured for security, Kaliski said. "Some people are saying that RFID could be a killer app for web services, because you have so much data to move and you need a standard way to exchange and secure it."
"The real security challenge is one of timing," Kaliski said. Although the problems are being resolved, "if security is left out until the second version of a standard, it gets a bad rap for being a 'new feature' which adds cost. Security needs to be built in from the start."