At a seminar I recently attended, a roar of contention arose over the state of security for enterprise-scale RFID systems.
Most notably, EPCglobal Gen 2 standards currently lack over-the-air data-stream encryption between passive RFID tags and readers, though there are provisions for locking RFID tag memory and disabling tags. EPCglobal Gen 2 is the current standard for how passive tags affixed to items and encoded with information about them communicate wirelessly with readers, which collect that information and pass it to upstream applications.
Some of the start-up vendors at the seminar, sponsored last month by the Silicon Valley - China Wireless Technology Association, were willing to shrug the current state of RFID security off as "good enough." Others warned that such an attitude could be repeating the mistakes of Wi-Fi, where overlooking security concerns early in the game could come back to haunt.
Seminar presenter Vijay Sarathy, director of product marketing and strategy for RFID from Sun, told me that without encryption, "Anyone within range can query a tag and find out what's on them. As we get better performing tags, the longer the range will be over which the tag will transmit." The implication is that longer range means more potential intruders.
Sarathy said RFID tag-to-reader encryption is "being worked on," but has been challenging because passive RFID tags are powered by readers, then reflect back a signal communicating their information, with little power left over to set up an encryption channel.
However, Sarathy acknowledged that “you’re not going to get a whole lot of information by reading one tag or set of tags. You need more information on movement in the supply chain.”
But lack of encryption can aid in petty breaches, and might make it possible to corrupt data.
Darren Suprina, chief security architect at Innovativ, a systems integrator in Edison, N.J., suggests treating an RFID tag like any other device connected to your IT infrastructure. For example, consider encrypting the information on the tag, if you believe the risk justifies it.
“Do due diligence for tag security as you do for servers, workstations and Wi-Fi [devices],” he says. He notes that some organizations may not care if a hacker discovers how many rolls of paper towels they have in inventory, but a manufacturer of avionics equipment might.