GovernmentExecutive.com

Businesses and federal agencies using radio-frequency identification devices should regularly evaluate security and privacy risks, according to a new report on RFID best practices from the National Institute of Standards and Technology.

RFID devices send or receive audio signals, transmitting information like serial numbers of products within warehouses.

"RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries," Technology Administration chief Robert Cresanti said.

"This important report lays the foundation for addressing important RFID security risks so a thoughtful enterprise can launch a smart-tag program with confidence." The 154-page report outlines inherent risks to data security and privacy and how to mitigate them.

For example, if a warehouse uses only RFID tags to track inventory, an attack on the technology could crash order-processing. A competitor also could hack into the information generated by RFIDs. In another scenario, someone could use an RFID reader to locate a box of expensive electronic equipment to steal it.

On the privacy side, the report discusses risks as RFIDs become more prevalent. It said that as more data is stored, organizations could combine and correlate to infer identities or locations and build profiles of people for other purposes.

The report also noted that privacy and business objectives sometimes could conflict. For example, if it is too easy for customers to disable RFID tags after sales, it also may be easy for adversaries to disable them before sales.

The report outlines existing privacy rules like the 1974 Privacy Act, which allows people to know what's being collected, get a copy, opt out of such collection and prevents data from being used for other purposes. The 2002 E-Government Act requires privacy impact assessments for devices.

"The goal of our report," according to lead author Tom Karygiannis of NIST, "is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks."

The recommendations include: installing firewalls to separate organizations' RFID databases from other databases; encrypting the radio signals; authenticating approved RFID users; shielding tags to prevent unauthorized access; adopting audit procedures to detect security breaches; recycling or destroying tags so sensitive data is permanently destroyed; and minimizing sensitive data stored on the tags.

Another section shows how grounded metal fencing can be used as a shield to protect against eavesdropping or radiation. It said reducing transmitting power also can help prevent the interception of information and reduce electromagnetic radiation risks.

The report also weighs issues like encrypting data when it is at rest and having a remote "kill" feature to disable tags.

The report focused on security controls available on the market now while acknowledging that more security solutions are planned.

COMMENTS

• I have a suggestion. include a pin number that the holder of the card would punch in and a back up question and a answer only the real holder of that card would know if by chance he forgot the pin number. of course you may already have this idea. boyd herrst Posted January 25, 2008 5:19 PM
• Okay, I’ll admit it. Paranoid Peter is raising his ugly head again. Another possible scenario is: in response to security issues the government starts requiring the implantation of RFID devices in driver’s licenses passports (Tell me if you’ve heard this one). Locating sensing devices initially at ports of entry, federal and local governmental buildings, then centers of mass transit, and finally in centers of commerce they gain the ability to track terrorists, and the average “legal” citizen’s movements, in real time all in the name of protecting us. Unfortunately, as Big Brother watches the other way, terrorists also discover the simplicity that is reading the RFIDs and begin tracking key military and governmental personnel and cargo. Please remember a few of things when considering security. 1. If we can see them, they can see us. 2. If it’s in the air, anyone can receive it. 3. Every security measure carries an inherent weakness. I realize that, supposedly, I am legally entitled to learn what is collected on me, but I’ve learned how a few simple facts can be used to infer much more. And what is inferred depends largely not on my intent but the mindset of the receiver. RFID technology, when combined with data mining, could mean the end of privacy in America. Personally, the government has controlled the waking portion of my life, through employment, for the past 34 years. I really don’t care for their “looking out for me” on my time. Unfortunately, being a student of both history and technology, I do not see how we can prevent it. Do you? Please excuse me while I wrap my wallet in this foil. Tip off GovExec.com reader Posted May 2, 2007 8:21 AM