Report on smart tags includes security, privacy warnings

Businesses and federal agencies using radio-frequency identification devices should regularly evaluate security and privacy risks, according to a new report on RFID best practices from the National Institute of Standards and Technology.

RFID devices send or receive audio signals, transmitting information like serial numbers of products within warehouses.

"RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries," Technology Administration chief Robert Cresanti said.

"This important report lays the foundation for addressing important RFID security risks so a thoughtful enterprise can launch a smart-tag program with confidence." The 154-page report outlines inherent risks to data security and privacy and how to mitigate them.

For example, if a warehouse uses only RFID tags to track inventory, an attack on the technology could crash order-processing. A competitor also could hack into the information generated by RFIDs. In another scenario, someone could use an RFID reader to locate a box of expensive electronic equipment to steal it.

On the privacy side, the report discusses risks as RFIDs become more prevalent. It said that as more data is stored, organizations could combine and correlate to infer identities or locations and build profiles of people for other purposes.

The report also noted that privacy and business objectives sometimes could conflict. For example, if it is too easy for customers to disable RFID tags after sales, it also may be easy for adversaries to disable them before sales.

The report outlines existing privacy rules like the 1974 Privacy Act, which allows people to know what's being collected, get a copy, opt out of such collection and prevents data from being used for other purposes. The 2002 E-Government Act requires privacy impact assessments for devices.

"The goal of our report," according to lead author Tom Karygiannis of NIST, "is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks."

The recommendations include: installing firewalls to separate organizations' RFID databases from other databases; encrypting the radio signals; authenticating approved RFID users; shielding tags to prevent unauthorized access; adopting audit procedures to detect security breaches; recycling or destroying tags so sensitive data is permanently destroyed; and minimizing sensitive data stored on the tags.

Another section shows how grounded metal fencing can be used as a shield to protect against eavesdropping or radiation. It said reducing transmitting power also can help prevent the interception of information and reduce electromagnetic radiation risks.

The report also weighs issues like encrypting data when it is at rest and having a remote "kill" feature to disable tags.

The report focused on security controls available on the market now while acknowledging that more security solutions are planned.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.