Report on smart tags includes security, privacy warnings

Businesses and federal agencies using radio-frequency identification devices should regularly evaluate security and privacy risks, according to a new report on RFID best practices from the National Institute of Standards and Technology.

RFID devices send or receive audio signals, transmitting information like serial numbers of products within warehouses.

"RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries," Technology Administration chief Robert Cresanti said.

"This important report lays the foundation for addressing important RFID security risks so a thoughtful enterprise can launch a smart-tag program with confidence." The 154-page report outlines inherent risks to data security and privacy and how to mitigate them.

For example, if a warehouse uses only RFID tags to track inventory, an attack on the technology could crash order-processing. A competitor also could hack into the information generated by RFIDs. In another scenario, someone could use an RFID reader to locate a box of expensive electronic equipment to steal it.

On the privacy side, the report discusses risks as RFIDs become more prevalent. It said that as more data is stored, organizations could combine and correlate to infer identities or locations and build profiles of people for other purposes.

The report also noted that privacy and business objectives sometimes could conflict. For example, if it is too easy for customers to disable RFID tags after sales, it also may be easy for adversaries to disable them before sales.

The report outlines existing privacy rules like the 1974 Privacy Act, which allows people to know what's being collected, get a copy, opt out of such collection and prevents data from being used for other purposes. The 2002 E-Government Act requires privacy impact assessments for devices.

"The goal of our report," according to lead author Tom Karygiannis of NIST, "is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks."

The recommendations include: installing firewalls to separate organizations' RFID databases from other databases; encrypting the radio signals; authenticating approved RFID users; shielding tags to prevent unauthorized access; adopting audit procedures to detect security breaches; recycling or destroying tags so sensitive data is permanently destroyed; and minimizing sensitive data stored on the tags.

Another section shows how grounded metal fencing can be used as a shield to protect against eavesdropping or radiation. It said reducing transmitting power also can help prevent the interception of information and reduce electromagnetic radiation risks.

The report also weighs issues like encrypting data when it is at rest and having a remote "kill" feature to disable tags.

The report focused on security controls available on the market now while acknowledging that more security solutions are planned.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by Brocade

    Best of 2016 Federal Forum eBook

    Earlier this summer, Federal and tech industry leaders convened to talk security, machine learning, network modernization, DevOps, and much more at the 2016 Federal Forum. This eBook includes a useful summary highlighting the best content shared at the 2016 Federal Forum to help agencies modernize their network infrastructure.

  • Sponsored by CDW-G

    GBC Flash Poll Series: Merger & Acquisitions

    Download this GBC Flash Poll to learn more about federal perspectives on the impact of industry consolidation.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by Aquilent

    A DevOps Roadmap for the Federal Government

    This GBC Report discusses how DevOps is steadily gaining traction among some of government's leading IT developers and agencies.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

  • Sponsored by CDW-G

    Joint Enterprise Licensing Agreements

    Read this eBook to learn how defense agencies can achieve savings and efficiencies with an Enterprise Software Agreement.

  • Sponsored by Cloudera

    Government Forum Content Library

    Get all the essential resources needed for effective technology strategies in the federal landscape.


When you download a report, your information may be shared with the underwriters of that document.