Report on smart tags includes security, privacy warnings

Businesses and federal agencies using radio-frequency identification devices should regularly evaluate security and privacy risks, according to a new report on RFID best practices from the National Institute of Standards and Technology.

RFID devices send or receive audio signals, transmitting information like serial numbers of products within warehouses.

"RFID tags, commonly referred to as smart tags, have the ability to improve logistics, profoundly change cost structures for business, and improve the current levels of safety and authenticity of the international pharmaceutical supply chain and many other industries," Technology Administration chief Robert Cresanti said.

"This important report lays the foundation for addressing important RFID security risks so a thoughtful enterprise can launch a smart-tag program with confidence." The 154-page report outlines inherent risks to data security and privacy and how to mitigate them.

For example, if a warehouse uses only RFID tags to track inventory, an attack on the technology could crash order-processing. A competitor also could hack into the information generated by RFIDs. In another scenario, someone could use an RFID reader to locate a box of expensive electronic equipment to steal it.

On the privacy side, the report discusses risks as RFIDs become more prevalent. It said that as more data is stored, organizations could combine and correlate to infer identities or locations and build profiles of people for other purposes.

The report also noted that privacy and business objectives sometimes could conflict. For example, if it is too easy for customers to disable RFID tags after sales, it also may be easy for adversaries to disable them before sales.

The report outlines existing privacy rules like the 1974 Privacy Act, which allows people to know what's being collected, get a copy, opt out of such collection and prevents data from being used for other purposes. The 2002 E-Government Act requires privacy impact assessments for devices.

"The goal of our report," according to lead author Tom Karygiannis of NIST, "is to give organizations practical ways in a structured format with checklists and specific recommendations to address potential RFID security risks."

The recommendations include: installing firewalls to separate organizations' RFID databases from other databases; encrypting the radio signals; authenticating approved RFID users; shielding tags to prevent unauthorized access; adopting audit procedures to detect security breaches; recycling or destroying tags so sensitive data is permanently destroyed; and minimizing sensitive data stored on the tags.

Another section shows how grounded metal fencing can be used as a shield to protect against eavesdropping or radiation. It said reducing transmitting power also can help prevent the interception of information and reduce electromagnetic radiation risks.

The report also weighs issues like encrypting data when it is at rest and having a remote "kill" feature to disable tags.

The report focused on security controls available on the market now while acknowledging that more security solutions are planned.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Cyber Risk Report: Cybercrime Trends from 2016

    In our first half 2016 cyber trends report, SurfWatch Labs threat intelligence analysts noted one key theme – the interconnected nature of cybercrime – and the second half of the year saw organizations continuing to struggle with that reality. The number of potential cyber threats, the pool of already compromised information, and the ease of finding increasingly sophisticated cybercriminal tools continued to snowball throughout the year.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • GBC Issue Brief: The Future of 9-1-1

    A Look Into the Next Generation of Emergency Services

  • GBC Survey Report: Securing the Perimeters

    A candid survey on cybersecurity in state and local governments

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

  • eBook: State & Local Cybersecurity

    CenturyLink is committed to helping state and local governments meet their cybersecurity challenges. Towards that end, CenturyLink commissioned a study from the Government Business Council that looked at the perceptions, attitudes and experiences of state and local leaders around the cybersecurity issue. The results were surprising in a number of ways. Learn more about their findings and the ways in which state and local governments can combat cybersecurity threats with this eBook.


When you download a report, your information may be shared with the underwriters of that document.