Security -- and its high cost -- appears to be the next hurdle in the widespread adoption of RFID.
But many say scenarios where supply-chain data could get corrupted by "rogue" RFID tags, or that supply chains could be slowed by changing a tag's data to random data in a denial-of-service attack, pose no greater risk than what already exists today. "RFID provides more security and more opportunities to prevent people from getting their hands on the supply chain. I can't think of any scenario that could be done because of RFID that doesn't already happen today," says Mani Subramanyam, principal consultant for retail solutions at IT-services company Wipro Technologies. For instance, retail customers have been known to swap bar-code tags to try to cheat the system, he says. And, unlike RFID tags, bar codes can be counterfeited on most any computer and printer.
"That sort of thing is much more difficult with RFID tags than with bar codes. You need specific technical knowledge and specific tools to pull it off," agrees Peter Regen, VP of global visible commerce solutions at Unisys Corp.
Security devices are being considered and are likely to ease many of the security worries that center around RFID tags. For example, unique, product-specific EPC codes, akin to a car's vehicle ID number, could be created so that if anyone were to break the security, he or she would get information for only a single product. And that's not worth the time it will take to break the code, Regen says. "You're not going to do it, the bar will be too high," he says.
Additionally, the new EPCglobal UHF generation 2 protocol standard will provide enhanced security features for passive tags, says Sue Hutchinson, director of product management at EPCglobal. The standard provides password protection as well as the ability to encrypt the data being sent from the tag to the reader, rather than having encryption on the tag itself.
While companies are just starting to address security questions, privacy advocates and legislators have for some time been attempting to address the privacy issue, which primarily centers around the tags. As the issue gains traction, the industry has started to focus on it, as well. At Germany's Metro Group AG's Future Store in Rheinberg, RFID tags on items lose their function outside the store, a spokesman for the retailer says. A "deactivator" is available to the customer at the exit of the store; this overwrites the numerical product code stored on the chip and changes it into zeroes.
RSA Security developed ways to block RFID tag reader's, says Dan Bailey, RFID solutions architect at RSA Laboratories.
Earlier this year, RSA Security demonstrated its RSA Blocker Tag, a specially designed RFID tag built into shopping bags that launches a denial-of-service attack to prevent RFID readers from reading any tags that might be attached to items in the bag. But the downside was that the Blocker Tag also could provide a way for shoplifters to blind a store's security efforts. So the company shifted gears, says Dan Bailey, RFID solutions architect with RSA Laboratories. "We've come up with ideas and refinements that are more suited to actual deployment," Bailey says.
One idea is the "soft blocker," which would enforce consumer-privacy preferences, but only after an item actually has been purchased. At the point of sale, a consumer could swipe a loyalty card, which would link to data about his or her privacy preferences. "After the item is purchased, the point of sale would update the privacy bit and note that it should be ignored by certain readers, such as supply-chain readers," Bailey says.
The soft blocker would be a good alternative to killing the tag with a privacy bit, a capability available with the EPCglobal generation 2 tags. "Killing tags will stifle the development of downstream consumer applications," he says.
Whether or how all these ideas will be embraced is up for grabs. "These are ideas that are being tossed around," Hutchinson says. "Frankly, the end-user community hasn't worked through on a process level how a soft kill would be implemented in a real environment."
Maybe now is a good time to start.
As the examples above show, there are plenty of opportunities on retail-store floors or during the transport of goods from one location to another to uncover and even alter data on an RFID tag. But equally vulnerable is the network at companies' distribution centers, warehouses, and store back rooms where RFID-tagged cases, pallets, or other items enter into the possession of a company or one of its stores. Unsecured wireless networks present opportunities for eavesdropping on data.
"Everything from the reader back is very standard Internet infrastructure," says Kevin Ashton, VP of marketing at ThingMagic, an RFID-reader manufacturer whose technology is sold through original equipment manufacturers, includingTyco International Ltd.'s ADT subsidiary and Zebra Technologies Corp. "So you have all the same security issues and opportunities that you have with the Internet."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.