Radio Frequency Identification – Is It Secure?

This post is also available in: עברית (Hebrew)

Radio-frequency identification (RFID) tags have begun appearing everywhere. When one looks carefully, it’s easy to notice them in passports, credit cards, library books, office access passes, and even pet cats. According to homelandsecuritynewswire.com, the technology allows fast, automated identification of physical objects and is a staple for many factories and warehouses who use it to track inventory and manage supply chains, pharmaceutical companies deploy it to track drugs, and courier services use it to tag deliveries. But what would happen if RFID technology were compromised?

“A security breach in RFID applications would leak valuable information about physical objects to unauthorized parties,” says Li Yingjiu, Associate Professor at the Singapore Management University (SMU) School of Information Systems. The University says that Professor Yingjiu, an expert on RFID security and privacy, as well as other aspects of mobile security, is attempting to develop better safeguards into the technology.

Because RFID tags work by broadcasting information to electronic RFID readers, security breaches can occur if hackers eavesdrop on this conversation, and manage to gain access to or tamper with information. The consequences of such an attack could be serious, says Professor Yingjiu. “In the context of supply chain management, for example, this means industrial espionage may obtain sensitive information about inventory levels, trading volumes, trading partners, and even business plans,” he explains.

In order to protect communications between tags and readers, Yingjiu and his team are designing and testing new RFID protocols with enhanced security features. These strategies include making the protocol’s output unpredictable, making two tags indistinguishable to the hacker, and preventing hackers from obtaining useful information even if they manage to interact with the tags.

There are also many instances where sharing of RFID information between suppliers and retailers, for example, or between various components of an Internet of Things would have obvious benefits, says Professor Yingjiu. But without appropriate security controls, however, most companies would be reluctant to make valuable data readily available. To address this problem, Professor Yingjiu’s team is also designing improved access control mechanisms that protect RFID information when it is shared on the internet.

Mobile payment systems such as Apple Pay and Google Wallet use a specialized form of RFID technology. The team identified a number of attacks which hackers could use to target Apple iPhones. The code to launch these attacks could be embedded within third-party apps that were available in the iTunes store. The team reported their findings to Apple’s security team, and the company plugged these loopholes when its new operating system was released the following year.

The team also reported Android framework vulnerabilities and potential attacks to Google.