Top RFID Security Myths

We have tag level encryption, so we already have security for our RFID system...

While encryption is important in securing your RFID network, it is one aspect of a meaningful security policy. Security depends on three key factors:

  • Confidentiality
  • Integrity
  • Availability

Encryption gives you a basis for confidentiality, but even then is not completely reliable and depending on the technology being used, it may be significantly insecure. If the encryption is implemented on the RFID tag itself, there is a severe limitation in computing power available for encryption, compared with a traditional computer system. The result is weak encryption that poses a risk to your business because the encryption can be circumvented.

While encryption can only cover the confidentiality aspect, other key pieces are missing to implement a security policy following a holistic approach. For example, it is necessary to provide visibility into the data being stored on the tag, because even if encrypted the user data may contain malware. Furthermore, methods for compliance, auditing and analysis of the dataflow cannot be provided by an encryption only approach.

Our RFID application is in a closed loop system, we don't need security...

A closed loop system is no more secure than an open loop system they are different only in the methods used to hack each. In business today the need to gain a competitive edge often takes a malicious form and industrial espionage and intellectual property theft are all too common activities. Using insecure RFID networks within a closed loop system can even make the system more susceptible to attack because the attacker knows that once the closed system is accessed defeating the RFID network is easier. The application of security through obscurity is a risky policy. It is also important to realize that the RFID network does not cease to exist beyond the boundaries of the closed loop system within which it primarily operates. A hacker, intent on accessing the network systems, can often do so from outside the loop using remote means.

We have reader level filtering, so we already have RFID security...

While reader level filtering is a valid and useful process within RFID systems, it is only a small portion of the security measures necessary to protect business systems and operations. Filtering alone does not ensure confidentiality, integrity and availability, and often serves a logistics function rather than being a security focused process. Filtering will not detect a large number of malicious attacks and without additional security measures leaves your RFID network vulnerable to a significant number of different attacks.

You can't store enough data on an RFID tag to pose a security threat, so we don't need RFID security...

While the space allocated for data on many RFID tags may seem small in comparison to today's massive storage devices there is more than enough space to contain a high risk threat, such as a code injection attack, malware or viruses. Some virus attacks can be fit into a space as small as 108 bytes, such as on an ISO 15693 tag, and other code snippets are even smaller. For example, a well known CPU attack, called f00f is only 32 bits in size.

It may be possible in theory to attack a network through RFID, but no-one knows how to do it in the real world...

More everyday hackers are finding new ways to exploit vulnerabilities in RFID networks and related systems (please feel free to browse the real world stories we have in our practical attacks section of our website. As more ways to exploit these systems are discovered the relative cost of attacking such a network is dropping to a point where attacks can be carried out using inexpensive equipment, costing as little as $20. In the cases of organized criminal activities there are plentiful resources available to attempts attacks against even the most robust systems. Hacking into RFID networks is a growing concern and in an industry that is set to reach billions of dollars over the next 10 years security must be a primary business practice to ensure your organization can continue to enjoy the benefits of RFID technology.

To learn more about your RFID network and determine if you have hidden business risks that can be avoided please contact us for an RFID Security Assessment.