The solution? Here is another case in which challenge-response chips would be useful. As the response is constantly changing, it would not be possible to track an individual chip without knowing how to properly decode the response based on the challenge.
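The tracking argument above can be made concrete with a short sketch. This is an added example, not code from the article; the article names no specific scheme, so the use of HMAC-SHA-256, the tag-side nonce, and all class, function and key names here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

class StaticTag:
    """Tag that answers every reader with the same fixed identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id

class ChallengeResponseTag:
    """Tag that proves knowledge of a secret key without sending an ID."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        # A fresh tag-side nonce keeps the response changing even when a
        # reader sends the same challenge over and over.
        nonce = os.urandom(16)
        mac = hmac.new(self._key, challenge + nonce, hashlib.sha256).digest()
        return nonce + mac

def identify(key_db: dict, challenge: bytes, response: bytes):
    """Authorized reader: find which known key produced the response."""
    nonce, mac = response[:16], response[16:]
    for name, key in key_db.items():
        expected = hmac.new(key, challenge + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return name
    return None

def linkable(tag, sightings: int = 5) -> bool:
    """Reader without keys: do repeated reads of one tag look identical?"""
    challenge = b"\x00" * 16  # the same challenge is sent on every read
    seen = {tag.respond(challenge) for _ in range(sightings)}
    return len(seen) == 1

# Constructed sample key database (hypothetical tag names, random keys).
KEY_DB = {"tag-A": os.urandom(32), "tag-B": os.urandom(32)}

def demo() -> dict:
    static = StaticTag(b"EPC-0001")  # constructed identifier
    cr = ChallengeResponseTag(KEY_DB["tag-B"])
    challenge = os.urandom(16)
    return {
        "static_linkable": linkable(static),
        "cr_linkable": linkable(cr),
        "authorized_id": identify(KEY_DB, challenge, cr.respond(challenge)),
    }

if __name__ == "__main__":
    print(demo())
```

Without the tag-side nonce, a tag that answers a repeated challenge deterministically would be just as linkable as the static one, which is why the response must vary on the tag's side as well.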
RFID has recently been integrated into passports, allowing a traveler to move more quickly through security checks.
The risk? The problem again is that the chip will respond to any reader. What if that reader were attached to an explosive device? It could trigger a bomb simply by the person’s presence. Yet the current security in passport RFID is woeful. The latest security effort by passport authorities was to include a wire mesh in the cover of the passport.
Like a tin-foil hat, it blocks the signal from the reader, rendering the chip unresponsive until the passport is opened. This is a good first step, but studies have shown that the passport only needs to be opened slightly for the chip to be readable. Furthermore, when the passport is slightly open, the mesh protection becomes an amplifier, making the chip readable from greater distances.
The solution? The best security solution for this implementation is encryption. The payment card industry uses RFID in its new contactless payment technology (e.g., PayPass by MasterCard). This technology takes advantage of encryption capabilities in some RFID systems to ensure that a rogue reader cannot compromise the information sent from the card to the reader.
Some of the risks with RFID are more easily solved than others. There are implementations in use today which prove that some of these solutions are possible. Part of the problem is that the RFID chips capable of these advanced security features are more expensive, and thus less desirable for massive rollouts such as tracking products in stores.
Do risks outweigh rewards? Certainly, RFID and its uses are innovative and can simplify daily life for people. However, it’s critical that the industry implement this technology while staying mindful of the abundant threats that RFID inherently introduces. Considering the risks and threats early in the implementation and adoption stages will eliminate many of the security problems.
John Carmichael leverages his strong lab development, programming and security process skills to deliver secure software development training courses to some of the world’s largest organizations including Adobe, EMC and MassMutual. Prior to joining Security Innovation, John was a systems analyst who led various Web development labs and product training for both technical and non-technical audiences.