RFID security - Part 4: Management of RFID security
Frank Thornton
9/23/2010 10:23 AM EDT
When conducting threat management for RFID systems, monitor everything; broad monitoring will help you work through any difficulties that arise.
If you are responsible for information security, you may be overwhelmed by the large amount of data and communications that must be monitored. As a matter of routine, you should confirm the integrity of your systems via login access and Dynamic Host Configuration Protocol (DHCP) logs, and perform physical checks to make sure that new devices are not being added to the network without your knowledge.
Adding RFID systems to the list of systems to be monitored will increase the difficulty. In addition to physically checking the Ethernet connections, you will also have to perform RF sweeps for devices attempting to spoof tags, and keep an eye out for people with RF equipment who may attempt to sniff data from the airwaves.
You will need new equipment and training for the radio side of the system, since radio systems are usually outside the experience of most network professionals. You will also have new middleware connections that will add new channels, thus introducing possible new threats and adding new vectors for the more routine threats such as computer viruses and spyware.
NOTES FROM THE UNDERGROUND...
Monitoring Isn't Just for Logs
Monitoring and tracking changes in files rather than logs is just as important. For example, suppose you have a program with the following RFID proximity cards and associated names:
Card1 DATA "8758176245"
Name1 DATA "George W. Bush" , CR, 0
If we make three small additions, it becomes easy to add a previously unauthorized user.
Card1 DATA "8758176245"
Name1 DATA "George W. Bush" , CR, 0
With the addition of 63 bytes of data, the security of this RFID card access system has been compromised. However, an increase of 63 bytes of data might not be noticed in a large database of cards comprising thousands of users. Remember to periodically review the contents of databases with those people who know what the contents should be. Do not assume that all of the data is valid.
*Code derived from the RFID.BS2 program written by Jon Williams, Parallax, Inc. www.parallax.com.
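The file review described in the sidebar can be automated. The following is an added example, not code from the original chapter or from the RFID.BS2 program: it snapshots an approved card listing and reports any record added, removed or renamed since, together with the change in file size. The function names and the second card record are assumptions constructed for illustration.

```python
import hashlib
import re

# Matches PBASIC-style lines such as: Card1 DATA "8758176245"
DATA_LINE = re.compile(r'^\s*(Card|Name)(\d+)\s+DATA\s+"([^"]*)"', re.IGNORECASE)

def parse_cards(source: str) -> dict:
    """Return {card_id: name} from CardN/NameN DATA pairs in the source text."""
    cards, names = {}, {}
    for line in source.splitlines():
        m = DATA_LINE.match(line)
        if m:
            kind, index, value = m.group(1).lower(), int(m.group(2)), m.group(3)
            (cards if kind == "card" else names)[index] = value
    return {cid: names.get(i, "<no name>") for i, cid in cards.items()}

def snapshot(source: str) -> dict:
    """Record what a reviewer approved: digest, size in bytes, and the card list."""
    raw = source.encode()
    return {"sha256": hashlib.sha256(raw).hexdigest(), "size": len(raw),
            "cards": parse_cards(source)}

def audit(baseline: dict, current_source: str) -> dict:
    """Compare the current file with the approved snapshot and list every difference."""
    now = snapshot(current_source)
    old, new = baseline["cards"], now["cards"]
    return {
        "changed": now["sha256"] != baseline["sha256"],
        "size_delta": now["size"] - baseline["size"],
        "added": {c: n for c, n in new.items() if c not in old},
        "removed": {c: n for c, n in old.items() if c not in new},
        "renamed": {c: (old[c], new[c]) for c in old if c in new and old[c] != new[c]},
    }

# Approved listing, as shown in the sidebar.
APPROVED = 'Card1 DATA "8758176245"\nName1 DATA "George W. Bush" , CR, 0\n'
# Constructed sample: the same listing with one made-up record appended.
MODIFIED = APPROVED + 'Card2 DATA "0000000000"\nName2 DATA "Constructed Test Entry" , CR, 0\n'

if __name__ == "__main__":
    report = audit(snapshot(APPROVED), MODIFIED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Store the snapshot somewhere the card system cannot write to, and have the "added" and "renamed" lists reviewed by the people who know who should hold a card.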
When you are done securing your new RFID system and you think you have all the threats under control, go back to the beginning and start looking for new vulnerabilities, new risks, and new attacks. As previously mentioned, things such as increases in computing power and new encryption cracking techniques are constantly evolving, and may break a security model in short order. Keeping up with new security problems and the latest attack methods is an ongoing process—one that demands constant vigilance.
24.10 Summary
In this chapter, we discussed how RFID systems work; the various types of RFID tags, data formats, and tag protocols; and some typical applications. We also discussed some of the potential attacks that RFID systems are susceptible to. We learned that some of the attacks that are well known to IT professionals can also be applied to RFID.
With new technologies, we are often seduced by the grand vision of what "it" promises. Currently, RFID is one of the newest technologies offering this grand vision. While RFID holds great promise in many applications, the last several years have proven that many aspects of RFID systems are insecure and new vulnerabilities are found daily.
The driving idea behind this chapter is applying information security (InfoSec) principles to RFID applications. What we [the authors] have attempted to do is show you some common pitfalls and their solutions, and get you started thinking about the security implications of installing and running an RFID system in your organization.
24.11 Links to Sites
• RFID Gazette — www.rfidgazette.org
• EPCglobal — www.epcglobalus.org
• ISO — www.iso.org
• RFID Buzz — www.rfidbuzz.com
• RFID Viruses — www.rfidvirus.org
Printed with permission from Newnes, a division of Elsevier. Copyright 2008. "Wireless Security: Know it All" by Praphul Chandra, Alan Bensky et al. For more information about this title and other similar books, please visit www.elsevierdirect.com.

