IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

RFID Security: Sooner or Later

Contributed by Louis Parks:
Shannon Kellogg of RSA recently posted a blog (no longer available) where he felt people in Europe and the United States are getting too worked up over the security and privacy issues around RFID. He feels it is too soon to pressure the industry to require safeguards and it is better to let RFID get off the ground and then let the industry deal with it. His attitude is best summed up where he wrote, there are legitimate security and privacy concerns around RFID that need to be addressed and the time to do that is sooner rather than later. He is clear the time is not now.

This attitude, from an employee of a company selling security, is a bit of a surprise but really reflects how industry has approached the use of security for decades. It has been all too common for a new technology to ignore security issues in their rush to market – only to deal with the resulting demons for years to come. You can just look at the CD/DVD industry as one of many examples.

What is a surprise is that Shannon didn’t see Burt Kaliski’s blog, the Chief Scientist at RSA the company where Shannon works, of 9/14/2006 (no longer available) where he reported on the vulnerabilities of the VeriChip. The VeriChip is an RFID transponder that is being implanted in humans now not sooner or later. Burt describes in some detail the ease with which these tags can be cloned (identity theft) and used for tracking individuals without their knowledge. He does suggest a re-encryption scheme that might mitigate some threats of tracking but no more so than simply re-writing the tag identifier.

Something will happen with RFID that will put the industry on the defensive and force it to spend excessive amounts of resources fixing, correcting and responding to critics. RSA is already spending a lot of time and money to help demonstrate the vulnerabilities of this great new technology – and getting some good press in the process. Hopefully the RFID industry will take this input and use it to break the traditional cycle of denial now rather than sooner or later.