RFID Security Forum

Wednesday, November 15, 2006

A Strong Dose of RFID

Contributed by Louis Parks:

I just attended the three-day RFID Health Care Industry Adoption Summit sponsored by the National Association of Chain Drug Stores and the Healthcare Distribution Management Association. This was billed as the single largest pharmaceutical meeting (to date) to discuss and review progress in adopting RFID.

It was very impressive to see attendees from all aspects of the pharmaceutical supply chain because it is going to take everyone working together to deliver a solution.

Many of us think that a pharmaceutical manufacturer makes a drug and ships it to our local pharmacy, which then hands it to us. In reality, a drug passes through an average of nine owners/handlers before being dispensed. This very fluid and dynamic supply chain makes it an ideal environment for those looking to make a fast buck through diverting and counterfeiting our drugs. The industry realizes this and it is also one of the reasons the FDA is pushing for the introduction of RFID.

Seeing a real industry dealing with real implementations and real pilots also shows how far we have to go before RFID becomes the standard ubiquitous technology we all are hoping for. Standards, security, what data should be on a tag, who has the data, who can get the data, what network will carry it, when will that network be ready, the effect of RF on some drugs, and who is paying for everything are just a few of the questions being dealt with in real time. You also need to layer in the vendors’ agendas, the FDA, and each state since much of this regulation involves state bodies.

There are no easy answers and it will certainly take several more years before you see general adoption across the supply chain. Regardless, I am very impressed by the effort, commitment, and resources this industry is applying to adopt RFID for everyone’s benefit. I hope other industries think to look at this group for suggestions and direction. The drug industry’s pioneering will shorten the time to adoption for each and every market that follows.


Friday, November 10, 2006

Nip/Tuck comes to RFID

Contributed by Louis Parks:

IBM announced a new method they have patented called Clipped Tag Technology. It is as easy to explain as it is to use. A consumer simply pulls off the RFID antennae from an RFID-enabled tag hung on the outside of an item to shorten the read range. Not clear enough? You can go to the video at http://www.youtube.com/watch?v=95VOxKp0s74&mode=related&search

I applaud IBM for acknowledging the privacy white elephant in the room that too many in our industry have tried to ignore. I also think the simplicity of their idea makes it likely that it will gain some traction. In fact, one Canadian company has already licensed the method and announced a retail tag for immediate availability.

Unfortunately, it is only part of the solution and a few small issues still linger. First, some amount of privacy comes only if the consumer deactivates the tags. How many of you actually cut out those tags that say “remove after purchase”? If you do remember to disable the tag, it is not clear what the reduced read range is. Remember, the short read-range RFID tags – think payment cards with only a few-inch read range – have been read from over 150 feet in university tests. This solution also assumes the tags will be accessible. We have been contacted by several consumer manufacturers who want RFID tags inserted in their products – where they cannot be accessed – because they are more concerned about the $200B of counterfeit goods that enter their markets each year.

Regardless of any apparent issues with Clipped Tag technology this is still a move in the right direction and will hopefully make its way onto consumer shelves soon. More important, it shows IBM and others recognize that real solutions are necessary now to meet security and privacy needs.


Wednesday, November 08, 2006

RFID Security: Sooner or Later

Contributed by Louis Parks:

Shannon Kellogg of RSA recently posted a blog http://www.rsasecurity.com/blog/entry.asp?id=1141 where he felt people in Europe and the United States are getting too worked up over the security and privacy issues around RFID. He feels it is too soon to pressure the industry to require safeguards and it is better to let RFID get off the ground and then let the industry deal with it. His attitude is best summed up where he wrote, “…there are legitimate security and privacy concerns around RFID that need to be addressed and the time to do that is sooner rather than later.” He is clear the time is not “now”.

This attitude, from an employee of a company selling security, is a bit of a surprise but really reflects how industry has approached the use of security for decades. It has been all too common for a new technology to ignore security issues in its rush to market - only to deal with the resulting demons for years to come. You can just look at the CD/DVD industry as one of many examples.

What is a surprise is that Shannon didn’t see the 9/14 blog post http://www.rsasecurity.com/blog/entry.asp?id=1130 by Burt Kaliski, the Chief Scientist at RSA – the company where Shannon works – where he reported on the vulnerabilities of the VeriChip. The VeriChip is an RFID transponder that is being implanted in humans now – not sooner or later. Burt describes in some detail the ease with which these tags can be cloned (identity theft) and used for tracking individuals without their knowledge. He does suggest a re-encryption scheme that might mitigate some threats of tracking but no more so than simply re-writing the tag identifier.

Something will happen with RFID that will put the industry on the defensive and force it to spend excessive amounts of resources fixing, correcting and responding to critics. RSA is already spending a lot of time and money to help demonstrate the vulnerabilities of this great new technology - and getting some good press in the process. Hopefully the RFID industry will take this input and use it to break the traditional cycle of denial now – rather than sooner or later.


Friday, November 03, 2006

Fair and Balanced?

Contributed by Louis Parks:

The Smartcard Alliance issued a press release this week in an attempt to clarify the pitfalls of relying on RFID technology to secure our borders. Unfortunately, its partial views, questionable reference to unrelated events, and failure to address the actual performance needs of the Passport Card weaken its argument.

First, it is unclear how much more secure smartcard technology is versus some of the recent developments in RFID. The NY Times lead business article last week pointed out the ease with which some students could gather your identification and credit card number from “smartcard-secure” credit cards. Earlier this year it took a group in Holland just 2 hours to crack the “secure data” gathered off an electronic passport using smart card technology.

The Smartcard Alliance has also missed the mark in questioning our government’s ability to protect our data (part of the proposed border solution). The press release cited the recent data breach at the Department of Veterans Affairs. In fact, this was a case where a Unisys PC went missing that contained some VA billing records. Unisys was a subcontractor and likely under some very strict guidelines for data security that they obviously failed to meet. I don’t think this totally absolves the government from some responsibility but this incident was not a direct failing of a government agency. I could not find a recent failing of this nature so maybe the fix is to simply not contract out the work (sorry for the subliminal pitch for bigger government)?

Finally, the press release failed to mention that the Passport Card needs to be read from up to 20 feet away to support the proposed streamlining functions at the border. Smartcard technology can only be read over a few inches. I don’t see how you substitute one function for another without affecting the proposed process.

We don’t have all the answers yet on how Homeland Security and the State Department will secure the Passport Card but we will need factual critical review of any technology presented to decide if it is secure – hopefully it will come from a fair and balanced view.
