Skip to content
Search AI Powered

Latest Stories

technology review

will loose lips sink chips?

With their ability to store a product's full history, RFID chips promise to solve a variety of retail woes. But some fear that without added security features, they'll divulge the data to anyone with a scanner.

will loose lips sink chips?

For a technology that was expected to quietly transform back room operations, RFID chips are mak ing a surprisingly big splash out in the wider world. They're showing up on credit cards and golf balls. They've been embedded into racers' wrist bands and casino chips. Now RFID tags are about to burst onto the retail scene. In stores in Europe and in pilot stores in the United States, RFID tags have begun to appear on individual pieces of merchandise: books, pairs of jeans, bottles of drugs, DVDs and CDs.

Their appearance on the retail stage caught many by surprise. Until recently, most assumed that RFID tags would remain behind the scenes for several more years— tracking cases and pallets bound for retailers' DCs. Tags were thought to be much too expensive to use for tracking everyday items.


But that hasn't proved to be the case. As businesses began experimenting with RFID, some discovered benefits that easily offset the tags' costs. Pharmaceutical manufacturers, for example, found that sticking an RFID tag on a bottle of Viagra or OxyContin provided a drug "pedigree" that helped weed out counterfeits. Retailers discovered that item-level tagging saved them money by reducing out-of-stocks, deterring shoplifting and cutting the amount of labor needed to manage inventory and handle replenishment.

Though not yet commonplace, item-level tagging is no longer rare. This year, nearly 200 million tags will be attached to individual items, mainly apparel, books and drugs, according to research firm IDTechEx. Starting in 2007, item-level tagging will account for the biggest share of the world's RFID market by value, rising to an $11 billion market for tags and systems (out of a $26 billion total RFID market) in 2016.

The looming explosion in item-level tagging has left many worried about security risks. As long as RFID remained in the back room, communication among tags, readers and networks was relatively easy to secure. But as tags move out into the retail world, some experts fear they'll become the target of threats ranging from eavesdropping and data tampering to viruses.

Data at risk
"When it comes to item-level tagging, security is very, very important," says Kevin Ashton, vice president of marketing at ThingMagic, a Cambridge, Mass.-based vendor of RFID readers, sensors and other technologies. And as he sees it, the current technology, Generation 2, cannot offer that security without significant enhancements. "Gen 2 has done a very good job improving tag readability, and it is much better than Gen 1 in dealing with situations where there are multiple readers. Where it badly needs to be improved is in the area of security ... Gen 2 has a little bit more security than Gen 1, but it's absolutely not enough to give end users or the general public complete confidence in the system."

As item-level tagging takes off, so will the potential for mischief and sabotage. "Our real concern is unauthorized people reading the tags," says Ashton. For example, without additional security in place, retailers could easily obtain data to gauge how well a product—say, a newly launched videogame—is selling at a competitor's store. Unlike bar codes, RFID tags are able to uniquely identify individual items, making it possible to track how a product is selling. Someone with a scanner could walk down a store's aisles and track inventory on a shelf, charting sales of that videogame. "And because it's RFID-based, you can also do it without anybody knowing you are doing it," says Ashton.

Similarly, someone with a grudge against a particular retailer could use a scanner to collect critical sales data and leak it to the press. "If you are a publicly traded company, the last thing you need is a leak that your competitor sold 10 times as many new DVDs as you did," says Ashton. "That's just one scenario of why reader authentication is a good idea."

Those are just two of many possible scenarios. In a white paper posted on ThingMagic's Web site, "Generation 2 Security," Ashton describes other potential threats. For example, there's the possibility that a hacker might use a rogue reader to write new information to a tag (say, changing a price) or even kill the tag. There's also the risk that someone will replace a tag with a rogue tag (a tag from an unauthorized source) or clone tag (an unauthorized copy of a real tag) that transmits false data to a reader.

RFID tags are also vulnerable to data interception via what's known as a side-channel attack. In a side-channel attack (which Ashton likens to wiretapping without the wires), an interloper electronically eavesdrops on RF communications between tags and readers to obtain access to passwords or other confidential data.

Plugging the leaks
Given the variety of security risks, it's clear that the technology's vulnerabilities will have to be addressed before item-level tagging can really take off, says Ashton. That will mean security enhancements at the very least, and possibly the development of a new, Generation 3, protocol.

In his white paper, Ashton describes some security features that could be incorporated into future protocols (as well as some of the challenges they'd present). They include:

  • Encryption. Storing encrypted serial numbers on tags would boost data security, but it would also raise significant technological challenges of "key" management (that is, distributing and managing the corresponding decryption key). Encryption doesn't eliminate tracking; it simply makes it more difficult. Also, any onboard encryption operations would boost the computational demands on tags— introducing new overhead and boosting the tags' price.
  • Tagpasswords. Basic RFID tags already have sufficient resources to verify PINs or passwords, which could be a possible solution for protecting data. For example, a tag could be programmed to transmit critical information only if it receives the correct password. However, that raises the question of how to manage the passwords.
  • Tag pseudonyms. RFID tags would change serial numbers each time they are read, which would eliminate the need to program the tags with passwords. This approach would make unauthorized tag tracking more difficult, but it would also introduce issues of pseudonym management. Ashton predicts that security will be the focus of growing awareness over the next six to 12 months. He adds that if developers start work soon, a new protocol could be ready by 2008 or 2009, just in time for the expected item-level tagging boom.

Not so fast ...
Not everyone agrees that it's time to abandon Gen 2. Executives at EPCglobal, the organization responsible for developing the standards for application of RFID tags and electronic product codes (EPC), consider talk of developing a new Gen 3 technology to be premature.

If the need arises, the agency may decide to consider security enhancements and optional features, says Sue Hutchinson, director of industry development for EPCglobal. But if it does, she says, EPCglobal will build them on the Gen 2 base—that is, develop a Gen 2, Class 2 product—rather than starting over again with a new Gen 3 standard.

Possible security enhancements to Gen 2 include additional password schemes or maybe even some light encryption on top of some of the locking mechanisms that are already in place, says Hutchinson. "We want to make sure we are all responsible users of the technology and that we've done everything we can to safeguard consumers and most importantly to safeguard the relationship that our end users have with the consumer community."

Texas Instruments (TI) is working with EPCglobal to make that happen. TI has endorsed an authentication method for tag data that can be either on- or off-network. According to Joseph Pearson, business development manager for TI's RFID Systems division, EPCglobal has created an EPC item-level serialization scheme for item tags that will serve as an electronic security marker unique to each product, enabling automated track and trace capabilities as well as real-time visibility of the product through the EPCglobal Object Name Service (ONS) network. ONS will act as a "traffic cop" and direct authorized network inquiries to the correct database hosting the desired data.

Theoff-network method enables RFID readers to authenticate the tag through a shared data encryption algorithm. When it comes to tracking a bottle of Viagra, an electronic security marker can be a digital signature generated via a public key infrastructure (PKI) and programmed into the tag's memory. An RFID reader is able to validate the tagged product because the reader is supplied with the appropriate manufacturer public key to authenticate the digital signature. By using a digital signature, a manufacturer's unique "electronic fingerprint" is created and programmed into the RFID tag, which can then be authenticated by an RFID reader without a network.

Concerns about RFID security aren't limited to private industry. The Department of Homeland Security (DHS) issued a report in July calling for increased attention to security issues. Although good physical security controls exist on the RFID systems in use by the government, the report noted, there are still some system security concerns that should be resolved. According to the government, "These security-related concerns, if not addressed, could increase the potential for unauthorized access to DHS resources and data."

The Latest

More Stories

forklift carrying goods through a warehouse

RJW Logistics gains private equity backing

RJW Logistics Group, a logistics solutions provider (LSP) for consumer packaged goods (CPG) brands, has received a “strategic investment” from Boston-based private equity firm Berkshire partners, and now plans to drive future innovations and expand its geographic reach, the Woodridge, Illinois-based company said Tuesday.

Terms of the deal were not disclosed, but the company said that CEO Kevin Williamson and other members of RJW management will continue to be “significant investors” in the company, while private equity firm Mason Wells, which invested in RJW in 2019, will maintain a minority investment position.

Keep ReadingShow less

Featured

iceberg drawing to illustrate supply chain threats

GEP: six factors could change calm to storm in 2025

The current year is ending on a calm note for the logistics sector, but 2025 is on pace to be an era of rapid transformation, due to six driving forces that will shape procurement and supply chains in coming months, according to a forecast from New Jersey-based supply chain software provider GEP.

"After several years of mitigating inflation, disruption, supply shocks, conflicts, and uncertainty, we are currently in a relative period of calm," John Paitek, vice president, GEP, said in a release. "But it is very much the calm before the coming storm. This report provides procurement and supply chain leaders with a prescriptive guide to weathering the gale force headwinds of protectionism, tariffs, trade wars, regulatory pressures, uncertainty, and the AI revolution that we will face in 2025."

Keep ReadingShow less
maersk dual fuel containership

Maersk orders 20 dual-fuel container vessels

The Danish ocean freight and logistics giant A.P. Moller – Maersk has signed agreements with three shipyards to build a total of 20 container vessels equipped with dual-fuel engines capable of running on either methanol or liquified natural gas.

The move delivers on its August announcement of a fleet renewal plan that will allow the company to proceed on its path to decarbonization, according to a statement from Anda Cristescu, Head of Chartering & Newbuilding at Maersk.

Keep ReadingShow less
chart of business concerns from descartes

Descartes: businesses say top concern is tariff hikes

Business leaders at companies of every size say that rising tariffs and trade barriers are the most significant global trade challenge facing logistics and supply chain leaders today, according to a survey from supply chain software provider Descartes.

Specifically, 48% of respondents identified rising tariffs and trade barriers as their top concern, followed by supply chain disruptions at 45% and geopolitical instability at 41%. Moreover, tariffs and trade barriers ranked as the priority issue regardless of company size, as respondents at companies with less than 250 employees, 251-500, 501-1,000, 1,001-50,000 and 50,000+ employees all cited it as the most significant issue they are currently facing.

Keep ReadingShow less
chart of shipping business conditions

Shippers Conditions index reached high-point in September

A measure of business conditions for shippers improved in September due to lower fuel costs, looser trucking capacity, and lower freight rates, but the freight transportation forecasting firm FTR still expects readings to be weaker and closer to neutral through its two-year forecast period.

Bloomington, Indiana-based FTR is maintaining its stance that trucking conditions will improve, even though its Shippers Conditions Index (SCI) improved in September to 4.6 from a 2.9 reading in August, reaching its strongest level of the year.

Keep ReadingShow less