News

RFID takes a hit, after researcher cracks the code

Is the world ready for RFID? Maybe not, says SelfService.org editor Bryan Harris.

August 14, 2006

About the author: Bryan Harris is the editor ofSelfService.org. He recently wrote about the crucial roledata-miningplays in successful loyalty-card programs.

For years we've been told that RFID, also known as radio frequency identification, is about to permeate the market. But is RFID ready for widespread deployment? While a lot of optimism surrounds the technology, there are some concerns.

Security

Bryan Harris is the editor of SelfService.org.

At a recent security conference in Las Vegas, a graduate student demonstrated the ability to steal data from RFID tags that companies have said could only be cracked by their proprietary readers. The researcher, Melanie Rieback of Vrije University in The Netherlands, and her helpers promised to make public the schematic and computer code for building a portable device that reads RFID codes and tags.

She calls it the RFID Guardian,on the premise that a person can use it to monitor the RFID chips carried on his or her person - in passports and the like. Another way to consider it might be as the RFID Assailant, if one uses it to snag data from other people's RFID chips.

Rieback is far from the first scholar to crack a code. When a team of researchers cracked the DES code used to encrypt ATM data, they spent almost $250,000 and three days computing 88 billion different code combinations needed to crack the single encryption standard - a much grander undertaking than the handheld box Rieback's team can use to scan RFID chips without the owners' consent. (Triple DES was the remedy for the financial space.)

Rieback also takes credit for writing the first RFID virus: a code that when written onto an RFID tag can make its way through middleware and infect a database. Since the same database is accessed when making and reading tags, all new tags would contain the infected code, if the database is breached.

Price

A vice president for one of the world's biggest RFID innovators told me that item-by-item RFID tracking is not likely to be adopted by retailers because it's too expensive.

Retailers frequently talk about the 5-cent RFID tag: Once RFID tags cost a nickel each, it could be feasible to put them on everything, just like price tags. For now, however, retailers still quibble over the price.

So, I ask you to tell me - is RFID ready for widespread deployment?