The news last month that RFID chips are reportedly vulnerable to virus attacks shouldn't have been news at all. After all, an RFID tag is essentially a tiny computer chip connected to a network, and it relies on software that is inevitably going to have a few bugs in it, and inevitably some of those bugs will be potential vulnerabilities that some bright spark will figure out how to exploit. This has been the case for every other computer network in the world, and it's becoming increasingly true with Internet-capable mobile phones. Why would RFID be any different‾
It's not even the first time someone's discovered how to hack RFID in some form or another. Three weeks before the RFID virus paper made the news, researchers at the Weizmann Institute of Science announced at the annual RSA Security conference that they were able to kill an EPC Class 1 Gen 1 passive tag after hacking it and determining its kill password.
The reason the RFID virus story is making waves is because most people only have a vague idea of how RFID works or how it will be used. The most they hear about RFID - if they ever do at all - is that it's used for tracking things, it will be in all the stuff you buy from Wal-Mart, it will eventually be in your driver's license/ID card, and it will possibly even be implanted in your skin. It will also be virtually ubiquitous by the end of the decade. In-Stat says that the number of RFID tags will grow from 1.3 billion in 2005 to 33 billion by 2010.
So a story indicating that all of this is susceptible to the same threats (more or less) as Windows XP is going to make headlines and raise eyebrows. Some consumer advocate and civil liberties groups are already upset over the potential privacy issues of trackable chips in everyday items. Such concerns are valid (within reason), but the RFID sector, and its clientele, has had mixed results in addressing them.
Veil of secrecy
Several RFID industry executives have responded to the virus threat study by saying the real risk is extremely limited because the attack uses outdated EPC technology. Also, RFID middleware and software is usually proprietary to the organization using it, which means it's not as widespread as, say, Windows.
Answers like that aren't enough, no matter how accurate they may be. The real disconnect from the consumer side is that they don't really understand just what's at risk when an RFID chip with their info on it gets hacked. PC users have a pretty good idea of what's on their computer because they installed or input much of it. RFID tags are a different matter. How much personal info goes into, say, a medical wristband‾ Who has access to it‾ How do you check that the info is correct‾ How do you know when it's been compromised‾
These aren't new questions, but they're not always satisfactorily answered, and the reason tends to boil down to the age-old obsession with secrecy. Companies don't want fraudsters gaming the system. Governments don't want terrorists or criminals to find a weakness that could be exploited to create fake IDs or attack the system itself.
Fair enough, but secrecy has serious drawbacks. Security by obscurity almost never works for computer networks - hackers can't resist a challenge. And competitive secrets can be liabilities when they mean keeping secrets from consumers as well.