RFID technologies and risks


No Real Theft Protection

Although shoplifters have been apprehended when trying to leave a store with RFID-protected items, this approach is not very effective in an IT environment for two reasons. First, attackers targeting IT systems are more skilled than their counterparts looking for perfume, coffee, and other goods. The attackers' technical knowledge means you can expect some opposition.

The COVID-19 pandemic made the BYOD and home office phenomenon an issue. RFID scanners are triggered by every label that comes within their range. If a developer takes their oscilloscope or workstation home, plant security is contacted. In theory, it is possible to use a self-built "smart scanner" that compares tag information with a database before triggering an alarm and excludes portable products from detection.
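A sketch of the "smart scanner" decision logic described above, added here as an illustration and not taken from the article or any product. The tag IDs, the database layout, the five-second debounce window, and the policy of logging unknown tags instead of raising an alarm are all assumptions.

```python
from dataclasses import dataclass

# Constructed asset database: tag ID -> (description, portable?)
ASSET_DB = {
    "E200-0001": ("rack server", False),
    "E200-0002": ("developer laptop", True),
    "E200-0003": ("oscilloscope", True),
    "E200-0004": ("network switch", False),
}

DEBOUNCE_SECONDS = 5.0  # a tag inside the field is read over and over


@dataclass
class GateDecision:
    tag_id: str
    action: str  # "alarm", "allow" or "log-unknown"
    reason: str


def evaluate_reads(reads, db=ASSET_DB, debounce=DEBOUNCE_SECONDS):
    """Turn raw (timestamp, tag_id) gate reads into one decision per pass."""
    last_seen = {}
    decisions = []
    for ts, tag_id in sorted(reads):
        previous = last_seen.get(tag_id)
        last_seen[tag_id] = ts
        if previous is not None and ts - previous < debounce:
            continue  # same tag still in the field: already decided
        entry = db.get(tag_id)
        if entry is None:
            # Foreign labels (clothing, badges) also trigger the scanner.
            decisions.append(GateDecision(tag_id, "log-unknown", "not in asset database"))
        elif entry[1]:
            decisions.append(GateDecision(tag_id, "allow", f"portable: {entry[0]}"))
        else:
            decisions.append(GateDecision(tag_id, "alarm", f"fixed asset leaving: {entry[0]}"))
    return decisions
```
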

RFID systems are vulnerable through various attack vectors, such as the hardware or the wireless interface. The most common type of attack on a transponder involves destroying it, a capability the manufacturers intend, because cashiers cannot be expected to remove every tag by hand.

Electronic destruction, which is specified in industry standards ISO/IEC 14443 and ISO/IEC 15693, takes advantage of the fact that a strong field, to put it simply, bakes the regulator intended for the power supply by overloading it. The RFID transponder is then unable to absorb energy from the reader and remains silent. Because of various industry standards, other electronic components such as computers and the like can easily withstand the specified field strengths.

The second problem relates to cloning RFID tags. Dumb ROM tags that respond to requests from the reader with a (programmed) serial number are easy to replicate. If a rewritable tag is used, the attacker can edit the information contained in the tag directly. One countermeasure involves the use of intelligent transponders that cryptographically sign incoming or outgoing information in a challenge-response procedure.

Although this setup makes attacks on the transponder system more difficult, deploying it significantly increases the cost of tags and readers. The extent of resilience measures, it follows, is driven by the intended use of the RFID system. If you use your labels only to list the servers in a room, skip the cryptographic trickery in the interest of lowering costs and easing system administration.
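The challenge-response procedure mentioned above, as an added example that is not from the article. HMAC-SHA256 stands in for whatever cipher a real transponder implements, and the class names, the 8-byte serial, and the key store are assumptions. It shows why a reply recorded once, or a bare serial number, is rejected when the reader issues a fresh challenge.

```python
import hashlib
import hmac
import secrets

SERIAL_LEN = 8  # assumed fixed serial length for this sketch


class CryptoTag:
    """Transponder holding a secret key that never leaves the chip."""

    def __init__(self, serial, key):
        self.serial = serial
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.serial, hashlib.sha256).digest()
        return self.serial + mac


class Reader:
    def __init__(self, keys):
        self.keys = keys  # serial -> per-tag key (constructed key store)

    def new_challenge(self):
        return secrets.token_bytes(16)  # fresh nonce for every read

    def verify(self, challenge, response):
        serial, mac = response[:SERIAL_LEN], response[SERIAL_LEN:]
        key = self.keys.get(serial)
        if key is None or len(mac) != hashlib.sha256().digest_size:
            return False
        expected = hmac.new(key, challenge + serial, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def demo():
    serial = b"SRV-0042"  # constructed serial
    key = secrets.token_bytes(32)
    reader = Reader({serial: key})
    c1 = reader.new_challenge()
    recorded = CryptoTag(serial, key).respond(c1)  # bytes seen on the air
    fresh_ok = reader.verify(c1, recorded)    # genuine tag, matching challenge
    c2 = reader.new_challenge()
    replay_ok = reader.verify(c2, recorded)   # recorded bytes, new challenge
    serial_only_ok = reader.verify(c2, serial)  # ROM-style reply: no MAC
    return fresh_ok, replay_ok, serial_only_ok
```

The per-tag keys in the reader's key store are the cost driver the text refers to: they have to be provisioned, protected, and kept in sync with the tags.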

The German Federal Office for Information Security (BSI) has responded to this trend by publishing a family of standards [4] that includes security criteria optimized for different scenarios; the US National Institute of Standards and Technology (NIST) has also published guidelines for the use of RFID technology [5]. Finally, do not forget that RFID systems sometimes generate tracking information that is problematic with regard to the European Union General Data Protection Regulation (GDPR) or personnel agreements (monitoring). In large companies, administrators are strongly advised to consult with the legal department before deployment.

Conclusions

When rolling out an RFID-based asset tracking system, it is important to consider the specifics of your environment. A decision for or against RFID should never be based on technical parameters alone. The willingness of employees and management to support the use of RFID tags is of fundamental importance for successful deployment. This article does not provide a complete description of the technology for space reasons. The RFID manual by Klaus Finkenzeller [6] is the ideal companion for people with previous knowledge of electronics.

Infos

  1. EZOfficeInventory: https://ezo.io/ezofficeinventory/
  2. Shelf: https://www.shelf.nu/features
  3. WiseTrack: https://www.wisetrack.com
  4. BSI Standard TR-03126: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03126/TR-03126_node.html
  5. Karygiannis, T. T., B. Eydt, G. Barber, L. Bunn, and T. Phillips. Guidelines for Securing Radio Frequency Identification (RFID) Systems. National Institute of Standards and Technology (Gaithersburg, MD) Special Publication (NIST SP) 800-98, 2007, https://www.nist.gov/publications/guidelines-securing-radio-frequency-identification-rfid-systems
  6. Finkenzeller, Klaus. RFID Handbook: Radio-Frequency Identification Fundamentals and Applications, 1st ed. Wiley, 2000

The Author

Tam Hanna (tam.hanna on Instagram) has seen the embedded space inside and out. His multidecade work has involved coding games for early mobile phones, designing metrology systems, and tackling various projects for civil and military clients.
