Photo by Claudio Schwarz on Unsplash

Photo by Claudio Schwarz on Unsplash

RFID technologies and risks

Contact

Article from ADMIN 81/2024
By
We look at various approaches to RFID asset tracking, provide an understanding of the technologies and challenges involved, and cover some of the potential attack vectors.

Manually typing in device IDs for asset tracking can quickly become a major chore in large environments. Automated entry with a radio frequency identification (RFID) system saves valuable time compared with barcode and other traditional methods, but it comes with its own problems. In this article, I look at various tech-based approaches to RFID asset tracking in the IT environment. After doing so, I turn my attention to sample implementations and software and some potential security concerns.

Break It Down

The first question related to asset tracking with an RFID system is the type of transponder to be used. The energy source built into active tags enables longer ranges, and the reader supplies energy to passive tags. However, the battery in the tags requires maintenance, which can mean some additional work, especially if you have a large number of tags; after a while, the results can be unreliable. Also don't forget that button cells are a substantial cost factor and have an environmental impact. From a total cost of ownership perspective in particular, passive tags are almost always preferable to their active counterparts in tracking scenarios.

The next question concerns the communication frequency – the reader and tags must transmit in the same frequency range to work together successfully. Candidate 1 is low-frequency systems that operate at between 120 and 140KHz. Product or card family 2 is near-field communication (NFC) cards, which operate in the frequency range of 13.56MHz and achieve ranges of around 50cm. Finally, ultrahigh frequency (UHF) systems normally reside in the frequency range between 869 and 915MHz and offer a very long range.

Several factors must be taken into account when selecting the frequency. First, especially in companies with an industrial background, you need to ask the transmitter technology people which frequencies other devices use. If you fail to do this, interference can drown out any NFC communication. Second, having more range is not always an advantage. Readers automatically report the presence of a tag, but if, say, two buses with long-range tags are parked next to each other, you can't reliably say which vehicle contains the device.

Incidentally, AirTags rely on a completely different system. They are not based on RFID technology but use Bluetooth Low Energy (BLE). The data is captured by nearby iPhones, which record the tags and transmit their location to the cloud. The problems include high costs (~$29/£35/EUR25 per unit) and the limited service life of the battery.

RFID Tag Formats

In addition to deciding on a working frequency, it is important to choose the correct presentation format. At best, employing the wrong transponder will lead to problems with range; at worst, you could run into security problems. The most widespread format is the "tag sticker" normally supplied with an adhesive film on the back for adhering to an object (Figure 1). The stickers are available from various suppliers all over the world.

Figure 1: A stick-on RFID tag houses some very complex technology.

Particularly in the case of inexpensive tags, if you stick them to metallic surfaces such as workstation housings, you'll experience frequency range-dependent attenuation; in the worst case the range is reduced to a few centimeters. RFID blockers, which are included in higher priced wallets, are a good example. However, you can now also find labels that can be attached to a more robust surface and do not react sensitively when stuck to metallic substrates.

Many RFID tags are printable. RFID chip card providers levy a price for this service with margins often in the region of several hundred percent. Particularly for larger companies, it might make sense to purchase your own label printer to prints cards with information such as the system type.

Industry standard DIN/ISO 69873 is important in the computer numerical control (CNC) sector. It specifies barrel-shaped RFID chips that are internally equipped with an isolator. The advantage of this architecture is that such systems can be easily accommodated in metallic devices – you just need to locate the sensor in the (prefabricated) groove. Unfortunately, administrators very rarely come across these slots. Unlike suppliers of CNC tools, computer manufacturers are not prepared for RFID tracking.

On the other hand – especially if a 3D printer and some double-sided adhesive tape are available – you could make a housing and place it in the systems (somewhere well hidden). This approach makes it more difficult for attackers to remove the tags and nips a common vulnerability of RFID systems in the bud. The key fobs shown in Figure 2 are particularly helpful when tracking workstations. They can be suspended in the housing by cable ties, which makes it difficult to track the devices from the outside.

Figure 2: Tag fobs not only work on key rings, but can also be used to track devices.

Inventory Management

In addition to technical factors, the choice of asset management program plays an important role when considering RFID-based systems. The most important point is that the decision for or against RFID can only be part of the overall decision. If a company is already using an asset tracking system, changing over for the sole reason of adding RFID technology will typically fail to boost user satisfaction. In a company with an asset management system, your first step should be to find out whether the existing provider uses an interface for RFID technology and what costs can be expected.

A second approach would involve the use of a handheld scanner that transmits the RFID tag data by emulating a USB human interface device (HID). Readers of this type simulate keyboard input; to scan, users first click on the input box of the program they use and then tap the tag with the reader. This procedure might lack convenience, because it involves changing the user device, but in practice it works without any problems.

In general, providers precisely define the hardware they require their customers to use. The use of third-party products is not recommended; otherwise, problems can lead to denial of responsibility. In the case of EZOfficeInventory [1], for example, the iPhone application opens the connection to the scanner. The assets are recorded in bulk and can then be managed in groups and posted or reposted. Because of the focus on the US market, support for Android is described as a "future feature" and was not available at press time. It will be of little surprise to most people in IT that purchasing and maintaining iPhones involves considerable costs. (See also the "QR Codes and Smartphones" box.)

QR Codes and Smartphones

An interesting alternative is the Shelf system [2], which does not use RFID. The product lets you print QR codes that are scanned by a smartphone. The system also records GPS position data provided by the smartphone, creating a geographic history of the asset in the process.

WiseTrack [3] deals with the management of tools or equipment located in fire stations, which results in a broader approach: The company advertises on its website that it actively supports third-party RFID tags and therefore does not force the administrator to purchase WiseTrack's own tags. The company also offers various RFID scanners with very long ranges to enable "permanent location fixing" of assets. I am still looking at the associated problems in relation to bring your own device (BYOD) and home office applications.

A thorough field test that determines how good a fit the system is for the existing corporate culture is required before a final decision can be made. Note that asset tracking creates deep ties with the provider, which is why differences in corporate culture are relevant and the decision should not be based solely on technical parameters. Some providers only offer cloud software, which is annoying, although in-house operation offers benefits from a data protection perspective.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus