Researchers Receive Grant To Improve RFID Security

The National Science Foundation has awarded a team of University of Virginia engineers $1 million to improve the privacy and security of RFID chips, computer chips the size of a grain of sand that wirelessly send and receive information over short distances (generally 10 feet or less) via very low-power radio waves.

One common RFID use: the remote car-locking systems that dangle from millions of keychains all over the world.

Billions of RFID chips are already in use in a variety of applications, explained the research team's leader, David Evans, an associate professor of computer science in U.Va.'s School of Engineering and Applied Science.

Many are used to effectively replace the ubiquitous bar codes that currently identify all our products. Wireless readers of the RFIDs eliminate the need for manually scanning barcodes, providing great advantages for inventory management. Major users include Wal-Mart and the U.S. military.

RFID chips are also increasingly being used in more sophisticated applications. The chips provide the wireless magic behind touchless smart cards being used for more and more things, from touchless credit and debit cards, to building access keycards and reusable farecards for public transit systems. RFID is also being used in wearable and implantable medical devices, to transmit patient data for remote monitoring, said fellow researcher John Lach, an associate professor of electrical and computer engineering who has done pioneering research in the field

Use of RFIDs for patient monitoring is a trend expected to increase in the future, Lach said, as Baby Boomers age and the rising costs of health care prompt a new emphasis on "aging in place" -- allowing the elderly to remain independent while also having their health effectively monitored.

The wireless nature of RFIDs gives them myriad potential uses, but also raises security and privacy concerns. For instance, many already-implanted medical RFIDs have no security measures, Lach noted, prompting a recent outcry that an unprotected pacemaker or insulin delivery system could be tampered with externally.

More expensive RFID chips (costing more than 50 cents apiece) have enough resources (memory space and power) to allow standard encryption schemes that provide good security.

But less expensive and lower powered chips -- the ones that are and will be used most widely -- do not have the capacity to allow standard encryption schemes. Such chips either include no security measures or use custom cryptography, which has repeatedly proven to be a weak defense.

To address the problematic use of custom cryptography, the U.Va. research team will develop an encryption scheme that is relatively strong -- providing some measure of privacy and security -- but that can be implemented at almost zero cost by repurposing the meager hardware resources already available on common RFID tags. Providing a solution that adds virtually no cost is crucial, because these RFIDs are made by the billions, at such low costs (5 cents or less apiece) that there is no margin for any added expense.

"The ultimate goal is to make the cost as close to zero as possible," Evans said.

The new design will be published, allowing rapid and inexpensive adoption by RFID makers.

"At least from a cost side, there will no longer be an excuse not to have security and privacy," said Nohl, whose 2008 doctoral thesis on RFID security is providing a foundation for some of the newly funded research.

The team is breaking new ground by using a holistic design approach that considers how all the various levels of the design -- the hardware, the encryption algorithm and how it is used -- work together, mindful of how an attacker will target the single weakest link in the design.

"This is really the justification for breaking systems," Evans said. "By using a big-picture approach to zero in on the most vulnerable aspects of the system, you learn how to design better systems."

The other members of the research team are Ben Calhoun, an assistant professor in electrical and computer engineering and an expert in low-power circuit design, and Abhi Shelat, an assistant professor of computer science specializing in cryptography.

RFIDs are poised to offer many cool functions and capabilities in the future. For instance, a refrigerator could read the RFIDs that identify the foods within it, and then offer a recipe suggestion to make use of what's on hand, Nohl said.

But RFID capabilities are already raising serious privacy and security concerns among consumers and the public. If the information on an RFID is not encrypted (or poorly encrypted), it can be read by anyone with an inexpensive RFID reader device.

In an activity called "skimming," a thief can simply walk by you or hang out in a crowded location and potentially steal monetary value from your smartcard, or copy your keycard for building access.

Consumer profilers could take a digital snapshot of everything in your shopping cart or backpack, possibly using it to target advertising or enable price discrimination, and could track your movements by reading the tags on the items you carry.

To avoid such pitfalls, proposed legislation in Europe would require that all RFIDs are disabled at any point of retail sale.

"It would be sad if, as a result of the discussion around RFID privacy, the decision is made to just disable them all," Nohl said. This would eliminate many potential benefits of RFIDs, and would not solve the privacy and security problems for applications like library books, subway farecards and medical devices, where the RFID needs to keep working.

The research team hopes their research will forestall that possibility, enabling RFIDs to be used in countless ingenious applications not yet dreamt of, without sacrificing privacy and security in a Faustian bargain.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3