Friday, May 05, 2006

Can RFID be a Security Solution?

In recent months we've heard announcements from major pharmaceutical players who are piloting RFID on their high-profile, most-counterfeited drugs. We've also reported here in the past on the costs of using RFID, and on stories about its security weaknesses.

Seems like a paradox? Not really.

The FDA is pushing drug companies very hard to implement its vision of pharmaceutical security, which relies on an electronic pedigree of every transaction at every point in a drug's supply chain. The Florida ePedigree rules come into effect this July; CA and NV are soon to follow. Drug companies are running pilots so they can't be accused of doing nothing - but the costs are extraordinary, and expectations are low. John Theriault, who heads security at Pfizer, was recently interviewed on NPR:
JOHN THERIAULT: Is RFID you know a magic bullet that's gonna solve this tomorrow? The answer's absolutely not.
The company has tagged all bottles of Viagra that ship in the US. But Theriault says only one of the wholesalers Pfizer ships to has invested in the technology to read the tags.
JOHN THERIAULT: You have to understand that for RFID to work, there has to be technology deployed throughout the entire supply chain from the manufacturer to the point of sale. And that technology is currently expensive; it currently does not exist throughout the entire supply chain.
Wired magazine is running a piece this month on just how easy it is to crack RFID tags, replace their data, spoof them, and steal from them. Many security experts are predicting that RFID will be implemented with insufficient security, and users will have unrealistic expectations about how secure the data is.
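The two points above fit together: if tag data can be rewritten or cloned, the tag identifier by itself proves nothing, and the security has to come from the pedigree records behind it. The following is an added illustration, not code from this post and not the FDA's or Florida's actual ePedigree format. It assumes a simplified model in which every custody transfer is a record signed by the sending party and hash-linked to the previous record; per-party HMAC keys stand in for the digital signatures a real deployment would use, and the parties, keys and tag identifier are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example keys. HMAC with a per-party secret stands in for the
# public-key signatures a real pedigree scheme would use.
PARTY_KEYS = {
    "manufacturer": b"mfg-key",
    "wholesaler": b"whs-key",
    "pharmacy": b"pharm-key",
}

def canonical(record):
    """Canonical bytes of a record's signed fields (everything except 'sig')."""
    fields = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def record_hash(record):
    """Hash of the whole signed record; the next hop commits to this value."""
    return hashlib.sha256(canonical(record) + record["sig"].encode()).hexdigest()

def sign_record(party, record, keys=PARTY_KEYS):
    sig = hmac.new(keys[party], canonical(record), hashlib.sha256).hexdigest()
    return {**record, "sig": sig}

def add_event(chain, epc, sender, receiver, when, keys=PARTY_KEYS):
    """Append one custody transfer, linked to the previous record's hash."""
    prev_hash = record_hash(chain[-1]) if chain else "0" * 64
    record = {"epc": epc, "from": sender, "to": receiver, "when": when, "prev": prev_hash}
    return chain + [sign_record(sender, record, keys)]

def verify_pedigree(chain, epc, keys=PARTY_KEYS):
    """Return (ok, reason). ok only if every hop names the same tag, is signed
    by a known party, continues the custody sequence and keeps the hash links."""
    if not chain:
        return False, "no pedigree"
    expected_prev = "0" * 64
    for i, rec in enumerate(chain):
        if rec.get("epc") != epc:
            return False, f"record {i}: tag identifier mismatch"
        if rec.get("prev") != expected_prev:
            return False, f"record {i}: broken chain link"
        key = keys.get(rec.get("from"))
        if key is None:
            return False, f"record {i}: unknown sender {rec.get('from')!r}"
        expected_sig = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec.get("sig", "")):
            return False, f"record {i}: signature does not verify"
        if i > 0 and chain[i - 1]["to"] != rec["from"]:
            return False, f"record {i}: custody gap ({chain[i - 1]['to']} -> {rec['from']})"
        expected_prev = record_hash(rec)
    return True, "ok"

def demo():
    """Legitimate chain plus three failure modes a pedigree check catches."""
    epc = "urn:epc:id:sgtin:0000000.000000.0001"  # constructed tag identifier
    chain = add_event([], epc, "manufacturer", "wholesaler", "2006-05-01")
    chain = add_event(chain, epc, "wholesaler", "pharmacy", "2006-05-03")

    # A cloned tag carrying the same EPC but a pedigree from an unknown party.
    forged_record = {"epc": epc, "from": "grey-market", "to": "pharmacy",
                     "when": "2006-05-04", "prev": "0" * 64}
    forged = [sign_record("grey-market", forged_record, {"grey-market": b"guess"})]

    # A genuine record whose fields were edited after signing.
    tampered = [dict(r) for r in chain]
    tampered[1]["to"] = "other-pharmacy"

    # A chain with its first hop removed.
    missing_hop = chain[1:]

    return {
        "good": verify_pedigree(chain, epc),
        "forged": verify_pedigree(forged, epc),
        "tampered": verify_pedigree(tampered, epc),
        "missing_hop": verify_pedigree(missing_hop, epc),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the check is that reading the EPC off the tag is the cheap part; a pharmacy that only trusts the tag has already lost. Replacing the HMAC keys with per-party signing keys is the obvious next step, since with shared secrets every verifier could also forge records.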

Ari Juels, of RSA Labs, has published several excellent articles on the weaknesses and challenges of RFID. In one of his presentations he makes the following observation:

1980: Not one reported incident of a computer virus in the wild
1999: Not one reported incident of a major DDoS attack on the Internet
2005: Not one reported incident of fraudulent use of RFID tags.