But RFID has seen many tightly controlled "proof-of-concept" exploits, widely publicized by academic researchers to showcase RFID vulnerabilities that in reality pose less risk than an old flu virus. Don't look for criminals to unleash these exploits anytime soon. They understand that what little they could gain is simply is not worth the effort.
These proof-of-concept EPC RFID attacks could make the drying time of paint seem quick. Information criminals operating behind the virtual anonymity of the Internet have shown scant interest in supply chain applications. There are no bragging rights on hacker Web sites for exploits launched against physical goods. Confusing handlers of pallets loaded with dog food or diapers, or even diverting containers filled with toys or consumer electronics, gets you flamed as a bottom feeder in the information underworld.
Trafficking in hard goods traditionally has been blue-collar street crime, the stuff of film noir gangsters, crooked dockworkers and teamsters with ready distribution channels for stolen goods. The Internet's promise of disintermediation (http://en.wikipedia.org/wiki/Disintermediation) is simply not as appealing to the stolen-goods underworld as it is to legitimate distributors.
Stolen goods are not easily converted to cash on the Internet. Information criminals constantly try to sell stolen goods via hijacked or bogus eBay accounts, other online sales channels, or through networks of unsuspecting surfers conned by offers too good to be true. The distribution of stolen physical goods on the Internet is risky and costly because lots must be broken into small pieces to escape notice and there is an audit trail to threaten prized anonymity.
Information criminals steal information that's readily convertible to cash, not meaningless EPC RFID inventory data. The people who design EPC standards know far more about the risk to supply chains than cloistered academics engineering these meaningless proof-of-concept exploits.
The EPC initiative is backed by companies that suffer billions of dollars in global supply chain losses every year. They have performed a rigorous risk analysis and concluded that the effect of a supply chain exploit targeting EPC chips is relatively low. They also have determined that the probability of seeing a wave of hacks on EPC chips is similarly low.
The probability is even less with the second generation of EPC chips that is replacing the generation currently in mainstream usage. Second-generation EPC chips have stronger authentication, encryption and traceability, giving authorities a multitude of tools to correlate with back-end databases to thwart supply chain exploits.
The Defense Department, a very large EPC user, has accepted the risk posed by RFID to the armed forces' logistics chain. The high-impact RFID threat is terrorists with weapons of mass destruction masquerading as real cargo behind an EPC chip. The threat of terrorists using counterfeit or stolen RFID chips is one element that contributed to the beefed-up authentication and traceability in second-generation EPC chips.
Information criminals remain fixated on the proven formula of robbing banks, because that's where the money is. This means hackers are likely to devote more effort to stealing personal and sensitive information from RFID chips used in banking and identity applications than in supply chain operations. These RFID chips span a much broader technology spectrum, with multiple industry standards and proprietary technologies being used to store, transmit and secure the information.
The banking industry eschews the RFID acronym and has developed standards for "contact" and "contactless" cards. The most common type of contact card is the ubiquitous magnetic-stripe variety. Newer contactless cards are replacing magnetic-stripe cards in many applications, and the standard limits the reading distances of those cards to 10 centimeters -- 4 inches.
Those cards are highly configurable and support both symmetrical and asymmetrical key encryption for data stored on the card and in transit. Despite some sophisticated and widely publicized proof-of-concept academic cryptanalysis exploits -- which are very difficult to reproduce in the wild -- don't feel compelled to buy an RF-shielded wallet to protect these cards. History tells us that a single server exploit will produce a bigger information bonanza than the entire universe of RFID hacks.
Autor/Author: Mark Willoughby
Quelle/Source: Computerworld, 03.05.2006
