NIST highlights RFID risks
The guidance, still in draft form, outlines the security and privacy risks associated with RFID and discusses potential safeguards.
Guidance for Securing Radio Frequency Identification (RFID) Systems
A draft publication from the National Institute for Standards and Technology highlights some of the security and privacy risks associated with radio frequency identification technology.
Some of the risks involved can be serious. The threat can extend from the RFID tags to central databases on an agency's network, according to the report. But NIST experts are not trying to scare agencies from using the technology.
"Like any new technology, RFID presents new security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer," the report states.
One danger is that an unauthorized user with a RFID reader, which is also called an interrogator, could gather information about the contents of a container, making it easier to decide what to steal. So agencies need to decide how much information to include on the tags and how to protect it.
Even if a tag contains nothing more than identifier, it can reveal more than agencies realize. For example, observers could monitor tagged materials as they arrive at their destination, giving them information about the quantity of tagged products. “Adversaries could obtain valuable intelligence from the mere existence of a tag,” the report states.
There is greater danger if an RFID system is tied to a back-end database. An intruder could use the interrogator as a back door to that database, if it has not been properly secured with access controls, password-protection and cryptography.
But these and other dangers can be addressed, according to NIST. "When practitioners adhere to sound security engineering principles, RFID technology can help a wide range of organizations and individuals realize substantial productivity gains and efficiencies," the report states.
The guidance is intended to help current and future RFID users understand those risks and the best-known safeguard, according to the report.
NEXT STORY: Week in Review