There are many myths and misunderstandings about RFID. Can RFID be hacked? Can RFID tags be cloned? What’s the range of RFID? We demystify the misinformation.
RFID is a wireless technology that’s easy to misunderstand. While some elements have been around since the 1940s, RFID is still relatively young and various myths persist about security weaknesses.
These security risks are largely overstated and often misplaced. Part of the confusion stems from the fact there are many types of RFID. The fastest-growing segment of the RFID market, RAIN RFID, has many built-in safeguards to protect data and user privacy, and the industry places a high value on security and privacy as adoption accelerates around the world.
RAIN RFID is on the leading edge of wireless connectivity advances used by many industries, so confusion and misinformation are becoming common. The latest buzz comes from an article about the U.S. military’s experimentation with RFID to track firearms at armories. And there are unfounded and silly conspiracy theories about governments and corporations secretly using RFID to track people.
To demystify RFID and discuss the security of RAIN RFID, we sat down with Matthew Robshaw, technical fellow at Impinj and an expert in cryptographic security for low-power wireless radios.
What is RFID?
RFID, or radio-frequency identification, is a generic term that encompasses primarily battery-free radios that store and transmit a small amount of information, such as a digital barcode. Different types of RFID have different communication ranges and are designed for different purposes — such as access control, asset tracking, ticketing, and inventory management. Even wireless payment systems use RFID, like the NFC RFID in a smartphone.
If you’ve used an access card to get into your office or tapped your credit card when buying groceries, you’re already familiar with RFID. All RFID systems operate on the same principle: An RFID tag stores information that can be read wirelessly by an RFID reader.
RAIN RFID is a global, standards-based form of RFID. It is typically used to identify items in warehouses, retail stores, hospitals, and other facilities. RAIN RFID tags can be read from up close or as far away as 10 meters, without line-of-sight or the need to open a box or container.
How secure is RFID?
RFID systems have different properties and uses with different security needs. So, it is important to understand the use case because each requires different security techniques. For example, RFID carrying payment information uses more security than RFID carrying a digital barcode.
There are two broad categories of RFID systems: ones that use “active” tags and ones that use “passive” tags. Active RFID tags use batteries to broadcast their signal, like a beacon. Passive RFID tags don’t use batteries and instead get their energy from radio waves broadcast by an RFID reader.
RAIN RFID is passive, so tags don’t emit a signal unless asked to by a reader. The chip inside a RAIN RFID tag holds an identification number for the item to which the tag is attached. When read, the chip provides the item’s identification number, which is like a digital barcode.
Depending on the application, some chips also allow reading and writing small amounts of additional data, like an expiration date. Security features prevent bad actors from reading and writing the data without authorization.
What are common RFID security concerns?
The success of a RAIN RFID deployment is determined by the reliability of reading the tag’s identifier. It’s not surprising, then, that most security concerns for RAIN RFID involve the reliability of data, who might read and write the data, and who might misuse the data.
But security concerns don’t stop at the tag. RAIN RFID readers must also be secure, as must the backend systems that process the data and, in some deployments, pass it on to the cloud. In short, security means securing the entire solution.
The RAIN RFID industry and the associated standards bodies have monitored potential security risks for many years. As a result, a wide range of security features are available to protect both the deployments and the users. At Impinj, we’ve been innovating features like Impinj QT technology since 2010 and Impinj Protected Mode since 2019 to protect business data and consumer privacy.
Today, RAIN RFID system security is designed for the most common use cases, such as asset tracking in warehouses or inventory management at retail stores. We expect an ongoing evolution in security controls.
How can you minimize RFID security risks?
Security is about managing risk — about finding the appropriate balance among security, cost, and features. It is hard to envision any security feature that does not carry a cost somewhere in the system. Even something as straightforward as password security has hidden costs in the technical support for resetting passwords or risks from people writing their passwords down.
When deploying RAIN RFID, it is important to carefully consider the system design, vendor selection, and potential security risks of a specific use case. The Impinj Partner Network features an experienced and trusted ecosystem of product manufacturers, system designers, and resellers that enable secure deployments. It’s imperative to choose products from a trusted source and keep firmware updated to maximize security.
Most RAIN RFID tags have a range of data protection features. The most extreme is a “kill” feature, whereby an authorized reader can permanently deactivate a tag so it no longer responds, ever. An alternative is to block unauthorized readers from accessing information. Yet another is switching the tag to “short-range mode,” in which the tag will only respond if it is sufficiently close to a reader.
Impinj Protected Mode, a security and privacy feature exclusive to Impinj chips, ensures that a RAIN RFID tag remains silent, making it effectively invisible, unless a reader first provides an 8-character PIN.
Beyond the tags, data still needs to be handled with care. It’s important to carefully evaluate the following questions: Is the reader secure? Is its firmware digitally signed, making the reader — like the Impinj R700 — more resistant to hijacking or malicious corruption? In back-end systems and the cloud, are system architects using industry best practices and established security mechanisms?
Can RFID be hacked? Can RFID be copied or cloned?
The term “hacked” carries an air of excitement and a hint of mystique, so much depends on your definition of “hacked.” Yes, without careful system design, data carried over the air can be copied. But if eavesdropping is a concern, there are several easy steps that can be taken to prevent it.
We’ve talked about short-range access and making the tag invisible. If data on a tag is sensitive, it can be encrypted before it is written. And cloning can be thwarted using cryptographic tag authentication, which verifies that the reader knows a secret key, or credential, on the tag.
The global specifications that define how RAIN RFID readers and tags talk to one another include a range of features that support cryptographic security. Among these, cryptographic authentication can be used to build solutions for tags, readers, and mutual authentication. Features like these already appear in some road tolling deployments. Tag authentication may well become the foundation for global solutions aimed at preventing the counterfeiting of goods and medicines.
There are even more layers of security available in the cloud, particularly through the concept of every physical item being associated with a “digital twin.” Information about where and when a RAIN RFID tag is read can be checked against that item’s digital twin, which can hold history and ownership records.
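An added illustration, not part of the interview or Impinj's code, of why the cryptographic tag authentication described in this answer defeats cloning: a copied identifier, or one replayed response, does not pass a fresh challenge. HMAC-SHA256 stands in for the tag's cipher, and the class names, the sample EPC and the key database are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, challenge: bytes, epc: str) -> bytes:
    # Stand-in for the tag's crypto suite (assumption): keyed MAC over challenge + identifier.
    return hmac.new(key, challenge + epc.encode(), hashlib.sha256).digest()


class GenuineTag:
    """Simulated tag: the EPC is readable by anyone, the key never leaves the chip."""
    def __init__(self, epc: str, key: bytes):
        self.epc = epc
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return _mac(self._key, challenge, self.epc)


class ClonedTag:
    """Simulated copy: holds only what was visible over the air (EPC + one old response)."""
    def __init__(self, epc: str, recorded_response: bytes):
        self.epc = epc
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded  # no key, so it can only replay


class Verifier:
    """Reader/back-end side: looks up the key for the claimed EPC and challenges the tag."""
    def __init__(self, key_db: dict):
        self._key_db = key_db

    def authenticate(self, tag) -> bool:
        key = self._key_db.get(tag.epc)
        if key is None:
            return False                        # unknown identifier: reject
        challenge = secrets.token_bytes(16)     # fresh per attempt, so replays fail
        expected = _mac(key, challenge, tag.epc)
        return hmac.compare_digest(expected, tag.respond(challenge))


def demo() -> dict:
    epc = "urn:epc:id:sgtin:0614141.812345.6789"   # constructed sample identifier
    key = secrets.token_bytes(16)
    genuine = GenuineTag(epc, key)
    verifier = Verifier({epc: key})
    observed = genuine.respond(secrets.token_bytes(16))  # one earlier exchange, as recorded
    return {"genuine": verifier.authenticate(genuine),
            "clone": verifier.authenticate(ClonedTag(epc, observed)),
            "unknown_epc": verifier.authenticate(GenuineTag("urn:epc:id:sgtin:0.0.0", key))}
```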
How far away can RAIN RFID be read?
The RAIN RFID industry typically refers to a read range of 10 meters. Range depends on a variety of factors, including chip performance, tag antenna size, the properties of the item to which the tag is attached, the reader and its antenna, and the environment — for instance, if there is interference. RAIN RFID readers can detect tags across broad areas and don’t require direct line-of-sight, yet their performance is regulated by industry standards and governmental limits.
A bad actor, though, may not follow the rules. Someone wanting to optimize read range may go to extreme lengths to access a tag and get the data they seek. Highly directional antennas and illegally high power levels can increase a reader’s range, so it is important to consider the available countermeasures if this is of concern to a given use case.
If the ability to read a tag from long range is a security risk for your deployment, consider using features that prevent reading the tag’s memory or accessing its data. If someone merely detecting the presence of a tag is a security risk, use tags that offer Impinj Protected Mode to make the tag invisible to readers.
How might RFID security evolve?
One of the most significant changes I expect over time is more data moving to the cloud. This means an increasing role for edge devices like RAIN RFID readers, and therefore more effort securing those devices and the cloud databases where information is processed or stored. I predict more cryptographic authentication capabilities for protecting brands and eliminating counterfeits. And we’ll likely see more loss-prevention systems use RAIN RFID to seamlessly address theft and product diversion.
In the longer term, I see some measure of cryptographic security becoming the norm rather than the exception for RAIN RFID. This will likely be dominated by tag authentication initially, followed by reader authentication. Standards for encrypting and authenticating data over the air are already available. While market demand remains light for such security solutions, the tipping point may come soon as more people recognize the value of adopting RAIN RFID for new and emerging use cases.
At Impinj, we work closely with enterprise customers around the world who rely on our products and capabilities for mission-critical applications. We strive to understand the needs of businesses and consumers for data integrity, privacy, and security. We actively participate in standards-body workgroups and efforts to establish best practices for RAIN RFID. And our R&D teams continuously evaluate our hardware products and software to prevent security vulnerabilities.