Tuesday, October 5, 2010

Privacy vs. Security on the DASH7 Wireless Sensor Networking Blog

The concepts of security and privacy are related, but different, and people often confuse the two issues. SecureRF’s CEO, Louis Parks, tackles this topic in his first posting for the DASH7 Wireless Sensor Networking Blog.

His post, Privacy vs. Security, lays down a foundation for what security is versus what privacy is, in a general way that is not tied to any specific product.
Future postings will cover:
  • “What is security?” and describe related tools and functions.
  • How you put these tools together to create security protocols that address real world issues.
  • Security on a DASH7 platform.
  • Addressing and describing the security needs and solutions for different applications and industries of interest to the DASH7 Alliance.
Pat Burns, President of the DASH7 Alliance, starts the conversation with his posting - Introducing Louis Parks.
The DASH7 Alliance was formed to advance the use of DASH7 wireless data technology by developing extensions to the ISO 18000-7 active RFID standard, ensuring interoperability among devices, and educating the market about DASH7 technology.  SecureRF is now a member of this organization.

Monday, August 16, 2010

In the News - Mikoh

Fellow RFIDSA member, Neil Mitchell of MIKOH Corporation Limited, had an article published in the July/August issue of Military Embedded Systems. It is titled "RFID and asset authentication: Enabling true security measures," and can be viewed at http://www.mil-embedded.com/articles/id/?4787.

Wednesday, July 28, 2010

RFID Security Alliance Examines Risks

RFID Security Alliance Examines the Risks Associated with Wal-Mart's Recently Announced Shift of RFID Technology from the Warehouse into its 3,750 U.S. Stores

Wal-Mart Continuing to Drive the Industry Adoption and Risk Management of RFID Tags in the Retail Market

Sausalito, CA, July 27, 2010 – With over 250 million RFID (Radio Frequency Identification) tags being put into Wal-Mart’s men’s basics across Wal-Mart's 3,750 U.S. stores, the RFID Security Alliance (“RFID SA”) has been receiving a number of inquiries from the public questioning the security and privacy of their personal information and their risks when purchasing such merchandise.

“We at the RFID SA take an active role to educate the industry and layperson of the advantages and risks associated with RFID based solutions and are deeply committed to ensuring that everyone’s information remains private and secure in a well implemented RFID solution,” said RFID SA Chairman Michael McCartney. He continued, “In reviewing the details of this use-case we find the threat to privacy to be very low and in fact not dissimilar to that of bar codes that it is designed to replace. The removable tags are attached to the garment in the same manner as the conventional bar code tags, with a plastic or cotton loop or tie. Additionally, once removed, these tags can also be permanently disabled with a pair of scissors rendering them irrevocably unreadable so even once the tag is disposed of at the home, the tag can no longer be accessed.”

Additionally, since the information, as the RFID SA understands it, is basic inventory information used to keep track of in-stock jeans and apparel items, the RFID SA seriously doubts how useful this non-personal information might be to anyone other than Wal-Mart.

At the RFID SA, we will continue to perform due diligence on this project and others to determine what the threat level to the public’s privacy is. We also will continue to educate the RFID industry on best practices and to make certain that the level of security is high enough to protect the consumer and the market's use of RFID technology. RFID can provide huge cost savings to the industry that will also be passed on to the consumer and will also allow faster and more efficient checkout and returns. While a poorly implemented system could be open to risk, the RFID SA is promoting industry best practices to ensure all RFID implementations provide all the benefits with minimal risks.

About the RFID Security Alliance
The RFID Security Alliance (RFIDSA) was founded as a resource for the RFID industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications. More information about RFID SA can be found on its Web site at www.RFIDSA.com. Insights into RFID Security can be also found on the association’s blog at http://rfidsa.blogspot.com/ or contact Anna Haight at Anna.Haight@RFIDSecurityAlliance.org.

Wednesday, June 9, 2010

India Wide ID system and more at RFIDSA meeting on 6/10

At this month's RFID Security Alliance meeting Mohinder Sikka of Sensitel, Inc. will be providing information about the India Wide Identification system which is being implemented.  Q&A session to follow.

This open discussion will be followed by an RFID Security Alliance business meeting.

You are welcome to join us.

Meeting Details:
Thursday, June 10
10:00 a.m. – 11:00 a.m. PST / 1:00 p.m. – 2:00 p.m. EST

To participate:
Dial in Phone Number: 218.936.7999
Access code: 413685# (Follow the prompts)
Physical Location: QLM Consulting, Sausalito CA

Friday, May 28, 2010

First human ‘infected with computer virus’ - Another example of “spreading the fear”

Contributed by Neil Mitchell, RFIDSA Vice Chairperson

Another example of how RFID is “being connected” in negative technology reporting occurred this week from one of the respected news sources. The BBC reported on a university researcher who embedded himself with an RFID device that is used to open the doors in the university and enable his cell phone. However, the device was purposely embedded with a computer virus intended to infect other similar implants. The fear factor is the potential spread of this computer virus between similar embedded devices in people (that happen to use RFID to communicate). The examples they included were pacemakers and deep brain stimulators, which actually do not contain RFID readers. This fact was conveniently overlooked.

While protecting human-embedded devices from viruses is a very valid topic, little attempt was made to distance the RFID technology from being the cause of the weakness. There are no cases of this “in the wild” today, although this is a very valid topic that the RFID Security Alliance is also monitoring.

Fellow RFIDSA member and security consultant, Lukas Grunwald, pointed out that “This is the classical Rieback scheme.” More information on RFID viruses can be found at Dr Melanie Rieback’s homepage: www.cs.vu.nl/~melanie/ and http://www.rfidvirus.org/.

The BBC’s story is here: http://news.bbc.co.uk/2/hi/technology/10158517.stm.

Tuesday, May 11, 2010

Insights into the Spring Conference Season

Members of the RFID Security Alliance have been busy attending conferences all over the globe. These attendees are going to share their insights about these recent events at our next RFIDSA meeting.

• INTERPHEX Pharmaceutical Conference - Louis Parks, CEO of SecureRF
• RFID Journal Live - Michael McCartney, QLM Consulting and Chair, RFIDSA
• United Fresh - Michael McCartney, QLM Consulting and Chair, RFIDSA
• Pan-European High Security Printing Conference - Lukas Grunwald, Neocatena

Also, Tim Downs will talk about two upcoming events:

• Smart Grid Cyber Security Summit
• Life Sciences Information Security conference

This open discussion will be followed by an RFID Security Alliance business meeting.

You are welcome to join us.

Meeting Details:
Wednesday, May 12
10:00 a.m. – 11:45 a.m. PST / 1:00 p.m. – 2:45 p.m. EST

To participate:
Dial in Phone Number: 218.936.7999
Access code: 413685# (Follow the prompts)

Physical Location: QLM Consulting, Sausalito CA

Friday, April 30, 2010

Video: The Use of RFID in Supply Chain Security

Contributed by Joanne C. Kelleher

Last week was the annual INTERPHEX Conference for pharmaceutical manufacturers and packagers. Editors of BioPharm International and Pharmaceutical Technology conducted a series of in-depth conversations with speakers, industry stakeholders and thought leaders.

RFID Security Alliance members Louis Parks, CEO of SecureRF and Bikash Chatterjee, CTO of Pharmatech Associates, along with Anthony Palermo, Director of the RFID Centre of Excellence were interviewed together about the use of RFID in supply chain security.

You can view their interview at http://interphexvideocast.com/media/index.php?vid=Bikash_Anthony_Louis.

All of the interviews conducted at INTERPHEX are at http://interphexvideocast.com/.

Monday, April 12, 2010


Members of the RFID Security Alliance (RFIDSA) are participating in a discussion at the 2010 INTERPHEX conference titled “Securely Implementing RFID in the Pharmaceutical Supply Chain.”  The talk will be presented on Wednesday, April 21, 2010 from 2:15PM - 3:45PM at the Jacob K. Javits Center in New York, NY.

Participants include these RFIDSA members:
  • Louis Parks, President and CEO of SecureRF Corporation
  • Bikash Chatterjee, President and CTO of Pharmatech Associates Inc.

We hope you will be able to attend their session. Not yet registered for INTERPHEX? As speakers, they have the ability to extend a 15% registration discount to friends and colleagues. Go to http://www.interphex.com/speaker. This link will access the official INTERPHEX website, which contains complete event details including the full Conference program and online registration. The speaker discount has been programmed into the link and will automatically display reduced pricing when you begin the registration process.

Friday, April 9, 2010

RFIDSA at RFID Journal LIVE 2010

RFID Journal LIVE 2010 is next week, April 14-16 in Orlando, FL.

Michael McCartney, RFID Security Alliance's chairperson, will be speaking in the RFID for IT Professionals track. His talk, titled RFID Security: Potential Threats, Their Impact and Solutions, will be presented on 4/14 at 11:30 am.

If you are going to this conference, please attend this session and introduce yourself to Michael.

Friday, March 26, 2010

Notes on InterTraffic Conference

RFIDSA's Vice Chairperson, Neil Mitchell, shared his insights about the InterTraffic Conference. 

InterTraffic was held over 4 days this month from March 23rd – 26th in Amsterdam. The show runs every 2 years and has considerably expanded from the show 2 years ago (having almost tripled in size!). It is a broad based traffic event and not solely focused on RFID or security technologies. While some portions of the show are not relevant to MIKOH and the RFID Security Alliance there are significant key parts that are.

ITS (Intelligent Traffic Systems) and Cooperative Systems, which are highly relevant, took up 1/3 of the show; Safety and Infrastructure, which had parts that were relevant and parts that were not, took up another 1/3 of the show.

Attendance was mostly European, but there was significant attendance from beyond, including North and South America, Asia (including Russia and China), and Australia.

Major themes from the show were:
• Increased use of video-based vehicle tracking (free flow, parking, security etc). Note: Clearly video-based tracking has hugely varying read rates (from 65% to 95%) and, if it is to be used as a revenue-generating activity, it is often used in addition to a technology such as RFID to fill that significant gap (unless in a more controlled environment such as parking).
• Vehicle networking and traffic management using vehicle-to-vehicle communication (of information such as speed, time, GPS location etc). There was actually a live demo around Amsterdam of this technology. RFID tags on vehicles can be part of this solution but are likely to be used only if they are employed for other reasons beyond just this.

While the theme of security was present, it was mostly from the point of view of vehicle security (high level tracking and monitoring) and less so the detailed issues relating to tag security.

The show was generally highly relevant for anyone involved in Automatic Vehicle Identification (e.g. Electronic Vehicle Registration, tolling, parking etc) and a very good meeting place for customers, partners and relevant industry bodies.

Thursday, January 7, 2010

Karsten Nohl to Discuss Hacking Mifare and other 'secure' RFID on 1/13/2010

The RFID Security Alliance has changed the format of their monthly meetings and will now start with a discussion of a topic of interest. On January 13, 2010 researcher Karsten Nohl will mark the 25th anniversary month of declaring Mifare insecure by leading a discussion about Mifare and several other types of 'secure' RFID which have been broken in the meantime (HID, Legic).

Questions to be covered include:
  • How have the hacks on the Mifare transit cards impacted new projects?
  • How have existing systems been protected?
  • What is the status of Mifare Plus?
  • How have other systems been broken?

Karsten bridges the three worlds of academic research, hacking, and industry. His academic research with the University of Virginia focuses on privacy protection in large networks. His hacking projects, at H4RDW4RE in Silicon Valley or with the CCC in Berlin, assess (and usually break) proprietary cryptography. Finally, his consulting job at McKinsey helps him understand why corporations often choose technically inferior solutions.

The meetings can be joined in person in California or via conference call. If you want to participate in next week's call (Wednesday, 1/13) on this topic, you are welcome to join us at 10 AM PST / 1PM EST. After this discussion and an open Q&A you can stay on the call for RFIDSA internal business topics if you wish.

Dial in Phone Number: 218.936.7999
Access code: 413685# (Follow the prompts)

RFID Security Alliance meetings are usually scheduled for the second Wednesday of each month at 10 AM PST / 1PM EST. More info about the RFID Security Alliance is at http://www.rfidsa.com/ or via the LinkedIn Group at http://www.linkedin.com/groups?gid=62849.

Contributed by Joanne C. Kelleher
RFIDSA Marketing Committee

Tuesday, December 22, 2009

RFID Readers May Become Ubiquitous

During December’s RFID Security Alliance call, there was an open discussion on the effects of RFID readers becoming ubiquitous. This frank and useful discussion posed the following questions:

What will happen when RFID Readers become embedded in common every day devices that a non-expert can use?

One example of RFID readers becoming embedded in a common device is the smartphone that many of us own today. Such speculation is not baseless and, while limited to the rumor mill at this point, it seems likely that some consumer devices will start to incorporate such reader technologies in the near future. How do we know this?

On the speculative side, the rumor mills are filled with suggestions that next generation Apple iPhone may include such technology:



On the more fact-based side, we know that NXP Semiconductors and others are developing combo chips that combine cell phone and RFID technology into single devices. While this does not mean a product will certainly be on the market with this functionality, it seems a high probability.

How might such multi-function devices be used?

There could be many uses. Speculating a little, one rationale would be to incorporate such RFID reading capability with bar code and other sensors to allow a device to read a product ID (and other information). This would then be used to locate information about the product (through the internet via the cell phone connection), possibly including the price at various local stores as well as at a combination of other online retailers. Why? To enable a purchase from a different location than the one where you scanned the item. Motivation for purchasing elsewhere includes price, offering a value-added purchase, offering related products and their improved availability, or other factors (service, support etc). The goal would be to take a small service fee for the pleasure.

Another possible usage is to turn the iPhone into a “digital wallet” with RFID.

What will happen when RFID Readers are available to such users?

Phones are regularly hacked (e.g. “Jailbreaking” iPhone) or increasingly targeted for unscrupulous activities (e.g. identity theft etc). It will be no different with RFID reader enabled devices and the system and tags in question. One member suggested that applications that have value will be the first ones hacked and then hackers will pick on applications that will be fun to break or for bragging rights.

The RFID Security Alliance is looking carefully at such concerns and has decided to pull together a “Best Practices” white paper to address these concerns. Any solution must address the full spectrum of threats, RF security, physical tag security, reader security etc.

Contributed by Neil Mitchell, RFIDSA Vice Chair

Wednesday, December 9, 2009

The RFIDSA's View of the RFID Marketplace

At last week’s RFID Security Alliance meeting we had open discussions about the effects of RFID readers becoming ubiquitous and the state of the RFID marketplace.

AIM Global’s RFID Connections recently spoke with Reik Read, senior analyst for Robert W. Baird & Co., about RFID and the economy. They posted this podcast at the same time the RFIDSA was meeting, and it was interesting to see that there are strong overlaps between the thoughts of our members and a leading analyst. You can read/listen to Reik’s interview here: http://www.aimglobal.org/members/news/templates/template.aspx?articleid=3613&zoneid=42.

Here are the highlights from the RFID Security Alliance marketplace discussion:
• Up to 6 months ago, RFID projects were on hold but they are now starting to pick back up.
• There is a shift from exploring RFID to problem solving, i.e. automating to reduce costs, errors and staff.
• The RFID technology is now ready for prime time and the costs of tags and readers are coming down. New products are being developed that will make implementations better: i.e. readers with higher sensitivity, multi-directional tags and more security functions.
• As the role of the U.S. Food and Drug Administration changes and becomes a fully empowered agency, they will be looking at food traceability so RFID will grow.
• Ultra Wide Band is getting more traction around sensitive equipment like in hospitals.
• Several members are seeing more overseas (rather than US) activities, especially for asset tracking.

Of course, our members continue to think that security is a significant issue related to RFID. I was glad to see Reik Read highlighted it as an important issue too.

What are your thoughts about the current RFID marketplace? We invite you to add your comments.

Contributed by Joanne Kelleher, SecureRF Corporation
RFIDSA Marketing Committee

Friday, December 4, 2009

Call for Papers: The Workshop on RFID Security 2010

Here is a call for papers.
The Workshop on RFID Security 2010 (http://www.projectice.eu/rfidsec10/index.html) is the sixth edition of a series of workshops held in Graz, Malaga, Budapest and Leuven. In 2010 it will take place in Istanbul, Turkey.

The workshop focuses on approaches to solve security and data-protection issues in advanced contactless technologies like RFID. It stresses implementation aspects imposed by resource constraints.

Topics of the conference include but are not limited to:
  • New applications for secure RFID systems
  • Data protection and privacy-enhancing techniques for RFID
  • Cryptographic protocols for RFID
      • Authentication protocols
      • Key update mechanisms
      • Scalability issues
  • Integration of secure RFID systems
      • Middleware and security
      • Public-key Infrastructures
      • Case studies
  • Resource-efficient implementation of cryptography
      • Small-footprint hardware
      • Low-power architectures
  • Attacks on RFID systems
  • RFID security hardware, e.g. RFID with PUF, RFID Trojans, etc.
Important Dates:
  • April 20, 2010: Submission Deadline
  • May 20, 2010: Notification
  • June 1, 2010: Final Version
  • June 8 - 10, 2010: RFIDSec Workshop

More details about how to submit a paper are at http://www.projectice.eu/rfidsec10/CfP/index.html.

Someone from SecureRF attended this event a few years ago and found it was a mix of researchers, academics and businesses.

Joanne C. Kelleher
RFID Security Alliance Marketing Committee



Wednesday, November 18, 2009

Speaking Opportunity in Singapore

Hello RFIDSA members,
I received an email today that the Pharmas & Biotech Supply Chain Asia 2010 conference has an open call for speakers. This conference is being held on March 17-18, 2010 in Singapore. http://www.terrapinn.com/2010/pharmascm/index.stm

The invitation said:
"Pharmas & Biotech Supply Chain Asia 2010 will address:
- Import & export regulatory compliance
- Clinical Supply Chain
- Cold chain management and supply
- Achieving Drug Safety across the entire supply chain
- Protecting Inbound Supply Chain Through Stringent Suppliers Qualification
- Managing your logistics and distribution in Asian context
- Strategising the right demand forecasting strategy to ensure speed to market and product availability
- The essential data management technologies to drive supply chain visibility and security
- Manufacturers-Suppliers-Vendors Relationship Management: Collaborating with various supply chain stakeholders to increase supply chain visibility and integration
- Establishing good supply chain practice in challenging market - India And China
- Packaging and labelling strategies to ensure regulatory compliance and product safety

We are now looking for industry leaders to share their expertise, experience and strategies on the above mentioned topics. Do you have an interesting case study to share? Interested to speak at the event?

Contact Stella Teo at +65 6322 2737 or email stella.teo@terrapinn.com to discuss your speaking opportunity at Pharma & Biotech Supply Chain Asia now!"

I don't know anything else about this event and it sounds like a "sponsored" speaking opportunity (i.e. you have to pay), but I thought I would pass it along in case anyone was interested.

Joanne Kelleher
SecureRF Corporation
RFID Security Alliance Marketing Committee

Tuesday, October 27, 2009

Australia takes the application of electronic travel documents to the next level

Since their initial rollout, RFID-enabled electronic passports have seen widespread adoption in the US, Europe and other countries. It is also nothing new that biometric and other data can be read off the chip by unauthorized third parties and, in some cases, also be forged.


But so far, the International Civil Aviation Organization (ICAO) has always insisted that, despite any potential security concerns, there would never be any fully automated immigration process and that the manual inspection by the immigration officer would serve as the last line of defense that cannot be easily fooled.

Now the Australian government has introduced just that: after conducting a multi-year trial, the so-called “SmartGate” system is being deployed at major Australian airports. SmartGate is a fully automated immigration procedure, involving having your passport scanned at a self-service terminal and then using an automatic immigration gate employing face recognition technology to match a live picture taken on the spot against the photo stored inside your passport.


If you think about it, what’s happening in Australia is just the next logical step. After all, the purpose of introducing electronic documents is, besides added security, to automate and streamline otherwise manual processes to save both time and money. But it also highlights once again the design flaws that have had security experts around the world raising concerns ever since the introduction of the electronic passport.

At this point the SmartGate system is open to citizens of Australia and New Zealand aged 18 and over only, but over time the system is expected to open up to citizens of other nations as well.

Boris Wolf
VP of Business Development and Co-Founder
NeoCatena Networks, Inc.

Friday, October 2, 2009

Message from the incoming Chairperson

As the incoming chair of the RFID Security Alliance I want to thank all of those individuals who have contributed to the success of the Security Alliance. The Alliance represents perhaps the most knowledgeable group of individuals in the RFID community who have voluntarily come together to share ideas and start a long process of providing security improvements to our technical community and to the public at large.

Given eHealth mandates, the pharma industry's concerns over counterfeit drugs, and the food industry's focus on tracking and tracing the perishable supply chain, RFID and RFID security issues will be more in the forefront of corporate thinking than before. The Alliance will be scheduling presentations and enlisting members to present topics that will be focused on industry-wide issues during the fourth quarter of 2009.

In addition, we are starting a membership drive to ask for contributions to cover the legal costs to convert the organization to non-profit status. This status will enable the organization to qualify for federal, state and local grants for RFID security issues and research. So if you can contribute, send an email to our Secretary/Treasurer Anna Haight (mailto:a@qlmconsulting.com). In all cases your energy and expertise are greatly appreciated.

Michael McCartney
RFID Security Alliance

Tuesday, August 4, 2009

Feds at DefCon Alarmed After RFIDs Scanned | Threat Level | Wired.com


D. Mike Ahmadi
P: (925) 413-4365
E: MikeAhmadi@mikeahmadi.com


Friday, July 17, 2009

Reporters: Unsure of the RFID Security Facts? Contact the RFIDSA.

Contributed by Joanne C. Kelleher

Earlier this week one of my co-workers sent me a link with the comment “No surprise, but this kind of guy really irritates me.” The article, Chips in official IDs raise privacy fears by AP National Writer Todd Lewan, appeared in several places including http://news.yahoo.com/s/ap/20090711/ap_on_bi_ge/us_chipping_america_iv. It also triggered follow-up articles such as Robin Harris’ blog post on ZDNet entitled RFID passports: a tragedy waiting to happen.

I was planning to post about how much of the content was old news or technically incorrect. For example, Harris mixed up Pass Cards and Passports which use different RFID protocols and have different security features. But Mark Roberti, editor of RFID Journal, beat me to it so I am going to refer you to his postings -AP Hack Strikes Again and Another Blogger Confuses the RFID Issue.

If any reporters wish to write about RFID security issues in the future, please contact the RFID Security Alliance and we can refer you to people who can accurately talk about the topic.

Tuesday, May 12, 2009

RFID Privacy and Data Protection Principles

Contributed by Joanne C. Kelleher

The Commission of The European Communities issued a recommendation today “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.”

Their “recommendation provides guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data.”

Here is a summary of the recommendations:
  • Develop a framework for privacy and data protection impact assessments.
  • Identify those applications that might raise information security threats then develop new schemes, or apply existing schemes, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
  • Develop and publish a concise, accurate and easy to understand information policy for each RFID application and inform individuals of the presence of RFID readers for the application.
  • Inform individuals of the presence of RFID tags that are placed on or embedded in products in the retail trade, determine whether tags placed on or embedded in products sold to consumers through retailers by others represent a likely threat to privacy or the protection of personal data and deactivate or remove at the point of sale tags used in their application.
  • Take appropriate measures to inform and raise awareness among public authorities and companies of the potential benefits and risks associated with the use of RFID technology, especially information security and privacy aspects.
  • Stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.
The first two recommendations sound awfully familiar to those involved in the RFID Security Alliance. Performing risk assessments, which should cover both data protection and privacy issues, and then implementing the appropriate level of security and protection is a recommendation that we have been making since the RFIDSA’s formation. We also support designing privacy and security into the application at the beginning of the technology development process, not shoehorning it in at the end (like with DVDs).

I also found several of the Commission’s reasons behind these recommendations (the “whereas” clauses in the beginning of the document) to be right on target:

6.) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-by-design’).

13.) RFID application operators should take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person through any means likely to be used by either the RFID application operator or any other person, unless such data is processed in compliance with the applicable principles and legal rules on data protection.

19.) An assessment of the privacy and data protection impacts carried by the operator prior to the implementation of an RFID application will provide the information required for appropriate protective measures. Such measures will need to be monitored and reviewed throughout the lifetime of the RFID application.

22.) RFID applications with implications for the general public, such as electronic ticketing in public transport, require appropriate protective measures. RFID applications that affect individuals by processing, for example, biometric identification data or health related data, are especially critical with regard to information security and privacy and therefore require specific attention.

26.) Research and development on low-cost privacy-enhancing technologies and information security technologies is essential at Community level to promote a wider take-up of these technologies under acceptable conditions.

A full copy of the document, issued May 12, 2009, is at http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf. Also check out their RFID page at http://ec.europa.eu/information_society/policy/rfid/index_en.htm.

Thursday, April 16, 2009

Welcome to a New Security Alliance

Contributed by Joanne C. Kelleher

A new organization, the Cloud Security Alliance is being launched next week at the RSA Conference. They plan to provide security advice to companies adopting cloud computing products.

SearchSecurity.com has an opinion piece about the challenges the new Cloud Security Alliance (CSA) will face and the RFIDSA gets a mention. The CSA is tackling 15 "Domains of Concern" and several of these items overlap with issues we face with RFID.

Cloud computing group to face challenges ahead
By Eric Ogren at SearchSecurity.com
15 Apr 2009

"This is not the first, nor will it be the last, security alliance that was formed to get ahead of security issues that may stunt the growth of enticing new technologies. A search on "security alliances" will quickly uncover similar organizations including the Internet Security Alliance, Voice over IP Security Alliance, Document Security Alliance and Radio Frequency Identification (RFID) Security Alliance. Security practitioners are well-schooled in talking about potential security pitfalls in new technologies and in making best practices recommendations."
Read the full piece at http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1353872,00.html#

Saturday, April 4, 2009

Thank God For Academic Interest

I recently had the opportunity to present to a joint meeting of the American Society For Quality (ASQ) and The Institute For Supply Chain Management (ISM) on the subject of ePedigree. The title of my presentation was "ePedigree: Security As A Quality Objective" and I was joined by Bikash Chaterjee of Pharmatech Associates.

One of the attendees was Dr. Richard Dawe, an associate professor from Golden Gate University in San Francisco. He teaches about global supply chains, and he was very intrigued by my presentation. He essentially found it quite interesting that in all the discussions about ePedigree, security issues rarely get any mention.

One of Dr. Dawe's MBA students asked me to assist her with a project she is working on centered on ePedigree. I spent some time explaining the enormous security challenges with implementing ePedigree in general, and also about security challenges in the RFID "portion" of ePedigree.

What I find absolutely fascinating about discussions at this particular level (meaning the academic level) is that I find myself feeling very warmly embraced by the teachers and students. This is because I bring them information they cannot easily find through any of the organizations that claim to specialize in providing answers about ePedigree.

As I mentioned in a previous posting, organizations (like SupplyScape) are working very hard to convince companies (like pharmaceutical companies) to get "ePedigree Ready", and raising the spectre of security obviously throws a huge monkey wrench into the works. It essentially amounts to a cover up of the issues, because many of these ePedigree implementation organizations are well aware of the security issues. For those that are not aware of the issues, ignoring opportunities to become more aware is perhaps an even bigger crime.

When I explain a mere handful of the security challenges and risks associated with insecure ePedigree and RFID implementations, I consistently get the classic "eyes wide and mouth open" response from the audience, who are shocked to learn this new information. What is even better is when I show them documented evidence of what I am discussing.

I hope more academics become involved and spread the word.

Friday, April 3, 2009

Help Present a Balanced View of RFID Security

Bert Moore, Editor of AIM Global’s RFID Connections, discusses RFID security and privacy in his April 1, 2009 column titled RFID: Legislative Action.

"At some recent legislative hearings on whether to limit, regulate or restrict RFID in some way, advocates of RFID finally began to get their views heard. Why? Because many of the advocates weren't companies manufacturing or selling RFID, they were companies and agencies actively using the technology. They were able to point out to state legislators how the technology was actively benefitting citizens of the state. And their real world experiences helped put to rest some of the more outlandish claims of some privacy advocates.

At the same time, there are new concerns that some companies and governmental agencies are implementing RFID technology without giving adequate attention to the need for security and, therefore, privacy. Concerns about covert reading of ID cards and similar items must be addressed because they highlight real or potential system vulnerabilities that expose not only individuals but the entire system to unnecessary risk.

It is up to those in the RFID community -- both vendors and end users -- to be heard in legislative hearings and community forums in order to present a balanced view of the technology and point to ways in which it can be implemented securely so that it can continue to provide benefits while protecting the integrity of the system and personal privacy."

The RFID Security Alliance invites vendors and end users interested in this issue to join our organization.

Bert also goes on to announce the availability of a new technical report from the International Organization of Standards (ISO) which was based on the work of AIM Global. Publication ISO/IEC TR24729-4, Information technology - Radio frequency identification for item management - Implementation guidelines - Part 4: Tag data security is available for purchase from the AIM Global website.

I was pleased to see that this report “offers sufficient guidance to enable users or developers to assess potential risks and determine appropriate techniques to mitigate these risks.” The RFID Security Alliance encourages users and implementers to complete a risk assessment of potential RFID systems.

Thursday, February 19, 2009

RFID Security & Privacy and Search Engine Results

Contributed by Joanne C. Kelleher

Marketers know that you can track social trends by looking at search engine results for select phrases. As the director of Marketing at SecureRF Corporation, I have been tracking various key words related to radio frequency identification (RFID) for a couple of years and after seeing Mark Roberti’s latest RFID Journal blog entry I did a little more research.

Mark Roberti’s RFID Opponent Joins Ixquick.com blog entry discusses how the RFID Journal website appears as the top link in Ixquick.com with a rating of eight stars. Ixquick, a meta-search engine that uses other search engines to produce its results, dubs itself "the world's most privacy-friendly search engine." The more times a site appears at the top of search results such as Google, MSN and Yahoo, the higher a rating the site receives in Ixquick. Mark found RFID Journal’s high rating ironic because “Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and an outspoken opponent of radio frequency identification—and, from time to time, of RFID Journal for its advocacy of the technology—has been placed in charge of public relations at Ixquick.com.”

In testing the phrase RFID Security (no quotes) in Ixquick I found that the blog I usually contribute to (the RFID Security blog) was ranked # 2 with six stars. The RFID Security Alliance homepage (RFIDSA.com) was ranked # 3 with six stars. Of the other “38 unique top-ten pages selected from at least 49,599,904 matching results” there were a mix of sites I expected, like Wikipedia and other RFID security vendors or organizations and a few disappointments, like a seven year old article and discount barcode vendor. Overall, these top results were focused on solutions to RFID security issues.

In comparison, the top result in Ixquick for the phrase RFID privacy was the Spychips site, a project of Katherine Albrecht’s CASPIAN organization. Most of the other “20 unique top-ten pages selected from at least 53,299,284 matching results” also focused on the issues and problems related to consumer privacy in the usage of RFID rather than solutions.

This trend of RFID security: solutions and RFID privacy: issues continued in Google. The phrase RFID Security currently results in about 1,060,000 Google results, a dramatic increase from about 518,000 to 626,000 pages at various times in 2008. I was pleasantly surprised to see that there are now 21 sponsored links for this phrase, including RFIDSA members Verayo and Neocatena. Until recently there were only a few paid listings for solutions to RFID security issues. In comparison, the phrase RFID currently results in over 21 million hits with 389 sponsored links and RFID privacy currently results in over 2 million hits but only 1 to 4 sponsored links (one of which was from Amazon for a book by the same name).

As the RFID Security Alliance was founded as a resource to drive market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications, we can have a role in changing these trends. If your organization is interested in addressing these issues, regardless of where your website currently appears in the search engines, we invite you to join the RFIDSA - www.rfidsa.com.

Monday, December 8, 2008

RFID Journal Opinion Piece On Collaborative Threat Modeling

RFID Journal has just published my opinion piece on Collaborative Threat Modeling.  The article can be seen here.

Thank you to Mark Roberti and his editing staff for assisting me in getting it published.

Monday, November 24, 2008

Ready, Fire, Aim !!!

In a recent article by Mark Roberti, founder of RFID Journal, titled "Pharma Ponders a Track-and-Trace System", he speaks of the current "great deal of focus on what state governments and the FDA will require the pharmaceutical industry to do, and less emphasis on the business value of RFID".

It is no secret that the entire RFID industry is salivating at the spectre of RFID as a part of the ePedigree initiative. The amount of revenue this would (and currently does) generate for the RFID industry is ENORMOUS. Imagine all the consulting, tags, readers, databases, etc. that an industry as large as the pharmaceutical industry, and all its associated industries, would need to make this happen. Also consider, if you will, that in the current economic crisis health care is still thriving. The RFID industry has grown rapidly in the past several years, and the current financial climate has put the brakes on RFID projects for many industries who are suffering in this economy. This, of course, is causing several industries to shift their focus to industries which can "pay the bills", and health care is definitely high on the list.

So why is Big Pharma not diving into RFID? There is no doubt that RFID offers many business benefits to the pharmaceutical industry. Is that not all that really matters?

The health care industry operates on a level which is vastly different than any other industry. Sure, you have the big financial models found in any industry. You have the same supply chain logistics exercises found elsewhere. You have the CXOs with the big pay, corporate jets, retreats, etc. The health care industry also has the FDA, which can be their best friend or their worst enemy, and the FDA is currently not taking ePedigree lightly. The problem, however, is that nobody really knows, with any degree of certainty, how ePedigree will impact those financial models, big pay, etc.

Drug companies are currently not held liable for counterfeits. Some may argue this, but the reality of the situation is that counterfeits are not something a drug company is LEGALLY held liable for. How does this potentially change when ePedigree becomes the law of the land? If Big Pharma spends billions of dollars implementing an ePedigree system which incorporates RFID as part of the track and trace technology, then what potential liability does Big Pharma, or a distributor, or a pharmacist, or whoever face if someone clones an RFID tag, or infiltrates a database, or if prescription information for your herpes medication is skimmed as you leave the pharmacy?

I firmly believe that one of the major reasons the health care industry is stable is because they have to be so much more careful before they adopt any new technology, system, paradigm, or idea. The impact of a failed health care system is ultimately devastating at a level unseen in most other industries. Not being able to ship drugs, pay suppliers, build devices, and so on means people suffer and die. The court of public opinion does not like it when this happens. The RFID Security Alliance has recently experienced a surge in interest in risk and security among health care professionals interested in adopting RFID. I was recently asked to deliver a presentation for a joint meeting of the ASQ (American Society for Quality) and the ISM (Institute for Supply Management) in February of 2009 regarding security considerations for ePedigree. My presentation emphasizes a need for a clear understanding of security considerations for the UNDERLYING ePedigree system (not the fact that ePedigree is meant to bring security to the drug supply chain), and was overwhelmingly well received by the ASQ Golden Gate Chapter board, who then presented it to the ISM, and arranged for the joint meeting. The health care industry looks to these organizations for guidance as they try to determine the best pathway to success for any initiative. Thankfully, these industries are indeed interested in understanding the potential risks associated with ePedigree implementation.

RFID industry leaders, on the other hand, have all but ignored security and risk management in their quest to make RFID ubiquitous. As the chairman of the RFID Security Alliance, I have first-hand knowledge of the VERY FEW organizations who are focusing on RFID security, and can tell you that they do not have industry leaders (i.e. RFID Journal, ABI Research, SupplyScape, etc.) banging on their doors for assistance in secure RFID implementation. I can tell you that most of the industry leaders have essentially politely ignored the efforts of the RFID Security Alliance.

Still, we are making progress. We have gotten the attention of the organizations which matter most to the health care industry, and they are beginning to understand that the RFID industry is not quite as forthcoming with an understanding of security and risk as they should be, and they are beginning to wonder why. We continue to press on.

Tuesday, October 14, 2008

Ignoring The Risk In The Name Of Profit...A "Cultural Change".

In an earlier posting, I spoke of a comparison between the current financial mess caused (at least in part) by bad choices at many levels in the housing/property market and potential bad choices being made by Pharmaceutical Companies as they consider options for ePedigree which include RFID. From an article I read today, Washington Mutual insiders have testified that the "company's risk managers, the 'gatekeepers' who were supposed to protect the bank from taking undue risks, were ignored, marginalized and in some cases, fired."

The article goes on to say that WaMu executives tried to convince risk managers to "lay off" and that the new way of doing business at the bank was part of a "cultural change" and instructed them to "lead the charge in modifying the perception of compliance and risk oversight from a regulatory burden to a competitive advantage."

This is an extremely direct and irresponsible approach to risk on the part of these executives, and truly indicative of a willfully ignorant approach to dealing with the issue. It is clear (at least to me) that executives who chose to ignore such risks are clearly at fault for the failure of such institutions.

In dealing with the security concerns in implementing RFID for use in the ePedigree initiative, the irresponsible behavior is not always so obvious. Security choices are generally delegated to the information technology and engineering departments, and the choices they make are generally driven by cost mandates for the implementation of the technologies, as well as the ease in which the security (if any) can be implemented. If implementation resources become strained (time and money), then security is simply marginalized. Executives are, by and large, unaware of this, and are generally viewed as innocent in nearly all cases of systemic failures caused by security breaches. This is largely because, unlike choices executives make regarding financial decisions, executives are not generally expected to understand the intricacies of security, nor do they want to. This situation results in "plausible deniability" par excellence. When faced with the cause of the failure, executives simply point the finger of guilt elsewhere.

An example of this would be the security failures in voting machines. The State Election Boards certified electronic voting machines for elections, and when security problems were discovered, they de-certified the machines, and the finger of guilt pointed directly at the voting machine vendors. Consequently, State and Federal governments have begun expending resources to determine how far the security issues go (and they are indeed being thorough), and we, as taxpayers, are now shouldering the burden of the failed system (one estimate places the cost to California alone at $66 Million). If this had simply been done at the beginning of the project, in all likelihood it would not have cost $66 Million plus the enormous loss in trust by the electorate in the election system and in vendors of the equipment.

What will happen if or when Pharmaceutical Companies decide to either ignore or marginalize security in the implementation of ePedigree systems? Such systems will cost BILLIONS of dollars to implement (a cost sure to be passed on to consumers and/or taxpayers), and will cost BILLIONS of dollars to repair once security holes manifest themselves. In several instances both I (a security consultant) and pharmaceutical consultants I have convinced to present the issue of security to pharmaceutical company employees who have been given direct responsibility for implementing ePedigree, have either been politely ignored or flat out told that "security is not even on the radar screen". When pressed for a reason that security is not being addressed, the typical response centers around...You Guessed It...cost.

Can we, as stakeholders in this initiative, sit idly by and allow this risk taking in the name of profit? Is this a "cultural change" we are ready to embrace?

Wednesday, September 10, 2008

RFID Security Alliance Member Comments About PUF Technology

Verayo recently announced that they have released the world's first unclonable RFID chip at RFID World in Las Vegas. Both Verayo and Veratag incorporate similar principles to achieve unclonability in their designs, in the sense that they rely on capturing differences introduced in manufacturing. In theory, this appears to be quite "solid". Both Verayo and Veratag are members of the RFID Security Alliance.

Celebrated security researcher Karsten Nohl is also a member of the RFID Security Alliance, and is well known for his research and commentary on RFID security. Karsten recently commented on PUF technology:

Verayo is the second company to announce the "World’s first unclonable RFID tag" based on a physically unclonable function (PUF), after Veratag announced a similar product based on PUF technology. The security claims of these and other PUF-based products seem dubious since the current realization of PUFs defies basic principles of cryptography. The announcement states:
This new RFID chip is based on recently announced breakthrough technology called Physical Unclonable Functions (PUF). PUF technology is a type of electronic DNA or fingerprinting technology for silicon chips that makes each chip unclonable.
It might be beside the point that neither DNA, nor fingerprints are unclonable. The failure of proprietary security, which has been a constant theme on this blog, has led many to conclude that only well-reviewed security primitives can be strong. PUF technology tries to achieve security in exactly the opposite way: the PUF circuit is designed in a way so that not even the designer understands how outputs are derived from inputs. Security-by-obscurity par excellence.
Every circuit, including PUFs, is a deterministic function; the only difference in PUF circuits is that some inputs to the function vary across different tags. For a PUF to be cryptographically strong, one would hence need to show that

1. the fixed part of the circuit (the cipher) is strong by cryptographic metrics,
2. the number of device-dependent inputs (the secret key) is large and
3. the entropy of these inputs is high.

PUFs are a wonderful idea for using manufacturing variance constructively, but in their current realization, PUFs fail to convince that they are strong building blocks for security systems.

It is important to note that while Nohl, Verayo, and Veratag are all members of the RFID Security Alliance this does not preclude scrutiny of security claims made by members of the RFIDSA, nor commentary of the same. It is also important to emphasize that this level of scrutiny is critical for the "vetting" of designs and technologies.
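To make Nohl's three criteria concrete, here is a constructed toy model of a PUF-based tag, added as an example and not Verayo's or Veratag's design. The device-dependent inputs are simulated manufacturing bits, and SHA-256 stands in (an assumption, not how real PUF circuits work) for the fixed part of the circuit so that criteria 2 and 3, the count and entropy of the device inputs, can be assessed across a simulated production run.

```python
"""Constructed toy PUF model illustrating Karsten Nohl's criteria for a
cryptographically strong PUF. Not a real product's design: the device
variation and the fixed circuit are both simulated here."""
import hashlib
import math
import random
from itertools import combinations
from typing import Dict, List, Sequence


def make_device_bits(rng: random.Random, n_bits: int, bias: float) -> List[int]:
    """Simulate manufacturing variation: the device-dependent inputs to the
    circuit (criterion 2 asks how many there are). Each bit is 1 with
    probability `bias`; 0.5 is ideal, values near 0 or 1 mean low entropy."""
    return [1 if rng.random() < bias else 0 for _ in range(n_bits)]


def puf_response(challenge: bytes, device_bits: Sequence[int]) -> bytes:
    """The fixed part of the circuit evaluated on (device inputs, challenge).
    A real PUF's fixed part is an undocumented analog circuit; here SHA-256,
    a reviewed primitive, stands in for it (criterion 1), so any remaining
    weakness can only come from the device-dependent inputs. Like every
    circuit, this is a deterministic function of its inputs."""
    key = bytes(
        int("".join(str(b) for b in device_bits[i:i + 8]), 2)
        for i in range(0, len(device_bits), 8)
    )
    return hashlib.sha256(key + challenge).digest()


def min_entropy_from_bias(biases: Sequence[float]) -> float:
    """Min-entropy in bits of independent device bits with the given P(bit=1),
    i.e. log2 of the work needed to guess the most likely device pattern."""
    return sum(-math.log2(max(p, 1.0 - p)) for p in biases)


def estimate_per_bit_bias(population: Sequence[Sequence[int]]) -> List[float]:
    """Per-position frequency of a 1 across a sample of manufactured devices."""
    n = len(population)
    return [sum(dev[i] for dev in population) / n for i in range(len(population[0]))]


def mean_inter_device_distance(population: Sequence[Sequence[int]]) -> float:
    """Average normalised Hamming distance between device-bit vectors: about
    0.5 is ideal; small values mean devices are nearly identical."""
    total, pairs = 0, 0
    for a, b in combinations(population, 2):
        total += sum(x != y for x, y in zip(a, b))
        pairs += 1
    return total / (pairs * len(population[0]))


def assess_device_inputs(n_bits: int, bias: float,
                         n_devices: int = 200, seed: int = 1) -> Dict[str, float]:
    """Assess criteria 2 and 3 for a simulated production run: how many
    device-dependent inputs exist, how much min-entropy they carry in
    practice, and how distinct the devices are from one another."""
    rng = random.Random(seed)
    population = [make_device_bits(rng, n_bits, bias) for _ in range(n_devices)]
    h_min = min_entropy_from_bias(estimate_per_bit_bias(population))
    return {
        "device_inputs": float(n_bits),      # criterion 2: size of the "key"
        "min_entropy_bits": h_min,           # criterion 3: entropy of the "key"
        "mean_distance": mean_inter_device_distance(population),
    }


if __name__ == "__main__":
    rng = random.Random(7)
    tag = make_device_bits(rng, 64, 0.5)
    # Determinism: the same tag always answers the same challenge the same way.
    assert puf_response(b"challenge-1", tag) == puf_response(b"challenge-1", tag)
    # 64 device inputs with ideal variation vs. 64 inputs that are almost all 1:
    # the same fixed circuit, but the second run has only a few bits of entropy.
    for bias in (0.5, 0.95):
        print(bias, assess_device_inputs(64, bias))
```

The bias of 0.95 run shows why criterion 3 matters on its own: the circuit and the number of device inputs are unchanged, yet the guessable pattern space collapses to a handful of bits.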

Wednesday, September 3, 2008

Adam Savage Changes His Account Of RFID Vendor Intimidation

In a previous post, I had linked to a YouTube video where Adam Savage of MythBusters gives an account of intimidation by credit card company legal teams when the MythBusters team was trying to prepare for a future episode which dealt with RFID vulnerabilities (among other RFID related topics).

Since that YouTube video has received some publicity, Adam Savage has taken a step back from his comments. From the CNet article:

MythBusters co-host Adam Savage is stepping back from public comments suggesting that legal counsel from several credit card companies led the Discovery Channel to pull the plug on an episode dedicated to security holes in RFID.
At the Last HOPE conference in New York in July, Savage told a crowd of several thousand people that his theory on why MythBusters had not gone forward with a planned episode on RFID (radio frequency identification) hackability was that on a conference call to discuss the matter with technicians from Texas Instruments, the lawyers for the credit cards companies had put the hammer down on the show.
"Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else (co-host Tory Belleci and a MythBusters producer) were way, way out-gunned," Savage told the crowd, "and (the lawyers) absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down, being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
But Texas Instruments spokeswoman Cindy Huff told CNET News on Tuesday that things had gone a bit different than Savage had said.
"In June 2007, MythBusters was interested in pursuing some great myth-busting ideas for RFID. While in pursuit, they contacted Texas Instruments' RFID Systems, who is a pioneer of RFID and contactless technology, for technical help and understanding of RFID in the contactless payments space," Huff said. "Some of the information that was needed to pursue the program required further support from the contactless payment companies as they construct their own proprietary systems for security to protect their customers. To move the process along, Texas Instruments coordinated a conversation with Smart Card Alliance (SCA) who invited MasterCard and Visa, on contactless payments to help MythBusters get the right information. Of the handful of people on the call, there were mostly product managers and only one contactless payment company's legal counsel member. Technical questions were asked and answered and we were to wait for MythBusters to let us know when they were planning on showing the segment. A few weeks later, Texas Instruments was told by MythBusters that the storyline had changed and they were pursuing a different angle which did not require our help."
And now, even Savage is saying that he got his facts wrong.
In a statement from Savage--who was speaking for himself at the conference and not appearing on behalf of the show--provided to CNET News by Discovery Channel on Wednesday, the MythBusters co-host retracted the substance of what he'd told the Last HOPE audience.
"There's been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn't on that story, and as I said on the video, I wasn't actually in on the call," Savage said in the statement. "Texas Instruments' account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn't get filmed, it's so bizarre and convoluted that no one would believe me, but suffice to say...the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department."
From his statement, it's also logical to conclude that when he told the Last HOPE audience that co-host Belleci was on the conference call, he had meant Grant Imahara, another MythBuster co-host.
Further, a Discovery Channel representative told me that MythBusters did end up running an episode, last January, on RFID, but that the issue of the technology's security holes was not addressed.

I will leave it up to you to decide what this potentially means, as my feelings about this are conjecture at best.

Tuesday, September 2, 2008

Official RFID Security Alliance Announcement

Today the RFID Security Alliance had the pleasure of officially announcing our presence to the world. I sincerely wish to thank all who have helped build the RFID Security Alliance, and continue to help it grow.

From the Business Wire Press Release:

The RFID Security Alliance Emerges As New Industry Resource
Alliance Drives Market Education and Dialog about Security and Privacy Issues Surrounding the Use of RFID Solutions and Applications
SAUSALITO, Calif.--(BUSINESS WIRE)--The RFID Security Alliance (RFIDSA) today officially made its presence known as a new resource for the radio frequency identification (RFID) industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications. RFIDSA aims to be a visible resource to the RFID community through people, tools, market presence and organizational involvement.
“Founding members of the RFID Security Alliance all share a common vision of implementing RFID applications with the appropriate level of security and privacy, balancing risk and cost,” said Mike Ahmadi, chairman of the RFIDSA and COO of GraniteKey. “We want others to realize that security and privacy are functions that can successfully be part of an RFID solution, and that should be considered during the design process, not after.”
The RFIDSA has several goals and objectives, including:
Education – To educate all stakeholders (e.g. Alliance members, potential users, analysts, educational institutions, media, etc.) about security and privacy issues as they relate to RFID, in addition to associated technologies and processes.
Metrics – To develop metrics that may be used to establish common terminology around security robustness within the industry.
Dialog – To foster an open, two-way dialog within the RFID community.
Resources – To provide information and support to stakeholders involved in RFID development and implementation. This includes developing and publishing a public reference list of RFID vendors involved in the RFIDSA.
Legislative and PR Involvement – To inspire all RFIDSA members to become involved in, and monitor social and legislative initiatives with respect to RFID security and privacy. This includes addressing myths surrounding RFID security, and promoting positive legislation and perception through sensible analysis. Also included is examining and commenting on the liabilities of those who ignore the security implications in RFID development and implementation.
Demonstration Technologies – To have the capability to effectively demonstrate the RFIDSA concepts and initiatives, including the development of RFID security threat assessment models.
Acceleration of Secure RFID – To foster an environment that leads to sensible and rapid adoption of secure RFID technologies and solutions.
Founding members of the RFIDSA include AWID, GraniteKey, MIKOH Corporation, NeoCatena Networks, Inc., QLM Consulting, SecureRF Corporation, Sensitel, Sybase and Verayo. Companies with a substantial business in providing RFID or security hardware, software, or services are encouraged to inquire about membership with the RFIDSA. Law firms, consulting firms, accounting firms and educational institutions interested in the RFID security issue are also welcome.
About the RFID Security Alliance:
The RFID Security Alliance (RFIDSA), a California corporation, was founded as a resource for the RFID industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications. More information about RFIDSA can be found on its Web site at www.RFIDSA.com. Insights into RFID Security can be also found on the association’s blog at http://rfidsa.blogspot.com/.

Saturday, August 30, 2008

Adam Savage: Credit Card Companies Bullied Mythbusters

Here is a YouTube interview with MythBusters' Adam Savage talking about how they would not do an episode of MythBusters on RFID security because they (Discovery Channel) were intimidated by credit card companies' legal teams.

I can certainly understand how credit card companies would freak out at this exposure. The MythBusters do a very thorough job of researching and testing "myths". It is certainly not a full scientific method, but anyone who watches them knows that they definitely present very compelling information.

I guess exposing information to the general public is simply not an acceptable practice if you are a credit card company. This is a shame, as I am sure it would have been a very interesting episode. I found this on Digg.com. Please go to the link to see the comments.


Thursday, August 14, 2008

Who owns the liability? Scenario #1

Counterfeit drugs are currently a booming business. I am not going to go into detail about this, since a simple Google search will tell you all you want to know about the problem.

Pharmaceutical companies do not like counterfeit drugs making their way into the marketplace. Counterfeits cut into profits and make a drug company look bad. Pharmaceutical companies, however, are generally not liable for counterfeits making their way into the marketplace. If someone chooses to buy their heart medication over the internet and they get sugar pills that look like the real thing, and then die from using those pills, nobody can claim that the maker of the genuine drug is liable for this. If someone buys a counterfeit from a legitimate source (such as a genuine brick and mortar pharmacy), then the liability chain starts there, and a good investigation can probably trace the problem somewhere short of the company making the genuine drug. Once again, Big Pharma (my nickname for the pharmaceutical industry) is not liable.

Now we get to ePedigree, which is the huge initiative mandated by the Federal Government for all drug companies to implement a system to track and trace all drugs they produce. At least one of the goals of mandating ePedigree is to combat the enormous proliferation of counterfeit drugs. In essence, drug companies will have to put an identifier on the drugs they sell to ensure that they can be traced all the way back to the manufacturing plant. If someone buys a counterfeit drug, the identifier will (ostensibly) not be present, and therefore the drug is a counterfeit. This is definitely an oversimplification of the ePedigree initiative, but the essence of what I am describing is valid.

One can imagine the enormous cost that Big Pharma must absorb in making this happen, not to mention everyone involved in the supply chain. In a word, this is an enormous headache to the entire industry. Counterfeits are definitely a problem, but the industry remains quite profitable despite the counterfeits on the market. It is difficult to ascertain the losses a company faces due to counterfeits, but they can determine the enormous cost of ePedigree, and the numbers simply do not look pretty. The bottom line is that Big Pharma is currently interested in implementing a system which is primarily low in cost. That is essentially the first reaction to any organization which is forced to comply.

So let me paint a scenario. Big Pharma is required to implement unique identifiers on their drugs. A drug counterfeiter makes a counterfeit copy of the identifier (such as an RFID tag), and attaches it to the bottle of counterfeit drugs. Someone buys the counterfeit drug over the Internet (the same counterfeit heart medicine I mentioned earlier) and dies from using the counterfeit. When checked for authenticity, the RFID tag shows that the drug was legitimate, and it is traced back to the source. Further investigation reveals that the tag itself was counterfeited. When asked about what security Big Pharma put in place to prevent this from happening, what will the answer be? Who owns the liability at this point?

Creating an insecure (i.e. clonable) ePedigree system introduces a method for a counterfeiter to introduce drugs which are deemed COMPLETELY VALID into the system. Nokia, for example, is currently implementing RFID readers into mobile phones. This could eventually make its way into the home, and someone who buys drugs over the Internet could "validate" their internet purchases. Pharmacies that receive counterfeit drugs with "valid" RFID tags would feel quite confident that the drugs are legitimate. After all, the ePedigree information says they are!
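The scenario above, worked through as an added illustration (this is not code from the post, the Alliance, or any ePedigree vendor): a verifier that only looks the identifier up accepts a tag carrying a copied serial, while a verifier that challenges the tag with a fresh nonce under a per-tag secret does not, and a custody ledger can flag the same serial turning up twice. The registry, serials, secrets and custody trail are all constructed for the example; the per-tag key held by the manufacturer is an assumption, not a feature of any deployed system.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed manufacturer registry (hypothetical serials and secrets): serial -> per-tag key.
# A counterfeiter who reads a genuine tag learns the serial but never the key.
TAG_REGISTRY = {
    "SN-000123": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "SN-000124": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


class Tag:
    """A tag as the reader sees it. A genuine tag holds its secret; a cloned tag
    holds only the copied serial (key=None), since the secret never leaves the chip."""

    def __init__(self, serial, key=None):
        self.serial = serial
        self._key = key

    def respond(self, challenge):
        """Keyed response to the reader's nonce (HMAC-SHA256 under the tag secret)."""
        if self._key is None:
            return b"\x00" * 32  # a clone has no secret and cannot compute the answer
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def verify_serial_only(tag, registry=TAG_REGISTRY):
    """The weak check the post warns about: 'is this identifier in our database?'
    Any tag carrying a copied serial passes."""
    return tag.serial in registry


def verify_challenge_response(tag, registry=TAG_REGISTRY, nonce=None):
    """Stronger check: send a fresh random nonce and accept only a tag that can
    compute the keyed response. A copied serial alone is not enough."""
    key = registry.get(tag.serial)
    if key is None:
        return False
    if nonce is None:
        nonce = secrets.token_bytes(16)  # fresh per query, so old answers cannot be replayed
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(nonce))


class PedigreeLedger:
    """Minimal custody ledger. Each serial should sit with one custodian at a time and
    be dispensed once; a second holder or a second dispense is a clone indicator."""

    def __init__(self):
        self._events = defaultdict(list)  # serial -> [(timestamp, custodian, action)]

    def record(self, serial, custodian, action, timestamp):
        self._events[serial].append((timestamp, custodian, action))

    def suspected_clones(self):
        flagged = set()
        for serial, events in self._events.items():
            holder, dispensed = None, False
            for _, custodian, action in sorted(events):
                if action == "receive":
                    if holder is not None and holder != custodian:
                        flagged.add(serial)  # two custodians hold the same serial
                    holder = custodian
                elif action == "ship" and holder == custodian:
                    holder = None
                elif action == "dispense":
                    if dispensed:
                        flagged.add(serial)  # the same unit sold to a patient twice
                    dispensed, holder = True, None
        return flagged


def demo_ledger():
    """Constructed custody trail: SN-000124 moves cleanly; SN-000123 is cloned, turns up
    at a second pharmacy while the first still holds it, and is then dispensed twice."""
    ledger = PedigreeLedger()
    for serial in ("SN-000123", "SN-000124"):
        ledger.record(serial, "manufacturer", "ship", 1)
        ledger.record(serial, "wholesaler", "receive", 2)
        ledger.record(serial, "wholesaler", "ship", 3)
        ledger.record(serial, "pharmacy-A", "receive", 4)
    ledger.record("SN-000123", "pharmacy-B", "receive", 5)   # clone arrives elsewhere
    ledger.record("SN-000123", "pharmacy-A", "dispense", 6)
    ledger.record("SN-000123", "pharmacy-B", "dispense", 7)  # second dispense
    ledger.record("SN-000124", "pharmacy-A", "dispense", 6)
    return ledger.suspected_clones()  # returns {'SN-000123'}


if __name__ == "__main__":
    clone = Tag("SN-000123")  # serial copied from a genuine tag, no key
    print("serial-only accepts clone:", verify_serial_only(clone))               # True
    print("challenge-response accepts clone:", verify_challenge_response(clone))  # False
    print("ledger flags:", demo_ledger())                                        # {'SN-000123'}
```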

Several members of the RFID Security Alliance have, quite literally, met with Big Pharma and posed the issue of security in ePedigree, and the response has been less than promising. One company said they have absolutely no incentive to deal with security. Another said they will deal with security when it is a problem (this is ALWAYS a bad idea). Still others said they are not going to spend the money for security. These are all Fortune 10 companies. Big Pharma may deny this, but my sources are pretty darn good.

When faced with the question "Why didn't you make this more secure?", what is Big Pharma's answer going to be?

Will they claim ignorance?

Will they claim they are not liable?

Tough questions...

Friday, August 8, 2008

And the winner is....

Several years ago I recall seeing a picture of a sign someone had posted on a bridge which read something like this:

Remember when you drive over this bridge that the company who built it was the lowest bidder.

Sort of makes you question the safety of the bridge, does it not?

At the Blackhat Conference this past week, several of the exploits generating quite a bit of stir involve attacks on automatic toll systems (which use completely non-secure RFID), as well as attacks on e-passports (also using non-secure RFID).

Security experts have discussed the vulnerabilities of these systems nearly to the point of exhaustion, only to be dismissed as theoretical possibilities.

An article posted at Techdirt.com discusses this latest Blackhat exploit, and the last sentence in the article asks "So why weren't these systems designed with better security in the first place?"...which brings us back to the bridge.

Sadly, I am willing to bet anyone that every one of the companies who implemented these systems was absolutely made aware that they had to consider the design of the security of the system, and absolutely either chose to ignore security, or failed to validate security if they did choose to implement it.

The lowest bidder can easily cut security out of the bid, because everyone else does.

Perhaps the makers of the toll systems and passports can sue the Blackhat hackers, like NXP tried to do to the students who published the Oyster Card exploit. I am sure their lawyers would love to collect some fees.

Wednesday, August 6, 2008

Why Do They Choose To Ignore The Risk?

I was reading through some news items today, and ran across several stories asking why Freddie Mac chose to ignore advice from their risk management officers who were telling Freddie Mac CEO, Richard F. Syron, that the risky subprime loans they were backing were exposing them to huge risks (read the article here).

This reminded me of an article I recently penned. I am not sure it answers the question, but I think it makes a valid point:

Humans are generally well intentioned beings. We do not, however, begin life that way. Any of you who have children can certainly relate to this. A child is perhaps the most self centered being in the world. Children will fly into tantrums, hit, kick, bite, steal, and do whatever it takes to get what they both need and want. This is not because children are inherently evil. They simply do not know any other way to survive. When we attempt to teach our children how to do better it is no surprise that they do not welcome this gift of wisdom. After all, their method works to achieve the results they want, and changing gears is just too much work.

Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any stretch of the imagination, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.

At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.

Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.

I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends and associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with “rocking the boat” or questioning “common wisdom”. This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: the ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.

So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?

As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.

Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.

Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.

Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, the point of breakdown could be detected, isolated and addressed in the event of a problem. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholders have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing & legal resources? The list goes on. How will the information be shared? The complexity is staggering.

As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in pharmaceutical manufacture and the supply chain are clearly focused on compliance with a law that, if not complied with, will lead to a complete inability to do business. I have witnessed a great deal of activity at the tactical level – putting together the components to comply with the law, but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep, so these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it? Will this “Care” only emerge after enough people have died, or enough money has been wasted on a broken system, at which point people will be galvanized to be the hero and fix the problem, once the appropriate resources and attention have been allocated? What kind of “Caring” is this? Can a company afford to care if nobody else does?

So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?

You and I will, of course.

So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?

Karsten Nohl Discusses RFID Insecurities

Karsten Nohl, the security researcher who was part of a team that broke the crypto algorithm in the Mifare Classic RFID-based smart card, talks about his upcoming briefing at Black Hat in Las Vegas in an interview with Security Wire Weekly called Wireless Insecurities.

Nohl, a University of Virginia graduate student, has been active with the RFID Security Alliance and presented a threat model for Mifare at our May meeting. Hear his interview at http://securitywireweekly.blogs.techtarget.com/2008/08/01/sww-wireless-insecurities/

Monday, August 4, 2008

RFIDSA Presenting at RFID World on September 9.

Members of the RFID Security Alliance are presenting at RFID World. The presentation is called "RFID Security Should Not be an Afterthought." If you are going to be in Las Vegas for this event, you are invited to attend the session.

Date/Time: Tuesday, September 9, 2008, 1:00pm — 1:50pm

Description: RFID technology offers great benefits - supply chain solutions, for example, provide unprecedented visibility and increased efficiency. However, the technology also introduces a number of new business risks, among them:
-Fraud and error as a result of tag data manipulation
-Cloning of tags
-Malware and viruses stored on tags
-Hacker attacks at the point of sale, cyber shoplifting
-Interruption of business continuity as a result of attacks against IT infrastructure (readers, edge servers, backend systems)
To fully enjoy the benefits of RFID, these risks need to be addressed adequately. A holistic approach is required, analyzing an RFID system end-to-end to identify potential threats and their business impact. Members of the RFID Security Alliance will discuss strategies to minimize or mitigate these risks and how to comply with industry regulations and governing law (e.g. SOX, FDA). The discussion starts with a short presentation by Lukas Grunwald (NeoCatena).

More information about RFID World is at http://www.cmpegevents.com/web/rfid/home

Tuesday, July 15, 2008

The Expressway To What?

I recently had the opportunity to attend a meeting titled the "California Express Manufacturer Workshop", which turned out to be a very elegant presentation, held at SAP Laboratories in Palo Alto, California. For those of you unfamiliar with the California Express Solution, it is a conglomeration of six companies with the goal of creating a suite of solutions to get California companies who must comply with the upcoming ePedigree laws up and running as soon as possible. From the site:

The California Express Solution provides a framework for global serialization and ePedigree compliance to pharmaceutical and bio tech manufacturers, wholesale distributors, and contract producers of any size. We will help you prepare for quickly approaching mandates in the United States. The California Express Team includes these member companies: ACSIS, HP, Nosco, SupplyScape, Systech International, and InCode.
The California Express Team is cross-trained on all solution components, works on common issues such as serial number structures and provides educational workshops and webinars to the industry. The team has specific expertise and focus on solutions for SAP customers and the deployment of the SAP enterprise serialization infrastructure.

Being involved in the security industry, and working with RFID companies who are focused on RFID security, I was initially excited about this workshop. After all, I surmised, ePedigree is about securing drugs against counterfeits (at least in part, if not in its essence), and who wouldn't want help in implementing a secure RFID solution. As it turns out, security is one of the last things on the mind of the companies who are being forced to comply. Why is that the case? Because security is not mandated. Sure, if you ask the solution providers questions about security, they will tell you they are implementing it. The minute you start digging deeply into validating the security of the ePedigree solutions, you quickly find that it is more "security theater" than security.

I made several attempts to make contact with SupplyScape, who is at the forefront of this initiative, but my emails have all gone unanswered.

The reality of this entire situation is that making these organizations validate the security of these systems is more of a headache than they wish to deal with, which really means that the California Express Solution is an expressway to yet another failed security solution.

Unfortunately, the companies involved will probably come back to us after they have caused stakeholders BILLIONS of dollars due to a failure of the system, or if the FDA ever requires validation of the security of the system.

Until then, we will try to get the word out.

Monday, June 30, 2008

Don't Shoot The Messenger

Mark Roberti, owner of the popular RFID Journal (http://www.rfidjournal.com) recently posted a small piece on the RFID Journal Blog where he admonished Greg Day, an analyst for security company McAfee, for comments he made regarding the security issues surrounding contactless payments. While I feel Mr. Roberti has every right to express his opinion of Mr. Day, I was a bit disappointed in a comment he made which I felt characterized security experts as fear mongers:

"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."

I sent the following email to Mr. Roberti:

I read the article titled "Yes, Contactless Payments Are Safe" and found the final line more than a little alarming:
"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."
While there are many instances we all can point to where scare tactics are used to promote agendas, not all security experts are trying to scare people. In fact, one of the basic tenets of the RFID Security Alliance is to avoid using scare tactics, and carefully presenting information as factually as possible and fostering a collaborative environment to discuss the issues surrounding RFID and security.
As a security expert, there are several points in the article that I would like to discuss. For example, the point of OTA dynamic security patches. Many systems designed to be managed in this manner are fraught with security issues. The iPhone, for example, has had many security patches applied to it in a similar manner (not OTA, but through a downloaded update), and is generally hacked again within 24-48 hours. OTA management systems, once breached, can become a means of mass hacking from literally thousands of miles away. I would love to discuss a threat model about this issue.
Security experts are not here merely to generate Fear, Uncertainty, and Doubt. Believe it or not, many of us truly care about being ethical and shy away from scaring people. Many security problems are caused by fear mongering, because people tend to make rash decisions out of fear, and that is rarely the best decision. Consumers do indeed have much to be concerned with, and security experts are working hard (around the clock) to address and FIX the problems. That is the true measure of our success. Please reconsider the tone of this article. RFID Journal is arguably the most prominent RFID publication in this nation. What you say carries a lot of weight, and the tone of this article may serve to alienate many stakeholders who are indeed concerned with creating secure RFID solutions.
Please consider attending a meeting of the RFID Security Alliance. I have invited you several times. Your presence would be welcomed.
Thank You,
Mike Ahmadi

Mr. Roberti graciously replied:

It's interesting that you are alarmed by my comment about security experts and not alarmed by the original article in which Greg Day says that this is a huge threat to consumers. It's okay for Day to say something that is extremely detrimental to the NFC industry, but it's not okay for me to be critical of security experts?
If the Alliance has credibility, it should come out and condemn Day and his irresponsible comments and then set the record straight. I'm sure not all security experts are trying to scare people, but I frankly haven't seen a lot of evidence of that. Comments like Day's are far more common.
Having said that, I'm interested in open and honest discussion of the issues. I suggest you post your comments about OTA on the blog page for others to read. I'm sure many readers will be interested.

My response:

Thank you very much for your quick response. It is certainly okay for you to voice your opinion on any topic. I truly believe that is what makes the internet fantastic. My point is that you carry quite a bit of weight in what you say. I would like to posit that more people in the RFID industry are familiar with Mark Roberti than they are with Greg Day.
That being said, I do not feel the credibility of the RFID Security Alliance hinges on the condemnation of anyone. We are not here to admonish anyone. We are trying to foster open discussions of security issues surrounding the secure implementation of RFID systems. That is why the RFIDSA is open to all who wish to attend.
As for the comments Greg Day made in the article you mention, I could not find it through the link on your blog, but I did find the Reuters article at the Reuters site:
While I understand how many in the NFC industry may be concerned by some of Day's comments, I am curious as to why you feel his comments are any more or less irresponsible than making the blanket statement that Contactless Payments Are Safe. Once again, your words carry a lot of weight, and such statements should be carefully considered.
Is there any way we can perhaps foster more of an environment where the RFIDSA can work together with RFID Journal to deliver the message in a better way. I can understand your viewpoint about security experts being alarmist, but there are many of us that choose not to take that stance, and would like to foster a more cooperative environment. Your support can go a long way to creating an environment where we ALL achieve the credibility we would like to have.

Mike Ahmadi

Mr. Roberti's response:

Mike, here is why I feel my comments are not irresponsible and his are. First, McAfee is a company that is well known and carries a great deal of weight with consumers. The article was published by Reuters, a news agency picked up by hundreds, maybe thousands, of newspapers around the world. It had the potential to influence millions of consumers, and yet Day provided no evidence or reasons for claiming NFC phones are such a huge threat. He said only that criminals will steal in small increments. He doesn’t explain what the security flaws are or why they can’t be addressed by the NFC industry. Reuters was equally irresponsible for not having an NFC person respond in the article. My blanket statement was not irresponsible because my statement is demonstrably true. Even if a hacker steals information stored on your NFC phone and makes a fraudulent purchase, you are not any more responsible for that purchase than you would be if the waiter you gave your card to last night used it to buy something. Also, to my knowledge, there has not been a single case of an NFC device being abused. Further, one would have to be insane to believe that the makers of phones and NFC chips will not continue to enhance the technology in an effort to make it safer. You may believe that my statement is inaccurate. But I think you would be hard pressed to say that I did not try to support it with the facts as I know them, as opposed to Day who does not support his argument. I recognize that I don’t know everything, so if you believe my statement to be wrong, then I would welcome you to publish an article on RFID Journal to say why. I have credibility because I am willing to criticize those in my industry who would not respect people’s privacy and because I am willing to publish views that are contrary and/or critical of my own. Not only am I willing, I believe it is essential to the RFID industry to do so.
So I’m more than willing to work with any party to enlighten and inform the public and the RFID industry about potential problems.


Mr. Roberti then posted a new entry:

Yes, it is true that consumers have much to be concerned about and it is true that the cost of NFC fraud would be passed on to them. It's equally true that when credit card numbers are stolen from databases and when mag stripe cards are cloned, consumers pay the price for that too. I was wrong to generalize. All security experts aren't trying to scare people. But Day's comments were grossly irresponsible and potentially very damaging to the NFC industry and to consumers who could benefit from the technology should it take off.

I wish to thank Mr. Roberti for clarification of his statement, and wish to once again invite him to attend a meeting of the RFID Security Alliance. As of this date, all my requests to Mr. Roberti to attend a meeting have gone unanswered.

I am sure Mr. Roberti is a very busy person. He should, however, consider working directly with security experts in order to avoid such misunderstandings in the future.

Just my opinion, so take it or leave it!