Monday, December 8, 2008

RFID Journal Opinion Piece On Collaborative Threat Modeling

RFID Journal has just published my opinion piece on Collaborative Threat Modeling.  The article can be seen here.

Thank you to Mark Roberti and his editing staff for assisting me in getting it published.

Monday, November 24, 2008

Ready, Fire, Aim !!!

In a recent article by Mark Roberti, founder of RFID Journal, titled "Pharma Ponders a Track-and-Trace System", he speaks of the current "great deal of focus on what state governments and the FDA will require the pharmaceutical industry to do, and less emphasis on the business value of RFID".

It is no secret that the entire RFID industry is salivating at the spectre of RFID as a part of the ePedigree initiative. The amount of revenue this would (and currently does) generate for the RFID industry is ENORMOUS. Imagine all the consulting, tags, readers, databases, etc. that an industry as large as the pharmaceutical industry, and all its associated industries, would need to make this happen. Also consider, if you will, that in the current economic crisis health care is still thriving. The RFID industry has grown rapidly in the past several years, and the current financial climate has put the brakes on RFID projects for many industries who are suffering in this economy. This, of course, is causing several RFID vendors to shift their focus to industries which can "pay the bills", and health care is definitely high on the list.

So why is Big Pharma not diving into RFID? There is no doubt that RFID offers many business benefits to the pharmaceutical industry. Is that not all that really matters?

The health care industry operates on a level which is vastly different from any other industry. Sure, you have the big financial models found in any industry. You have the same supply chain logistics exercises found elsewhere. You have the CXOs with the big pay, corporate jets, retreats, etc. The health care industry also has the FDA, which can be their best friend or their worst enemy, and the FDA is currently not taking ePedigree lightly. The problem, however, is that nobody really knows, with any degree of certainty, how ePedigree will impact those financial models, big pay, etc.

Drug companies are currently not held liable for counterfeits. Some may argue this, but the reality of the situation is that counterfeits are not something a drug company is LEGALLY held liable for. How does this potentially change when ePedigree becomes the law of the land? If Big Pharma spends billions of dollars implementing an ePedigree system which incorporates RFID as part of the track and trace technology, then what potential liability does Big Pharma, or a distributor, or a pharmacist, or whoever face if someone clones an RFID tag, or infiltrates a database, or if prescription information for your herpes medication is skimmed as you leave the pharmacy?

I firmly believe that one of the major reasons the health care industry is stable is because they have to be so much more careful before they adopt any new technology, system, paradigm, or idea. The impact of a failed health care system is ultimately devastating at a level unseen in most other industries. Not being able to ship drugs, pay suppliers, build devices, and so on means people suffer and die. The court of public opinion does not like it when this happens. The RFID Security Alliance has recently experienced a surge in interest in risk and security among health care professionals interested in adopting RFID. I was recently asked to deliver a presentation for a joint meeting of the ASQ (American Society for Quality) and the ISM (Institute for Supply Management) in February of 2009 regarding security considerations for ePedigree. My presentation emphasizes a need for a clear understanding of security considerations for the UNDERLYING ePedigree system (not the fact that ePedigree is meant to bring security to the drug supply chain), and was overwhelmingly well received by the ASQ Golden Gate Chapter board, who then presented it to the ISM, and arranged for the joint meeting. The health care industry looks to these organizations for guidance as they try to determine the best pathway to success for any initiative. Thankfully, these industries are indeed interested in understanding the potential risks associated with ePedigree implementation.

RFID industry leaders, on the other hand, have all but ignored security and risk management in their quest to make RFID ubiquitous. As the chairman of the RFID Security Alliance, I have first-hand knowledge of the VERY FEW organizations who are focusing on RFID security, and can tell you that they do not have industry leaders (i.e. RFID Journal, ABI Research, SupplyScape, etc.) banging on their doors for assistance in secure RFID implementation. I can tell you that most of the industry leaders have essentially politely ignored the efforts of the RFID Security Alliance.

Still, we are making progress. We have gotten the attention of the organizations which matter most to the health care industry, and they are beginning to understand that the RFID industry is not quite as forthcoming with an understanding of security and risk as they should be, and they are beginning to wonder why. We continue to press on.

Tuesday, October 14, 2008

Ignoring The Risk In The Name Of Profit...A "Cultural Change".

In an earlier posting, I spoke of a comparison between the current financial mess caused (at least in part) by bad choices at many levels in the housing/property market and potential bad choices being made by Pharmaceutical Companies as they consider options for ePedigree which include RFID. From an article I read today, Washington Mutual insiders have testified that the "company's risk managers, the "gatekeepers" who were supposed to protect the bank from taking undue risks, were ignored, marginalized and in some cases, fired."

The article goes on to say that WaMu executives tried to convince risk managers to "lay off" and that the new way of doing business at the bank was part of a "cultural change" and instructed them to "lead the charge in modifying the perception of compliance and risk oversight from a regulatory burden to a competitive advantage."

This is an extremely direct and irresponsible approach to risk on the part of these executives, and truly indicative of a willfully ignorant approach to dealing with the issue. It is clear (at least to me) that executives who chose to ignore such risks are clearly at fault for the failure of such institutions.

In dealing with the security concerns in implementing RFID for use in the ePedigree initiative, the irresponsible behavior is not always so obvious. Security choices are generally delegated to the information technology and engineering departments, and the choices they make are generally driven by cost mandates for the implementation of the technologies, as well as the ease with which the security (if any) can be implemented. If implementation resources become strained (time and money), then security is simply marginalized. Executives are, by and large, unaware of this, and are generally viewed as innocent in nearly all cases of systemic failures caused by security breaches. This is largely because, unlike choices executives make regarding financial decisions, executives are not generally expected to understand the intricacies of security, nor do they want to. This situation results in "plausible deniability" par excellence. When faced with the cause of the failure, executives simply point the finger of guilt elsewhere.

An example of this would be the security failures in voting machines. The State Election Boards certified electronic voting machines for elections, and when security problems were discovered, they de-certified the machines, and the finger of guilt pointed directly at the voting machine vendors. Consequently, State and Federal governments have begun expending resources to determine how far the security issues go (and they are indeed being thorough), and we, as taxpayers, are now shouldering the burden of the failed system (one estimate places the cost to California alone at $66 Million). If this kind of thorough security review had simply been done at the beginning of the project, in all likelihood it would not have cost $66 Million plus the enormous loss in trust by the electorate in the election system and in vendors of the equipment.

What will happen if or when Pharmaceutical Companies decide to either ignore or marginalize security in the implementation of ePedigree systems? Such systems will cost BILLIONS of dollars to implement (a cost sure to be passed on to consumers and/or taxpayers), and will cost BILLIONS of dollars to repair once security holes manifest themselves. In several instances, both I (a security consultant) and pharmaceutical consultants whom I have convinced to raise the issue of security with pharmaceutical company employees directly responsible for implementing ePedigree have either been politely ignored or flat out told that "security is not even on the radar screen". When pressed for a reason that security is not being addressed, the typical response centers around...You Guessed It...cost.

Can we, as stakeholders in this initiative, sit idly by and allow this risk taking in the name of profit? Is this a "cultural change" we are ready to embrace?

Wednesday, September 10, 2008

RFID Security Alliance Member Comments About PUF Technology

Verayo recently announced that they have released the world's first unclonable RFID chip at RFID World in Las Vegas. Both Verayo and Veratag incorporate similar principles to achieve unclonability in their designs, in the sense that they rely on capturing differences introduced in manufacturing. In theory, this appears to be quite "solid". Both Verayo and Veratag are members of the RFID Security Alliance.

Celebrated security researcher Karsten Nohl is also a member of the RFID Security Alliance, and is well known for his research and commentary on RFID security. Karsten recently commented on PUF technology:

Verayo is the second company to announce the "World’s first unclonable RFID tag" based on a physically unclonable function (PUF), after Veratag announced a similar product based on PUF technology. The security claims of these and other PUF-based products seem dubious since the current realization of PUFs defies basic principles of cryptography. The announcement states:
This new RFID chip is based on recently announced breakthrough technology called Physical Unclonable Functions (PUF). PUF technology is a type of electronic DNA or fingerprinting technology for silicon chips that makes each chip unclonable.
It might be beside the point that neither DNA, nor fingerprints are unclonable. The failure of proprietary security, which has been a constant theme on this blog, has led many to conclude that only well-reviewed security primitives can be strong. PUF technology tries to achieve security in exactly the opposite way: the PUF circuit is designed in a way so that not even the designer understands how outputs are derived from inputs. Security-by-obscurity par excellence.
Every circuit, including PUFs, is a deterministic function; the only difference in PUF circuits is that some inputs to the function vary across different tags. For a PUF to be cryptographically strong, one would hence need to show that

1. the fixed part of the circuit (the cipher) is strong by cryptographic metrics,
2. the number of device-dependent inputs (the secret key) is large and
3. the entropy of these inputs is high.

PUFs are a wonderful idea for using manufacturing variance constructively, but in their current realization, PUFs fail to convince that they are strong building blocks for security systems.

It is important to note that while Nohl, Verayo, and Veratag are all members of the RFID Security Alliance, this does not preclude scrutiny of security claims made by members of the RFIDSA, nor commentary on the same. It is also important to emphasize that this level of scrutiny is critical for the "vetting" of designs and technologies.
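Nohl's three criteria above can be turned into a concrete evaluation for the two that are measurable from a population of tags (the number of device-dependent inputs and their entropy). The following is an added example written for this post, not code from Verayo, Veratag, or the RFIDSA: it models a PUF as a deterministic function of a challenge and a vector of manufacturing-dependent bits, uses HMAC-SHA256 as a stand-in for the fixed part of the circuit, and estimates the Shannon and min-entropy of the device-dependent bits from a constructed population. The populations, the 80-bit key floor and the 90% entropy ratio are this example's assumptions, not figures from the page; the independence of bit positions is also an assumption that a real evaluation would have to test.

```python
import hashlib
import hmac
import math
import random
from typing import Dict, List

# Toy model constructed for this example (not Verayo's or Veratag's design):
# a tag's device-dependent input is a bit vector fixed by manufacturing
# variance, and the PUF is a deterministic function of (challenge, device bits).
# HMAC-SHA256 stands in for the fixed, reviewable part of the circuit
# (criterion 1), so the only unreviewed part of the model is the device input.


def puf_response(challenge: bytes, device_bits: List[int]) -> bytes:
    """Deterministic response: same challenge and same device bits give the same output."""
    secret = bytes(device_bits)  # one byte per bit is fine for a toy model
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def simulate_tag_population(n_tags: int, n_bits: int, p_one: float, seed: int) -> List[List[int]]:
    """Constructed population: each device-dependent bit is 1 with probability p_one
    (0.5 is unbiased; values near 0 or 1 model a manufacturing process with little variance)."""
    rng = random.Random(seed)
    return [[1 if rng.random() < p_one else 0 for _ in range(n_bits)] for _ in range(n_tags)]


def bit_bias(population: List[List[int]]) -> List[float]:
    """Fraction of tags with a 1 in each bit position (an estimate of that bit's bias)."""
    n_tags = len(population)
    width = len(population[0])
    return [sum(tag[i] for tag in population) / n_tags for i in range(width)]


def shannon_entropy_bits(population: List[List[int]]) -> float:
    """Sum of per-position Shannon entropies (assumes positions are independent)."""
    total = 0.0
    for p in bit_bias(population):
        for q in (p, 1.0 - p):
            if q > 0.0:
                total -= q * math.log2(q)
    return total


def min_entropy_bits(population: List[List[int]]) -> float:
    """Sum of per-position min-entropies: the guessing resistance the secret actually offers."""
    return sum(-math.log2(max(p, 1.0 - p)) for p in bit_bias(population))


def assess_puf_inputs(population: List[List[int]], min_key_bits: int = 80,
                      min_entropy_ratio: float = 0.9) -> Dict[str, object]:
    """Criteria 2 and 3 from the comment: many device-dependent inputs, and high entropy in them.
    The thresholds are this example's assumptions, not figures from the page."""
    width = len(population[0])
    h_min = min_entropy_bits(population)
    return {
        "device_dependent_bits": width,
        "shannon_entropy_bits": round(shannon_entropy_bits(population), 2),
        "min_entropy_bits": round(h_min, 2),
        "enough_inputs": width >= min_key_bits,
        "high_entropy": h_min >= min_entropy_ratio * width,
    }


if __name__ == "__main__":
    # Two constructed populations: 128 unbiased bits versus 16 heavily biased bits.
    # The second has a "secret" that is mostly the same on every tag, so a
    # response is nearly predictable even though the circuit itself is unknown.
    populations = (
        ("unbiased-128", simulate_tag_population(1000, 128, 0.5, seed=1)),
        ("biased-16", simulate_tag_population(1000, 16, 0.95, seed=1)),
    )
    for name, pop in populations:
        print(name, assess_puf_inputs(pop))
```

The point of the min-entropy figure is that a PUF with many device-dependent bits still yields a weak key if the manufacturing variance is small: the bits are then almost the same on every tag, and the number of distinct secrets an attacker would have to consider is far below 2 to the power of the bit count. Criterion 1 (the strength of the fixed circuit) cannot be measured this way at all; it needs the design to be published and reviewed, which is the comment's central complaint.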

Wednesday, September 3, 2008

Adam Savage Changes His Account Of RFID Vendor Intimidation

In a previous post, I had linked to a YouTube video where Adam Savage of MythBusters gives an account of intimidation by credit card company legal teams when the MythBusters team was trying to prepare for a future episode which dealt with RFID vulnerabilities (among other RFID related topics).

Since that YouTube video has received some publicity, Adam Savage has taken a step back from his comments. From the CNet article:

MythBusters co-host Adam Savage is stepping back from public comments suggesting that legal counsel from several credit card companies led the Discovery Channel to pull the plug on an episode dedicated to security holes in RFID.
At the Last HOPE conference in New York in July, Savage told a crowd of several thousand people that his theory on why MythBusters had not gone forward with a planned episode on RFID (radio frequency identification) hackability was that on a conference call to discuss the matter with technicians from Texas Instruments, the lawyers for the credit cards companies had put the hammer down on the show.
"Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else (co-host Tory Belleci and a MythBusters producer) were way, way out-gunned," Savage told the crowd, "and (the lawyers) absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down, being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
But Texas Instruments spokeswoman Cindy Huff told CNET News on Tuesday that things had gone a bit differently than Savage had said.
"In June 2007, MythBusters was interested in pursuing some great myth-busting ideas for RFID. While in pursuit, they contacted Texas Instruments' RFID Systems, who is a pioneer of RFID and contactless technology, for technical help and understanding of RFID in the contactless payments space," Huff said. "Some of the information that was needed to pursue the program required further support from the contactless payment companies as they construct their own proprietary systems for security to protect their customers. To move the process along, Texas Instruments coordinated a conversation with Smart Card Alliance (SCA) who invited MasterCard and Visa, on contactless payments to help MythBusters get the right information. Of the handful of people on the call, there were mostly product managers and only one contactless payment company's legal counsel member. Technical questions were asked and answered and we were to wait for MythBusters to let us know when they were planning on showing the segment. A few weeks later, Texas Instruments was told by MythBusters that the storyline had changed and they were pursuing a different angle which did not require our help."
And now, even Savage is saying that he got his facts wrong.
In a statement from Savage--who was speaking for himself at the conference and not appearing on behalf of the show--provided to CNET News by Discovery Channel on Wednesday, the MythBusters co-host retracted the substance of what he'd told the Last HOPE audience.
"There's been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn't on that story, and as I said on the video, I wasn't actually in on the call," Savage said in the statement. "Texas Instruments' account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn't get filmed, it's so bizarre and convoluted that no one would believe me, but suffice to say...the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department."
From his statement, it's also logical to conclude that when he told the Last HOPE audience that co-host Belleci was on the conference call, he had meant Grant Imahara, another MythBuster co-host.
Further, a Discovery Channel representative told me that MythBusters did end up running an episode, last January, on RFID, but that the issue of the technology's security holes was not addressed.


I will leave it up to you to decide what this potentially means, as my feelings about this are conjecture at best.

Tuesday, September 2, 2008

Official RFID Security Alliance Announcement

Today the RFID Security Alliance had the pleasure of officially announcing our presence to the world. I sincerely wish to thank all who have helped build the RFID Security Alliance, and continue to help it grow.

From the Business Wire Press Release:

The RFID Security Alliance Emerges As New Industry Resource
Alliance Drives Market Education and Dialog about Security and Privacy Issues Surrounding the Use of RFID Solutions and Applications
SAUSALITO, Calif.--(BUSINESS WIRE)--The RFID Security Alliance (RFIDSA) today officially made its presence known as a new resource for the radio frequency identification (RFID) industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications. RFIDSA aims to be a visible resource to the RFID community through people, tools, market presence and organizational involvement.
“Founding members of the RFID Security Alliance all share a common vision of implementing RFID applications with the appropriate level of security and privacy, balancing risk and cost,” said Mike Ahmadi, chairman of the RFIDSA and COO of GraniteKey. “We want others to realize that security and privacy are functions that can successfully be part of an RFID solution, and that should be considered during the design process, not after.”
The RFIDSA has several goals and objectives, including:
Education – To educate all stakeholders (e.g. Alliance members, potential users, analysts, educational institutions, media, etc.) about security and privacy issues as they relate to RFID, in addition to associated technologies and processes.
Metrics – To develop metrics that may be used to establish common terminology around security robustness within the industry.
Dialog – To foster an open, two-way dialog within the RFID community.
Resources – To provide information and support to stakeholders involved in RFID development and implementation. This includes developing and publishing a public reference list of RFID vendors involved in the RFIDSA.
Legislative and PR Involvement – To inspire all RFIDSA members to become involved in, and monitor social and legislative initiatives with respect to RFID security and privacy. This includes addressing myths surrounding RFID security, and promoting positive legislation and perception through sensible analysis. Also included is examining and commenting on the liabilities of those who ignore the security implications in RFID development and implementation.
Demonstration Technologies – To have the capability to effectively demonstrate the RFIDSA concepts and initiatives, including the development of RFID security threat assessment models.
Acceleration of Secure RFID – To foster an environment that leads to sensible and rapid adoption of secure RFID technologies and solutions.
Founding members of the RFIDSA include AWID, GraniteKey, MIKOH Corporation, NeoCatena Networks, Inc., QLM Consulting, SecureRF Corporation, Sensitel, Sybase and Verayo. Companies with a substantial business in providing RFID or security hardware, software, or services are encouraged to inquire about membership with the RFIDSA. Law firms, consulting firms, accounting firms and educational institutions interested in the RFID security issue are also welcome.
About the RFID Security Alliance:
The RFID Security Alliance (RFIDSA), a California corporation, was founded as a resource for the RFID industry, driving market education and discussion about security and privacy issues surrounding the use of RFID technologies, solutions and applications. More information about RFIDSA can be found on its Web site at www.RFIDSA.com. Insights into RFID Security can be also found on the association’s blog at http://rfidsa.blogspot.com/.

Saturday, August 30, 2008

Adam Savage: Credit Card Companies Bullied Mythbusters

Here is a YouTube interview with MythBusters' Adam Savage talking about how they would not do an episode of MythBusters on RFID security because they (Discovery Channel) were intimidated by credit card companies' legal teams.

I can certainly understand how credit card companies would freak out at this exposure. The MythBusters do a very thorough job of researching and testing "myths". It is certainly not a full scientific method, but anyone who watches them knows that they definitely present very compelling information.

I guess exposing information to the general public is simply not an acceptable practice if you are a credit card company. This is a shame, as I am sure it would have been a very interesting episode. I found this on Digg.com. Please go to the link to see the comments.


Thursday, August 14, 2008

Who owns the liability? Scenario #1

Counterfeit drugs are currently a booming business. I am not going to go into detail about this, since a simple Google search will tell you all you want to know about the problem.

Pharmaceutical companies do not like counterfeit drugs making their way into the marketplace. Counterfeits cut into profits and make a drug company look bad. Pharmaceutical companies, however, are generally not liable for counterfeits making their way into the marketplace. If someone chooses to buy their heart medication over the internet and they get sugar pills that look like the real thing, and then die from using those pills, nobody can claim that the maker of the genuine drug is liable for this. If someone buys a counterfeit from a legitimate source (such as a genuine brick and mortar pharmacy), then the liability chain starts there, and a good investigation can probably trace the problem somewhere short of the company making the genuine drug. Once again, Big Pharma (my nickname for the pharmaceutical industry) is not liable.

Now we get to ePedigree, which is the huge initiative mandated by the Federal Government for all drug companies to implement a system to track and trace all drugs they produce. At least one of the goals of mandating ePedigree is to combat the enormous proliferation of counterfeit drugs. In essence, drug companies will have to put an identifier on the drugs they sell to ensure that they can be traced all the way back to the manufacturing plant. If someone buys a counterfeit drug, the identifier will (ostensibly) not be present, and therefore the drug is a counterfeit. This is definitely an oversimplification of the ePedigree initiative, but the essence of what I am describing is valid.

One can imagine the enormous cost that Big Pharma must absorb in making this happen, not to mention everyone involved in the supply chain. In a word, this is an enormous headache to the entire industry. Counterfeits are definitely a problem, but the industry remains quite profitable despite the counterfeits on the market. It is difficult to ascertain the losses a company faces due to counterfeits, but they can determine the enormous cost of ePedigree, and the numbers simply do not look pretty. The bottom line is that Big Pharma is currently interested in implementing a system which is primarily low in cost. That is essentially the first reaction to any organization which is forced to comply.

So let me paint a scenario. Big Pharma is required to implement unique identifiers on their drugs. A drug counterfeiter makes a counterfeit copy of the identifier (such as an RFID tag), and attaches it to the bottle of counterfeit drugs. Someone buys the counterfeit drug over the Internet (the same counterfeit heart medicine I mentioned earlier) and dies from using the counterfeit. When checked for authenticity, the RFID tag shows that the drug was legitimate, and it is traced back to the source. Further investigation reveals that the tag itself was counterfeited. When asked about what security Big Pharma put in place to prevent this from happening, what will the answer be? Who owns the liability at this point?

Creating an insecure (i.e. clonable) ePedigree system introduces a method for a counterfeiter to introduce drugs which are deemed COMPLETELY VALID into the system. Nokia, for example, is currently implementing RFID readers into mobile phones. This could eventually make its way into the home, and someone who buys drugs over the Internet could "validate" their internet purchases. Pharmacies that receive counterfeit drugs with "valid" RFID tags would feel quite confident that the drugs are legitimate. After all, the ePedigree information says it is!
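The difference between a system that can be fooled by a copied identifier and one that cannot comes down to what the verifier asks the tag to prove. The following is an added example written for this post, not code from any pharmaceutical company, RFID vendor, or actual ePedigree specification: a constructed registry of tag records, a verifier that only looks the identifier up, and a verifier that sends a fresh nonce and checks an HMAC computed with a per-tag secret that never leaves the tag. The registry contents, the tag identifiers, the per-tag key and the HMAC-based exchange are all this example's assumptions; the point is that under the lookup-only check a tag carrying nothing but a copied identifier passes exactly as the post describes, while under the keyed check it does not.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed registry for this example; not a real ePedigree data model.
# Each record holds product data plus a per-tag secret that only the genuine
# tag and the verifier know (the "key" column is this example's assumption).
REGISTRY: Dict[str, dict] = {
    "TAG-0001": {
        "product": "heart medication 10 mg",
        "lot": "LOT-42",
        "key": bytes.fromhex("a1" * 32),  # constructed key, not a real one
    },
}


class GenuineTag:
    """Tag that knows its identifier and holds its per-tag secret."""

    def __init__(self, tag_id: str, key: bytes) -> None:
        self.tag_id = tag_id
        self.key = key

    def read_id(self) -> str:
        return self.tag_id

    def respond(self, nonce: bytes) -> bytes:
        # The secret never leaves the tag; only a keyed digest of the nonce does.
        return hmac.new(self.key, nonce + self.tag_id.encode(), hashlib.sha256).digest()


class IdentifierOnlyTag:
    """Tag that carries only what a plain read of a genuine tag exposes: the identifier."""

    def __init__(self, tag_id: str) -> None:
        self.tag_id = tag_id

    def read_id(self) -> str:
        return self.tag_id

    def respond(self, nonce: bytes) -> bytes:
        return b""  # no secret, so no valid answer to a fresh nonce


def verify_static(tag) -> bool:
    """Lookup-only check: anything presenting a registered identifier is accepted."""
    return tag.read_id() in REGISTRY


def verify_challenge_response(tag, nonce: Optional[bytes] = None) -> bool:
    """Fresh nonce per check; the tag must prove it holds the registered secret."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    record = REGISTRY.get(tag.read_id())
    if record is None:
        return False
    expected = hmac.new(record["key"], nonce + tag.read_id().encode(), hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(expected, tag.respond(nonce))


if __name__ == "__main__":
    genuine = GenuineTag("TAG-0001", REGISTRY["TAG-0001"]["key"])
    copied = IdentifierOnlyTag("TAG-0001")
    for label, tag in (("genuine", genuine), ("identifier-only copy", copied)):
        print(f"{label}: static={verify_static(tag)} "
              f"challenge-response={verify_challenge_response(tag)}")
```

Two design notes. The nonce must be fresh on every check; if the verifier reused one, a response observed once would satisfy it forever, which is the same weakness as the static identifier in a different form. And the keyed check only moves the problem to key management: the registry now holds secrets that have to be protected, and a tag whose key can be read out is no better than a static identifier, which is exactly why the unclonable-tag claims discussed elsewhere on this blog deserve scrutiny.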

Several members of the RFID Security Alliance have, quite literally, met with Big Pharma and posed the issue of security in ePedigree, and the response has been less than promising. One company said they have absolutely no incentive to deal with security. Another said they will deal with security when it is a problem (this is ALWAYS a bad idea). Still others said they are not going to spend the money for security. These are all Fortune 10 companies. Big Pharma may deny this, but my sources are pretty darn good.

When faced with the question "Why didn't you make this more secure?", what is Big Pharma's answer going to be?

Will they claim ignorance?

Will they claim they are not liable?

Tough questions...

Friday, August 8, 2008

And the winner is....

Several years ago I recall seeing a picture of a sign someone had posted on a bridge which read something like this:

Remember when you drive over this bridge that the company who built it was the lowest bidder.

Sort of makes you question the safety of the bridge, does it not?

At the Blackhat Conference this past week, several of the exploits generating quite a bit of stir involved attacks on automatic toll systems (which use completely non-secure RFID), as well as attacks on e-passports (also using non-secure RFID).

Security experts have discussed the vulnerabilities of these systems nearly to the point of exhaustion, only to be dismissed as theoretical possibilities.

An article posted at Techdirt.com discusses this latest Blackhat exploit, and the last sentence in the article asks "So why weren't these systems designed with better security in the first place?"...which brings us back to the bridge.

Sadly, I am willing to bet anyone that every one of the companies who implemented these systems were absolutely made aware that they had to consider the design of the security of the system, and absolutely either chose to ignore security, or failed to validate security if they did choose to implement it.

The lowest bidder can easily cut security out of the bid, because everyone else does.

Perhaps the makers of the toll systems and passports can sue the Blackhat hackers, as NXP tried to do to the students who published the Oyster Card exploit. I am sure their lawyers would love to collect some fees.

Wednesday, August 6, 2008

Why Do They Choose To Ignore The Risk?

I was reading through some news items today, and ran across several stories asking why Freddie Mac chose to ignore advice from their risk management officers who were telling Freddie Mac CEO, Richard F. Syron, that the risky subprime loans they were backing were exposing them to huge risks (read the article here).

This reminded me of an article I recently penned. I am not sure it answers the question, but I think it makes a valid point:


Humans are generally well intentioned beings. We do not, however, begin life that way. Any of you who have children can certainly relate to this. A child is perhaps the most self centered being in the world. Children will fly into tantrums, hit, kick, bite, steal, and do whatever it takes to get what they both need and want. This is not because children are inherently evil. They simply do not know any other way to survive. When we attempt to teach our children how to do better it is no surprise that they do not welcome this gift of wisdom. After all, their method works to achieve the results they want, and changing gears is just too much work.

Some parents persevere in the endeavor to make their children understand the importance of being well mannered, sharing with others, and honesty. These parents are generally rewarded for their efforts in the long term, yet are often left biting their nails in frustration in the short term. It is, by any stretch of the imagination, no easy task, and many parents seek the assistance of others as they endeavor to stay the course in raising their children while attempting to avoid the pitfalls of frustration which so often force even the most determined to give in. We ask those we trust and love for assistance. We hire professionals into our homes to help us build better offspring. We send them off to schools to learn what they need to know to be all they can be. We buy books and study them, hoping to glean some insight on how to do better.

At times, however, we end up with children who don’t seem to reach maximum potential, and they grow into adults who struggle to make it in an often difficult world, and who frequently wreak havoc on a seemingly well designed sociological master plan. There is no need to expound on this; we all know what I am talking about. As Ayn Rand so eloquently illustrated in “Atlas Shrugged”, there are those that exploit and there are those that are exploited. Remarkably, the “exploiter” often begins life as the “exploited”. This is not always true, but it is true often enough to be noteworthy.

Why is it that we sometimes fail at this project? Volumes have been written with so many reasons and theories that it has created a multi-billion dollar industry for writers, doctors, psychologists, and the list goes on. Some suggest it may be diet. Others suggest it is the way we teach our children. Some feel it is the music they listen to, the TV they watch, or the games they play. The way we raise our children changes with each generation, based on who is considered the expert of the day. One common thread which seems to remain intact, however, is perhaps the most valuable information of all. Parents who truly CARE about how they are raising their children seem to achieve success.

I need to stop for a moment and define what I mean by CARE. Truly caring about someone or something is, at its core, an unselfish act. It is about recognizing and setting aside personal gains, ego, fears, and barriers in order to focus on the achievement of an initiative which can stand as a testament to excellence. It is not about forcing your child to go to medical school so you can proudly boast to your friends and associates that your child is a doctor. It is about doing what it takes to raise a child that can stand on his (her) own and proudly proclaim that all that he has become, whatever that may be, is in large part because you cared enough to guide him to find his passion and reach his maximum potential. To succeed at this, however, requires commitment and good judgment. The kind of commitment and judgment I am referring to is of the type that comes from careful introspective analysis in a non-egotistical manner. This is the type of commitment that considers the wisdom of others who have faced such challenges and have risen above them despite the obstacles they faced. This is the type of commitment which does not hand the task at hand over to someone else to do, while stepping back, only to lay blame on someone else when the outcome is not what was expected. This is the type of commitment and good judgment which is not afraid to question the judgment of others and raise the difficult questions, despite the fear associated with “rocking the boat” or questioning “common wisdom”. This is also the type of commitment and good judgment that leads to perhaps the most difficult task of all: The ability to admit when you have made a mistake and to change direction to fix the mistake and get back on track.

So what does this have to do with voting machines, our national mortgage crisis, and the current ePedigree solutions being proposed for ensuring authenticity of drugs from the global supply chain in the Pharmaceutical industry?

As we made the move into the modern age we live in, replete with technological marvels only a true Luddite would not embrace, we found ourselves with an ever-growing need to shed ourselves of many old ways. Voting on paper seemed to make no more sense than filling out withdrawal slips at a bank or writing checks at the grocery store. Sure, there are still those among us that embrace the old-fashioned way of performing these tasks. By and large, however, they are a dying breed. Paper-based voting systems required too much space, time, and money to tally the votes. It was clearly time to digitize the system. Voting machine companies and election committees from various states got together and began hammering out the details of the project, and the voting machines hit the ground running. Then disaster struck. Academics, reporters, and whitehat hackers discovered that the security of these systems was entirely inadequate for the purpose they were designed for. State election officials began decertifying these machines, and the court of public opinion pointed at the voting machine manufacturers and accused them of everything short of treason for their lack of attention to security. Being a security company, we decided it would be a good idea to study this situation and perhaps offer some assistance. As we discovered, the level of security of the voting machines was not a major concern for nearly all state certifying bodies at the time that these machines were first certified by the State. Some voting machine companies clearly understood what it would take to build a secure system, yet the requirements did not dictate a need for a secure system, and the voting machine companies couldn’t justify spending the money for security as it would make them uncompetitive.

Who is at fault here? Is it the election committee’s fault for not validating the security of the system? Is it the voting machine company’s fault for not insisting that the system had to be more secure and spending a little more money to make the security at least reasonable? Is it the fault of the American public for not seeing this coming? These are tough questions, but one question is easily answered: Who ended up paying for the failure? Yes, dear reader, we did.

Then there is the mortgage crisis we are all now quite familiar with. Almost everyone in the financial world knew of the enormous risks associated with sub-prime mortgages. Economists, academics, realtors, and simply sensible people tried to warn us of the dangers of what was happening in the market. Still, countless people continued to play this dangerous game, hoping to avoid being burned. Many people deluded themselves into believing those who characterized the experts that were warning us as “fear mongers” and “out of touch financially”. Hindsight is 20/20. We are paying the cost for this failure.

Now we come to the enormous ePedigree initiative. Counterfeit drugs are an enormous problem. Some estimates claim as much as 30% of drugs coming from some nations are counterfeit. Counterfeiting drugs has become a multi-billion dollar industry worldwide. Many operations which once dealt in illegal narcotics and other illegal drugs have turned to counterfeiting due to the enormity of the market and the relative ease with which those who deal in counterfeit drugs can operate (compared to those who produce illegal drugs). Clearly, something had to be done to combat this growing menace. The United States government, in cooperation with governments all over the world, decided to take action by requiring a pedigree for each and every drug produced and/or sold in the United States. By requiring a traceable pedigree for these drugs from producer to consumer, and every step along the way, in the event of a problem the point of breakdown could be detected, isolated and addressed. Initially, the rollout for this system was slated for 2010 (2009 for California), and has been pushed back to 2011. This is, without a doubt, a huge project with an enormous number of complexities involved in implementation. One of the first steps in this process that stakeholders have focused on is determining what technologies and methods would be employed to track these drugs. Will it be 2D barcodes, RFID, security chips, databases, auditing and legal resources? The list goes on. How will the information be shared? The complexity is staggering.

As a security expert, I thought it would be prudent to get involved in this process. Surely, I speculated, the organizations tasked with implementing such systems would be extremely interested in making sure that the security of the system was validated. I was perhaps a bit naïve in my zeal. Organizations involved in the Pharmaceutical manufacture and supply chain are clearly focused on compliance with a law with which failure to comply will lead to a complete inability to do business. I have witnessed a great deal of activity at the tactical level – putting together the components to comply with the law – but have yet to see any activity at the solution security level. The law simply does not call for validation of system security at any level that a counterfeiter could sidestep – these organizations are not allocating resources and mindshare to anything other than compliance. Hackers and perpetrators are much more determined, sophisticated, and resilient than government regulations around compliance. We all intuitively know this, yet where is the duty of Care to do something about it? Will this “Care” only emerge after enough people have died, or enough money has been wasted on a broken system, when people will then be galvanized to be the hero and fix the problem, once the appropriate resources and attention have been allocated? What kind of “Caring” is this? Can a company afford to care if nobody else does?

So then I need to ask the same questions I asked earlier. Whose responsibility is it to validate the security of the system? Who is expected to CARE enough and demonstrate commitment and good judgment? Whose fault is it when the Pharmaceutical industry spends billions of dollars implementing a system that, if implemented without careful consideration of the security issues surrounding the deployment, is doomed to fail as did electronic voting systems and the mortgage markets? Only this time, people’s lives are directly at stake. Who is going to pay to implement the system, then pay to fix it when it fails, not to mention pay for the recourse to remedy wrongful deaths?

You and I will, of course.

So whose responsibility is it? Who will step up to the plate? Who can step up to the plate?

Karsten Nohl Discusses RFID Insecurities

Karsten Nohl, the security researcher who was part of a team that broke the crypto algorithm in the Mifare Classic RFID-based smart card, talks about his upcoming briefing at Black Hat in Las Vegas in an interview with Security Wire Weekly called Wireless Insecurities.

Nohl, a University of Virginia graduate student, has been active with the RFID Security Alliance and presented a threat model for Mifare at our May meeting. Hear his interview at http://securitywireweekly.blogs.techtarget.com/2008/08/01/sww-wireless-insecurities/

Monday, August 4, 2008

RFIDSA Presenting at RFID World on September 9.

Members of the RFID Security Alliance are presenting at RFID World. The presentation is called "RFID Security Should Not be an Afterthought." If you are going to be in Las Vegas for this event, you are invited to attend the session.

Date/Time: Tuesday, September 9, 2008, 1:00pm — 1:50pm

Description: RFID technology offers great benefits - supply chain solutions, for example, provide unprecedented visibility and increased efficiency. However, the technology also introduces a number of new business risks, among them:
-Fraud and error as a result of tag data manipulation
-Cloning of tags
-Malware and viruses stored on tags
-Hacker attacks at the point of sale, cyber shoplifting
-Interruption of business continuity as a result of attacks against IT infrastructure (readers, edge servers, backend systems)
To fully enjoy the benefits of RFID, these risks need to be addressed adequately. A holistic approach is required, analyzing an RFID system end-to-end to identify potential threats and their business impact. Members of the RFID Security Alliance will discuss strategies to minimize or mitigate these risks and how to comply with industry regulations and governing law (e.g. SOX, FDA). The discussion starts with a short presentation by Lukas Grunwald (NeoCatena).

More information about RFID World is at http://www.cmpegevents.com/web/rfid/home

Tuesday, July 15, 2008

The Expressway To What?

I recently had the opportunity to attend a meeting titled the "California Express Manufacturer Workshop", which turned out to be a very elegant presentation, held at SAP Laboratories in Palo Alto, California. For those of you unfamiliar with the California Express Solution, it is a conglomeration of six companies with the goal of creating a suite of solutions to get California companies who must comply with the upcoming ePedigree laws up and running as soon as possible. From the site:

The California Express Solution provides a framework for global serialization and ePedigree compliance to pharmaceutical and bio tech manufacturers, wholesale distributors, and contract producers of any size. We will help you prepare for quickly approaching mandates in the United States. The California Express Team includes these member companies: ACSIS, HP, Nosco, SupplyScape, Systech International, and InCode.
The California Express Team is cross-trained on all solution components, works on common issues such as serial number structures and provides educational workshops and webinars to the industry. The team has specific expertise and focus on solutions for SAP customers and the deployment of the SAP enterprise serialization infrastructure.


Being involved in the security industry, and working with RFID companies who are focused on RFID security, I was initially excited about this workshop. After all, I surmised, ePedigree is about securing drugs against counterfeits (at least in part, if not in its essence), and who wouldn't want help in implementing a secure RFID solution? As it turns out, security is one of the last things on the mind of the companies who are being forced to comply. Why is that the case? Because security is not mandated. Sure, if you ask the solution providers questions about security, they will tell you they are implementing it. The minute you start digging deeply into validating the security of the ePedigree solutions, you quickly find that it is more "security theater" than security.

I made several attempts to make contact with SupplyScape, who is at the forefront of this initiative, but my emails have all gone unanswered.

The reality of this entire situation is that making these organizations validate the security of these systems is more of a headache than they wish to deal with, which really means that the California Express Solution is an expressway to yet another failed security solution.

Unfortunately, the companies involved will probably come back to us after they have cost stakeholders BILLIONS of dollars due to a failure of the system, or if the FDA ever requires validation of the security of the system.

Until then, we will try to get the word out.

Monday, June 30, 2008

Don't Shoot The Messenger

Mark Roberti, owner of the popular RFID Journal (http://www.rfidjournal.com), recently posted a small piece on the RFID Journal Blog where he admonished Greg Day, an analyst for security company McAfee, for comments he made regarding the security issues surrounding contactless payments. While I feel Mr. Roberti has every right to express his opinion of Mr. Day, I was a bit disappointed in a comment he made which I felt characterized security experts as fear mongers:

"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."

I sent the following email to Mr. Roberti:

Mark,
I read the article titled "Yes, Contactless Payments Are Safe" and found the final line more than a little alarming:
"So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."
While there are many instances we all can point to where scare tactics are used to promote agendas, not all security experts are trying to scare people. In fact, one of the basic tenets of the RFID Security Alliance is to avoid using scare tactics, and carefully presenting information as factually as possible and fostering a collaborative environment to discuss the issues surrounding RFID and security.
As a security expert, there are several points in the article that I would like to discuss. For example, the point of OTA dynamic security patches. Many systems designed to be managed in this manner are fraught with security issues. The iPhone, for example, has had many security patches applied to it in a similar manner (not OTA, but through a downloaded update), and is generally hacked again within 24-48 hours. OTA management systems, once breached, can become a means of mass hacking from literally thousands of miles away. I would love to discuss a threat model about this issue.
Security experts are not here merely to generate Fear, Uncertainty, and Doubt. Believe it or not, many of us truly care about being ethical and shy away from scaring people. Many security problems are caused by fear mongering, because people tend to make rash decisions out of fear, and that is rarely the best decision. Consumers do indeed have much to be concerned with, and security experts are working hard (around the clock) to address and FIX the problems. That is the true measure of our success. Please reconsider the tone of this article. RFID Journal is arguably the most prominent RFID publication in this nation. What you say carries a lot of weight, and the tone of this article may serve to alienate many stakeholders who are indeed concerned with creating secure RFID solutions.
Please consider attending a meeting of the RFID Security Alliance. I have invited you several times. Your presence would be welcomed.
Thank You,
Mike Ahmadi


Mr. Roberti graciously replied:

Mike,
It's interesting that you are alarmed by my comment about security experts and not alarmed by the original article in which Greg Day says that this is a huge threat to consumers. It's okay for Day to say something that is extremely detrimental to the NFC industry, but it's not okay for me to be critical of security experts?
If the Alliance has credibility, it should come out and condemn Day and his irresponsible comments and then set the record straight. I'm sure not all security experts are trying to scare people, but I frankly haven't seen a lot of evidence of that. Comments like Day's are far more common.
Having said that, I'm interested in open and honest discussion of the issues. I suggest you post your comments about OTA on the blog page for others to read. I'm sure many readers will be interested.
Mark


My response:

Mark,
Thank you very much for your quick response. It is certainly okay for you to voice your opinion on any topic. I truly believe that is what makes the internet fantastic. My point is that you carry quite a bit of weight in what you say. I would like to posit that more people in the RFID industry are familiar with Mark Roberti than they are with Greg Day.
That being said, I do not feel the credibility of the RFID Security Alliance hinges on the condemnation of anyone. We are not here to admonish anyone. We are trying to foster open discussions of security issues surrounding the secure implementation of RFID systems. That is why the RFIDSA is open to all who wish to attend.
As for the comments Greg Day made in the article you mention, I could not find it through the link on your blog, but I did find the Reuters article at the Reuters site:
http://uk.reuters.com/articlePrint?articleId=UKNOA94822420080519
While I understand how many in the NFC industry may be concerned by some of Day's comments, I am curious as to why you feel his comments are any more or less irresponsible than making the blanket statement that Contactless Payments Are Safe. Once again, your words carry a lot of weight, and such statements should be carefully considered.
Is there any way we can perhaps foster more of an environment where the RFIDSA can work together with RFID Journal to deliver the message in a better way? I can understand your viewpoint about security experts being alarmist, but there are many of us that choose not to take that stance, and would like to foster a more cooperative environment. Your support can go a long way to creating an environment where we ALL achieve the credibility we would like to have.
Sincerely,
Mike Ahmadi

Mr. Roberti's response:

Mike, Here is why I feel my comments are not irresponsible and his are. First, McAfee is a company that is well known and carries a great deal of weight with consumers. The article was published by Reuters, a news agency picked up by hundreds, maybe thousands, of newspapers around the world. It had the potential to influence millions of consumers, and yet Day provided no evidence or reasons for claiming NFC phones are such a huge threat. He said only that criminals will steal in small increments. He doesn’t explain what the security flaws are or why they can’t be addressed by the NFC industry. Reuters was equally irresponsible for not having an NFC person respond in the article. My blanket statement was not irresponsible because my statement is demonstrably true. Even if a hacker steals information stored on your NFC phone and makes a fraudulent purchase, you are not any more responsible for that purchase than you would be if the waiter you gave your card to last night used it to buy something. Also, to my knowledge, there has not been a single case of an NFC device being abused. Further, one would have to be insane to believe that the makers of phones and NFC chips will not continue to enhance the technology in an effort to make it safer. You may believe that my statement is inaccurate. But I think you would be hard pressed to say that I did not try to support it with the facts as I know them, as opposed to Day who does not support his argument. I recognize that I don’t know everything, so if you believe my statement to be wrong, then I would welcome you to publish an article on RFID Journal to say why. I have credibility because I am willing to criticize those in my industry who would not respect people’s privacy and because I am willing to publish views that are contrary and/or critical of my own. Not only am I willing, I believe it is essential to the RFID industry to do so.
So I’m more than willing to work with any party to enlighten and inform the public and the RFID industry about potential problems.

mark

Mr. Roberti then posted a new entry:

Fairness
Yes, it is true that consumers have much to be concerned about and it is true that the cost of NFC fraud would be passed on to them. It's equally true that when credit card numbers are stolen from databases and when mag stripe cards are cloned, consumers pay the price for that too. I was wrong to generalize. All security experts aren't trying to scare people. But Day's comments were grossly irresponsible and potentially very damaging to the NFC industry and to consumers who could benefit from the technology should it take off.

I wish to thank Mr. Roberti for clarification of his statement, and wish to once again invite him to attend a meeting of the RFID Security Alliance. As of this date, all my requests to Mr. Roberti to attend a meeting have gone unanswered.

I am sure Mr. Roberti is a very busy person. He should, however, consider working directly with security experts in order to avoid such misunderstandings in the future.

Just my opinion, so take it or leave it!

Tuesday, May 20, 2008

ABI Research Response

I contacted the authors of the ABI Research Article mentioned in the previous post. Both Mr. Collins and Mr. Liard graciously accepted my LinkedIn invitation, and I used the messaging system to send them both a message. Here is a what I wrote:

Your recent paper titled "Developing a Corporate Plan for RFID Adoption: Enterprise RFID Blueprint and Program Management Considerations" fails to address security issues surrounding RFID. Was this intentional? We discussed this at the RFID Security Alliance, and find it a bit alarming that ABI Research, a trusted research firm, is failing to address this. Can you please explain?

Both Mr. Collins and Mr. Liard replied. Mr. Collins told me he would forward my inquiry to Mr. Liard, and Mr. Liard sent me this response:

Thanks for your interest and comments, Mike. The ABI Research RFID & Contactless team appreciates your feedback. The reason that security was not mentioned explicitly in the article is simply because it was a short, focused piece and the focus was not security. As a security specialist we can understand how you would be eager for the topic to be explicitly included as often as possible. Security is of course an important aspect of any RFID deployment and ABI Research often has highlighted issues and strategies with regard to implementing security-conscious RFID applications for many years and in many pieces of research. We are sure you will agree that to dismiss those efforts on the basis of a single article is a bit unjust given the original intent of the piece: for users to consider value propositions and understand that RFID deployment plans must be structured to appreciate both the business process and technology change. The onus of educating enterprise end users on current and potential security considerations is not the lone responsibility of each item of research published nor of any single group or player in the RFID space, but rather, through combined messaging and commitment from all parties in the value chain. We continue to engage with and monitor companies specializing in RFID data and system security and will consider sharing more of our thoughts on RFID security in the public domain in the future.

Regards,
Michael J. Liard
Research Director
RFID & Contactless
ABI Research


I wish to sincerely thank both Mr. Collins and Mr. Liard for their replies.

Wednesday, May 14, 2008

Maybe If We Don't Talk About It The Problem Will Go Away.

When I was growing up there was a neighborhood kid whose parents chose to ignore his fits and general bad behavior, despite the fact that it was causing general discomfort to all those around him (myself included). Needless to say, he grew up to be the neighborhood bully, and eventually ended up going to prison for armed robbery. Ignoring him did not make the problem go away.

Unfortunately, that is the exact tactic many "experts" in the RFID industry are taking when it comes to RFID security. They are simply choosing to discuss nearly everything about RFID implementation EXCEPT security. Let's take, for example, a study recently published by ABI Research (a trusted research firm) titled Developing a Corporate Plan for RFID Adoption: Enterprise RFID Blueprint and Program Management Considerations. The publication is quite well written, and discusses practically all management considerations, with the exception of security.

A note to ABI Research and other experts out there. RFID security issues are not going to go away just because they are not discussed. I attempted to contact the authors of the article for comment, to no avail. EDIT: Both Mr. Collins and Mr. Liard did indeed reply to my request for comment. I wish to thank both of them.

That's okay. The RFID Security Alliance is not planning on going away either.

Wednesday, April 9, 2008

Is RFID Ready For Drug Pedigree ?

An article published on April 8th, 2008 in RFID Update asks the question "California Not Ready for Drug Pedigrees -- Is RFID?", and goes on to discuss how the California Board of Pharmacy has moved the compliance deadline to 2011 from the original 2009 deadline. The article goes on to discuss how RFID and other drug pedigree solutions need more time to mature before implementation.

What is important for all stakeholders to understand about the drug pedigree challenge is that it is not an RFID issue. It is a security issue. Drug pedigree is not about being able to easily inventory drugs, it is about being able to securely identify and track them. RFID is a technology which plays a small (albeit potentially a very significant) part in the drug pedigree solution chain. The benefits of the currently available RFID technologies definitely outweigh the risks of using a non-RFID based solution as a primary means of identifying and tracking drugs. What organizations need to begin focusing on is securing the drug pedigree solution on a systemic level. What are the concerns pharma has with deploying RFID solutions and what can be done to address those concerns? How significant is the issue compared to a protracted delay of deploying a solution? Can a solution be put in place with an understanding of potential current weaknesses and a road map to improving the weaknesses as resources permit?

RFID technologies are, without a doubt, ready for the challenge. We simply need to move forward and intelligently deploy solutions which are ready for the next improvement. We need to do this now, because drug counterfeiters are not slowing down their developments while we decide what to do.

Saturday, March 15, 2008

Mifare Hack Demonstrated and NXP Announces New Chips

In light of reports earlier this month detailing vulnerabilities of the Mifare Classic RFID cards, the Dutch Government has now issued a warning that the hack can be accomplished relatively easily. A team at Radboud University Nijmegen has detailed the process in a video published on the University website. This serves to illustrate the relative ease of reproducing the hack.

Of particular interest is the final paragraph from the article on the RFID Update website, which states:

"The long term impact of this hack on the public's perception of RFID security is unclear. It will likely depend on the extent to which nefarious hackers widely exploit the vulnerability."

I believe the long term impact will be determined by how well the public understands both the vulnerability and the proposed solutions, and how well organizations, such as the RFID Security Alliance, communicate the information. Otherwise, it is simply going to remain an opportunity to generate interesting headlines.

As Karsten Nohl, who published the original vulnerability findings told me:

"So far no nefarious hackers have contacted me to get the details of the cipher and it appears that all academics that share our results will not go out and cause any real-world system to break. After all, this could still take an ok outcome for industry if current systems upgrade reasonably soon. The message that will stick is that RFID aren't some magically secure new technology but rather suffer from the same shortcomings that haunt pretty much any security system."

NXP Semiconductors, the makers of the Mifare chips used in these cards, announced an update to the technology used in the Mifare cards which NXP is referring to as the Mifare Plus. According to the report in RFID Journal, cards using the new technology are backwards compatible with the Mifare Classic system.

Saturday, March 8, 2008

What drives adoption ?

I recently read the fascinating document produced by University of Virginia student Karsten Nohl titled "Mifare Security". In this document, Karsten describes some of the issues with the Mifare RFID security tag, and how Karsten was able to break the security. This has now raised much concern in the city of Boston, which is using such technology for their CharlieCards subway passes, as was pointed out in this article in CSO Online, as well as other articles scattered across the web.

The question I want to ask is what drives an organization, such as Boston's subway system, to adopt RFID technology for their system? Is it convenience? Does it look cool? Do they feel it will save them time and money? Does Mifare have a fantastic sales team? Do they want a more secure system? In other words, what was the ultimate OBJECTIVE of implementing an RFID solution? I am going to make the assumption that the objective was to save money (and saving time is exactly the same as saving money), and I want to know if whoever made the decision to implement the Mifare system created a Threat Model before deciding to build the infrastructure. A good model would address the question "What would it take to break the encryption of the Mifare chip?", which turns out to be about $1000. I would suspect somebody at Mifare knew this, in light of the findings of Nohl, which highlight the inherent weakness of the crypto used in the chips. If this is indeed the case, was Mifare (or whoever sold the Mifare system) forthcoming with this information? Did Mifare prepare their own Threat Model?

What is important to understand is that 100% security is simply not possible, and that is not what the objective should focus on. The objective should be focused on what level of security is required for the specific application. The Mifare technology used in the CharlieCard is perhaps more than adequate for access control in a closed environment (such as inside an office building), where it would be unlikely that someone would bother spending $1000 to crack tags so they can gain access to the executive dining room. Motivations, however, can be quite high when you can recharge subway passes and make several dollars each time you resell one of them to thousands upon thousands of users on the black market. What is even more interesting is the relatively low risk associated with the office building crack (if it happened). There is very little motivation for a cracker to attempt to "market" his crack of office access control passes to the "masses" yearning to enter a controlled area of corporate headquarters, where it is likely an intruder would be discovered anyway, due to the closed nature of the environment.

It all comes down to why you want to adopt the solution, and what risks adoption brings with it. Taking this approach is the first step.
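The comparison drawn above (the same tag, breakable for roughly the same cost, adequate for office access but not for a resellable transit pass) can be turned into a small threat-model calculation that an adopter could run before choosing a tag. This is an added example, not code from this post or from the RFID Security Alliance; the Deployment fields, the $1000 break cost reused from the post, and every other dollar figure, market size and detection probability are constructed assumptions.

```python
"""Constructed threat-model example (added here, not from the original post).

The attacker's side of the model: a one-time cost to recover the tag's secret,
a per-credential gain from reselling cloned or recharged credentials, and a
detection probability that discounts that gain. The defender's side: how much
the break cost would have to rise (stronger tag crypto), or how small the
resale market would have to be kept (back-end revocation and anomaly detection),
for the attack to stop paying. All numbers below are illustrative.
"""

from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Deployment:
    """Inputs a deploying organization can usually estimate for itself (hypothetical fields)."""
    name: str
    attack_cost_usd: float           # one-time cost to break the tag's crypto
    gain_per_credential_usd: float   # attacker's net per cloned/recharged credential sold
    resale_market_size: int          # credentials sellable before the scheme is noticed
    detection_probability: float     # chance the scheme is detected and its proceeds lost (0..1)


def discounted_gain_per_credential(d: Deployment) -> float:
    """Per-credential gain after discounting for the chance of detection."""
    return d.gain_per_credential_usd * (1.0 - d.detection_probability)


def expected_attacker_profit(d: Deployment) -> float:
    """Expected net gain for a rational attacker; greater than zero means the attack pays."""
    return discounted_gain_per_credential(d) * d.resale_market_size - d.attack_cost_usd


def required_attack_cost(d: Deployment) -> float:
    """Break cost at which the attack stops paying: the bar stronger tag crypto must clear."""
    return discounted_gain_per_credential(d) * d.resale_market_size


def max_tolerable_market(d: Deployment) -> Optional[int]:
    """Largest resale market that keeps the attack unprofitable at the current break cost.

    Back-end controls (revocation, usage anomaly detection) work by keeping the real
    market below this number. None means the attack never pays, whatever the market.
    """
    per_credential = discounted_gain_per_credential(d)
    if per_credential <= 0:
        return None
    return math.floor(d.attack_cost_usd / per_credential)


def assess(d: Deployment) -> dict:
    """Summarize whether the tag's current security level is adequate for this deployment."""
    profit = expected_attacker_profit(d)
    return {
        "deployment": d.name,
        "attacker_profit_usd": profit,
        "tag_adequate": profit <= 0,
        "attack_cost_needed_usd": required_attack_cost(d),
        "max_tolerable_market": max_tolerable_market(d),
    }


# Constructed scenarios mirroring the post: same break cost, different objectives.
OFFICE_ACCESS = Deployment(
    name="office access control (closed environment)",
    attack_cost_usd=1000.0,
    gain_per_credential_usd=0.0,    # no black market for entry to the executive dining room
    resale_market_size=1,
    detection_probability=0.9,      # an intruder on the premises is likely to be noticed
)

SUBWAY_PASS = Deployment(
    name="transit pass with stored value",
    attack_cost_usd=1000.0,
    gain_per_credential_usd=3.0,    # "several dollars each time you resell one"
    resale_market_size=10_000,      # "thousands upon thousands of users"
    detection_probability=0.25,     # constructed: anonymous buyers, scheme noticed late
)


if __name__ == "__main__":
    for deployment in (OFFICE_ACCESS, SUBWAY_PASS):
        for key, value in assess(deployment).items():
            print(f"{key}: {value}")
        print()
```

The subway case shows the defender's two levers: either the tag must cost more than $22,500 to break, or back-end controls must keep the number of sellable credentials under about 444.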

Thursday, February 14, 2008

Welcome to the RFID Security Alliance WebLog

The goal in forming the RFID Security Alliance is to establish a de facto authoritative organization regarding the subject of security as it applies to the implementation of an RFID system.
The RFID Security Alliance is your one-stop shop for the latest information, collaboration and productivity within the secure RFID industry.
The latest in policy development, RFID news and industry trends brought to you all in central location: The RFID Security Alliance.