New Passive RFID Tech Poses Threat to Enterprise IoT
As RFID technology continues to evolve, IoT security measures struggle to keep pace.
The Internet of Things (IoT) industry is growing at a staggering pace. The IoT market in China alone will hit $121.45 billion by 2022 and industry analysts predict that more than 3.5 billion devices will be connected through IoT globally by 2023.
Among the most important technologies precipitating this breakneck growth is RFID or Radio Frequency Identification. RFID-tagged devices can help track inventory, improve the efficiency of healthcare and enhance services for customers in a variety of industries.
For example, many hospitals across the world are beginning to test the use of on-metal RFID tags to not only track their inventory of surgical tools–such as scalpels, scissors, and clamps–but to ensure that each tool is properly sterilized and fully maintained prior to new operations. The implications of the widespread application of RFID tracking in the healthcare system would be a dramatic reduction in the number of avoidable infections due to unsterilized equipment and a sharp increase in the efficiency of surgical procedures.
IDenticard Vulnerabilities in PremiSys ID System
Although passive RFID technology shows much promise for streamlining and improving the management of IoT, unresolved vulnerabilities in the technology’s security remain a bottleneck for both the implementation of RFID and the growth of the IoT industry.
In January, the research group at Tenable discovered multiple zero-day vulnerabilities in the PremiSys access control system developed by IDenticard, a US-based manufacturer of ID, access and security solutions.
The vulnerabilities – which included weak encryption and a default username-password combination for database access – would have allowed an attacker to gain complete access to employee personal information of any organization using the PremiSys ID system. Though IDenticard released a patch to resolve the vulnerabilities, the incident points to growing security risks around network-connected, RFID-tagged devices.
In the summer of 2017, these security risks were put on full display when researchers from the KU Leuven university discovered a simple method to hack the Tesla Model S’s keyless entry fob. The researchers claim that these types of attacks were possible (prior to the security patch rolled out by Tesla in June of 2018) because of the weak encryption used by the Pektron key’s system.
Despite the numerous security concerns that have surfaced in recent years, RFID is still one of the most tenable solutions for increasing the efficiency and safety of IoT. That said, for enterprise to take full advantage of the benefits of RFID technology, stronger security protocols and encryptions must be implemented.
Compounding the threat is the fact that many RFID-enabled enterprise networks are at an increased risk of breaches (especially those in the Industrial IoT, IIoT) due to their inability to detect vulnerabilities and breaches in the first place. In fact, a recent study published in January by Gemalto discovered that nearly 48% of companies in all industries are unable to detect IoT device breaches.
The Bain & Co. study pointed to security as the major obstacles to full-scale RFID/IoT adoption. With data breaches costing, on average, more than $3.86 million or $148 per record, new security measures must be taken if IoT is to fulfill its promises of en masse real-time connection between businesses, consumers, and their devices. Unsurprisingly, in the Gemalto survey interviewing 950 of the world’s leaders in IT and IoT businesses, more than 79% of them claim to want more robust guidelines for comprehensive IoT security.
According to The Open Web Application Security Project (OWASP), there are ten primary vulnerabilities present in IoT and many of these risk factors are directly related to the implementation of RFID technology.
Securing RFID-Enabled Enterprise IoT Devices
Of the many vulnerabilities in RFID/IoT devices and technologies, few impact consumers as directly as those presented by RFID scanners.
RFID scanners can glean information from any RFID-enabled device, not just credit cards and phones. Our IoT and IIoT, both growing at a breakneck pace and with security features lagging behind, are prime targets for exploitation.
Security analysts have raised concerns about the safety of data traveling on these networks for years. In fact, in a study conducted by IBM, it was found that fewer than 20% of routinely test their IoT apps and devices for security vulnerabilities. With data breaches growing at an alarming pace–2018 alone resulted in the exposure of more than 47.2 million records–many customers are asking, “What protections do we have against the growing threat against connected devices?”
As it happens, quite a lot. In 2017, a research group at the IAIK Graz University of Technology created an RFID-based system aiming to secure RFID data on an open Internet of Things (IoT) network. The engineers designed a novel RFID tag that exclusively uses the Internet Protocol Security layer to secure the RFID tag and its sensor data, regardless of what type of RFID scanner attempts to steal the tag data.
Their innovation lies in collecting the RFID sensor data first through a virtual private network (VPN) application. Using the custom RFID tag, communications are routed through the IPsec protocol, which provides secure end-to-end encryption between an RFID-enabled IoT device and the network to which it’s connected.
Solutions that identify and resolve potential IoT device vulnerabilities still need more work before we can expect widespread implementation. For one thing, the IPsec protocol, which is available on most consumer VPN applications, does not secure networks with 100% certainty.
Researchers at Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum (RUB) recently discovered a Bleichenbacher vulnerability in numerous commercial VPNs, including those used by Cisco, Clavister, Huawei and Zyxel.
RFID Breaking Big in the Enterprise Market
When it comes to RFID security, conversations gravitate toward consumer applications like contactless payment fraud or bugs in wearable technology. Though RFID spending is mostly business-to-consumer, the next largest spending category is the enterprise, comprising nearly 30% of the total RFID market.
RFID’s market size is projected to grow an additional 30% through 2020, as enterprise embraces RFID tags in everything from supply-chain management to security keycard systems. One of the big enablers of IoT in enterprises has been the simple addition of “passive” RFID tags for day-to-day operational functions.
Passive RFID systems are comprised of RFID tags, readers/antennas, middleware, and (in many cases), RFID printers.
With the rate the technology has evolved, the modern market now has access to thousands of tag-types with increased range and sensitivity and a plethora of substance-specific designs (e.g. tags made specifically for metal, liquid, and other materials). This technology allows for unprecedented tracking for and security of inventory, personnel, and other company assets.
Passive RFID tags, which have no electronic components, cost roughly 1/100th of the price of their “active” counterparts. And, although they have a much lower range than their active counterparts, they require no internal power source and instead draw their power from electromagnetic energy emitted by the local RFID readers. Though a tag cannot be assigned an IP address, the reader is actually part of the IoT network and is identified by its IP address, which makes the latter vulnerable, as we’ve seen, to the same kinds of hacks that affect other devices when steps have not been taken to hide the IP address.
Because of these factors, passive RFID tags are ideal for companies and supply chains operating in extreme heat and cold, dust, debris and exposure to other elements.
With all of this taken into consideration, the question still remains, “What can the average consumer do to protect their IoT devices from hackers?”
One of the simplest solutions is to make a minor investment into some kind of blocking or wallet jamming card. If you have first generation contactless cards, ask your bank or credit card company to upgrade you to the encrypted second generation. While your data might be skimmed, it will be unreadable to the perpetrator due to the power of modern encryption protocols.
For example, a standard 256-bit protocol would take 50 supercomputers many billions of years to decrypt and the impracticalities of such an attack lead cybercriminals to target easier prey.
Ultimately, the accelerating pace of RFID tech will make our lives more convenient. With greater convenience, however, comes a greater need for security solutions. When it comes to RFID, one can only hope that the good guys stay one step ahead in the ongoing crypto arms race.
About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.
Copyright 2010 Respective Author at Infosec Island