Privacy and Security in Radio-Frequency Identification Systems

Low-cost Radio Frequency Identification (RFID) tags may become one of the most pervasive computing technologies in history when affixed to consumer products as “smart-labels”. RFID systems essentially consist of microchip transponders, or tags, that respond to wireless signals from transceivers, or tag readers with unique identification numbers. Tag readers may identify tagged objects by looking up database records associated with that object’s tag ID. Typical implementations allow tags to be read without line-of-sight from distances of 2-8 meters, at a rate of several hundred tag reads per second. For years, Automatic Identification (Auto-ID) systems have played a crucial role in supply chain management, just-in-time inventory control, and point-of-sale product identification. Perhaps the most familiar Auto-ID system is the linear, or one-dimensional, Universal Bar Code designed in 1973. More recently, industries as varied as automobile manufacturing, microchip fabrication, and even cattle herding have adopted RFID systems as an Auto-ID platform. The higher-value products in these applications allow RFID tag costs of up to several dollars. However, for significant consumer market penetration to occur, RFID tags need to be priced around US$0.05. Advances in RFID technology broken this 5-cent barrier, making RFID an economical replacement for optical bar codes found on everyday consumer items. RFID tags have major performance and usability advantages over optical bar codes and could yield great productivity gains.

Because of this, the market size for RFID may be huge; possibly with trillions of tags. Unfortunately, the universal deployment of low-cost RFID tags may threaten the privacy and security of both individuals and organizations. For example, a corporate spy could monitor the inventory of a store stocking items labeled with insecure tags. Another threat is the tracking of individuals by the insecure tags they carry, violating their “location privacy”. Concerns over this issue were recently raised when a major tire manufacturer announced plans to embed RFID tags in their products. Addressing these issues in the low-cost RFID setting is especially challenging due to the extreme resource scarcity imposed by the US$0.05 price cap. Implementing standard cryptographic algorithms such as DES, AES, or SHA- 1 is not a feasible option for several years. Security solutions are needed to provide security and privacy, without prohibitively raising costs. In conjunction with the MIT Auto-ID Center, we have been addressing security and privacy issues in low cost RFID devices. Overviews of these security issues appear in and, while specific security mechanisms are proposed in. Policy issues related to RFID are discussed in. Our goal is to develop practical cryptographic primitive designs, design secure RFID protocols, and explore the cost versus security trade-offs of resource-scarce devices.