Passive Radio Frequency Identification (RFID) tags are increasingly being used as a low cost means to identify, monitor and track items.
A significant problem with passive RFID tags, however, is the lack of security for data stored on the tags. Many passive RFID tags offer little or no security, and even the most sophisticated passive tags are subject to attacks through methods such as “spoofing”. Spoofing refers to a process in which a device is used to eavesdrop on an exchange between an RFID tag and a reader, and the device is subsequently used to replay and imitate the response of the RFID tag, thereby causing an RFID reader to interpret (falsely) that said RFID tag is present when it is not.
In most RFID applications the RFID tags are read without any human involvement or intervention. In such situations spoofing presents a real risk, since the use of a spoofing device is unlikely to be detected. Similarly, other methods of attack present real threats to the security of data in an RFID system. This security flaw renders passive RFID infeasible for many applications in which security—either security of the tag data or security of the process for which the RFID tag is being used—is important.
Data security is likely to be a critical issue as RFID becomes more widely used in internet-based networks, where the data and network devices are exposed to attack.