RFID security concerns
A primary RFID security concern is the illicit tracking of RFID tags. Tags, which are world-readable, pose a risk to both personal location privacy and corporate/military security. More generally, privacy organizations have expressed concerns in the context of ongoing efforts to embed electronic product code (EPC) RFID tags in consumer products.
A second class of defense uses cryptography to prevent tag cloning. Some tags use a form of “rolling code” scheme, wherein the tag identifier information changes after each scan, thus reducing the usefulness of observed responses. More sophisticated devices engage in Challenge-response authentications where the tag interacts with the reader. In these protocols, secret tag information is never sent over the insecure communication channel between tag and reader. Rather, the reader issues a challenge to the tag, which responds with a result computed using a cryptographic circuit keyed with some secret value. Such protocols may be based on symmetric or public key cryptography. Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited.
Still other cryptographic protocols attempt to achieve privacy against unauthorized readers, though these protocols are largely in the research stage. One major challenge in securing RFID tags is a shortage of computational resources within the tag. Standard cryptographic techniques require more resources than are available in most low cost RFID devices.
In an effort to make passports more secure, several countries have implemented RFID in passports. However, the encryption on UK chips was broken in under 48 hours. Since that incident, further efforts have allowed researchers to clone passport data while the passport is being mailed to its owner. Where a criminal used to need to secretly open and then reseal the envelope, now it can be done without detection, adding some degree of insecurity to the passport system.
A number of products are available on the market that will allow a concerned carrier of RFID-enabled cards or passports to shield their data. In fact the United States government requires their new employee ID cards to be delivered with an approved shielding sleeve or holder. There is growing evidence that aluminum shielding, essentially creating a Faraday cage, does work. Companies like RFID Protect in the UK, and ID Stronghold in the USA offer a range of shielding products based upon these principles.