Introduction

So far, we have learned how Radio FrequencyIdentification (RFID) works and how it is applied in both theory and real-world operations. Thischapter discusses how security is implemented in RFID, and the possible attacks that can occur onRFID systems and applications.

Before we can analyze possible attacks, we have to identify potential targets. A target can be an entire system (ifthe intent is to completely disrupt a business), or it can be any section of the overall system(from a retail inventory database to an actual retail item).

Those involved in information technology security tend to concentrate solely on protectingthe data. When evaluating and implementing security around RFID, it is important to remember thatsome physical assets are more important than the actual data. The data may never be affected, eventhough the organization could still suffer tremendous loss.

Consider the following example in the retail sector. If an individual RFID tag wasmanipulated so that the price at the Point of Sale (POS) was reduced from $200.00 to $19.95, thestore would suffer a 90 percent loss of the retail price, but with no damage to the inventorydatabase system. The database was not directly attacked and the data in the database was notmodified or deleted, and yet, a fraud was perpetrated because part of the RFID system had beenmanipulated.

In many places, physical access is controlled by RFID cards called proximity cards. If acard is duplicated, the underlying database is not affected, yet, whoever passes the counterfeitcard receives the same access and...