Newswise — Strengthened security for "smart tags"—the wireless devices that allow drivers to zip through automatic tollbooths or pass a security desk with the flash of a card—is the aim of a new initiative that has received $1.1 million from the National Science Foundation. Led by Kevin Fu of the University of Massachusetts Amherst, the researchers are developing much-needed cryptographic protocols, hardware and applications for the increasingly common devices.

Millions of consumers already use smart tags—wireless devices that use radio waves to identify and authenticate people and things—and they will become more numerous, says Fu. "Yet the privacy of the user can too easily be compromised; our research addresses that security gap," Fu says.

Electrical engineer Wayne Burleson of UMass Amherst, Adam Stubblefield from The Johns Hopkins University and security researcher Ari Juels of RSA Laboratories in Bedford, Mass., are collaborating on the project. The researchers' advisory team includes the San Francisco Bay Area Rapid Transit District (BART).

Smart tags—which include Radio-Frequency Identification (RFID) tags—are already used to track items from library books to merchandise to cattle. Increasingly, they are replacing the magnetic stripe cards used in security badges and mass transit cards, sometimes also serving as electronic cash. The tags will soon be incorporated into documents such as passports; their use is being explored for tracking medical records and prison inmates.

But the tags, which also include contactless smart cards and low-resource sensors, are a technology that has crept in from the edge of the Internet, and they present new challenges in terms of security and privacy issues, says Fu. When any system grows ad hoc without a lot of built-in security features, it's vulnerable to attack.

RFID tags, for instance, only need to be held within a certain distance of a "reader" antenna to be read. The tags contain a digital memory chip that has a unique code, much like a bar code. When the tag passes through the electromagnetic zone of a reader antenna, the antenna activates the RFID tag and reads the encoded data, which is then decoded and passed to a host computer. The convenience of not having to physically swipe a card also means that someone with the right equipment and know-how can "read"—and steal—information from a tag that's in the back pocket of someone standing in line.

The unique environment presented by smart tags—they can operate without human intervention and without a physically connected power source—presents unique security concerns, says Fu. Smart tags automatically respond to the device that reads them, so human users don't have the traditional means of giving or denying consent to the reader. This infrastructure of untrusted readers and tags requires an approach that preserves privacy while maintaining the flexibility and convenience that the tags offer.

The new consortium, dubbed the RFID ConsortiUm for Security and Privacy (RFID-CUSP), takes these operating conditions into account and is designing new cryptographic definitions, algorithms and models that will lay the solid foundation on which secure applications can be built. As part of their project, the researchers are working with the San Francisco Bay Area Rapid Transit District (BART). The project will result in the first completely open, publicly available software for experimenting with RFID security and privacy.

"The research that will come out of RFID-CUSP will be critical to our program's success and will benefit public transportation and its passengers," says William Wong, BART's principal engineer on the smart card program. "It will reduce fare evasion and improve security in the BART system."

While most of the current use for such tags is in isolated independent areas, such as a library desk or transit kiosk, these systems will increasingly become consolidated into a single shared tag, dubbed by some "the fingerprints of the Internet." This means that making it harder to duplicate a tag is paramount, says Fu. "We are addressing security at a holistic level," he says. "This includes looking at strengthening security at the lowest layer—the hardware—and at the levels of protocols and applications."

The devices are inexpensive, lightweight and very useful, says Fu. "Our approach is twofold. We seek to make sure that the privacy of the device bearer isn't compromised. At the same time, we must prevent fraud and abuse of RFID-based systems."

For more information see http://www.rfid-cusp.org