Is RFID Secure Enough For Government Use?

I truly don't know the answer to this question, but am raising it because I'm concerned. The Department of Defense is already making heavy-duty use of RFID in many different contexts, and even broader use is planned as the technology is integrated with satellites and GPS to be able to track items around the globe in real-time.

Increased reliance on any technology, however, should bring with it an accompanying raft of questions about security, especially in the defense context. Some observers are, for instance, questioning what happens if RFID and other technologies used in our ports and in the battlefield should fall into the wrong hands.

A panel at the RFID World trade show last week explored other security and privacy issues. In one case, a panelist said, wireless technology in a retail store transferred customer data unencrypted from the cash registers to the back-office computer system, so thieves could sit in the nearby coffee shop with a laptop, pick up transmissions and write down credit card numbers.

Could you imagine the potential national-security ramifications of something like this? What would prevent enemy combatants or would-be terrorists from doing something similar from a van parked near the Port of Newark (NJ), say? Once they know what weapons we're shipping and where, they could do their best to disrupt those operations.

Another problem was recently raised by a cryptographer who says that the rush to get RFID tags down to five cents each has led to nonexistent security as manufacturers rush to cut costs. In fact, the researcher used a directional antenna and digital oscilloscope to monitor power use by RFID tags while they were being read. Patterns in power use could be analyzed to determine when the tag received correct and incorrect password bits, he said.

Meanwhile, RFID use in the military continues to rise. The Army's been using RFID for at least a decade. In 2001, approximately 85% of equipment and other supplies from the Defense Logistics Agency going to support our troops in Afghanistan's "Operation Enduring Freedom" were RFID-tagged. (This is according to a recent article in Army Logistician.)

Since March of 2005, according to "Defense Business Transformation," the Marines have been using RFID for all materiel bound for combat units.

Not to be outdone, the Air Force is using RFID to track expensive gyroscopes moving around its repair facility at the Robins Air Force Base.

More broadly, the Department of Defense is planning on using RFID to share information among 23 different countries. Also, some police departments are planning on using RFID-implanted badges, and pending legislation is pushing RFID as a means to curb drug counterfeiting.

This seems like an awful lot to be putting on a technology that, while it has a lot of benefit if used correctly, is still not in widespread use quite yet. (Outside of Wal-Mart, other large chains and their suppliers, of course.) I understand that security is only as good as the effort you put into it, and that's as true for RFID as it is for any other technology. But I wonder if we're jumping into something here before we completely understand its full ramifications.

What do you think? Weigh in below with your comments.