AMHERST, MASS.– The U.S. may boast the world’s largest economy, richest technology companies and a lion’s share of its top research universities. But when it comes to the subject of security of RFID (Radio Frequency ID) and other contactless technologies, America is still playing catch-up.
The U.S.’s failure to embrace smart card technology in the last decade, comparatively lax privacy laws and competition for scarce research dollars mean that the home of some of the world’s largest RFID deployments (Wal Mart, anyone?) is an also-ran in the fast-evolving field of RFID security research, say experts attending RFIDSec 11, a workshop on security issues relating to RFID and related technologies which is taking place on the campus of the University of Massachusetts, Amherst this week.
The RFID security gap was painfully evident this week at the conference, a highly regarded annual gathering that is in its 7th year. This is the first year that RFIDSec has been held in the U.S., and research from universities in Western Europe still dominate the program. Just one of twelve technical presentations at RFIDSec stem from work conducted at a U.S. university – Iowa State – with one additional paper a joint product of students at the University of Massachusetts (UMass) and a university in Italy. In the meantime, researchers
from the Netherlands, Germany, Austria make frequent visits to the
Conference attendees range from graduate students to industry representatives to star academics such as keynote presenter Adi Shamir, a Turing Prize winner for his contributions to the RSA algorithm.
The assembled represent an advance guard in a discipline that is certain to be in high demand in the years ahead, as companies implementing mobile transaction systems look for technical expertise to make those systems secure, said Kevin Fu, the conference chairman and an associate professor in the Department of Computer Science at the University of Massachusetts.
“When industry needs 100 smart people who are experts in (RFID security), these are the people they’ll call,” he said.
Security concerns about RFID and other contactless technologies aren’t new – in the U.S. or elsewhere. But Fu said that countries like The Netherlands, where RFIDSec was first launched, and Germany have a big jump on the U.S. in the field. That owes, in large part, to the scarcity of smart card use domestically. Most U.S. consumers still rely on magnetic stripe technology on credit- and debit cards, while most countries in Europe switched off the insecure magstripe technology more than a decade ago.
Strong privacy and data protection regulations in the EU also have created a fertile environment for researchers to test the limits and vulnerabilities of smart cards, while countries like Austria have already started experimenting with contactless technologies like NFC (Near Field Communications) in public places, Fu said.
Not so in the U.S. And, while companies like Google are beginning to toy with mobile payments, the infrastructure of readers to enable such mobile transactions is largely absent in the marketplace, with the exception of test markets like New York City and San Francisco.
That may not be a bad thing – given the security concerns.
At a workshop session, students, faculty and private sector participants demonstrated a range of attacks on RFID tags, such as a method for monitoring the electrical consumption of RFID tags in order to derive the value of the secret key used to do trusted transactions.
Many of the attacks are still workable only in the lab. But Fu said that theoretical attacks on insecure RFID and NFC implementations could soon become practical.
“These are risks that will become threats,” he said.
For those interested and able to have their way with RFID enabled phones, credit cards, passports and other devices, the good news is that jobs abound as well. Firms like Cryptography Research, mobile device security firm Mocana posted job offerings at the show. The University of Massachusetts has open positions for research scientists to work in its Security and Privacy Research Lab.
Adam Woodbury, a conference attendee who works for the MITRE Corporation, said his organization – which is federally funded – is prohibited from hiring non U.S. citizens, but has been challenged to find qualified applicants with backgrounds in fields like electrical engineering and knowledge about testing the security of RFID and other newer technologies.
The good news is that help may be on the way. Samuel Weber, Program Director for the National Science Foundation’s Trustworthy Computing Program, said he will use a talk at the RFIDSec conference to tell qualified researchers there how to make the best of federal funding for their research through NSF. The organization sponsors about 600 researchers in the U.S., including Fu at UMASS. Weber said that NSF is seeing and funding more research into areas like RFID, both through its Trustworthy Computing Program and through a similar program that is focused on cyberphysical security. The agency made money available, for example, for students to travel to- and attend the RFIDSec Conference from different parts of the U.S.
Still, Weber said that funding is limited and the agency needs to be particular about what kinds of research and events it will throw its weight behind.
“We have to pick and choose which workshops we fund and how. We have a limited budget, so we try to focus on areas where there’s a need for better support,” he said.