RFID Security and Privacy: Long-term Research or Short-term Tinkering

Mike Burmester [slides]

Florida State University, USA

Ari Juels [slides]

RSA Laboratories, USA

Alfred Kobsa [slides]

Univ. of California, Irvine, USA

David Molnar [slides]

Univ. of California, Berkeley, USA

Roberto Di Pietro [slides]

Università di Roma Tre, Italy

Melanie Rieback [slides]

Vrije Universiteit, Netherlands

RFID technology has raised a number of both real and imagined security and privacy fears and concerns. Since roughly 2001, a number of researchers have stepped up to the plate and proposed techniques for strengthening RFID security and privacy, while others have focused on attacking (and demonstrating weaknesses in) currently deployed RFID systems. Despite a few PhD theses devoted to this topic, it remains to be seen whether there are any new long-term fundamental issues involved in RFID security & privacy. Therefore, this panel's goal is to present and debate the panelists' diverse perspectives on the future (or lack thereof) of RFID security and privacy research.

One line of thought is that this topic is a mere fad. After all, RFID tags are computational amoebas, akin to dumb sensors that sense nothing. RFID tags do not network and do not collect anything; hence, the only interaction worth considering is between a tag and a reader. Is there anything challenging remaining beyond the set of cryptographically contortionist protocols and techniques already proposed in the literature?

An opposing point of view is that RFID technology has opened up a new and exciting avenue for research which is here to stay. Although some basic protocols have been designed, there are several important outstanding issues, including (but not limited to) the following. One purely technical issue that remains unaddressed is how to handle revocation of rogue readers. Inherent lack of on-board clocks makes revocation checking very difficult. There is also the problem of secure pairing of personal RFID tags (e.g., in passports and transponders) with other ubiquitous devices, e.g., cell-phones, laptops or PDAs. Another is the design of inexpensive and robust privacy "shields" for protecting RFID tags – carried by a potentially unwitting user – from leaking information. Yet another important unexplored issue is user perception and, more generality, usability aspects of RFID tags. This is surprising since, unlike sensors/WSNs or MANETs, RFID tags are expected to be close and relevant to the average user/consumer.

This international panel is composed of academic and industrial experts in cryptography, security/ privacy and usability, each with an impressive track record of research results in the respective aspects of RFID technology.