RFID Explained

SecurityFocus has a nice column summarizing the last year's worth of stories about RFID. Of course, you, diligent Slashdot reader, have read about many of these already. But for your slacker friends that need an RFID education in one easy-to-digest article, here you go.

Interesting technology

[Meat+Blaster]

I guess I don't see why we aren't using it already. This could drop inventory costs to a quarter of what they were before -- no more all-nighters trying to discover what's in stock and what isn't.

Isn't Wal-Mart adopting it?

Re:Interesting technology

[Carbonite]

This could drop inventory costs to a quarter of what they were before -- no more all-nighters trying to discover what's in stock and what isn't.

I'm betting that manual inventories would still be required periodically. It might only happen once a year instead of every quarter, but there would still have to be some proof for the accountants. This would be especially true in the first few years of the system, when the bugs are still being worked out.

Re:Interesting technology

[aggieben]

This is just completely irrational: Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity.

Umm...not unless you buy with cash

Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very property.
There's a simple solution: the tags will be removed from the products you buy at the store, much like current devices are. First, the store has incentive to re-use the tags. Yes, they may be cheap and get cheaper, but if they're reusable then most companies are going to want to reuse them. Secondly, if you had been reading anything else in the thread or simply been using your head, you would realize that even if the tags were to stay on the products, they couldn't be scanned from anywhere. The scanning range is only a few feet. Also, who's to say that there will be any connection between the id stored in the tag and your name? Companies would have no reason to keep track, and they're the only ones who could get that information. Also, for most products (e.g., non-electronic) destroying the tag would be somewhat trivial (put your Gap jeans in the microwave for a while, then see if they can invade your few feet of personal space).

Instead of spreading FUD, try promoting proper use and regulation of a new technology that could be very beneficial in a lot of areas.

Re:Interesting technology

[b29651]

Personally i have found that companies hire others to snoop in other stores to see what advantage a competitor has so yes i can picture them standing outside a competitors store analyzing the shoppers bags as they exit.My answer and response to this is to encourage all of my older friends to stand in line and insist on the removal of the tags before leaving the store cause older people seem to appreciate privacy and technology isnt as important to them.Can you imagine the employees having to explain these aren't bad to 80 year old ladies that think a robber can see what they have bought and is going to try to steal from them.

Re:Interesting technology

[MatthewB79]

While the arguments against abuse of the technology are obvious, the benefits to the consumer are not so obvious.

Have you ever gone to BestBuy and purchased a new piece of software, opened it at home and realized that you just bought a box with a manual and nothing else? Good luck explaining to the manager that someone must have opened the box and taken the jewel case before you purchased it. With RFID you would be protected from this situation by checking the contents of the box automatically at the register.
How about turning your car in for an oil change at the local Park-'n'-Lube, getting home and (without opening the hood of your car) using your ACME USB RFID scanner to verify that the oil filter was actually changed and the mechanic didn't just put the old one back on.

The usefullness of this technology is too great to just ban it outright.

Mark of the beast?

[cleancut]

Yes...this always comes up anytime some story regarding chips underneath skin. But it doesn't sound too difficult to slip a RFID tag underneath a hand or forehead.

Sounds an awful lot like this.

Simple Answer

[rabtech]

I think Congress should mandate that any product which contains an RFID tag must be clearly labelled as such, and the store must provide you the option of disabling the tag before leaving the store (perhaps a certain device you walk through or something?)

Products that have RFID tags only in the packaging could be exempt, since those tags don't stick with the product.

Re:Concerns

[Grax]

If you microwave your money and blow out the rfid tags will it still be legal tender?

Security paranoid?

[noitalever]

ok, so in the first part of this article the guy says

"When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer."

Later he throws in this little paranoia bit about "Do you really want your car's tires broadcasting your every move?" What's that about? He knows they don't "broadcast" and that you'd have to be within several feet to monitor. You already have a frickin license plate on your car, so who cares? The good side of that is that you could prove that your tires were now living on someone else's car when they were stolen...

And in that line of thinking, how long will it take for commercial "scanners" to come around, so you can locate the chip and neutralize it? It just seems that people are freaking out about security when in reality, people can already track everywhere you go anyway. How many people out there use cash exclusively? No one I know. I can't WAIT for the day when I just walk out the door with a cart full of stuff and it's automatically taken out of my checking account. that would well be worth someone being able to count how many hammers I buy in a month.

Re:Security paranoid?

[Scrameustache]

Later he throws in this little paranoia bit about "Do you really want your car's tires broadcasting your every move?" What's that about? He knows they don't "broadcast" and that you'd have to be within several feet to monitor. You already have a frickin license plate on your car, so who cares?

Trancievers in every street light...
London would be the first city to implement it.

how long will it take for commercial "scanners" to come around, so you can locate the chip and neutralize it?

How long will it take for DMCA-like laws that make that practice illegal?

I can't WAIT for the day when I just walk out the door with a cart full of stuff and it's automatically taken out of my checking account. that would well be worth someone being able to count how many hammers I buy in a month.

Yes, and I can't wait for organised crime to automatically skim a lil' bit off the top of all our checking accounts as we walk past 'em.
Not much, just a few bucks per person, walk around in a crowd and you'd make a few thousand dollars in minutes...

Re:RFID explained

[realdpk]

You missed something. They are not exactly like bar code tags. Here you go:

They are like bar code tags, except that they are scanned by electromagnetic sensors through your clothing/belongings possibly without you knowing, and carry enough bit-depth to uniquely identify your specific item (serial number), rather than visible lasers at checkout counters, which can only identify the type of item it is, not exactly which specific item it is.

As you can see, it's a bit more complicated than you would have us believe.

Re:RFID explained

[bill_mcgonigle]

Boom! That's it. Yes, the paranoia is totally and completely stupid.

You're right - there's nothing to fear from RFID tags. What people have problems with are the evil deeds RFID tags could enable.

Again, people need not fear guns, they should fear homicidal maniacs. But like guns, RFID tags take the wrap because they're the enabling technology.

Re:It's about time!

[rot26]

Lighten up. I can't shop at Walmart because I still have all of my teeth, but the cost savings alone (retail inventory every 6 months is expensive in a big store) will make the ROI appealking to managers everywhere.

I can feel the prices dropping now. I also can't wait until Walmart starts putting MY employers out of business, in addition tothe thousands of other small-scale employers that they've already nuked.

Re:RFID explained

They have many good potential uses (retail stores would never have to do inventory again, which, speaking from experience, is a nightmare.), but there is a GREAT chance of misuse. Unlike barcodes, RFID tags can be updated, and changed. A great example of this is the movie Minority Report, in which the stores know Tom Cruise's character by name, and know what he has purchased (and attempt to interest him in accesories.) What I see as the first, and immediate problem for consumers is returning products. Wal-Mart will know that they sold you a product and if you try to return the SAME product, only purchased from a different store (such as a gift that you are unsure where it came from), they could refuse to accept the return by stating it did not come from their store. Great for the Wal-Mart bottom line, bad for the consumer.

Privacy

[msheppard]

From the article:

your privacy is at stake.

Am I the only one sick of "privacy" being used as an argument? It reminds me of "won't someone think of the children." The Constitution/Declaration of Independance do not stipulate privacy.

I'm beginning to think that privacy is costing us too much. If we had access to a plethora of medical information, perhaps we could do some data mining and identify some patterns that would benifit us more than we can imagine.

I'm trying to remember WHY I want all this privacy, why it's so impoartant my purchases be private, who is it I'm afraid of them knowing that I bought a copy of "swank" magazine. I guess if I was a politcian I wouldn't want people to know some things, but I'm just a pretty average citizen, I don't need someone else protecting my privacy.

Maybe an employer would do a backround check and find something - but if they won't hire me becuase of some obscure piece of information, maybe I don't want to work there. Perhaps I'm the kind of person who doesn't really have something like that to hide... it seems the only people concerned about privacy are trying to hide something. Now I'm beginning to ramble...

M@

Re:Privacy

[darthtuttle]

What happens when someone gets a list of everyone who's had an abortion and posts it somewhere so that others can go and shoot them all, or (this is less of an issue now, but would have been) a list of people taking AZT, so the gay bashers can go beat them up.

The ability to access and share information to help the world would be great, it if wasn't for selfish people who will use that information to their own advantage and the disadvantage of the people who the information is about.

Or how about the government monitoring everyone who reads 'Leaving the 21st Century' (not the book about music), 'The Anarchists Cookbook', '2600' or any number of other books.

Here's the thing about privacy, it's yours to give up. You are or will be a responsible adult who can make desicions about how your personal information is distributed and used. You can publish all the facts if you like.

You do need someone to protect your privacy, because you can't get it back once the cat is out of the bag, therefore you need to make the responsible choice about it's use. You can't do that if it's not protected, the desicion is made for you.

What happens when someone who takes Catherine McKinnon's thinking a little to far and decides to shoot people who look at porn (I don't think Catherine would ever do or suguest that).

We all have things to hide. Sure, we would all like to work somewhere were we are wanted for what we can do and not who we are, but the reality of the situation is some of us need to have jobs and we can't pick and choose. In Florida your employer could fire you for the fact that you look at porn in the privacy of your own home. Some companies have fired everyone in the company who was gay or lesbian. Even with protected status clauses often times you get fired for one reason, but they wanted you gone for another. Privacy protects that.

People say your information wants to be free, but I'm still waiting for them to free their credit card numbers and enough bank details to give me access to them.

Re:Privacy

[pmz]

If we had access to a plethora of medical information, perhaps we could do some data mining and identify some patterns that would benifit us more than we can imagine.

Access to aggregate information can accomplish nearly the same thing without identifying individual people in the process.

I'm trying to remember WHY I want all this privacy...

Okay, citing recent news, what if you were an "evil" sodomizer in Texas, who happened to get "evil sodomizer" stamped on his permanent criminal record, potentially harming him for life in the midst of a bigoted and unfair society?

Everyone has different reasons for desiring privacy. Most of those reasons are very subjective in light of religion, culture, and politics. Is there any logical reason why sodomy should be illegal? Absolutely not. What about if you are a Southern Baptist? Or a member of the KKK? What if a person with access to a national database finds you immoral, based on their own bias, and injects incriminating data into your profile? What if you are among the millions of people whose lifestyle doesn't match assumptions built into an arbitrary database schema?

Databases, by themselves, are benign. Databases in the context of human administration and consumption are terribly dangerous.

I guess if I was a politcian I wouldn't want people to know some things, but I'm just a pretty average citizen, I don't need someone else protecting my privacy.

This really answers your own question. There should be no barriers for average citizens to become politicians, if they choose. Representation by the people for the people, or something like that. Simply, privacy is necessary for democracy.

Re:Privacy

Whoa there... Though the Constitution does not specify a "right to privacy", the supreme court has determined that from various amendments, a right to privacy is inferred. Specifically the third, fourth, and fifth amendments. By the supreme court saying this, if I recall, from some right to privacy in buying contraceptives case, it makes it law. (That is part of their job and all, interpreting the law)

Anyway, though you don't seem to care about privacy because you aren't "trying to hide something", your apathy is a dangerous way of thinking.

Bit by bit, as parts of our privacy disappear we slowly also lose bits of freedom. It doesn't have to apply to illegal things people try to hide, but everyday things. Say you're a convicted felon, have done jail time, but are trying to turn over a new leaf. You've already lost your ability to move to a new town and start new; almost all companies do background checks. Companies are not supposed to discriminate based on records, but tell me: two equal candidates are applying for a job, one has auto-theft on his record, who gets hired? Granted, that freedom was given up for safety concerns, as are most, but our freedoms have been reduced by such.

Lets take things to a hypothetical future. What if RFIDs are used to an extreme? When you walk into a store, sales people can check and see who you are, cross referencing your clothing RFID's with a sales database and know everything you buy. Whats so bad about that? Well say you're looking for a job and apply at that store. Of course its illegal to discriminate based on anything but ability to do a job, but all-of-a-sudden that company knows some details of your private life. What if your purchases imply you're gay? Extreme right or left wing? Super-religious, or not? They can now do some very selective discrimination with out even giving you an interview. I know, I know, companies can discriminate with or without RFID's, but I think the question should be, why should they have a right to this sort of stuff without your permission?

It gets very dangerous giving up privacies and freedoms carelessly. A lot of freedoms are gone with good reason (no stealing, speeding, etc.). Some, I don't believe are necessary (courts allowing RIAA to demand data from an ISP without a subpoena). Once given up, its far harder to recover rights if you've made a mistake.

Re:Privacy

I had a good juicy flame to let loose with, but I think I'll shelve it and just share my anecdote, and why I feel there are good reasons to have "something to hide":

One of my parents died of a rare disease that is hereditary. I won't get into the gory details but, long story short, it is always fatal. The gene for it is dominant, so a person only needs to receive it from one parent for it to manifest itself. So I have a 50/50 chance of developing it later in life. Until recently, there was no way to know if a person is positive for it unless/until they start showing symptoms. But now DNA testing can give a positive/negative result with a simple blood draw.

I'm kinda chicken to take that test. I'm concerned that if I come up positive, and that fact gets leaked into the health insurance system, I could have a pretty difficult time ever getting affordable health insurance again. Affordable meaning "within one's means to pay".

You could argue that I'm not being open and honest, but personally I feel I have a valid reason to keep a secret. It's not my fault who my parents were. I don't trust my insurance company. It was assigned to me by my employer. It's not like I can go choose another one. I'd bet that, on a whim, my family history could be used against me if it were public. But unfortunately I have to rely on insurance for my health. And if you haven't got your health, then you haven't got anything.

Anonymous Coward

Re:Ironic

[brlewis]

Um, how exactly did bar codes change Big Brother's powers dramatically? Only for bar codes was 1984 a significant year, not for RFIDs.

Jamming?

[Pendersempai]

I'm no expert on RFID tags, but it seems that the signal they emit must be fairly faint if it is only a modified echo of the transmitted query. For passive tags, this means their emission can be no stronger (and in reality must be far weaker) than the strength of the query signal when it reached the tag. Transmitted through three dimensions, my college physics course tells me that these signals drop off proportionally to the inverse square of their distance -- and for RFID, whose query signal must be bounced back without additional power, the distance would have to be double that from interrogator to tag. And then we'd have to factor in the unavoidable inefficiency in the tag itself.

So the signal is going to be faint. Why can't we carry around a jammer? It wouldn't have to be very complicated to function quite elegantly -- it could passively monitor RFID query broadcasts and automatically reply with misleading noise. Since it can measure the signal strength of the query, it could use its own power source to magnify its response by, say, 20%. It seems that should be enough to drown the response from any tag in one's clothing, driver's license, or other effects. A switch could allow the user to disable it when he wants RFID signals to get through -- to have the cashier ring up his purchase, for example.

I can't imagine that the power requirement for extended usage would be that steep -- active (powered) RFID tags theoretically function for 10 years or longer. The circuitry, too, seems like it would be fairly trivial. I'd guess that they wouldn't be significantly more costly to produce than regular AA battery cases. Maybe they could even function for years on the juice of a button battery, and fit the form factor of a credit card.

So why doesn't CASPIAN or anyone else against RFID privacy violations mass-produce these things and sell them online for a couple bucks? I'd grab one just for the coolness factor, and I'm sure lots of privacy advocates would use them too. It'd certainly protect the privacy of anyone using one, and by making the collected data less reliable, even those without would indirectly benefit.

It wouldn't interfere with non-retail uses of RFID tags, since there is a specific spectrum range reserved for retail use -- something like 1.25-8.64mHz. And by introducing a degree of randomness into marketers' data, general trends (governed by the Central Limit Theorem) could still be deduced, whereas individual data points would be significantly less reliable. Hence, the data would be quite useful for tailoring goods to what most people want (a good thing) without allowing individual-level violation of privacy.

Re:Concerns - answered in follow up to article

[mrex]

As a real security professional (i.e. one that does not go around screaming that the sky is falling) and as someone who has worked with RFID for the military and for civilian uses (mainly Post Offices) for over six years, I find your article makes a number of glaring omissions that would allow any sensible human being to make a rational judgement about this technology.

You are a black pot, and to top it all off the kettle is orange.

Omissions: 1) Range verses size. Very basic issue. The smaller it is, the closer you have to be to it to pick up the signal. For a small passive tag we are talking inches (3-4 feet max). In order to track something from 200 yards (maximum range currently in use), you need an active tag (i.e. with a battery) and it has to be the size of a beer mat. I think you would notice it in your jeans. The signal generator in this case is also a non-trivial device. It is the size on a lamp-post and weights in excuss of 30Kg. Hardly PDA attachment material.

If your experience is as you claim it, I can only conclude that you are intentionally lying. There is no inherent, physics based limitation of "a few feet" to how far these tags can be read: to read the tags from further away, all one needs is a better receiver. Your statement assumes that a newer, better receiver will never be invented or brought to market. Doesn't the NSA do quite a bit of work already on picking up radio signals at a distance?!?

2)Storage area on the device is tiny. For the small passive devices you are referring to the storage area is less than 1Kilobyte. Not much space for your medical records here.

A KILOBYTE? Tell me, chum, how long is an IP address? A MAC Address? An IPv6 address? A 1 Kilobyte serial number is pretty damn big.

3)The logic associated with the tyre scenario. The association of the vehicle number and the tyre would not be stored on the tag. There is no space, and Read/Write tags are much more expensive (and larger). Easy to overwrite also. So for your big brother is watching scenario, you would need to replace every lamp-post on every highway with a signal generator, have assess to the database that cross-references your vehicle ID with the tag ids, and be able to monitor all of the signal generators in real-time to see what was happening.

OK...so...what's the problem? You don't think Big Brother has mastered the fine art of the database? Or a simple message passing network? It's not even as expensive as all that, as you wouldn't really need one for each lamp post, just one for each 'path'. One at the freeway entrance, one at each exit and the same for residential blocks - one at each end. Maybe, on freeways, a few here and there at mile markers and such.

It really seems intentional that you're overlooking the obvious -- that's not a typical trait of a "security professional".

Re:disabling RFIDs with mini-EMP?

Though I don't have a degree in physics, an EMP should only work on devices that are running current through their circuits. So, if an RFID tag has it's own power supply or doesn't have one (somehow, i'm still not too clear on that part), all you have to do is poll the RFID and then do the EMP pulse while the RFID is responding. This assumed that the device that the RFID is implanted in is completely void of power (ie, batteries out, all capacitors are discharged, etc). Didn't you learn anyhing while watching The Matrix :-)

Re:Active v Passive...

[Vaughn+Anderson]

ok, great. What's to say the cost of production on a more advanced RFID won't happen in one year?

No matter what evidence is shown at this point in time to prove how limited these things are, does _not_ prove anything for RFID tags on the market for next year. Physics or not, someone will find a new material for the antanae, make cheap batteries, make a more accurate reciever, dramatically cut the price of production, etc... and then all the arguments for June 27th, 2003 are completely irrelevant.

A good example is cell-phones, tell me that a cellphone small enough to fit into a pair of sunglasses will never happen. Then tell me that passive RFID tags will never be able to communicate farther than 10 feet...

It's funny, the scientists with the most knowledge tend to be the most skeptical about what is possible...