RFID Explained

SecurityFocus has a nice column summarizing the last year's worth of stories about RFID. Of course, you, diligent Slashdot reader, have read about many of these already. But for your slacker friends that need an RFID education in one easy-to-digest article, here you go.

There's a war going on,

and the only way to defend ourselves is with an electromagnetic pulse, our only defense against sentinel tags.

Interesting technology

[Meat+Blaster]

I guess I don't see why we aren't using it already. This could drop inventory costs to a quarter of what they were before -- no more all-nighters trying to discover what's in stock and what isn't.

Isn't Wal-Mart adopting it?

Re:Interesting technology

[MatthewB79]

I'm not trying to discount the dangers of abuse of RFID. Anyone who values privacy and security should be aware of the potential dangers. If some guy on the bus decides he going to snatch my CD player, it's not as if having an RFID tag in it was going to be a huge factor in tempting him.

somebody could come upto your home, maybe scan your burglar alarm to find out what type it is and check up on the 'net to see if it can be easily disabled? Somebody could scan through your window (or wall?) and see what type of computer, tv, vcr, dvd player you have? see what type of clothes you have in your cupboards? what dvds/cds in your collections?

This is interesting to me because I thought about this myself. The sticker on my window tells a burglar exactly what security system I use and who administers it.
Additionally, it has been said many times that the range of the RFID transmitter unit is not more than 3-5 feet. It's not like the drug-addict burglars are going to be picky and choosy over what model and brand name DVD player I have. "Oh wow, my RFID scan-o-matic says this guys got a brand new Mac G5, we better stop here and pick this thing up before we head to the next place!" Why can't my home security system be programmed with the contents of my living room and automatically set off an alarm if any of those tags leave the premises? We might see a shift in the way we look at home security. Instead of just trying to keep people out, there can be ways of keep our valuables in.

Re:Interesting technology

[Cpt_Kirks]

How? It's a short-range technology.

More POWER:

"Attention Wal-Mart Employees and Customers, we are now going to perform the hourly RF inventory. You have 30 seconds to put on your aluminum foil hats..."

diligent readers

But for your slacker friends that need an RFID education in one easy-to-digest article, here you go.

Oh, you mean the slacker friend who didn't spend his Friday afternoons reading frivilous websites, who managed to get that promotion instead of me. I'll forward him the link.

Shielding RFID against security

[nhaze]

Anyone who has used an RFID-based security pass card knows that they are easily shielded. Placing your RFID-secured product in an discreetly shielded bag would render the product nonexistant from RFID-probing security. I hope store that use it to augment theft security don't get lazy and think its unbeatable.

Re:Shielding RFID against security

[MosesJones]

True.. but if using smart shelves the store will know that the item has been removed from the shelf and now is no-longer in range of a scanner... this should cause an alert as that is not normal behaviour.

Most theft is internal so identifying patterns of behaviour could be an effective way of decreasing theft.

The RF elements are the hardest part of this as the power levels are so low, in the US its 4 watts max for the READER, and in Europe its .5 watts. When you consider that the passive tags use the power that the reader puts out you can imagine how sensitive to interference these things are.

Death of barcodes

[Rosco+P.+Coltrane]

The same thing is happening today. I'm here to tell you that the bar code's days are numbered.

When DigitalConvergence 's CEO and entrepreneur extraordinaire J. Jovan Philyaw hears about this, he'll start making free RFID scanners (CueDogs?) before you know it.

Big Brother? not necessarily.

[griffjon]

Everyone freaks out about RFIDs, but I remain in the camp that these could be really cool, as long as consumers (ok, geeks) figure out how to control them (by burning them out or just finding the darned things and removing them from unwanted places, like the back of a Yugo [1])

Ever lose your cell phone and have someone call it so you could find it? Imagin being able to do that with any random item? superglue a RFID onto it, and walk around with a semi-portable RFID scanner. OK, not as great due to the limited range of the things, but you could pretty easily determine if the keys were under the couch or not.

Now, the sucky thing will be if (when) manufacturers build RFIDs into places that you can't get to without destroying the item or voiding the warranty.

So, we need an opt-out method for RFIDs, which may be as simple as a way to find the lil' bastards and plier them flat, but beyond the scare, there's promise:

telnet homenetwork : fridgeport
Brr! it's cold in here [45F]! Can I have your username?
> JoeBachelor
And your password?
> gotb33r?
Welcome to your Refridgerator/Freezer system!
>cd fridge
>ls
Directory of /fridge:

Beer/
Beer/Shiner Bock (1)
Beer/MGD (5)

Condiments/
Condiments/ketchup package (13)
Condiments/mustard package (2.5)
Condiments/SoySauce package (1)
Condiments/Unidentifiable (5)
Condiments/mayonnaise (1) (warning: use-by-date 5 months expired!)

Vegetables/

Soda/
Coke (.5)
Mountain Dew (4)
non-caffeinated/
ActualFood/
lunchmeat_ham (1) (warning: use-by-date 1 week expired!)
cheese_cheddar (2) (warning: use-by-date is tommorow!)
End of directory. No healthy food available.
>man healthy
Sorry, you need to install the Mother or Health-Conscious-Girlfriend modules for these extensions
>make food
Unable to make food. Stop.
>exit.
Goodbye.

see?!!!!! see! this is my vision!

unrelated, I'm worried about /.s email garble today : Email
GriffJon@[ ]mail.com ['Hot' in gap]
hot in gap? what does that imply?

[1] That's a "Mall Rats" reference, for the rest of you.

Security paranoid?

[noitalever]

ok, so in the first part of this article the guy says

"When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer."

Later he throws in this little paranoia bit about "Do you really want your car's tires broadcasting your every move?" What's that about? He knows they don't "broadcast" and that you'd have to be within several feet to monitor. You already have a frickin license plate on your car, so who cares? The good side of that is that you could prove that your tires were now living on someone else's car when they were stolen...

And in that line of thinking, how long will it take for commercial "scanners" to come around, so you can locate the chip and neutralize it? It just seems that people are freaking out about security when in reality, people can already track everywhere you go anyway. How many people out there use cash exclusively? No one I know. I can't WAIT for the day when I just walk out the door with a cart full of stuff and it's automatically taken out of my checking account. that would well be worth someone being able to count how many hammers I buy in a month.

Re:Security paranoid?

[Scrameustache]

Later he throws in this little paranoia bit about "Do you really want your car's tires broadcasting your every move?" What's that about? He knows they don't "broadcast" and that you'd have to be within several feet to monitor. You already have a frickin license plate on your car, so who cares?

Trancievers in every street light...
London would be the first city to implement it.

how long will it take for commercial "scanners" to come around, so you can locate the chip and neutralize it?

How long will it take for DMCA-like laws that make that practice illegal?

I can't WAIT for the day when I just walk out the door with a cart full of stuff and it's automatically taken out of my checking account. that would well be worth someone being able to count how many hammers I buy in a month.

Yes, and I can't wait for organised crime to automatically skim a lil' bit off the top of all our checking accounts as we walk past 'em.
Not much, just a few bucks per person, walk around in a crowd and you'd make a few thousand dollars in minutes...

Re:RFID explained

[realdpk]

You missed something. They are not exactly like bar code tags. Here you go:

They are like bar code tags, except that they are scanned by electromagnetic sensors through your clothing/belongings possibly without you knowing, and carry enough bit-depth to uniquely identify your specific item (serial number), rather than visible lasers at checkout counters, which can only identify the type of item it is, not exactly which specific item it is.

As you can see, it's a bit more complicated than you would have us believe.

Am I expected to place my ..

[burgburgburg]

shoes, pants, tires, body in shields whenever I leave my house? After the doctors spent all that time convincing me to take off the tin foil suit, you're telling me to put it back on?

learning by RF-ID in Linux...

[MosesJones]

For anyone who is interested in looking more at this area and has a Linux box....

For more info and then Download it here

If you want to build an RF-ID lab you need some cash to get tags and readers but this would help with the theory.

Re:Concerns - answered in follow up to article

[jimkski]

I think one of the responders (Stefan Sokolowski) to the article did a good job of shedding a little more light on some of these concerns:

As a real security professional (i.e. one that does not go around screaming that the sky is falling) and as someone who has worked with RFID for the military and for civilian uses (mainly Post Offices) for over six years, I find your article makes a number of glaring omissions that would allow any sensible human being to make a rational judgement about this technology.

Omissions:

1) Range verses size. Very basic issue. The smaller it is, the closer you have to be to it to pick up the signal. For a small passive tag we are talking inches (3-4 feet max). In order to track something from 200 yards (maximum range currently in use), you need an active tag (i.e. with a battery) and it has to be the size of a beer mat. I think you would notice it in your jeans. The signal generator in this case is also a non-trivial device. It is the size on a lamp-post and weights in excuss of 30Kg. Hardly PDA attachment material.

2)Storage area on the device is tiny. For the small passive devices you are referring to the storage area is less than 1Kilobyte. Not much space for your medical records here.

3)The logic associated with the tyre scenario. The association of the vehicle number and the tyre would not be stored on the tag. There is no space, and Read/Write tags are much more expensive (and larger). Easy to overwrite also. So for your big brother is watching scenario, you would need to replace every lamp-post on every highway with a signal generator, have assess to the database that cross-references your vehicle ID with the tag ids, and be able to monitor all of the signal generators in real-time to see what was happening.

And all this just to find out where you are. Are you really that important? I think ringing your mobile would be easier.

There is also a problem with reading many tags at once. The current limit is around 200 tags per second for the best sensor. The tag will respond and continue to respond at regular intervals (sub-second usually but dependant on set-up). Because they are all talking at once on the same frequency, the sensor cannot distinguish and ignore tags in real-time. It may recieve many responses from the same tag, and there is no way to tell the tag to shut up. So imagine the situation across a busy highway.

So then what IS the point?

[mekkab]

Okay, pretend I just robbed a bank (or people robbed a bank who were associated with the RFIDs on the car I was driving), THEN went driving in the country side, THEN broke down.
(your faith in cellphones is disturbing! Or maybe you get better service than I do. ;)

So Johnny law is hot to get their hands on me, but RFIDs don't do them any good.

What they CAN do is build up over a long perioud of time a limited account of where I go- if my car passes through a Toll Booth, that is. However if I travel the backroads, the would have to trace my credit card purchases. But what if I use cash? They have RFIDs in the bills. But HOW fine grain can they trace that cash? Some random guy cashes his friday paycheck, then gives a waitress a $5 tip (Cheap bastid!), which she then uses to get into a punk rock show, which is then used to pay back a local heavy for a loan, which is then given to the Church collection plate, which is then used to pay me back for the supplies I got for the church picnic (assuming they'd even want to be associated with me)... So I've got this bill that can't really be traced to me, per se.

From the RFID "trace" that's left, there was some money cashed on a friday, spent next week three states away, and the guy who cashed it never left.

SO my conjecture is that Credit Cards and ATM withdrawls are a far more effective means of tracking someone's habits. I understand my example doesn't mean using RFIDs won't be effective, but I think the privacy concerns are a little out of proportion. I welcome any better examples.

Re:Privacy

[darthtuttle]

What happens when someone gets a list of everyone who's had an abortion and posts it somewhere so that others can go and shoot them all, or (this is less of an issue now, but would have been) a list of people taking AZT, so the gay bashers can go beat them up.

The ability to access and share information to help the world would be great, it if wasn't for selfish people who will use that information to their own advantage and the disadvantage of the people who the information is about.

Or how about the government monitoring everyone who reads 'Leaving the 21st Century' (not the book about music), 'The Anarchists Cookbook', '2600' or any number of other books.

Here's the thing about privacy, it's yours to give up. You are or will be a responsible adult who can make desicions about how your personal information is distributed and used. You can publish all the facts if you like.

You do need someone to protect your privacy, because you can't get it back once the cat is out of the bag, therefore you need to make the responsible choice about it's use. You can't do that if it's not protected, the desicion is made for you.

What happens when someone who takes Catherine McKinnon's thinking a little to far and decides to shoot people who look at porn (I don't think Catherine would ever do or suguest that).

We all have things to hide. Sure, we would all like to work somewhere were we are wanted for what we can do and not who we are, but the reality of the situation is some of us need to have jobs and we can't pick and choose. In Florida your employer could fire you for the fact that you look at porn in the privacy of your own home. Some companies have fired everyone in the company who was gay or lesbian. Even with protected status clauses often times you get fired for one reason, but they wanted you gone for another. Privacy protects that.

People say your information wants to be free, but I'm still waiting for them to free their credit card numbers and enough bank details to give me access to them.

Always look on the positive side...

[DailyGrind]

Think of it this way... you will be able to go to a bar with your trusty wrist watch RFID scanner, go up to a pretty girl and be able to tell that yes indeed she is wearing a thong, one of those frilly kinds, no bra, her purse contain three condoms, ribbed, and a lubricant plus she has a Palm with bluetooth.... I could go on but it is hard to type with one hand....

Jamming?

[Pendersempai]

I'm no expert on RFID tags, but it seems that the signal they emit must be fairly faint if it is only a modified echo of the transmitted query. For passive tags, this means their emission can be no stronger (and in reality must be far weaker) than the strength of the query signal when it reached the tag. Transmitted through three dimensions, my college physics course tells me that these signals drop off proportionally to the inverse square of their distance -- and for RFID, whose query signal must be bounced back without additional power, the distance would have to be double that from interrogator to tag. And then we'd have to factor in the unavoidable inefficiency in the tag itself.

So the signal is going to be faint. Why can't we carry around a jammer? It wouldn't have to be very complicated to function quite elegantly -- it could passively monitor RFID query broadcasts and automatically reply with misleading noise. Since it can measure the signal strength of the query, it could use its own power source to magnify its response by, say, 20%. It seems that should be enough to drown the response from any tag in one's clothing, driver's license, or other effects. A switch could allow the user to disable it when he wants RFID signals to get through -- to have the cashier ring up his purchase, for example.

I can't imagine that the power requirement for extended usage would be that steep -- active (powered) RFID tags theoretically function for 10 years or longer. The circuitry, too, seems like it would be fairly trivial. I'd guess that they wouldn't be significantly more costly to produce than regular AA battery cases. Maybe they could even function for years on the juice of a button battery, and fit the form factor of a credit card.

So why doesn't CASPIAN or anyone else against RFID privacy violations mass-produce these things and sell them online for a couple bucks? I'd grab one just for the coolness factor, and I'm sure lots of privacy advocates would use them too. It'd certainly protect the privacy of anyone using one, and by making the collected data less reliable, even those without would indirectly benefit.

It wouldn't interfere with non-retail uses of RFID tags, since there is a specific spectrum range reserved for retail use -- something like 1.25-8.64mHz. And by introducing a degree of randomness into marketers' data, general trends (governed by the Central Limit Theorem) could still be deduced, whereas individual data points would be significantly less reliable. Hence, the data would be quite useful for tailoring goods to what most people want (a good thing) without allowing individual-level violation of privacy.