Slashdot Mirror

← Back to Stories (view on slashdot.org)

RFID Personal Firewall

Posted by samzenpus on from the just-for-you dept.

JanMark writes "Prof. Andrew Tanenbaum and his student Melanie Rieback (who published the RFID virus paper in March) and 3 coauthors have now published a paper on a personal RFID firewall called the RFID Guardian. This device protects its owner from hostile RFID tags and scans in his or her vicinity, while letting friendly ones through. Their work has won the Best Paper award at the USENIX LISA Conference."

58 comments

  1. Popups. by morgan_greywolf · · Score: 5, Funny

    Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups. "Would you like Macy's to be able to access your RFID tags? [Ok] [Cancel] [X] Always Allow"

    --
    My blog
    1. Re:Popups. by chroot_james · · Score: 4, Funny

      What about "would you like Macy's to have no idea you're stealing their stuff? [yes][no][always][never]"

      --
      Reality is nothing but a collective hunch.
    2. Re:Popups. by westlake · · Score: 1
      Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups.

      so what do the RFID tags tell Macy's that can't be extracted from a video scan?

      age, sex, style of dress, etc. since the beginning of time, salesmen have known what to look for in a prospect.

    3. Re:Popups. by plover · · Score: 0, Offtopic
      Actually, it's against the law in many places to carry a device designed to aid in shoplifting with the intent to use it to shoplift. The code here in Minnesota states:

      609.521 POSSESSION OF SHOPLIFTING GEAR.
      (a) As used in this section, an "electronic article surveillance system" means any electronic
      device or devices that are designed to detect the unauthorized removal of marked merchandise
      from a store.
      (b) Whoever has in possession any device, gear, or instrument designed to assist in
      shoplifting or defeating an electronic article surveillance system with intent to use the same to
      shoplift and thereby commit theft may be sentenced to imprisonment for not more than three
      years or to payment of a fine of not more than $5,000, or both.
      History: 1975 c 314 s 1; 1984 c 628 art 3 s 11; 1986 c 444; 1Sp2001 c 8 art 8 s 26
      This statute is used to charge people who carry aluminum-foil lined shopping bags to try to beat the detectors. It's interesting to note that the statute doesn't say the device actually *has* to be effective, only that it has to be *designed* to aid in shoplifting.

      As far as I know these statutes are usually applied only to people accused of shoplifting. Intent is very hard to prove on its own. If you carry an aluminum shopping bag into a store and leave again, they probably won't blink twice. If you are caught shoplifting AND have an aluminum-lined bag, they'll probably throw both charges at you. Oh, and don't forget that shoplifters are also forced by the courts to pay restitution to the victims. A typical investigation takes from one to two weeks worth of paperwork and other processing at a cost of about $40 per hour. Plus court costs. If they hire an expert to prove this is a shoplifting device, you'll pay for that as well.

      Please note: I am not a lawyer; this is not legal advice; and if you do try to use this equipment to shoplift in one of my stores I sincerely hope you get the full three-year sentence and $5,000 fine you deserve.

      --
      John
    4. Re:Popups. by Anonymous Coward · · Score: 0

      "Would you like to overload any RFID device or tag that attempts a connection? [No] [Yes] [Hell Yes] [Napalm]"

  2. Well... by Steppman2 · · Score: 4, Interesting

    I guess whit officially makes them white-hats, however, I'd still be worried about the ability to spoof a legitimate rfid or steal one and deactivate this firewall. Things that are considered by many to be foolproof make things that much worse when they fall through...

    1. Re:Well... by Anonymous Coward · · Score: 0

      this* Don't know where the hell "whit" came from...apologies.

  3. Condoms, anyone? by dotancohen · · Score: 2, Funny

    So these are little electronic rubbers, right?

    --
    It is dangerous to be right when the government is wrong.
    1. Re:Condoms, anyone? by Anonymous Coward · · Score: 0

      Something like that, I'd say they are tinfoils with selective holes.

  4. derivative work by Anonymous Coward · · Score: 0, Funny

    Now Linus Torvalds will write a personal RFID firewall and claim that it is totally original and not based on Andrew Tannembaum's personal RFID firewall... wooo BURN CITY take that groklaw losers!

    1. Re:derivative work by morgan_greywolf · · Score: 2, Funny
      Now Linus Torvalds will write a personal RFID firewall and claim that it is totally original and not based on Andrew Tannembaum's personal RFID firewall... wooo BURN CITY take that groklaw losers!


      And will Tannenbaum back him up this time, too?

      --
      My blog
    2. Re:derivative work by ClosedSource · · Score: 0, Flamebait

      Actually, I think it would be great if Tannenbaum were to come out in support of GPLv3. That should make the fanboys' heads spin 360 degrees.

  5. Demo Video by AugustZephyr · · Score: 5, Informative

    Video of The Guardian in action: http://www.rfidguardian.org/videos/rfid-guardian-0 250.mov

    1. Re:Demo Video by FinMacCool · · Score: 2, Funny

      Should we trust this guy to protect our RFID chips when he can't seem to protect his underwear by zipping his fly?

  6. Tin foil by Rastignac · · Score: 2, Funny

    That's the only safe protection, for sure.

    --
    -- Rastignac was here.
    1. Re:Tin foil by hey! · · Score: 2, Funny

      Just don't forget to wire the tin foil to a six foot copper stake driven into the Earth. It's a detail that is often neglected by the careless.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Tin foil by Anonymous Coward · · Score: 0

      In Japan, where RFID and other RF enabled tech is becoming main-stream, you can purchase RF shielded wallets, purses, pouches to carry your RF enabled cards within at most electronic stores.

  7. Faraday Cage by ParaphiliaNOS · · Score: 2, Insightful

    How much of this RFID traffic is good?  Why not market faraday cage coats and just leave the cellphone in an external pocket?  (Enumerate the GOOD and just ignore the BAD.)

    1. Re:Faraday Cage by Cruise_WD · · Score: 3, Interesting

      Makes sense, since that's a common strategy for dealing with spam: Block anything except emails from a known source.
      That comment just triggered an odd thought in my head... ...in the future, will we look back at spam gratefully, for all the practice it's given us in blocking unwanted intrusions into our systems in a (realtively) benign way? Or does it just demonstrate how easily the majority of people will ignore privacy and real security and make life hell for the rest of us?

      --
      [ cruise / casual-tempest.net / xenogamous.com / transference.org / quantam sufficit ]
    2. Re:Faraday Cage by ParaphiliaNOS · · Score: 1

      Spam and malware has either taken over or is being fought back depending on who you ask.  We will only look back on spam gratefully if we win the war on IT security before society becomes so aclimated and accustomed to deleteing spam, scanning for malware, checking for phishing, shreding documents, etc as normal course of life/work/home.

    3. Re:Faraday Cage by idsfa · · Score: 1

      It's been done.

    4. Re:Faraday Cage by ParaphiliaNOS · · Score: 1

      I know, but thanks for linking for everyone.  I asked already knowing that they exist.  I guess I was being more like those people who always shout that hardware firewalls are better than software.  Faraday cage :Router = "Unpluging your computer from the 'dangerous network' altogether":"Try really hard to not let known and unknown BAD from getting in."

  8. Old News by Mike89 · · Score: 3, Funny

    This is either old news, or there is some other reason the website looks like it's from 1996.

    1. Re:Old News by ParaphiliaNOS · · Score: 3, Interesting

      My assumption is either the staff are hardware people or have just prefer the security of static HTML.

      Staff: www.rfidguardian.org/people.html

    2. Re:Old News by Intron · · Score: 1

      Their next paper will be on CSS viruses and steps that can be taken to protect you from them.

      --
      Intron: the portion of DNA which expresses nothing useful.
    3. Re:Old News by idsfa · · Score: 1

      Now that would be old news.

    4. Re:Old News by Intron · · Score: 1

      Leave it to Microsoft to ruin a perfectly good joke.

      --
      Intron: the portion of DNA which expresses nothing useful.
  9. KISS by khafre · · Score: 4, Insightful

    If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up? Just insist on it. If it doesn't have it, it goes in the microwave. Sheesh, add a cheap membrane switch, not a firewall.

    1. Re:KISS by jonatha · · Score: 1

      You want to add a mechanical switch to a chip that's roughly the size of a grain of rice?

      --
      The SCO lawsuit makes me wish my company were in Utah. We need a new building.
    2. Re:KISS by ParaphiliaNOS · · Score: 1

      Cheaper than a design revision and more renewable than EMP or microwave; why not get a shielded wallet or case?

    3. Re:KISS by westlake · · Score: 1
      If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up?

      correct me if I am wrong, but I thought RFID tags were passive reflectors. which can be read without contact in somewhat the same sense as an optical bar code can be read without contact.

    4. Re:KISS by ParaphiliaNOS · · Score: 1

      They are passive in that they require RF traffic to power on, which can occur without contact.  But the RFID can still be disabled by mechanical means.  Parent was suggesting to 'turn off' RFID so that it wouldn't power up in the presence of a reader unless it was 'turned on.'  The concept is no different than your TV remote(RFID reader) not turning on your unplugged(broken ciruit) TV(RFID tag, albet powered).

    5. Re:KISS by kwalker · · Score: 1

      Considering the amount of times my friends have pocket-called me because the cheap membrane switches in the keypads of their cell phones got pressed, wouldn't something similar happen when cards are compressed while stuffed into a wallet?

      --
      ... And so it comes to this.
    6. Re:KISS by OneSmartFellow · · Score: 1

      That was my idea over 12 months ago, that's it, I'm sick of this, I'm suing for IP infringement, wah, wah fucking wah !

    7. Re:KISS by Anonymous Coward · · Score: 0

      Because one of the main uses of the tags is to be used as a theft deterent. Having a simple switch to power off the tags manually would defeat that purpose.

    8. Re:KISS by ParaphiliaNOS · · Score: 1

      Interesting design point.  I know your talking about CC RFID but lets hope the RFID firewall addresses this in production models.  When it comes to anything broadcasting financial or identifing information, regardless of it's formfactor, I'd like to be able to diable it reliably just in case.

    9. Re:KISS by sherpajohn · · Score: 1

      Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

      DOH!

      --

      Going on means going far
      Going far means returning
    10. Re:KISS by epee1221 · · Score: 1

      One simple answer to this, of course, is to not use the switch-enabled version for anti-theft purposes. Alternatively, you could just stick the tag inside the package where it cannot be tampered with (don't they do this already to keep them from just being removed?).

      --
      "The use-mention distinction" is not "enforced here."
    11. Re:KISS by BeBoxer · · Score: 2, Insightful

      Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

      They have circuits in them, and wires. The fact that the power source is external is irrelevant. By your logic, a lamp can't have a switch because it relies on current from the wall for power. DOH!

  10. Attack Barriers by blueZhift · · Score: 4, Interesting

    This reminds me of the anime Ghost in the Shell wherein people use sophisticated attack barriers to defend their cyberbrains from unwanted intrusions. It seems that we are approaching the need for personal firewalls much faster than anticipated driven by the desire of world governments to more closely monitor their citizens as well as consumer desire for more personal electronics. I'd say we probably have only a year or two before implantable cell phones/accessories start making an appearance. Soon thereafter the first viruses targeting those systems will show up. So the personal firewall business should be pretty good.

    --
    To the making of books there is no end, so let's get started
  11. Link to PDF by tttonyyy · · Score: 4, Informative

    For those that want more detail than the videos provide:

    http://www.cs.vu.nl/~melanie/rfid_guardian/papers/ acisp.05.pdf

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
  12. buy ? by polar+red · · Score: 1

    where do i get one ?

    --
    Yes, I'm left. You have a problem with that?
  13. But is she hot? by pestie · · Score: 3, Funny

    Yeah, yeah, RFID, mark of the beast, firewall, virus, buzzword... whatever! This is Slashdot, and the important question is whether or not this Melanie Rieback chick is hot. 'Cause everyone knows that hot geek girls are the wet dream of every red-blooded male Slashdotter. And thanks to the magic that is Google, the answer appears to be, "Not bad... not bad at all!"

    1. Re:But is she hot? by Anonymous Coward · · Score: 0

      U think that's hot? (if subject is reading, no offense intended)

    2. Re:But is she hot? by Anonymous Coward · · Score: 0

      There's a chance you might grow up some day too.

  14. Well do you.... punk by MarkGriz · · Score: 1

    For the more adventuresome:

    "would you like Macy's to have no idea you're stealing their stuff? [yes][no][im-feeling-lucky]"

    --
    Beauty is in the eye of the beerholder.
  15. Why doesn't google... by Anonymous Coward · · Score: 0

    hire professor Andrew Tanenbaum!

  16. two things by idlake · · Score: 1

    (1) Yes, Mr. Tanenbaum, you have correctly mastered academic publishing: even the most inane ideas will get published if you just combine the right buzzwords (and this idea is inane indeed).

    (2) No, Mr. Tanenbaum, the right way to deal with SQL injection bugs related to RFID problems is data validation and testing; interfering with RFID tags is neither effective nor necessary.

  17. Too much complexity by OYAHHH · · Score: 1

    I'm,

    Sorry, but I don't need this much complexity in my life.

    Am I going to be forced to live in a cave?

    --
    Caution: Contents under pressure
  18. Tanenbaum's theory is false by crucini · · Score: 2, Informative
    I read Tanenbaum's paper when it came out. One of the soundbites:
    RFID malware is a Pandora's box that has been gathering dust in the corner of our 'smart' warehouses and home.

    This is not true. There is no Pandora's box. Read the paper and you'll see why.

    Tanenbaum and his co-authors exploited vulnerabilities in RFID middleware - the software that connects to an RFID reader. What makes this less interesting is that they wrote the middleware. Yes, they deliberately built in vulnerabilities like SQL injection, then crafted RFID tags to exploit them.

    Tanenbaum's team did not find any weaknesses in any commercial RFID middleware. And their entire premise is flawed. The weaknesses they scanned for, such as SQL injection, are not going to exist in the dominant RFID system, which is EPC. An EPC tag contains a binary number (frequently 96 bits). This bit vector is divided into fields for manufacturer, part number, and serial number. It is binary, not text. There is no way a malformed number could trigger an SQL injection vulnerability.
  19. RSA Already has technology? by Patent-Monkey · · Score: 1

    I see in US Patent 6,970,070 that RSA has an issued patent on a "a blocker device may comprise a mobile telephone, a portable computer, a personal digital assistant (PDA), a hardware-based authentication token such as an RSA SecurID.TM. token commercially available from RSA Security Inc..."

    Don't see it referenced on A HREF="http://www.rsasecurity.com/node.asp?id=1155" >their site.

  20. This Gives Me a Great Idea... by Anonymous Coward · · Score: 0

    Now that passports, new driver's licenses, debit/credit cards are all becoming RFID-enabled.
    Imagine also that someone comes up with the idea of creating a series of mens' wallets and womens' purses that repel RFID signals. I think that in time, this idea could become profitable.

    Yes, yes, I understand that RFID, at least for now, requires the reader to be fairly close (a few feet), but in time, readers and tags will become more nuanced and powerful. I for one, don't want to be walking around being scanned. If I need to present my ID, I'll do at the time of requirement by authorities.