Slashdot Mirror


RFID Guardian Protects Your Privacy

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."

65 comments

  1. Back-compat? by Constantine+XVI · · Score: 1

    Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

    --
    "I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
    1. Re:Back-compat? by KillerCow · · Score: 2, Informative

      Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?


      It is an active, selective jammer for existing cards.
    2. Re:Back-compat? by Sowilo · · Score: 3, Informative
      Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

      From TFA:

      Eventual plans call for the Guardian to be incorporated into cell phones and PDAs, but the current model is a pocket-sized device that runs on its own battery and provides a circular 1m field of control over RFID tags, jamming any tags that the user does not want read.

      TFA goes on to explain exactly how it does it, but in a nutshell it has an internal list of RFID tags along with what it should do for each tag - block everything, only allow certain readers to access it, etc. If it's not allowed, then it blocks the RFID tag's response by jamming the signal.

      But since it works by detecting and jamming the signals sent, and not by any physical connection or link to the RFID tags themselves, it should function with any pre-existing RFID tag.
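The per-tag rule list described in the comment above can be sketched as a first-match access control list. This is an added example, not the RFID Guardian's own code: the rule fields, reader IDs, tag IDs and command names are all hypothetical, and the sample queries are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOW, BLOCK = "allow", "block"

@dataclass(frozen=True)
class Rule:
    tag: str       # tag ID pattern; "*" matches every tag
    reader: str    # reader ID pattern; "*" also matches unidentified readers
    command: str   # query type pattern (hypothetical names: inventory/read/write)
    action: str    # ALLOW or BLOCK

@dataclass(frozen=True)
class Query:
    reader: str    # "" when the reader did not identify itself
    tag: str
    command: str

def decide(acl, q, default=BLOCK):
    """First matching rule wins; anything unmatched falls to the default."""
    for rule in acl:
        if (fnmatchcase(q.tag, rule.tag)
                and fnmatchcase(q.reader, rule.reader)
                and fnmatchcase(q.command, rule.command)):
            return rule.action
    return default

def guard(acl, queries):
    """Map each observed query to what happens to the tag's reply."""
    return ["pass" if decide(acl, q) == ALLOW else "jam" for q in queries]

def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule covers them.
    Conservative: an earlier field covers a later one if it is "*" or identical."""
    def covers(a, b):
        return a == "*" or a == b
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (covers(earlier.tag, later.tag)
                    and covers(earlier.reader, later.reader)
                    and covers(earlier.command, later.command)):
                dead.append(i)
                break
    return dead

# Constructed policy: specific allows come before the broad blocks.
ACL = [
    Rule("passport-01", "border-kiosk", "*", ALLOW),
    Rule("passport-01", "*", "*", BLOCK),
    Rule("transit-card", "*", "write", BLOCK),
    Rule("transit-card", "*", "*", ALLOW),
]

# Constructed queries, as the device might observe them on the air.
QUERIES = [
    Query("border-kiosk", "passport-01", "read"),
    Query("", "passport-01", "inventory"),
    Query("", "transit-card", "read"),
    Query("", "transit-card", "write"),
    Query("", "pet-implant", "read"),   # no rule at all: default applies
]

# Same passport rules in the wrong order: the allow rule is dead.
MISORDERED = [ACL[1], ACL[0]]

if __name__ == "__main__":
    for q, verdict in zip(QUERIES, guard(ACL, QUERIES)):
        print(f"{q.reader or '(unidentified)':15} {q.tag:13} {q.command:10} {verdict}")
    print("shadowed rules in MISORDERED:", shadowed(MISORDERED))
```

With first-match semantics the default action and the rule order carry the policy, so a lint such as `shadowed` is worth running whenever the list changes.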
    3. Re:Back-compat? by wizzahd · · Score: 3, Funny

      It's a hat, duh. Do you realize how long it would take to make a tin foil jacket??

    4. Re:Back-compat? by Anonymous Coward · · Score: 0

      RTFA man!

    5. Re:Back-compat? by asills · · Score: 1

      Not quite.

      It only works with 13.56 MHz tags and only a not very widely used air protocol. This device requires intimate knowledge of the air protocol used to communicate with the tag. It must know exactly which frequencies the tag will communicate back on in order to function.

      The health care market is using 13.56 MHz tags, but they're not using the air protocol her device uses, so it won't know where to do the jamming. The consumer goods market isn't currently tagging on a per-item basis, but when they do get there it'll be 900 MHz tags using the EPC Gen2 standard (at least in the US), which does not use such a predictable frequency hopping mechanism. Her device won't be able to selectively jam only certain frequencies and will likely have to be even more noisy (jam the whole 900 MHz range? doubtful).

      --
      -- What did Spock find in Kirk's toilet? The captain's log.
    6. Re:Back-compat? by RfidShield · · Score: 1

      No, this is an active jamming device, and as the other readers indicate, may only work at a particular frequency or communications protocol. However Smart Tools offers an RFID Shield - a passive device that prevents your RFID card from being detected or communicating, and is independent of frequency or protocol. There's info and a picture at: http://smarttools.home.att.net/rfshield.htm

  2. proof of concept RFID virus by bulliver · · Score: 3, Funny

    So does that mean you could theoretically create a virus that would make all RFID enabled passports identify themselves as belonging to known/suspected terrorists? That would make for a million laughs on April 1...

    --
    Support the mob or mysteriously disappear.
    1. Re:proof of concept RFID virus by apathy+maybe · · Score: 3, Informative

      Here http://en.wikipedia.org/wiki/RFID#Viruses is a nice little bit, and a link to the original article. http://arstechnica.com/news.ars/post/20060315-6386.html

      ArsTechnica links to http://www10.nytimes.com/2006/03/15/technology/15tag.html?_r=5&th&emc=th&oref=slogin&oref=slogin&oref=slogin&oref=slogin and to the real original webpage http://www.rfidvirus.org/index.html

      Basically, it uses buffer overflows to insert nasty code into a computer. The RFID chips contain the code and when read exploit problems in the reader. You can use commercially available tools to write your own RFID chips. Have fun.

      --
      I wank in the shower.
    2. Re:proof of concept RFID virus by bulliver · · Score: 1

      Thanks for the links. Despite the guy who modded me funny, it was a serious question.

      --
      Support the mob or mysteriously disappear.
  3. why? by wizardforce · · Score: 2, Insightful

    This seems to me like they are trying to sweep the flaws of RFID under the rug. Fix the main system and this won't be needed.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:why? by maxume · · Score: 3, Insightful

      This isn't about sweeping something under the rug. It is about RFID coming whether you want it or not and having a straightforward way to avoid many of the issues that it is coming with.

      --
      Nerd rage is the funniest rage.
  4. Like encryption by Original+Replica · · Score: 2, Interesting

    or the radar detector, will this remain legal? Why have an RFID vs. the same info on a barcode, unless the design is to be able to read said info without your knowledge?

    --
    We are all just people.
    1. Re:Like encryption by The+Cisco+Kid · · Score: 2, Insightful

      Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a conveyor and scan it one by one.

      There are plenty of legitimate uses for RFID. But I would agree it should always be used transparently, and once an item is yours, you should be able/allowed to remove the tag. (Note that passports, I believe, remain property of the US and are just issued to you for your use. The only reason I can figure the RFID is more desirable is perhaps it is harder to forge, since any fool can print a barcode)

    2. Re:Like encryption by Anonymous Coward · · Score: 3, Insightful
      Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a conveyor and scan it one by one.

      Another big retail selling point is to set up scanners at doors and set off an alarm if an item passes through that is allegedly still in the store's inventory. You can bet retail chains will lobby against Guardian and similar technologies.

      ...not that the FCC would ever approve the device to start with.

    3. Re:Like encryption by JFitzsimmons · · Score: 3, Interesting

      It is harder to forge but not because of some stupid restriction like "the stuff is harder to get". Any fool can write an RFID tag with quite reasonably priced equipment as well. The security actually comes from the cryptographic hash of the digital data also on the RFID tag. Therefore, if the digital data matches the physical printing of the data, and the cryptographic hash checks out, then you have within a good degree of certainty that the passport is legit. Of course, who knows if the secret hashing algorithm has been leaked or not, but that's a totally different concern.

      With that said, a wireless technology is completely stupid for this sort of application. Any official checking a passport is going to be physically handling it anyway, so what's wrong with requiring a physical connection, like that in a smartcard?

      --
      Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
  5. Already insecure? by iknowcss · · Score: 1

    Considering the fact that this technology is so new, why can't we start by making RFID more secure in the purest sense? Today's other article about the "unimportance" of IT in a world without viruses is crazy to discuss when a majority of the world uses inherently insecure systems. Let's lock this one down now before it gets out of control.

    --
    Life is rarely fair. Cherish the moments when there is a right answer.
    1. Re:Already insecure? by Dunbal · · Score: 2, Insightful

      why can't we start by making RFID more secure in the purest sense?

      You want RFID security? Ok that's simple. DON'T USE IT. Otherwise, it's not secure - by its very nature.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Already insecure? by iknowcss · · Score: 1

      I'm inclined to agree with your point. RFID is not a fun thought. Let's hope and pray it never becomes a requirement in daily life as computers seem to be going.

      --
      Life is rarely fair. Cherish the moments when there is a right answer.
  6. The advance of technology. by osu-neko · · Score: 4, Insightful

    One of these days, someone should invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without me uncovering it. That makes sure only those I want can read it, and keeps it safe from being read without my knowledge, much less consent.

    I think I have an idea! I'm gonna go patent it now. I'll call it a "barcode"! Yeah, that's the ticket!

    --
    "Convictions are more dangerous enemies of truth than lies."
    1. Re:The advance of technology. by Dunbal · · Score: 2, Insightful

      invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read

      You've just hit on the essential limitation of cryptography. Make up your damned mind, do you want people to read it, or not?

      If _someone_ (ie the GOOD guy) can read it, then AUTOMATICALLY the BAD guy also can read it - IF he manages to figure out the algorithm. QED. There is no more. Everyone who tries to sell you an idea where ONLY the "GOOD guy" can read it is talking out of his ass. Look at DRM, etc.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:The advance of technology. by Original+Replica · · Score: 1

      umm, How can the bad guy read my barcode if I don't take it out of my pocket. You can't stand behind me in line and read the barcode in my passport. You can't make a device to read the barcodes on the licenses of other people in the elevator. But RFID is ripe for this. It's not a matter of cryptography, it's a matter of easy, obvious, physical control of the information.

      --
      We are all just people.
    3. Re:The advance of technology. by The+Cisco+Kid · · Score: 1

      The whole point of RFID for some applications is to be able to read them without physically sighting every one.

      For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

    4. Re:The advance of technology. by Lumpy · · Score: 1

      In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without me uncovering it.

      go to your kitchen, cut 2 pieces of heavy duty aluminum foil to fit the inside of your wallet, put it in your dollar bill section.

      All done, wallet closed, RFID reader will NOT read it unless it is shoved in your butt crack. open wallet and remove card, it's readable.

      100% free, and works. Better would be to have a wallet made of RF shielding material. no "high tech" "firewall" needed.

      --
      Do not look at laser with remaining good eye.
    5. Re:The advance of technology. by sneezinglion · · Score: 2, Interesting

      The whole point of RFID for some applications is to be able to read them without physically sighting every one.

      For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

      Actually you made a mistake, it is 5 minutes to a perfect count, but only a perfect count of the rfid chips......It still does not tell you how many of the product is actually on the shelves.
    6. Re:The advance of technology. by cybereal · · Score: 2, Insightful

      Have you ever looked at a credit card and noticed how nearly every one has visibly obscured the numbers?

      An ancient theft attack vector is photography. Your bar code would be even easier to steal than a credit card number.

      Don't underestimate the thieves.

      --
      I read the script, and I think it would help my character's motivation if he was on fire. -Bender
    7. Re:The advance of technology. by nunya_bizns · · Score: 1

      I think a faraday cage would meet your needs. And there are already websites selling faraday cage product - here's one example for wallets - http://www.difrwear.com/products.shtml

    8. Re:The advance of technology. by Anonymous Coward · · Score: 0

      The smart thief can simply remove the chip and leave it hidden on the shelves, and if everyone assigned to inventory is as foolish as you it's never reported missing. On a completely unrelated note, where may I ask do you work?

    9. Re:The advance of technology. by plover · · Score: 2, Insightful
      Barcodes aren't the greatest answer, as they are vulnerable to spoofing.

      Imagine two barcodes that look like this:

      | || |l| || |11| | |||
      12345

      and this:

      | || || |l| |11| | |||
      12345

      Both look like barcodes (please forgive the characters used to dodge the lameness filter.) Both have HRIs (human readable interfaces) beneath them. But one is a forgery, and actually scans to the value 13245. Unless the person with the barcode scanner is actively verifying the numbers match (or is verifying other aspects of the document) the forgery is just as good to the laser beam as the original.

      The RFID tags are at least harder to forge, but provide weaker security in that they can be intercepted or surreptitiously read. Contact-based chips (a la Smartcards) would have been the best choice in terms of security, but probably much more costly in terms of hardware maintenance of the readers (cleaning, static electricity, etc.)

      That's all I had to say, but the lameness filter is making me add extra lines to make up for the junk characters. Perhaps I should have switched more bytes to exclamation points or ones or lower case Ls, that probably would have helped make up the difference. I suppose the wonderful ascii artists of the past few years have frightened Slash code into assuming that any graphic is too graphic.

      --
      John
  7. RFID Guardian Website by achillean · · Score: 3, Informative

    Here's the link to the official RFID Guardian website:

    http://www.rfidguardian.org/

    1. Re:RFID Guardian Website by Anonymous Coward · · Score: 0

      Dumbass. We don't want a link to the product. We want a link to the cute geek chick who invented it!

      Why oh why does she have to be wearing a big, bulky, form-hiding winter coat in that photo? :)

  8. Dupe by KillerCow · · Score: 2, Informative
    1. Re:Dupe by painQuin · · Score: 1

      Dec 07, '06


      We will call this day Dupe Day, or D-Day for short.

      A date that will live in infamy.
      --
      A guilty conscience means at least you've got one.
  9. What would really be fun by eric76 · · Score: 2, Funny

    What would really be fun is to have a little credit card sized radio that would play with the various RFID tags it found.

    Put it in your pocket and then walk down the aisles of your local WalMart.

    1. Re:What would really be fun by eric76 · · Score: 2, Funny

      To elaborate a bit, suppose a store used the RFID tags to ring up purchases at the store.

      Your RFID reader would read various tags while you walk down the aisles of a store. Then, while you are near the checkout line, it would transmit them to a reader (it would have more distance than a passive tag) and provide the ids it read to the reader as if it were a tag. Someone standing in line to buy $25 worth of purchases would find the store rang it up to include two or three tvs, stereos, a dozen pairs of shoes, ..., adding up to several thousand dollars.

      They would, I assume, notice that something was wrong and might have to ring them all up several times before you move away and they get the correct value.

    2. Re:What would really be fun by ExFCER · · Score: 1

      Brilliant...Truly. Copyright this idea now and sue the performance artist that makes a mint with world wide downloads of a hit single.

      I mod you... +1 insightful.

  10. Betcha by Dunbal · · Score: 1, Redundant

    Prediction: This device will be made illegal by the US government (in the name of terrorism prevention) in 5..4..3..

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Betcha by plover · · Score: 2, Informative

      They don't have to. It's already illegal to use one for shoplifting in Minnesota, and I assume that most states have similar laws. All they have to do when they find one in your pocket is accuse you of trying to shoplift. Not only is the device itself pretty strong evidence, but you get 3 bonus years in jail if you're convicted.

      --
      John
  11. Even simpler blocker by noidentity · · Score: 5, Funny
    1. Re:Even simpler blocker by Tatisimo · · Score: 1

      That stuff works to block GSM phones, too! And keeps your lunch so nice and warm... In your face, duct tape!

      --
      Give Kashyyyk back to the Wookies
    2. Re:Even simpler blocker by ockegheim · · Score: 1

      Yes, I made my hat out of it!

      --
      I’m old enough to remember 16K of memory being described as “whopping”
  12. Better than a Cage by Anonymous Coward · · Score: 0

    Hey, this sounds a lot more convenient than that Faraday cage that I made for my wallet.

  13. Genius! by homebrandcola · · Score: 5, Insightful

    The genius part was proving their was a threat, then inventing the solution to that threat.

    Fantastic business model.

    1. Re:Genius! by Anonymous Coward · · Score: 0

      Proving their what was a threat?

    2. Re:Genius! by Rogerborg · · Score: 0, Troll

      I have a much better way of preventing cancer of the uvula, or whatever it is she claims the problem with RFID is.

      --
      If you were blocking sigs, you wouldn't have to read this.
  14. Interesting (and not so legal) uses for this... by PAjamian · · Score: 4, Insightful

    This is a really interesting device, I wonder if it has some darker uses, though...

    Could you use this device to assist shoplifting by having it in your pocket when you walk past the RFID readers at the store entrance? This would effectively block the readers from being able to "see" the RFID security tags on the merchandise.

    Depending on how low-cost these devices are (they are planning to sell them at cost, after all), could someone attach one surreptitiously to the bottom of a modern car preventing the RFID tag built into the ignition key from being read, thereby disabling the car?

    Here in New Zealand, they recently passed a law requiring that all pet dogs have RFID chips implanted in them. It would be laughable if a small version of this were made which could be attached to the collar of the dog to effectively disable the RFID chip implanted in them (admittedly I can't see this particular usage being helpful to the dog or the owner in any way, but it is funny to think about).

    Other issues:

    Since this is a powered transmitting device, it might not be legal to have it turned on while on board an airplane in flight. Since it can't be effective while turned off, it would still be possible to read passports of people in-flight unless protected by some other means (aluminum foil, Faraday cage).

    --
    Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    1. Re:Interesting (and not so legal) uses for this... by cdrguru · · Score: 1

      1. Nobody is using RFID for store inventory control. They use far simpler resonators that are cheaper.

      2. Not sure, but most cars aren't using RFID. They use something sort of like RFID but not RFID.

      What's wrong with just using a wideband jammer, something like a spark-gap transmitter? It would block all radio signals within a one or two mile radius and completely solve any radio frequency problems.

    2. Re:Interesting (and not so legal) uses for this... by timmarhy · · Score: 1

      1. you don't know what you're talking about - walmart use it for crying out loud. 2. you don't know what you're talking about - if it's a chip powered by RF that id's itself when near a receiver, then it's RFID.... wideband jamming? you do realise that takes more power than a couple of aa batteries can supply, and it is also going to result in the local authorities investigating who took out the local FM/AM channels and other radio channels and putting your arse in jail for a long time.

      --
      If you mod me down, I will become more powerful than you can imagine....
    3. Re:Interesting (and not so legal) uses for this... by plover · · Score: 2, Informative
      I assume the GP meant to say it this way: "Nobody is using RFID exclusively for inventory control" which is a correct statement. 'Inventory control' is the retailer's phrase meaning "shoplifting detectors", and if all you're interested in is stopping shoplifting, resonance tags (Checkpoint, et al) are a fraction of the price of RFID tags. All the stores using RFID that I'm familiar with are using it for much more than inventory control: logistics and transportation, warehousing, stock replenishment, and point of sale. (Although I will agree that Walmart's use has been focused primarily on high-value shoplifted items such as Gillette razor refills.)

      And not all chipped car keys use RFID. Some keys use the Dallas Semiconductor 1-wire technology, and require electrical contact to work. They can't be jammed by this little device.

      --
      John
    4. Re:Interesting (and not so legal) uses for this... by sgt_doom · · Score: 1
      Citizen PAjamian, you've immediately spotted the points of vulnerability:

      Great way to frame somebody - be it for murder or crimes Against The State.

      [The Carlyle Group - major RFID manufacturer and supplier]

      [Tommy Thompson, Republican candidate for the US Presidency who says: "All Americans should be microchipped."]

  15. Big Bad Wolf? by Anonymous Coward · · Score: 0

    I understand the significance and potential privacy issues connected with RFID tags, but in the larger scheme of things, it seems like a minor threat, and one that wouldn't cause me to lose any sleep at night, at least not yet.

  16. Just Say NO to RFID by kjzk · · Score: 0, Redundant

    I have a better solution, scrap RFID all together.

  17. Sign me up ... by SL+Baur · · Score: 1

    ... my "kidnap me I'm an American Citizen!" broadcasting passport is arriving any day now.

    See http://www.travel.state.gov/travel/cis_pa_tw/tw/tw_2190.html and understand that Tagum City (where the two American children were kidnapped) is the nearest city from my permanent home and where my son is.

  18. Won't last long by wesley78 · · Score: 1

    It's nice to see that this technology will be available, but it won't be long before it's regulated to the point of uselessness I think. RFIDs are going into too many things, and while 1 metre can be nice covering in some situations, it will be intrusive in others. First off Passports and Drivers licenses of many states carry RFID tags now. I can't imagine customs officials wanting to wait around while you turn off your jamming device or if a police officer would be happy if he tried to read the tag at your car instead of in the patrol car. Further, what if you're standing in line getting groceries and accidentally block the RFID of the person in front of you cause you're standing too close. People better take the time to make sure they're set up correctly. A hack that increases the output power will probably be put to use by someone. I guess it boils down to that I don't trust legislators to let me keep my privacy and I don't trust non-technical people to properly set up a technical device.

  19. Melanie @ WhatTheHack by gbnewby · · Score: 3, Informative

    I saw Melanie's talk at What The Hack in summer 2005, and got to speak with her a little afterwards. That was before the virus made news, but her interests in RFID were in strong evidence. Here's the abstract: program.whatthehack.org Here's video (MP4) of her talk, "Fun and Mayhem with RFID:" rehash.whatthehack.org You can find other videos from WTH at the same site (disclosure: I'm there, too!)

  20. With the new Dutch passports this is a MUST by Anonymous Coward · · Score: 0

    For reasons I can't quite identify, the new Dutch RFID-equipped passports have NO shielding. I kid you not, they're readable from a distance, and no tinfoil in sight.

    Somehow Dutch people don't seem to be entitled to privacy, but this could be a EU directive so I'd be interested to hear from other EU residents.

    However, the upside is that it makes accidental damage much more plausible. If you microwave your US passport it'll be pretty clear that it was you, the lack of protection on the passport means that anyone working anywhere near a transmitting dish is going to be able to say "oops, got too close" and get away with it, even though it was in reality a 2 sec microwave visit :-).

    (note to wannabe zappers: do it in seconds at a time otherwise it'll burn and be visible..).

  21. Other questionable benefits? by Anonymous Coward · · Score: 0

    On a side note, making a five-finger discount just got easier...

    I picture this going on somewhere... "But sir, I didn't want anyone doing haxorz to my IDs, honest... I only forgot the merch was in my jacket."

  22. Web of trust for passports? by BlueParrot · · Score: 2, Insightful

    The reason bar codes are not sufficient is that once they are read, they can be easily copied. The same goes for any static message transmitted by an RFID tag. Also, the database can obviously be corrupted by an evil government or disgruntled worker. If you really want to have a forge-proof solution you will need to implement something like OpenPGP in every passport. I can't wait until the day where politicians and media will have to be careful with their creditability or risk having a significant number of people revoke their certificate... Want people to trust you about the foreign policy? Well, let's just have a look at that signature of yours...
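The difference between a static tag message and a keyed response, raised in the comment above, shown as an added example that is not part of the original post. It uses an HMAC over a fresh reader challenge as a symmetric stand-in for the public-key signature the comment suggests; the class names, tag ID and key are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Answers every query with the same bytes, like a barcode or plain ID tag."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id

class KeyedTag:
    """Proves possession of a secret by MACing the reader's fresh challenge."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()

class Copy:
    """A copied tag: it holds no secret and can only repeat bytes seen earlier."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

class Reader:
    def __init__(self, tag_id: bytes, key: bytes = None):
        self.tag_id, self.key = tag_id, key

    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(16)      # new random value per read
        answer = tag.respond(challenge)
        if self.key is None:                     # static scheme: compare the ID
            return hmac.compare_digest(answer, self.tag_id)
        expected = hmac.new(self.key, self.tag_id + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(answer, expected)

def demo():
    tag_id = b"DOC-0001"                         # constructed identifier
    key = secrets.token_bytes(32)                # constructed shared secret

    static_tag, keyed_tag = StaticTag(tag_id), KeyedTag(tag_id, key)
    static_reader, keyed_reader = Reader(tag_id), Reader(tag_id, key)

    # One earlier exchange with each genuine tag is overheard and stored.
    overheard_static = static_tag.respond(secrets.token_bytes(16))
    overheard_keyed = keyed_tag.respond(secrets.token_bytes(16))

    return {
        "static_genuine": static_reader.verify(static_tag),
        "static_copy": static_reader.verify(Copy(overheard_static)),
        "keyed_genuine": keyed_reader.verify(keyed_tag),
        "keyed_copy": keyed_reader.verify(Copy(overheard_keyed)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} accepted={accepted}")
```

The copy of the static tag is accepted because its answer never depends on the challenge; the copy of the keyed tag is rejected because the overheard MAC was computed over a different challenge.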

  23. Very valid point by Khyber · · Score: 1

    I used to work in retail, not all boxes of the same product had RFID on them. We still had to do a visual inventory.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  24. Firewall vs jamming by Tungbo · · Score: 1

    The reason this device is so complex appears to be
    the desire to allow responses selectively.

    Wouldn't it be easier and cheaper to make a simple jamming device?
    Say in a small pouch for storing the passport, etc. with even weaker
    power so that only 1 foot radius is covered.
    When you need to use the passport, take it out of the pouch.

    1. Re:Firewall vs jamming by jimrob · · Score: 1

      Wouldn't it be easier and cheaper to make a simple jamming device? Say in a small pouch for storing the passport, etc. with even weaker power so that only 1 foot radius is covered. When you need to use the passport, take it out of the pouch.

      Yes... some type of device to disable the RFID unit. Perhaps some type of button... one which would turn it off when not in use?