Slashdot Mirror


RFID Guardian Protects Your Privacy

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."

28 of 65 comments

  1. proof of concept RFID virus by bulliver · · Score: 3, Funny

    So does that mean you could theoretically create a virus that would make all RFID enabled passports identify themselves as belonging to known/suspected terrorists? That would make for a million laughs on April 1...

    --
    Support the mob or mysteriously disappear.
    1. Re:proof of concept RFID virus by apathy+maybe · · Score: 3, Informative

      Here http://en.wikipedia.org/wiki/RFID#Viruses is a nice little bit, and a link to the original article. http://arstechnica.com/news.ars/post/20060315-6386.html

      ArsTechnica links to http://www10.nytimes.com/2006/03/15/technology/15tag.html?_r=5&th&emc=th&oref=slogin&oref=slogin&oref=slogin&oref=slogin and to the real original webpage http://www.rfidvirus.org/index.html

      Basically, it uses buffer overflows to insert nasty code into a computer. The RFID chips contain the code and, when read, exploit problems in the reader. You can use commercially available tools to write your own RFID chips. Have fun.

      --
      I wank in the shower.
  2. why? by wizardforce · · Score: 2, Insightful

    This seems to me like they are trying to sweep the flaws of RFID under the rug - fix the main system and this won't be needed.

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:why? by maxume · · Score: 3, Insightful

      This isn't about sweeping something under the rug. It is about RFID coming whether you want it or not and having a straightforward way to avoid many of the issues that it is coming with.

      --
      Nerd rage is the funniest rage.
  3. Like encryption by Original+Replica · · Score: 2, Interesting

    or the radar detector, will this remain legal? Why have an RFID vs. the same info on a barcode, unless the design is to be able to read said info without your knowledge?

    --
    We are all just people.
    1. Re:Like encryption by The+Cisco+Kid · · Score: 2, Insightful

      Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a conveyor and scan it one by one.

      There are plenty of legitimate uses for RFID. But I would agree it should always be used transparently, and once an item is yours, you should be able/allowed to remove the tag. (Note that passports, I believe, remain property of the US and are just issued to you for your use. The only reason I can figure the RFID is more desirable is perhaps it is harder to forge, since any fool can print a barcode.)

    2. Re:Like encryption by Anonymous Coward · · Score: 3, Insightful
      Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a conveyor and scan it one by one.

      Another big retail selling point is to set up scanners at doors and set off an alarm if an item passes through that is allegedly still in the store's inventory. You can bet retail chains will lobby against Guardian and similar technologies.

      ...not that the FCC would ever approve the device to start with.

    3. Re:Like encryption by JFitzsimmons · · Score: 3, Interesting

      It is harder to forge but not because of some stupid restriction like "the stuff is harder to get". Any fool can write an RFID tag with quite reasonably priced equipment as well. The security actually comes from the cryptographic hash of the digital data also on the RFID tag. Therefore, if the digital data matches the physical printing of the data, and the cryptographic hash checks out, then you have within a good degree of certainty that the passport is legit. Of course, who knows if the secret hashing algorithm has been leaked or not, but that's a totally different concern.

      With that said, a wireless technology is completely stupid for this sort of application. Any official checking a passport is going to be physically handling it anyway, so what's wrong with requiring a physical connection, like that in a smartcard?

      --
      Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
  4. The advance of technology. by osu-neko · · Score: 4, Insightful

    One of these days, someone should invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without me uncovering it. That makes sure only those I want can read it, and keeps it safe from being read without my knowledge, much less consent.

    I think I have an idea! I'm gonna go patent it now. I'll call it a "barcode"! Yeah, that's the ticket!

    --
    "Convictions are more dangerous enemies of truth than lies."
    1. Re:The advance of technology. by Dunbal · · Score: 2, Insightful

      invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read

      You've just hit on the essential limitation of cryptography. Make up your damned mind, do you want people to read it, or not?

      If _someone_ (i.e. the GOOD guy) can read it, then AUTOMATICALLY the BAD guy also can read it - IF he manages to figure out the algorithm. QED. There is no more. Everyone who tries to sell you an idea where ONLY the "GOOD guy" can read it is talking out of his ass. Look at DRM, etc.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:The advance of technology. by sneezinglion · · Score: 2, Interesting

      The whole point of RFID for some applications is to be able to read them without physically sighting every one.

      For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.
      Actually you made a mistake, it is 5 minutes to a perfect count, but only a perfect count of the RFID chips... It still does not tell you how many of the product is actually on the shelves.
    3. Re:The advance of technology. by cybereal · · Score: 2, Insightful

      Have you ever looked at a credit card and noticed how nearly every one has visibly obscured the numbers?

      An ancient theft attack vector is photography. Your bar code would be even easier to steal than a credit card number.

      Don't underestimate the thieves.

      --
      I read the script, and I think it would help my character's motivation if he was on fire. -Bender
    4. Re:The advance of technology. by plover · · Score: 2, Insightful
      Barcodes aren't the greatest answer, as they are vulnerable to spoofing.

      Imagine two barcodes that look like this:

      | || |l| || |11| | |||
      12345

      and this:

      | || || |l| |11| | |||
      12345

      Both look like barcodes (please forgive the characters used to dodge the lameness filter.) Both have HRIs (human readable interfaces) beneath them. But one is a forgery, and actually scans to the value 13245. Unless the person with the barcode scanner is actively verifying the numbers match (or is verifying other aspects of the document) the forgery is just as good to the laser beam as the original.

      The RFID tags are at least harder to forge, but provide weaker security in that they can be intercepted or surreptitiously read. Contact-based chips (a la Smartcards) would have been the best choice in terms of security, but probably much more costly in terms of hardware maintenance of the readers (cleaning, static electricity, etc.)

      That's all I had to say, but the lameness filter is making me add extra lines to make up for the junk characters. Perhaps I should have switched more bytes to exclamation points or ones or lower case Ls, that probably would have helped make up the difference. I suppose the wonderful ascii artists of the past few years have frightened Slash code into assuming that any graphic is too graphic.

      --
      John
  5. RFID Guardian Website by achillean · · Score: 3, Informative

    Here's the link to the official RFID Guardian website:

    http://www.rfidguardian.org/

  6. Dupe by KillerCow · · Score: 2, Informative
  7. What would really be fun by eric76 · · Score: 2, Funny

    What would really be fun is to have a little credit card sized radio that would play with the various RFID tags it found.

    Put it in your pocket and then walk down the aisles of your local WalMart.

    1. Re:What would really be fun by eric76 · · Score: 2, Funny

      To elaborate a bit, suppose a store used the RFID tags to ring up purchases at the store.

      Your RFID reader would read various tags while you walk down the aisles of a store. Then, while you are near the checkout line, it would transmit them to a reader (it would have more distance than a passive tag) and provide the ids it read to the reader as if it were a tag. Someone standing in line to buy $25 worth of purchases would find the store rang it up to include two or three tvs, stereos, a dozen pairs of shoes, ..., adding up to several thousand dollars.

      They would, I assume, notice that something was wrong and might have to ring them all up several times before you move away and they get the correct value.

  8. Re:Back-compat? by KillerCow · · Score: 2, Informative

    Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?


    It is an active, selective jammer for existing cards.
  9. Even simpler blocker by noidentity · · Score: 5, Funny
  10. Re:Back-compat? by Sowilo · · Score: 3, Informative
    Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

    From TFA:

    Eventual plans call for the Guardian to be incorporated into cell phones and PDAs, but the current model is a pocket-sized device that runs on its own battery and provides a circular 1m field of control over RFID tags, jamming any tags that the user does not want read.

    TFA goes on to explain exactly how it does it, but in a nutshell it has an internal list of RFID tags along with what it should do for each tag - block everything, only allow certain readers to access it, etc. If it's not allowed, then it blocks the RFID tag's response by jamming the signal.

    But since it works by detecting and jamming the signals sent, and not by any physical connection or link to the RFID tags themselves, it should function with any pre-existing RFID tag.
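
The per-tag list described in the comment above can be sketched as a first-match access control list with a default of jamming. This is an added example, not part of the original post and not the RFID Guardian's own code; the rule format, the `*` wildcard, the tag and reader names, and the assumption that the device already knows which reader is asking are all hypothetical.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for this sketch only (hypothetical, not a Guardian feature)

@dataclass(frozen=True)
class Rule:
    tag_id: str     # tag the rule covers, or ANY
    reader_id: str  # identity of the querying reader, or ANY
    allow: bool     # True: let the tag answer; False: jam its response

def covers(rule, tag_id, reader_id):
    """True if the rule applies to this (tag, reader) pair."""
    return rule.tag_id in (ANY, tag_id) and rule.reader_id in (ANY, reader_id)

def decide(acl, tag_id, reader_id):
    """First matching rule wins; a query matching no rule is not approved
    and is jammed (default deny). reader_id is None for an unknown reader."""
    for rule in acl:
        if covers(rule, tag_id, reader_id):
            return "pass" if rule.allow else "jam"
    return "jam"

def shadowed_rules(acl):
    """Rules that can never fire because an earlier, broader rule covers
    every query they would match: the usual firewall ordering mistake."""
    return [r for i, r in enumerate(acl)
            if any(covers(e, r.tag_id, r.reader_id) for e in acl[:i])]

# Constructed sample policy (all identifiers are made up for illustration).
ACL = [
    Rule("passport-tag", "border-gate-reader", True),  # only this reader
    Rule("passport-tag", ANY, False),                  # everyone else: jam
    Rule("transit-card", ANY, True),                   # readable by anyone
    Rule("implant-tag", ANY, False),                   # block everything
]

if __name__ == "__main__":
    for tag, reader in [("passport-tag", "border-gate-reader"),
                        ("passport-tag", None),
                        ("unlisted-tag", "border-gate-reader")]:
        print(tag, reader, "->", decide(ACL, tag, reader))
```

Putting the broad "jam everyone" rule ahead of the specific allow rule silently locks out the approved reader, which is what `shadowed_rules` is there to catch.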
  11. Re:Already insecure? by Dunbal · · Score: 2, Insightful

    why can't we start by making RFID more secure in the purest sense?

    You want RFID security? Ok that's simple. DON'T USE IT. Otherwise, it's not secure - by its very nature.

    --
    Seven puppies were harmed during the making of this post.
  12. Genius! by homebrandcola · · Score: 5, Insightful

    The genius part was proving there was a threat, then inventing the solution to that threat.

    Fantastic business model.

  13. Interesting (and not so legal) uses for this... by PAjamian · · Score: 4, Insightful

    This is a really interesting device, I wonder if it has some darker uses, though...

    Could you use this device to assist shoplifting by having it in your pocket when you walk past the RFID readers at the store entrance? This would effectively block the readers from being able to "see" the RFID security tags on the merchandise.

    Depending on how low-cost these devices are (they are planning to sell them at cost, after all), could someone attach one surreptitiously to the bottom of a modern car preventing the RFID tag built into the ignition key from being read, thereby disabling the car?

    Here in New Zealand, they recently passed a law requiring that all pet dogs have RFID chips implanted in them. It would be laughable if a small version of this were made which could be attached to the collar of the dog to effectively disable the RFID chip implanted in them (admittedly I can't see this particular usage being helpful to the dog or the owner in any way, but it is funny to think about).

    Other issues:

    Since this is a powered transmitting device, it might not be legal to have it turned on while on board an airplane in flight. Since it can't be effective while turned off, it would still be possible to read passports of people in-flight unless protected by some other means (aluminum foil, Faraday cage).

    --
    Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    1. Re:Interesting (and not so legal) uses for this... by plover · · Score: 2, Informative
      I assume the GP meant to say it this way: "Nobody is using RFID exclusively for inventory control" which is a correct statement. 'Inventory control' is the retailer's phrase meaning "shoplifting detectors", and if all you're interested in is stopping shoplifting, resonance tags (Checkpoint, et al) are a fraction of the price of RFID tags. All the stores using RFID that I'm familiar with are using it for much more than inventory control: logistics and transportation, warehousing, stock replenishment, and point of sale. (Although I will agree that Walmart's use has been focused primarily on high-value shoplifted items such as Gillette razor refills.)

      And not all chipped car keys use RFID. Some keys use the Dallas Semiconductor 1-wire technology, and require electrical contact to work. They can't be jammed by this little device.

      --
      John
  14. Re:Back-compat? by wizzahd · · Score: 3, Funny

    It's a hat, duh. Do you realize how long it would take to make a tin foil jacket??

  15. Re:Betcha by plover · · Score: 2, Informative

    They don't have to. It's already illegal to use one for shoplifting in Minnesota, and I assume that most states have similar laws. All they have to do when they find one in your pocket is accuse you of trying to shoplift. Not only is the device itself pretty strong evidence, but you get 3 bonus years in jail if you're convicted.

    --
    John
  16. Melanie @ WhatTheHack by gbnewby · · Score: 3, Informative

    I saw Melanie's talk at What The Hack in summer 2005, and got to speak with her a little afterwards. That was before the virus made news, but her interests in RFID were in strong evidence. Here's the abstract: program.whatthehack.org Here's video (MP4) of her talk, "Fun and Mayhem with RFID:" rehash.whatthehack.org You can find other videos from WTH at the same site (disclosure: I'm there, too!)

  17. Web of trust for passports? by BlueParrot · · Score: 2, Insightful

    The reason bar codes are not sufficient is that once they are read, they can be easily copied. The same goes for any static message transmitted by an RFID tag. Also, the database can obviously be corrupted by an evil government or disgruntled worker. If you really want to have a forge-proof solution you will need to implement something like OpenPGP in every passport. I can't wait until the day where politicians and media will have to be careful with their creditability or risk having a significant number of people revoke their certificate... Want people to trust you about the foreign policy? Well let's just have a look at that signature of yours...