Slashdot Mirror
Is RFID Really That Scary?
tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"
Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.
Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."
Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.
SIG: HUP
Prevention is a better method of addressing an identified legitimate security concern than "waiting to see what happens."
I view it like vaccinations. I don't plan on getting measles this month, but I still had my MMR...
If you're really that worried about it, they do make wallets that block RFID signals. As to how effective they are I couldn't say, but there is much to be said for the placebo effect.
RFID really is something that needs to have an eye kept on, but sensationalist headlines make it seem worse than it is.
Of course, if you're really worried about it, there are options depending on what you need to protect.
Living With a Nerd
Yeah, let's rely on security through obscurity. That has always worked for us.
AC used RFID to steal my first post!
Paget: "You can read RFID from hundred of feet away."
Roberti: "It's never been done. Besides, you can't read it from that far away."
Reality: *facepalm*
I dunno if RFID isn't something to be worried about, but there is definitely a misunderstanding around here about how trackable it is.
It wasn't all that long ago that there was a story on Slashdot about how school uniforms were going to have RFID tags embedded in them and there were +5 comments about how pedophiles were going to sit in their van with a little screen showing the position of where each child in the city is. There's some impression that RFID tags broadcast their GPS co-ordinates into space or something. False.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.
Sometimes, real fast is almost as good as real-time.
Is RFID, as described in the article really all that scary? No, not really. E.g.
30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.
So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...
This is the part that scares me:
Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.
Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.
Just because criminals have not yet taken to attacking RFID does not mean that it is beyond the realm of possibility that they will do so. I propose another question, though: what problem does RFID actually solve? In particular, why put it in credit cards and other cards that really do not benefit from RFID? Are those problems really worth the risks, particularly since RFID cards are hard to make secure (because of power constraints)?
Palm trees and 8
You mean security is weak on Barcode 2.0? Oh t3h n0ez!
OK, ok, long distance tracking is not feasible, what about short distance tracking? If the government put many many tracking devices everywhere, they could actually......track you? Or maybe he is right, it is much cheaper to just call google, and get all your history and locations and FB and Twitter and ......
What the hell does this have to do with anything? Before the mid-19th century one could have said atomic energy was a curious but mostly harmless phenomenon.
Was the antenna also hundreds of feet away? There's way too much weasel-room in that summary. Means nothing. Or the antenna could have been enormous. A stunt doesn't mean it can be easily or practically done. See: Space Age.
What is to stop an eastern european gang to outfit mules in western nations with mobile "pay wave" clone devices that siphon small transactions off of peoples credit cards as they walk through large crowds in train stations, concerts, and sporting events and channel that payment towards bank accounts in a similar way that they clone debit cards and siphon money from atm's now?
The signals are too weak and the data is too obscure
Both of which are solvable with ingenuity, time, work, and people. Some things both-colored hats have in ample supply.
THL phish sticks
I really like this post
The argument by Roberti is not one of defense, meaning that Chris or others are wrong, it is one of problem-stating. Yes, these issues exist, but you simply target your attack/interest to deal with them.
The data on my mandated RFID passport isn't obscure and if you want it, you need only wait at the airport for me. Personally, I have an RFID-shielding wallet, but many don't.
Even for obscure information, there can be places where many people with such RFIDs come together - whether at the subway, shopping centre, airport, school, workplace etc.
Once you know where people will be, short range is a lot less of a problem.
The must be some sort of way to use RFID technology to enhance the pr0ns, in that case it's all good otherwise it's downright evil.
The point that's being made about RFID is that the encryption method is not good enough for most uses when it comes to private information. If it becomes mainstream someone could EASILY begin to collect this information using a remote reader and collect it later without every touching the device again.
Imagine someone takes a small box about the size of sandwich. It could hold enough battery power to collect every single RFID scan for quite some time and then come by perhaps the next day with a laptop and receive it remotely as to never touch the device again in case it was found and being watched.
RFID tags are GREAT to identify you by an ID #... not hold SS # or other private information. Keep that stuff in a more secure manner. I'm no alarmist, and not even a hacker. But this is something someone with almost no tech experience could do... and make bank.
A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.
Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...
Just because it hasn't already been used for nefarious purposes (and we don't know that for certain, do we? We just haven't seen public reports of it...) doesn't mean it can't and won't be done in the future. That guy's argument is as bogus as the "If you've done nothing wrong, you have nothing to hide" crap spouted by those who want to spy on everyone.
Little girls, like butterflies, need no excuse. -- L. Long
Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes
I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
Nothing?
Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Rob:[To Barry]Just come on. What would it mean to you, that sentence: I haven't seen Evil Dead II yet?
-
Last week, I removed the blade guard from my saw, taped down the safety lever on my lawnmower and cut the ground pin from all of my power tools and I'm just KZERRRRT!
I work at a major airport where every badge has RFID. Might not ne a strong signal, but it'll get you on an airplane!
I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.
About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.
Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were lead to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.
Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.
If with the proper antennas you can capture RFID tags from hundreds of feet away, then the signals can't be that weak. And what able the countless anti-theft RFID detectors in nearly every store that have already been deployed worldwide? What is to prevent them from being upgraded and connected to computer networks online?
Once they are online, they would be worth gold to a targeted advertiser like Google with search engine technology. There will be able to track RFID tags like HTTP-Cookies.
Before people though that a wlan bssid was too obscure for tracking. Now with Google and other companies that drive around the world collecting bssid data, in most case you can identify the physical location of a wlan access point with its bssid.
If it begins to be used to track people's movements about an area, say using fastpass / bridge toll / toll booth RFID in conjunction with other sources of information you can get a pretty good view of who is where and when and build patterns from that. If they begin to correlate the data and build a norm then the authorities can say they have probable cause to cause you grief. Cory Doctorow's book Little Brother
Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.
Just because you're paranoid doesn't mean they aren't out to get you
Fixed it: http://www.tombom.co.uk/blog Chris Paget's Blog
Never trust a man wearing a coat and tie!
Is RFID being used when it shouldn't? Is it really that much more difficult to swipe your card than wave it? My US passport really should not be broadcasting anything, it should be swiped since there is no need to read my information from afar. If we limit the use of RFID to tolls and package tracking etc where it makes sense to read information without any human interaction, many of the privacy issues can be prevented.
I'm not too savvy with the specifics of RFID, but I would really appreciate it if someone could explain to me, precisely, what protects against a simple replay attack?
What keeps me from building myself a $20 RFID transceiver, putting it in my pocket, walking through the most crowded area of the nearest subway, bumping into as many people as I can, and then pay for all my shit with your card?
As long as RFIDs respond to unique addresses without first authenticating the reader, they're unacceptable except in the supply chain. Wireless technologies need to take privacy into account at the design level. WLAN BSSIDs are unnecessary too. Authenticate the remote node by proving that both of you know a shared secret without revealing the secret. No shared secret, no identity information.
Conclusion: RFID tagging is less scary than existing privacy intrustions we gladly accept.
excitingthingstodo.blogspot.com
Cory Doctrow had a book that is a very good read in addition to telling how to mess with RFID surveillance if Big Brother happens. Free & CC
http://craphound.com/littlebrother/download/
First thing to do when reading someone's defence arguments is to consider if they actually are related to the original complaint. Here we see trade body/corporate/politician PR defence #1: deflect criticism by confusing the public about the original complaint simply by defending something related but different. As long as you can control the conversation, you're always going to come out smelling of roses.
Nobody cares about using RFID to track shipping. The concern is about using RFID to track personal data, like identity documents. The authorities may find use from using a reader to track who is using a bus station, perhaps with the best of intentions, but I'd rather they not be maintaining a record of my travels thanks. Certainly I am not looking forward to the day when I examine a pair of shoes at a shopping mall, decide against it only to receive a text suggestion of another pair l might like, and later hitting the web only to see a Google advert for similar shoes.
I don't even want to consider the potential for it's use illegally. Which, by the way, probably is not being performed much because at present there isn't much RFID use in this area. Remember how secure unpopular web browsers reportedly were, right until they started getting popular and suddenly it's all critical security bugs? Security is about risk, which means not only how weak something is but also how attractive it is as a target.
Do your credit cards come with EZ Pass or similar? Does your bank mail them to you with little metallic stickers affixed to the front of them? What makes you think it's any more secure in your wallet than in an evnelope? Why are banks doing this extra step if there's no security risk?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
RFID chips need to be right up close in order to charge, (assuming they don't have their own battery, which the ones attached to higher ticket items do), but once they transmit, the read distance is only limited by the sensitivity of your receiver. To me, that means, "From Orbit".
Maybe I'm over-simplifying, but 200 feet with home brew technology is pretty impressive. I have a feeling that the military has invested a few more pennies in radio technology over the years than Chris Paget.
But that's not the point, because when it comes to tracking people, you don't need to do it from orbit. Heck, this page referenced from the article makes it pretty clear that ubiquitous readers and internet communication is on the horizon. Heck, it's almost here.
People worry about being 'chipped', and maybe they will be, but I think it's kind of pointless. Everybody already carries around their wallet wherever they go, and I know when my credit card expires, the replacement will be armed and ready. That just annoys me! They don't need to read my card from orbit, because in order to track me, all I need to do is walk around the city. Past any random RFID machine which happens to be active. You know, like at doorways to every second retail outlet.
I wonder what would happen if I microwave the chip in my card? Would the magnetic strip still work?
Skit the tinfoil hat. I want my wallet lined with silver!
-FL
Like every privacy-busting technology, the public will welcome it with open arms.
If twenty years ago, the government passed a law saying that everybody had to carry a GPS and a microphone on them, so that the FBI could listen in and/or location them on demand; there would be a revolt.
Yet today, nearly everybody (and especially youth) carry cell phones.
If ten years ago, the government passed a law saying all households were required to contain a camera, for that the FBI could turn it on and look inside your house; there would be a revolt.
I predict in ten years, Microsoft's Kinect (and the Sony, Nintendo, etc. equivalents) will be used for this. Kids already *beg* their parents for game consoles in the living rooms, family rooms, and bedrooms.
If today, the government passed a law saying everybody was required to put RFID tags on everything, and keep them scan-able at all times; there would be a revolt.
I predict in twenty years, everybody will have RFID on everything and be unable to imagine society any other way.
Star Wars told us that democracy dies to thunderous applause.
It seems privacy dies to siren song of convenience.
Perhaps the signals are too weak I don't know, but for the record there is no such beast as too obscure. If it is not mathematically secure then it's not secure. How many times do we have to learn this lesson?
If you were on pluto with you cell phone there are antennas on earth that could receive you. Sure the scanner in the store may have a range of a couple of inches. If some black hat wants to hide an antenna in the back of a white van he is going to be able to read RFID tags from across the street.
Arguments about "small signal strength" are only relative. If the information is important enough someone is going to find a way to access it from the distance they need. The problem of isolation of a signal from a cloud of other signals is also then a problem of directionality and local isolation. A highly directional antenna and a line up of people going through a turnstyle make a way to isolate targets.
Criminals could setup a hidden antenna pointed at a turnstyle in subway system.
It will happen when the information becomes valuable enough for the criminals to take the effort.
The IBM PC first appeared in 1981. It was not until 1986 that the first PC virus appeared. It was not until many years after that before malware aimed at theft of data -- as opposed to mere vandalism -- became widespread. There's often a lag between the existence of a gaping security hole and the day when someone finally drives the first of many Mack trucks through it.
Proud member of the Weirdo-American community.
Mark [of the RFID Journal] challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes.
I think I've managed to leave town twice in my life while accidentally leaving a door unlocked. Nothing bad happened. So, I should conclude that I could leave doors unlocked all the time and I'd never see an unlocked door used for nefarious purposes?
I hope not all the logic at the RFID Journal is that bad...
All you have to do is hook a RFID detector up to an explosive device in a populated tourist area. Once the RFID detector senses enough unique RFID passport codes within a certain timeframe, BOOM!
RFID in passports were never a good idea.
http://travel.state.gov/passport/faq/faq_1741.html
There haven't been any known cases of a private citizen destroying a city with an atomic blast, so free nuclear weapons for everyone!
This Space Intentionally Left Blank
The signals are too weak and the data is too obscure
That's what we thought about our wireless routers, until Google started driving around and cataloging them into a data warehouse.
Once there is enough data, the data can be correlated with other data and turned into information.
Taggants are small chips of plastic embedded in all commercial explosives. They basically build up a whole bunch of thin layers of plastic, each layer distinctive. Think of the sequence of layers as a "manufacturing hash" allowing you to inspect the taggants and tell who made the explosives, and some additional information, pehaps some generic and some manufacturer-specific about that explosive. The multi-layered plastic is shredded into tiny pieces and mixed into the explosive.
It's so small and so light that at least some survives the explosion.
But there are those who are concerned that with years of wind, construction use explosions, taggants will be practically everywhere. So check the sight of a criminal explosion, and you have to start quantitatively sifting the debris to figure out which taggants are associated with the immediate problem, especially if there was recent construction nearby.
RFID may wind up the same way. Too many RFID devices, perhaps too little adherence to standards making boku crosstalk problems. It still wouldn't be a problem walking through the short-range theft detectors in a store, but long range RFID snooping might become very difficult, given time and ubiquity.
The living have better things to do than to continue hating the dead.
I'm no RFID-hater, but this is a totally bullshit argument. A hash key is a hash key; you don't need it to contain any meaning in itself. RFID keys are the real-world analog of cookies, and pretty much have the same risks. If you ever tie that meaningless blob to someone, you've got 'em.
"Believe me!" -- Donald Trump
If a microwave isn't available
1) Take a cheap camera flash
2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
4) Enjoy your restored privacy
Disclaimer: Do not point towards your pace maker.
A quick google search reveals real crimes committed due to weaknesses in RFID systems:
http://news.cnet.com/Gone-in-60-seconds-the-high-tech-version/2100-7349_3-6069287.html
By the same logic, cancel your life insurance because you've never died before.
Cheat on your taxes because you've never been audited before.
Never use contraception before because you've never impregnated anyone before. Oh, sorry, this is Slashdot. Forget that one.
Give up on getting a girlfriend because you've never had one before. There, that's better.
Every single threat that is real and accepted today was at one point just a theoretical vulnerability. I still remember how we used to laugh at people who thought you could get a computer virus through email, then Microsoft brought us automatic execution of stuff in email, and voila, you could. Brute forcing DES was impractical once. Now it's not. Spamming people's fax machines was once never done. Now I get a couple a week.
Sometimes new technology hasn't been exploited not because it's invulnerable, but merely because it's new.
If someone raises this sort of argument, their either being willfully deceptive, or they're woefully naive.
I recall a demonstration of an RFID card-cloning device from several years ago, where as a proof-of-concept the builder of the clonig device covertly cloned an authorized RFID security card and opened a secured door with it. It was a controlled penetration test against an aware target, but it clearly worked. It was widely publicized. (I'm not sure if this is the same tester - I think so - but there are full build instructions for a cloner available here: http://cq.cx/proxmark3.pl )
It's very difficult to imagine that this attack has never been duplicated as part of a hostile act after so long. It's easy to imagine that such an attack would not be reported, however, because such an attack could actually be very difficult to detect without an independent system monitoring physical access (e.g. cameras) and without evidence of some security breach to spur an investigation into access and camera logs. A strictly information-gathering penetration could be accomplished with hardly a trace.
Just because an exploit hasn't been seen in the wild yet doesn't mean it's not out there.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Oh really? Has anyone ever seen someone has shot someone with a gun? Well yes. Just because it hasn't happened yet, (if it hasn't) it will happen. Go wave your credit card at the gas pump, while the guy on the other side of the pump grabs your rfid signal and uses it to pay for his gas too.
Reading Slashdot comments on subjects like this reminds me of a moment in my ancient history that always sticks in my mind. My middle school (Junior High back then, 7th/8th grades) had a special program for students that showed exceptional skills. It was called Mentorship. It was basically designed to give us advanced classes while at the same time encouraging us to tutor others. Students from other classes could come to the Mentorship teachers and ask for a tutor and they in turn would get a volunteer from the Mentorship class to help.
After turning in a writing assignment where we had to create a crime/detective story the teacher was so proud of us that she said this (a little paraphrased, it was 25-odd years ago..)
"You are all so brilliant, every one of you got an A- or better on this paper. I see bright things in your futures. Some of the stories were so clever that I hope none of you ever grow up and get into a life of crime. Any one of you that did would be criminal masterminds and a scourge on this world. I'm sure none of you would do that, but it would be rather scary if you did."
Of course to me all I heard was, "You could be a great criminal genius, go for it!"
But reading through all of your comments makes me realize... there are many (note: I say many, not all) of you that, were you to put your minds to crime, would make the papers pretty quickly, and not in the "got caught doing..." way, I mean in the "is being sought by..." way.
ad astra per alia porci
You could even detect American vs. other passports
All you have to do is hook a RFID detector up to an explosive device in a populated tourist area. Once the RFID detector senses enough unique RFID passport codes within a certain timeframe, BOOM!
Chris demonstrated country-of-origin detection based on passport RFID values. The same thing works with military IDs.
-- Terry
Sir, step away from the plastic because it is inferior to paper.
Sire, step away from the Liensale encumbered by bank Notes & use more silver and gold.
Count, step away from the silver and gold and use more people: I hear Soilent Green stock is soaring.
Fellowservant of Christ, we are to love thy enemy because ill-will only reciprocates onto us.
without prejudice
"The signals are too weak and the data is too obscure, according to Roberti." Hey, AT&T - what did we learn about security through obscurity? Sorry, I can't hear you over the tone coming out of my Cap'n Crunch whistle. Nobody will ever figure out that your long-distance tone is 2600Hz, it's unthinkable! If nobody thinks the system is broken, nobody will fix it. Meanwhile, the rest of technology will improve and adapt, until a significant segment of the criminal population will be able to easily read these weak signals and use them for nefarious purposes. It won't happen overnight, but people have a way of doggedly pursuing an answer until it's found, and it won't matter how obfuscated or "obscure" the data is.
RFID-enabled credit cards broadcast all the data on the front of the card in plaintext when energized. So I'd say the answer is YES.
http://www.youtube.com/watch?v=vmajlKJlT3U
Look how old that video is.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Lockheed Martin recently put out a press release about their magnetic communications system (MCS), which works at distances of up to half a mile through solid rock:
http://www.popsci.com/technology/article/2010-08/lockheed-develops-magnetic-communication-mine-safety
Although the MCS probably uses large coils and low wavelengths on both sides to achieve that impressive distance, typical RFID cards have small coils. To make up for this, very strong digitally controlled magnetic fields could be used to couple to a coil from far away. For example, see this implementation of a static 0.7 tesla magnet:
http://www.technologyreview.com/biomedicine/25527/page1/
A strong enough, highly directional magnetic field and a sensitive enough detector could couple all the way to the theoretical maximum distance permitted by the RFID card's frequency. Like the MCS, that distance is one third the wavelength of 125 KHz (1.5 miles), or half a mile.
-- thalakan
No, neither guns nor RFID are that scary. Put a gun in the hands of a madman and it gets scary. Hand them out to all law enforcement personell while disarming the general population is pretty scary too (I'm in the UK).
What is scary in the case of RFID, is what can be done with them to track and log people's actions, location and travel history.
It's no big deal if you are milche cow because you won't be bothered while you chew the cud, but the rest of us might be concerned.
It ain't the silly little RFID. It's the system built around them. Once it's in place, it will be near impossible to remove it.
It's amusing that people whine about RFID, but go around wearing bluetooth headsets or running with Bluetooth sensors, while carrying cellphones, that operate on wifi radios where wifi points are available.
You were tracked long before RFID came out, and nothing bad has happened. :)
Well, SF MTA just changed to some kind of RFID chip - however, I can't even get it to read the chip through the plastic visor in my wallet or more than almost direct contact with the reader once its out the wallet. I don't know if this is because the readers are a POS or they are designed not to be read except with super close proximity, but it hardly makes me very worried.
The articles argument against RFID naysayers is a straw man.
Its like asking people when have they ever heard of a building being knocked over with a jetliner to justify not having security at the terminal before 9/11. If people can already see the downside to RFID then you can guarantee that it will be used for that downside. Just because current infrastructure makes it tedious to accomplish does not mean that its okay to roll with it. As a technology professional myself, I already know how easy people give up private data. If you rent from a video store you have given up on your Name/SSN/DOB/Addy & even a credit card. That is all anyone needs to start an identity theft ring.
Humans are cattle in line at the slaughter bin. 90% of the worlds population are cowards and liars. Most people do not say things like, give me liberty or give me death. If we did, then places like China, Iraq, Iran, Russia, or any other similar governmental system would not survive for long.
The chief concern with RFID tags like this isn't that some passerby can trigger your RFID tag to cough up a number; that's possible but impractical. The risk is that someone can point a directional antenna at a point where the RFID tag is activated by its intended use at a predicable location, and passively collect the transaction. Examples: FastTrax, PayWave, RFID passports
PayWave uses a 13.56 MHz transceiver frequency. This is about a 25 meter wavelength, so a high-gain directional antenna would be pretty obvious (rule of thumb: antenna size is one quarter or one half the wavelength of the frequency in question). The antenna systems used in PayWave are extremely inefficient, but when the range is almost "touch", that's not a bug, it's a feature. Adjacent registers with PayWave won't be interfering with each other or reading each others' transactions. However, RFID systems that use the 900MHz band are another matter. 900MHz has a wavelength of about 33cm/13 inches. A high-gain directional antenna would be about six inches wide, and anywhere from six to twenty-four inches long, producing 12dBd or better of gain for the longer size. It's not hard to conceal something like that in a tree aimed at a 7-11, or in a radio-neutral briefcase in an airport aimed at the passport-checking station at the security point.
So yes, bad guys can easily see the transaction, depending upon the wavelength used. The security is in the encryption of the transaction (or lack thereof). If the RFID device just pukes it's ID when tickled, that's bad. If there is a challenge-and-response cycle, not quite as worrying as you'd need many transactions recorded for a single device to crack it, though with keyless car entry systems, that's already happened (see http://www.cosic.esat.kuleuven.be/keeloq/keeloq-rump.pdf ).
Like almost anything else, it's all about implementation. You can never assume the transport between two devices is absolutely secure, and RFID is most definitely not an exception; indeed, it's the poster-child.
Everybody gets what the majority deserves.
I'm not worried about tracking at all. People who track others can go to great lengths, the government can go to great lengths. If not by some technological means (RFID toll tags, video matching licence plates from continuous speed cameras) then by physical means (spook tailing you on the street). All of this gets them where? To my house? That information they could find in the phone book. Maybe to my gay lover?
Then there's all the talk of marketing. Yeah so what? I'd much rather look at targeted ads from computer stores than the latest and greatest eye-liner from Loreal. Bring on this targetted marketing then maybe I just may take an interest in the ads. Heck I may even learn about a new product.
On the other hand keep RFID out of my passport, and my wallet. This is far more worrying than anything else. There's not a lot of people out there who wish to target and track one specific purpose for nefarious reasons. However as credit card skimming trends are showing, as soon as someone gets their hand on the ability to remotely skim credit card details (and remember this is how Paywave and Paypass work), you can bet your bottom dollar they'll be RFIDing as much as possible. The risk is even lower than with card skimming if they get it working.
why worry about RFID when you already cary a cellphone?
RFID codes by themselves are useless. Without some context, the bad guys don't know how to interpret their readings.
And, frankly, I believe him. My passport RFID carries more than just "obscure data", I would suspect. I've heard they're coming/(already here?) included in all ATM/Debit/Credit cards and, I assume, would carry more than obscure data. I don't care if it's being snooped by the guy standing next to me on the rail or a guy sitting on a bench across the store. If it's another weak link in an already jaded defense against ID theft, it should not be implemented in the first place.
I did not buy the RFID-blocking wallet, however. Was meaning to check out instructables one of these days but my tinfoil hat sometimes makes me forget.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).
I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)
Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".
Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)
Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.
Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.
Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.
Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."
If the government was interested in spying on your daily activities (and that's extremely unlikely if you're the type of person that goes "OH NOES RFID IS EVIL") they'd do it no matter what,they're not going to bother putting RFID trackers every 100 meters to track everybody's location. If you think so you might also want to break out the tinfoil hats. RFID has its applications and it shouldn't be used for transferring extremely sensitive data. Right now most of the arguments are at about the same level of saying a chip card is dangerous cause the data on the chip might not be encrypted and you could lose it and somebody might come along with a card reader. But really I love having to just sweep my wallet past the reader to get my student discount in the cafeteria instead of having to get the card out of my wallet and holding it 5 seconds in front of a bar code reader.
That's exactly right - all the Doctors are out to get you. Because they hate you. And they want your money. And power too. I mean they want power in general, not your power specifically.
And if you have children it's even worse, not only are they out to get you, but they're out to get your kids too!!!
RFID is attackable. Just swipe a little reader over some guy's ass when he isn't looking, or play like Chris Paget and add a little power. Pipe the card's output through a register with the amount you want to take as a "purchase" parameter, and the person won't have any clue their wallet was picked until they get their bank statement or a transaction is declined, whichever comes first.
Police has access to logs and used them in the past. Proof of RFID being used to spy on people right there.
Who logs in to gdm? Not I, said the duck.
The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.
Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue.
Did you totally ignore the subject of the story and replies to it? Have you considered that maybe some people don't like your tracking (especially if they weren't informed of it and didn't explicitly agree to it) and have found ways to detect and incapacitate your RFIDs?
I really don't worry too much about my RFID cards - I just keep them tucked up under my tinfoil hat.
Chris demonstrated country-of-origin detection based on passport RFID values. The same thing works with military IDs.
But could the detector be made discrete enough? Ie not require mains power, not require obvious antenna or other detection apparatus?
If so then... surely this is just fucking scary?
Or am I missing something here? Eg a bomb that goes off when theres enough US passport holders nearby. Or UK. Or whoever someone bears a grudge against.
People are going on with worries about identity theft or leakage of personal info via RFID tags and other people are going on about how thats just not a problem and not to worry. But if these things can be used to target specific groups with concealed bombs then takes it to a whole new level.
In the free world the media isn't government run; the government is media run.
Wasn't there an artile in here about some professor cloning RFID passports. Then he spoofed one with bin laden's and a few other wanted bomb makers info.
and then there's this:
http://it.slashdot.org/story/10/01/15/0744204/Airport-Access-IDs-Hacked-In-Germany
Freedumb!
"Just don't nod your head through this bit"
"And now, let us bow our heads..."
No it is not, your RFID equipped credit card could be skimmed when you simply walk by a hidden reader. I wouldn't be hard for someone to walk around a city with a RFID skimmer in their backpack and read cards all day long. If you read the title you'd know that you can do this from over 100 feet away.
FFS, have you read into any of the documents or specs surrounding paypass, paywave etc.
1) Contactless payment cards (The ones I've worked on) only have a range of 5-10 cm. You'd have to have some pretty obvious kit to pick them up from any further away
2) The most you can get off a contactless payment card is the card number, expiry dates and possibly name / issue number depending on spec. Congratulations, I'm sure you'll get far with that! Anything else required application cryptogram authentication, which requires a heap of keys from the payment processer.
3) Why can't people stop being paranoid about this technology and actually read into the pros and cons!!!
"The signals are too weak and the data is too obscure" Security through obscurity Typical.
Tell me where this is wrong:
Visible light is electromagnetic waves of a certain type. We use light to see objects that relflect light back to our eyes and thus we determine what we are looking at based on comparing it to objects we know about.
RF is electromagnetic waves of many types. RFID bounces radio off objects (tags) and thus the reader determines what it is looking at AFTER it looks up the return in a database.
It seems to me these are basically the same thing, but nobody is worried about being seen in Walmart buying something. They're just worried about RF doing what a pair of eyes can do.
With regard to RFID reading at a huge distance by third parties or whatever, so what? Without a database to look up the meaning of the tag return, what the heck does it matter if someone reads the tag? Cars have licence plates. You see them every day. Every tag is unique and ultimately identifiable to a specific vehicle and owner. Walk outside and look around or visit any parking lot. Car license plates everywhere.
Why is this not a worry? Because the average person can see car license tags but they don't have the DMV database to look up anything, and thus the tags are essentially meaningless. For people who DO need to know, well, they have access to the database. The meter maids and police and so on.
Now think about a Walmart full of clothes or packages of stuff. If you or I walk in with an RFID scanner, we might get thousands of hits. Same as walking across a parking lot seeing all the car license plates. But without Walmart's inventory database, the tags we would read have no meaning. Similarly, without the DMV database, the parking lots full of car license plates have no meaning.
It doesn't matter if somebody reads my passport ID. They're not likely to look like me or be able to pass for me at the immigration booth. Even if the passport is cloned, the database it connects to won't have been modified. The immigration workers will see there's a problem. The fake passport might even make it easier to spot.
Sigh. I know I know, I should be worried. But I know from experience, having a data string means nothing without context. And without context, there's a limit to what can be done with it, and the level of concern it needs.
I recently was sent out to purchase a feminine product. Does this mean that billboards will flash other feminine product ads at me. At least I only need to do this once a month.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.