Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is RFID Really That Scary?

Posted by timothy on from the relaaaaaax-citizen dept.

tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"

33 of 338 comments (clear)

  1. Yes and no by autocracy · · Score: 4, Interesting

    Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.

    Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."

    Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

    --
    SIG: HUP
    1. Re:Yes and no by morari · · Score: 5, Insightful

      My bank switched their debit cards over to ones with "PayWave". It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line. I immediately bought an RFID blocking wallet. I'm a lot more concerned about being tracked by the stores and the bank, being marketed to by telescreens on the sidewalk, etc. than I am about cyber-thieves.

      --
      "He who can destroy a thing, controls a thing." --Paul Atreides, Dune
    2. Re:Yes and no by CyberLord+Seven · · Score: 4, Informative
      It seems to me you are assuming that the RFID is the only method being used to track someone. I don't track people but it seems trivial to me that a device that identifies a single person out of a mob would be extremely useful.

      Instead of setting my head on a swivel and looking around suspiciously I need only keep my gaze directed at my open book (hiding my tracking device) while I walk around keeping track of my subject.

      Yes, alone, the device is useless; however, people in the business might find plenty of uses for it that you and I cannot imagine.

      --
      We have always been at war with Eurasia!
    3. Re:Yes and no by sjames · · Score: 4, Funny

      Wow. If we thought butt dialing was a problem, just wait until butt-buying starts.

      In soviet america, ass bankrupts you!

    4. Re:Yes and no by Anonymous Coward · · Score: 3, Funny

      ...ass bankrupts you!

      The anthem of divorced men everywhere.

    5. Re:Yes and no by i.r.id10t · · Score: 4, Funny

      But *only* after a jump to the left and a step to the right

      --
      Don't blame me, I voted for Kodos
    6. Re:Yes and no by MozeeToby · · Score: 4, Insightful

      It's hardly vendors that I would be concerned about. Given the increase in skimmers for magnetic readers at ATMs and cash registers how long do you really think before the concept spreads to RFID skimmers?

    7. Re:Yes and no by nabsltd · · Score: 4, Insightful

      I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time.

      And targeted ads are even more annoying, because they still don't get it right.

      I was in the market for a car and did my research and bought one a week ago. But, I expect that "targeted" ads for cars will keep hitting my monitor and mailbox for at least the next six months, and I expect many of them will be for classes of vehicles that weren't anything I would ever consider.

      Two years ago these ads would have been a minor bother, and 2-12 months ago they might have been helpful, but for the next 5-10 years they'll be both wasteful and a major annoyance.

    8. Re:Yes and no by ffreeloader · · Score: 4, Insightful

      Being tracked when you use your card, because that is required just because you used it, and being tracked just because you walked past a checkout counter are two separate and distinct things.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    9. Re:Yes and no by thepotoo · · Score: 3, Funny

      I immediately bought an RFID blocking wallet.

      You mean you lined it with tinfoil? Yeah, me too. I've also got a stylish hat and matching suit made of the same material. The underwear is a little itchy at times, but you'll get used to it.

      --
      Obligatory Soundbite Catchphrase
    10. Re:Yes and no by blueZ3 · · Score: 4, Insightful

      I think you're making a mistaken assumption that ads are intended to drive you to make an immediate purchase. While that's one reason they're aired, another is brand recognition and familiarity. If you happen to be in the market for a car three years from now, it's likely that at least some of what those car companies have communicated in their ads will stick with you.

      This is especially true for less-well-known brands. Compare a Toyota ad ("We're having a sale this weekend") to a Hyundai ad ("Our cars are reliable and have feature x). Toyota expects you to already know and recognize the value of a Toyota, they're trying to get you into the showroom now, now! NOW! As a relative newcomer, Hyundai is working to get you comfortable enough to consider their car.

      --
      Interested in a Flash-based MAME front end? Visit mame.danzbb.com
    11. Re:Yes and no by Sigmon · · Score: 4, Funny

      But do you have to put your hands on your hips?

    12. Re:Yes and no by vadim_t · · Score: 3, Interesting

      Are you sure?

      The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.

      For example, imagine you're walking on the street with your friend/boss/old fashined grandmother. Suppose you're into manga/anime. Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland due to your past purchase of the Chobits manga?

      There are lots of things for which you'd really hate to see a targeted billboard ad for in the presence of the wrong people, or any people at all. Just for instance: certain kinds of anime/manga (or anime/manga at all, if you're unlucky to be stuck with people convinced that it's all tentacle porn), hygiene products (buy our incontienence pads!), the wrong kinds of magazines or games, music by an artist you'd rather people not know you listen to, and so on.

      Be careful with what you wish for. There is no guarantee the advertiser will make any effort not to display anything that could be embarrassing, and even if they try there's no guarantee that they'll succeed. I got a few rather odd recommendations from Amazon and am rather glad they don't pop up on the street at just the wrong moment.

    13. Re:Yes and no by 7-Vodka · · Score: 3, Insightful
      How fucking stupid are you?

      You're implying that you would like to see ads for things you are interested in. Well fucking wake up mate. There are lies, damn lies and then there are advertisements. Whatever useful information contained in an ad is completely outweighed by the bogus fucking lies they will tell you with the intent on selling you. And if that's not enough, they're obviously going to leave out anything that would encourage you to not buy their shit.

      Worst of all, have you ever even watched an ad? If any ads were reality, then chosing the right toothpaste would make you FUCKING HAPPY AS BLISS and using the right condom would get you laid by a supermodel and drinking the right liquor would make you a million dollars.

      Seriously, if you are clueless enough to ever even contemplate that you might benefit or enjoy watching an ad; you're already sold mate.

      --

      Liberty.

    14. Re:Yes and no by rhook · · Score: 3, Informative

      No it is not, your RFID equipped credit card could be skimmed when you simply walk by a hidden reader. I wouldn't be hard for someone to walk around a city with a RFID skimmer in their backpack and read cards all day long. If you read the title you'd know that you can do this from over 100 feet away.

    15. Re:Yes and no by dr2chase · · Score: 3, Funny

      Clearly, the plan is to link an advertising identity for most-embarrassing stuff to an RFID chip, and then surreptitiously tag people with that RFID tag.

  2. Re:first by NevarMore · · Score: 3, Funny

    AC used RFID to steal my first post!

  3. Just because you don't know... by woboyle · · Score: 3, Interesting

    Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.

    --
    Sometimes, real fast is almost as good as real-time.
  4. Yes and no... by BobMcD · · Score: 4, Interesting

    Is RFID, as described in the article really all that scary? No, not really. E.g.

    30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

    So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

    This is the part that scares me:

    Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.

    Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.

    1. Re:Yes and no... by Qzukk · · Score: 3, Interesting

      there is not a single example of anyone who had their privacy infringed because of the tags.

      Other than the cases of people's tags' movements being used against them in divorce proceedings and stuff? http://www.msnbc.msn.com/id/20216302

      Oh wait, as long as the privacy goalposts can be moved at a whim, there is not a single example of anyone who had their privacy infringed because of the tags.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  5. Re:Great Idea by aurispector · · Score: 4, Insightful

    RFID isn't a security concern NOW. If they start putting them on, say, driver's licenses it's another story. Why would anyone think RFID is a good idea when every other system that can be abused IS abused? The new barcode like scanning squares (WTF are they called?) can hold plenty of information and can only be read when the cardholder deliberately presents the card for scanning.

    What is the advantage of RFID?

    --
    I have mod points. The reign of terror begins now.
  6. Here's a better Defcon RFID story... by bradorsomething · · Score: 5, Interesting

    A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.

    Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...

    1. Re:Here's a better Defcon RFID story... by myowntrueself · · Score: 4, Insightful

      Ok how about this.

      US passports contain RFID tags.

      1. Is it possible to detect, from the RFID tag, at a distance, the presence of a US passport and to distinguish a US passport from other passports fitted with RFID tags?
      2. Is it possible to determine roughly how many US passports are within range?
      3. Is it possible to engineer such an RFID tag detector into the detonator of an explosive device while keeping said explosive device small enough and low powered enough to be easily concealable? (ie doesn't need mains electricity nor obvious antenna).

      I am just asking the question, I have no wish to see US passport holders blown to bits; but there *are* people who *would*.

      --
      In the free world the media isn't government run; the government is media run.
  7. Potential by ddillman · · Score: 3, Insightful

    Just because it hasn't already been used for nefarious purposes (and we don't know that for certain, do we? We just haven't seen public reports of it...) doesn't mean it can't and won't be done in the future. That guy's argument is as bogus as the "If you've done nothing wrong, you have nothing to hide" crap spouted by those who want to spy on everyone.

    --
    Little girls, like butterflies, need no excuse. -- L. Long
  8. My Challenge for Mark by RingDev · · Score: 3, Insightful

    Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes

    I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.

    Nothing?

    Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  9. If only the chips worked! by cruachan · · Score: 3, Informative

    I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.

    About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.

    Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were lead to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.

    Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.

  10. Re:Not yet attacked != not attackable by jd · · Score: 3, Insightful

    Ummm, we can't be sure if nobody has attacked RFID. I seem to remember an international incident, not too long ago, where 50+ passports were successfully cloned - including those from countries implementing RFID on passports. At this time, there is zero information on whether the cloning was someone compromising the primary databases of the respective countries or whether it was done more directly by lifting information from passports in the open. It is extremely doubtful that we will ever be given that information, as no government is going to want to admit that people can access secure databases OR admit that the security on their passports is useless. (It has to be one of the two.)

    Since we cannot know where the vulnerability was, it is prudent to assume that ANY part of the chain could be broken. Only a complete fool would do otherwise. This means that whilst we cannot be certain RFID has been compromised, we MUST believe that it might have been. To assume, blithely, that of course it couldn't be RFID is stupid. Why? Because that results you in only looking at facts that meet your theory. A very bad practice, and one that no reputable journal would be caught dead doing. Of course, a trade magazine isn't really a reputable journal. No trade magazine is ever going to question the assumptions of those who both pay for the advertising and then pay for the journal afterwards.

    (Those familiar with certain works of Jeremy Brett may be familiar with the cry of "Data! I cannot work without data!")

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. Portable RFID chip Killer by mrops · · Score: 4, Interesting

    If a microwave isn't available

    1) Take a cheap camera flash
    2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
    3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
    4) Enjoy your restored privacy

    Disclaimer: Do not point towards your pace maker.

    1. Re:Portable RFID chip Killer by camperslo · · Score: 3, Informative

      Actually I think you'll need to put that coil in series with the flash.
      IIRC, an inverter charges a capacitor up to a few hundred volts D.C. across the flash which doesn't conduct until it is triggered by a brief higher-voltage pulse from a transformer. That pulse causes the gas to ionize (conduct). If the coil were across the flash, the cap would be shorted and couldn't build up a big charge to release in one high-energy burst. Maybe flash designs have changed, but that's how they've worked in the past.

    2. Re:Portable RFID chip Killer by Anonymous Coward · · Score: 5, Funny

      (remove finger)

      Holy shit man, I value my privacy but this seems extreme.

  12. Answer is YES by GameboyRMH · · Score: 4, Informative

    RFID-enabled credit cards broadcast all the data on the front of the card in plaintext when energized. So I'd say the answer is YES.

    http://www.youtube.com/watch?v=vmajlKJlT3U

    Look how old that video is.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  13. Re:Credit cards by evilviper · · Score: 3, Informative

    No it didn't, it had a little paper sticker on the front telling me to activate and sign it.

    Yes, some banks don't do so. Most do, however.

    The card readers need it to be practically touching it to work,

    An idiotic statement. Mass market RFID readers need to be within about 6 inches. However, there's NOTHING stopping someone from cranking up the power and getting far more distance out of it. How does 11 meters sound? http://www.foodproductiondaily.com/Supply-Chain/Long-distance-RFID-reader

    I don't think people are mass scanning my mail.

    With enough money on the line, they will be... Criminals go to great lengths to get credit card numbers with skimmers, fake ATMs, and the like. A tine scanner in a post office would be relatively easy and low-risk.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  14. The RFID in everything you buy at Wal*mart by pentalive · · Score: 3, Interesting
    Why isn't anyone worried about the Wal*mart RFID initiative?

    Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).

    I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)

    Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".

    Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)

    Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.

    Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.

    Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.

    Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."