An RFID tag is nothing more than a little chip attached to a paper-thin antenna. The chip's basic function is to store and transmit a small amount of information, usually just a unique identifier. What good is that? Well:
- RFID attached to shipping pallets can make it easier for companies to track and monitor shipments.
- By replacing UPC codes with RFID labels on individual products (like a can of soda), stores can track inventory, prevent shoplifting, and develop systems that automatically charge you for whats in your cart without you having to stop and scan each item.
- As a cheap short-range wireless transmission system, RFID is perfect for making printers who can tell you if you install the wrong ink or toner cartridge or cars that can sense the air pressure in your tires.
- Because RFID doesn't require physical contact, pass cards like those used for secure door access or subway systems will last far longer than those that use magnetic stripes. Further, because the cards only need to be waved in front of a reader, people can get through the control points a few seconds faster. Multiply by tens or hundreds of people a day and the over-all efficiency skyrockets.
- RFID chips can be implanted under the skin of animals to make them easy to identify if they become lost or stolen.
- Chips implanted in humans can be used in place of the medical alert bracelets which can come off or become hard to read over time.
Besides these, there are hundreds of visionary and useful things you can do RFID and these are just some of them. However, because there are little to no security controls included, most of the advantages quickly become outweighed by the disadvantages:
- If someone steals a pallet full of products from a warehouse, but leaves the RFID chip, the company probably wouldn't know for days or weeks afterward (however long it takes for a real human to go looking).
- A shoplifter with a handheld RFID blaster can remove the tags and walk right out of the store.
- Those RFID enabled printers can make sure you don't reuse cartridges or buy knockoff brands.
- Those quickpay and access RFIDs can be easily copied from a distance. Now the bag guy gets free tolls, free gas, or can walk right into your building while the system leaves you with the responsibility.
- The RFID you popped into your loved animal has been linked to cancer in dogs.
- RFID has been debated for mandatory implantation in Alzheimer's patients, illegal aliens, and even the military. Because the chips aren't protected, once implanted, they can be used to track the movements and activities of the subjects causing serious privacy concerns. In addition to the possible cancer risks, the chips have been known to tunnel through the skin over time causing damage as well as making it impossible for you to get an MRI in the future if you should need one.
- And how about the fact that your unsecured RFID chip could get hacked and become a tool for spreading viruses?
- Cameras can be programmed to look for specific kinds of RFID or specific people and snap a photo when you go by
- RFID can and WILL be used to track humans and their daily activities. Research is ongoing
As if that wasn't bad enough, consider the fact that making yourself "machine readable" makes it possible for someone to program a bomb with your "number" on it. As soon as you walk near the bomb, you're done for. Think that's extreme? Ask the guys fighting in the middle east if they want to see roadside bombs become more efficient and deadly than before.
Making RFID Safe
Why not just chuck this technology to the curb if it's so bad? Because it has so many valid and useful applications! RFID can be used to prevent infant abduction in hospitals, allow for advanced home management, and all of the other things we mentioned at the beginning of this article.
Stopping the progression of technology is a fool's game, but harnessing it and directing it to proper security while maintaining privacy is the path for the winning team. To do this, we need to look at three risk aspects of RFID:
1. Lack of authentication
One of the primary issues with RFID and the main thing that makes all the nightmare scenarios possible is that the dumb things broadcast to anyone and everyone. For any implementation of RFID to be acceptable, the chips must be programmed only to speak to proper readers who authenticated themselves first.
In other words, say you have a refrigerator that scans the food inside. When you put food inside, the fridge should program the food with a one-time code that makes it impossible for the chips in the packaging to respond to any other reader.
Note that the RFID in US passports have a system like this, but it's fairly weak and can be bypassed. But at least it's a start.
2. Lack of encryption
Even after a chip authenticates a reader, if it sends the data out in the open, anyone else nearby (or not so nearby) can read it too. All communications between a chip and authenticated reader must be encrypted to prevent eavesdropping by others.
3. Use of Long-term RFID
Implantation is permanent. Passports are good for 10 years. Companies plan to replace UPC barcodes with RFID that will transmit ID codes for the life of the product (from creation to landfill and beyond).
It doesn't make sense for every implementation of RFID to include authentication and encryption, but for the ones that don't (and even the ones that do), RFID must be a limited duration function.
First once a human is walking around with an RFID on them, privacy and safety concerns have to be addressed. Any RFID in products that people wear or carry on a daily basis should be disabled upon sale.
Second, RFID implementations will eventually be hacked by someone. All it takes is one person in the ENTIRE world to find a way to break the system and the security is no good anymore (like the millions and millions of pounds wasted with the UK passports). Secure implementations of RFID must consider this fact in their design and account for it.
RFID is fun and leads to many amazing and cool possibilities, but as it is now, it's dangerous, impractical, and irresponsible. Any company or government agency that implements them without first considering the drastic privacy and personal safety concerns is playing with disaster.
Even if RFID makers implement the measures I've suggested, people have a right to know there are tracking chips in the products they buy so they can make informed choices to participate or not. Laws need to be drafted to control the rampant planned and current abuse of RFID by companies and the government.
To become better informed of the dangers of RFID to personal privacy by over-zealous marketers, please see my article on Spychips