Spychips: How Government And Major Corporations Are Tracking Your Every Move: Katherine Albrecht
(See online!)

RFID technology is incredibly convenient. Imagine making it possible to make your clothes, your car keys, and even items in the fridge talk to sensors in your house. You'd always know where your socks are, never lose your keys, and be able to take inventory of your fridge with a quick scan from your phone. All of this is possible now with RFID, but it also assumes that no one is using it maliciously.

Spychips explains not only what is possible, but what is happening now where companies are testing and evaluating uses for RFID that are creepy, invasive, and downright wrong. Like many other advances in tech, we can't stop RFID and shouldn't either, but we do need to make sure it's used responsibly and that requires understanding the threat.

As anyone who reads much of my site knows, I'm not a fan of how RFID is being implemented. However, I'm not against the technology itself as it has many practical uses. For example, some hotels have begun putting washable RFID in the towels and bathrobes to keep people from stealing them.

Since the RFID towels have no privacy invading purpose at all and serve deter self-entitled punks who think it's ok to take hotel items, I will offer my tentative support for this. The main concern is feature creep meaning that depending how they implement this, they may also know which towels you used and when. I can't really see the hotels bothering to do so, but if they did, that would be crossing the line big time.

Source: http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-up-in-my-suitcase/ (H/T to The Consumerist for the link)

An RFID tag hidden under a label

One of the many problems of RFID technology is that they can be hacked and used to spread viruses.

The device, which enables him to pass through security doors and activate his mobile phone, is a sophisticated version of ID chips used to tag pets. In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said.

Mostly, this hasn't received a lot of attention to date because the computing power of RFID has historically been very low. But as the technology progresses, the consequences of not securing them properly becomes higher and higher. Tags: RFID, Spychips

An RFID tag hidden under a label

An RFID tag is nothing more than a little chip attached to a paper-thin antenna. The chip's basic function is to store and transmit a small amount of information, usually just a unique identifier. What good is that? Well:

Pros

• RFID attached to shipping pallets can make it easier for companies to track and monitor shipments.
• By replacing UPC codes with RFID labels on individual products (like a can of soda), stores can track inventory, prevent shoplifting, and develop systems that automatically charge you for whats in your cart without you having to stop and scan each item.
• As a cheap short-range wireless transmission system, RFID is perfect for making printers who can tell you if you install the wrong ink or toner cartridge or cars that can sense the air pressure in your tires.
• Because RFID doesn't require physical contact, pass cards like those used for secure door access or subway systems will last far longer than those that use magnetic stripes. Further, because the cards only need to be waved in front of a reader, people can get through the control points a few seconds faster. Multiply by tens or hundreds of people a day and the over-all efficiency skyrockets.
• RFID chips can be implanted under the skin of animals to make them easy to identify if they become lost or stolen.
• Chips implanted in humans can be used in place of the medical alert bracelets which can come off or become hard to read over time.

Though there hundreds of visionary and useful things you can do RFID, because they typically lack strong security controls there are serious risks that come with them too!

Cons

Don't underestimate how easy it would be to track and monitor people by the poorly-secured RFID tags they carry
(See online!)

• If someone steals a pallet full of products from a warehouse, but leaves the RFID chip, the company probably wouldn't know for days or weeks afterward (however long it takes for a real human to go looking).
• A shoplifter with a handheld RFID blaster can remove the tags and walk right out of the store.
• RFID enabled printers coffee machines can prevent you from reusing or buying off-brand replacement supplies.
• Those quickpay and access RFIDs can be easily copied from a distance. Now the bag guy gets free tolls, free gas, or can walk right into your building while the systems assign the responsibility to you.
• RFID has been debated for mandatory implantation in Alzheimer's patients, illegal aliens, and even the military. Because the chips aren't protected, once implanted, they can be used to track the movements and activities of the subjects causing serious privacy concerns. In addition to the possible cancer risks, the chips have been known to tunnel through the skin over time causing damage as well as making it impossible for you to get an MRI in the future if you should need one.

US passports now have RFID that researchers used to trigger an RFID smart bomb
• And how about the fact that your unsecured RFID chip could get hacked and become a tool for spreading viruses?
• Cameras can be programmed to look for specific kinds of RFID or specific people and snap a photo when you go by
• RFID can and WILL be used to track humans and their daily activities. Research is ongoing
• Making yourself "machine readable" makes it possible for someone to program a bomb with your "number" on it.

Making RFID Safe

On the plus side again, RFID can help prevent infant abduction or hospital mixups.

RFID, like most technology, isn't something that can (or necessarily should) be stopped. Intstead, we need to harness and direct the technology to reduce the threat. To do this, we need to look at three risk aspects of RFID:

1. Poor authentication

One of the primary issues with RFID and the main thing that makes all the nightmare scenarios possible is that unsecured RFID broadcasts to anyone and everyone. For any implementation of RFID to be acceptable, the chips must be programmed only to speak to proper readers who authenticated themselves first.

For example, say you have a refrigerator that scans the food inside. When you put food inside, the fridge should program the food with a one-time code that makes it impossible for the chips in the packaging to respond to any other reader.

Think no one cares what the contents of your fridge are? Think again.

2. Poor (or no) encryption

Even after a chip authenticates a reader, if it sends the data out in the open, anyone else nearby (or not so nearby) can read it too. All communications between a chip and authenticated reader must be encrypted to prevent eavesdropping by others.

3. Use of Long-term RFID

Implantation is permanent. Passports are good for 10 years. Companies plan to replace UPC barcodes with RFID that will transmit ID codes for the life of the product (from creation to landfill and beyond).

Every RFID implementations will eventually be hacked by someone. All it takes is one person in the world to find a way to break the system and the security is no good anymore (like the millions and millions of pounds wasted with the UK passports). Secure implementations can slow it down or help, but the best defense is NO RFID.

I can't see implants ever making sense and you definitely want to be sure the products you wear and carry around can't be used to wirelessly communicate with the world around them.

(Image is in the Public Domain)

The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport it is revealed to belong to one Elvis Aaron Presley, complete with picture.

RFID is not ready. Every country that has tried to use it for identification has failed and miserable.

Want to be battle? Because this is how you become cattle.

(Image used under: Creative Commons 2.0 [SRC])

The optional license will include a picture and radio frequency identification tag that can be scanned to verify a person's identity. The tag will not contain any personal information - only an assigned number, authorities said.

How reassuring. So they won't be able to take my data from it, but they'll be able to clone it and frame me or just use the unique ID to track me remotely. But they're going to be passing out sleeves that prevent it from being read remotely without your authorization. So if you don't find it bulky and actually use it, you'll be partially protected until it's time to pull it out to be read or if someone gets a few seconds alone with your wallet to pull it out and clone it.

(Image used under: Creative Commons 2.0 [SRC])

The website includes very loose information about what makes this chip so "uncloneable", but I highly doubt that it's true. An RFID chip is read by radio waves and as long as you can make a chip, computer, or anything else that transmits replicate the signal that the original chip did, you can clone it.

If they mean that you can't make one of these chips copy the data from another of these chips, I can see that as being possible, but what difference does that make in the end if I can use a different brand chip to open your secure door or travel the world in your name?

(Image used under: Creative Commons 2.0 [SRC])

Katherine Albrecht has written has written an article for Scientific American that everyone should read. For those who don't already know her, she's the leader of CASPIAN and one of the world's foremost experts on RFID privacy issues.

Here is a mini summary of some of the major points:

• Companies intend to replace barcodes with RFID
• Unlike barcodes which identify a product type (i.e. a can of soda), RFID will identify an INDIVIDUAL product (i.e. can of coke #48377625376)
• RFID tags can be read secretly from long distances (30 or more feet).
• RFID tags in licenses have minimal security (and even passports that have more security have been hacked already many times)
• IBM filed a patent that was granted in 2006 for a system of scanners at “shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theaters, [and] mu­­se­­ums ? to track the movements of people by their RFID tags
• Alton Towers (an English amusement park) issues RFID wristbands to visitors and tracks their movements through the park. While they use it to create a keepsake "where you went" map for their customers, they prove that the system works in practice

Bad security is worse than none in some case

(Image used under: Creative Commons 2.0 [SRC])

This is hardly surprising. The wireless toll systems use RFID and there isn't an RFID system yet that hasn't been hacked that I know of. Anyway, by cloning anyone's transponder, you can pass through the tolls while the other sucker pays the bill. Also useful for committing crimes in someone else's name.

Wireless passports. Who could have guessed they'd have security problems.

(Image is used under the Pixabay license)

So much for "Fakeproof". Of course, anyone who knows about RFID and the way they work could see this coming.