An RFID tag hidden under a label

One of the many problems of RFID technology is that they can be hacked and used to spread viruses.

The device, which enables him to pass through security doors and activate his mobile phone, is a sophisticated version of ID chips used to tag pets. In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said.

Mostly, this hasn't received a lot of attention to date because the computing power of RFID has historically been very low. But as the technology progresses, the consequences of not securing them properly becomes higher and higher. Tags: RFID, Spychips

An RFID tag hidden under a label

An RFID tag is nothing more than a little chip attached to a paper-thin antenna. The chip's basic function is to store and transmit a small amount of information, usually just a unique identifier. What good is that? Well:

Pros

• RFID attached to shipping pallets can make it easier for companies to track and monitor shipments.
• By replacing UPC codes with RFID labels on individual products (like a can of soda), stores can track inventory, prevent shoplifting, and develop systems that automatically charge you for whats in your cart without you having to stop and scan each item.
• As a cheap short-range wireless transmission system, RFID is perfect for making printers who can tell you if you install the wrong ink or toner cartridge or cars that can sense the air pressure in your tires.
• Because RFID doesn't require physical contact, pass cards like those used for secure door access or subway systems will last far longer than those that use magnetic stripes. Further, because the cards only need to be waved in front of a reader, people can get through the control points a few seconds faster. Multiply by tens or hundreds of people a day and the over-all efficiency skyrockets.
• RFID chips can be implanted under the skin of animals to make them easy to identify if they become lost or stolen.
• Chips implanted in humans can be used in place of the medical alert bracelets which can come off or become hard to read over time.

Though there hundreds of visionary and useful things you can do RFID, because they typically lack strong security controls there are serious risks that come with them too!

Cons

Don't underestimate how easy it would be to track and monitor people by the poorly-secured RFID tags they carry
(See online!)

• If someone steals a pallet full of products from a warehouse, but leaves the RFID chip, the company probably wouldn't know for days or weeks afterward (however long it takes for a real human to go looking).
• A shoplifter with a handheld RFID blaster can remove the tags and walk right out of the store.
• RFID enabled printers coffee machines can prevent you from reusing or buying off-brand replacement supplies.
• Those quickpay and access RFIDs can be easily copied from a distance. Now the bag guy gets free tolls, free gas, or can walk right into your building while the systems assign the responsibility to you.
• RFID has been debated for mandatory implantation in Alzheimer's patients, illegal aliens, and even the military. Because the chips aren't protected, once implanted, they can be used to track the movements and activities of the subjects causing serious privacy concerns. In addition to the possible cancer risks, the chips have been known to tunnel through the skin over time causing damage as well as making it impossible for you to get an MRI in the future if you should need one.

US passports now have RFID that researchers used to trigger an RFID smart bomb
• And how about the fact that your unsecured RFID chip could get hacked and become a tool for spreading viruses?
• Cameras can be programmed to look for specific kinds of RFID or specific people and snap a photo when you go by
• RFID can and WILL be used to track humans and their daily activities. Research is ongoing
• Making yourself "machine readable" makes it possible for someone to program a bomb with your "number" on it.

Making RFID Safe

On the plus side again, RFID can help prevent infant abduction or hospital mixups.

RFID, like most technology, isn't something that can (or necessarily should) be stopped. Intstead, we need to harness and direct the technology to reduce the threat. To do this, we need to look at three risk aspects of RFID:

1. Poor authentication

One of the primary issues with RFID and the main thing that makes all the nightmare scenarios possible is that unsecured RFID broadcasts to anyone and everyone. For any implementation of RFID to be acceptable, the chips must be programmed only to speak to proper readers who authenticated themselves first.

For example, say you have a refrigerator that scans the food inside. When you put food inside, the fridge should program the food with a one-time code that makes it impossible for the chips in the packaging to respond to any other reader.

Think no one cares what the contents of your fridge are? Think again.

2. Poor (or no) encryption

Even after a chip authenticates a reader, if it sends the data out in the open, anyone else nearby (or not so nearby) can read it too. All communications between a chip and authenticated reader must be encrypted to prevent eavesdropping by others.

3. Use of Long-term RFID

Implantation is permanent. Passports are good for 10 years. Companies plan to replace UPC barcodes with RFID that will transmit ID codes for the life of the product (from creation to landfill and beyond).

Every RFID implementations will eventually be hacked by someone. All it takes is one person in the world to find a way to break the system and the security is no good anymore (like the millions and millions of pounds wasted with the UK passports). Secure implementations can slow it down or help, but the best defense is NO RFID.

I can't see implants ever making sense and you definitely want to be sure the products you wear and carry around can't be used to wirelessly communicate with the world around them.

(Image used under: Fair Use doctrine)

The CFP2008 conference is coming up in late May. They're not taking registrations yet, but their information page is up at least. I wasn't able to attend last year, but the 2006 session was very cool.

The conference is the perfect place for paranoid anti-government/business privacy invasion types to congregate and complain as a group. Besides that, there are useful technical sessions about privacy technologies and such. I particularly liked the session hosted by Public Citizen where they described the ways they protect people against companies trying to stifle their free speech online. In cases where a blogger was issued take-down notices by big companies that didn't like what the blogger was saying, Public Citizen took their case for free and defended them. Very cool.

Also of note was the session about RFID where an industry crony "debated" the author of the book spychips (though to call it a debate is laughable). When the crony was challenged about his company's use of privacy protections and he didn't have any good answers for the crowd, he bacame flustered and accused us of being "technophobes" (HA!). What an idiot. But it was very entertaining 🙂

Anyway, if you'd like to meet some of the people in all the various consumer groups who are protecting your rights every day, this is an awesome way to do it.