RFID, its implications and how to defeat
Written by mel bel
Saturday, 18 April 2009 09:06
This is the possible future of radio frequency identification (RFID), a technology whose application has so far been limited largely to supply-chain management (enabling companies, for example, to keep track of the quantity of a given product they have in stock) but is now being experimented with for passport tracking, among other things. RFID is set to be applied in a whole range of consumer settings. Already being tested in products as innocuous as shampoo, lip balm, razor blades, clothing and cream cheese, RFID-enabled items are promoted by retailers and marketers as the next revolution in customer convenience. Consumer advocates say this is paving the way for a nightmarish future where personal privacy is a quaint throwback.
How RFID works
There are two types of RFID tags: active and passive. When most people talk about RFID, they talk about passive tags, in which a radio frequency is sent from a transmitter to a chip or card which has no power cell per se, but uses the transmitted signal to power itself long enough to respond with a coded identifier. This numeric identifier really carries no information other than a unique number, but keyed against a database that associates that number with other data, the RFID tag's identifier can evoke all information in the database keyed to that number.
An active tag has its own internal power source and can store as well as send even more detailed information.
The RFID value chain involves three parts: the tags, the readers and the application software that powers these systems. From there, the data generated by the application software can interface with other systems used in an enterprise or, conceivably, by governments or more nefarious organizations if they obtain the information or collect it themselves.
Where it's used today
Global companies such as Gillette, Philips, Procter & Gamble, Wal-Mart and others see huge savings to be made from the use of RFID, and numerous pilot projects are underway that indicate savings in supply chains as well as the ability to add value for product owner, product reseller and customer alike.
But they're just pilots, mostly. RFID is a long way from being everywhere, so far. Pharmaceutical tracking has long been held out as one of the flagship applications of RFID in the short term, yet just some 10 medications are expected to be tagged using RFID technology on a large scale in the U.S. during 2006, analysts predict. Slow roll-outs contrast sharply with the optimism of a year ago, when evidence suggested tripling or even quadrupling of RFID for consumer goods tracking. Why? Uncertainty over pending legislation. There is a complex mixture of federal and new state laws (in particular Florida and California) intended to combat drug theft and counterfeiting that have implications for RFID. The details are still being worked out.
Where it's likely to be used tomorrow
Depending on which analysts you believe, the market for RFID technology will represent between 1.5 and 30 billion USD by the year 2010. Analyst firm IDTechEx, which tracks the RFID industry, believes more than 585 billion tags will be delivered by 2016. Among the largest growth sectors, IDTechEx foresees the tagging of food, books, drugs, tires, tickets, secure documents (passports and visas), livestock, baggage and more.
Buses and subways in some parts of the world are being equipped with RFID readers, ready for multi-application e-tickets. These are expected to make things easier for the commuter and help stem the fraud from the current paper-ticket system. However, the biggest problem facing rollouts of RFID for commercial micropayment tracking is apparently not technical, but involves agreeing on the fees charged by the clearing house and how credit from lost and discarded tickets will be divided.
One of the highest profile uses of RFID will be passport tracking. Since the terrorist attacks of 2001, the U.S. Department of Homeland Security has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their non-visa status.
American and other passports are being developed that include RFID-based chips which allow the storage of considerable amounts of data such as fingerprints and digitized photographs. In the U.S., these passports are due to start being issued in October of 2006. Early in the development of these passports there were gaping security holes, such as the capability of being read by any reader, not just the ones at passport control. The upshot was that travelers carrying RFID passports would have been openly broadcasting their identity, making it easy for wrongdoers to surreptitiously pick Americans or nationals of other participating countries out of a crowd.
Those security blunders were initially corrected by adding metal shielding to the passport cover to minimize its readability when closed, dialing back the range of the electronics and adding a special electronic protocol called Basic Access Control (or BAC). This scheme required the passport to be opened and scanned before its data could be properly interpreted by an RFID receiver. Unfortunately, in early February 2006, Dutch security experts managed to listen in on the communications between a prototype BAC-protected passport and a receiver and cracked the protocol. This means the international authority developing this new global passport standard may need to go back to the drawing board as of this writing, because bad guys could clearly stand in line at passport control and capture passport information. Details of the Dutch hack here.
Implications for privacy seekers
RFID has clear implications for those who are worried about their privacy and safety. Some of them are obvious, and some of them are not.
What makes RFID a more significant privacy threat than mobile phones is the fact that readers will be readily available and ubiquitously deployed. In other words, RFID readers will soon be an accepted element of everyday life, while eavesdropping equipment for mobile phones is unlikely to be.
How to thwart RFID technology
There are a few approaches you can take to thwart RFID tags ... but before you take proactive steps, note that sometimes the very absence of a tag or its signal in places it's expected could arouse suspicion. For instance, if you're carrying what is expected to be an RFID-tagged passport and your tag isn't working, say, you may invite unwanted scrutiny. Be careful which tags you choose to disrupt.
The simplest, most permanent way to disable RFID tags is to destroy them. If you can detect them and wish to permanently render them useless, remove them and smash the small chip component with a hammer. If you're not sure whether a product you own contains a tag, consider putting it in a microwave to destroy the tag if the object is otherwise safe to be microwaved. Be careful with some plastics. Note there have been reports of RFID materials catching fire in microwaves.
If removing the tag is not practical, there are four general ways to disrupt RFID tag detection.
What strategy you should pursue depends on what RFID privacy threats you are trying to thwart and your technical expertise.