RFID News has a straightforward, clear explanation of the issues with RFID security and privacy, presenting possible solutions.

One primary issue is that RFID readers and tags generally communicate using unencrypted messages. This means scanners can read them plaintext. However, adding encryption to the tag would increase its size, complexity, and cost.

Encryption would also mean that all readers would have to be able to decrypt (unless you specifically did not want this, like for passports) else the tag would be useless.

The State Department added several new levels of security to passports after getting huge flack.

1. Encryption: The information would be encrypted in the RFID chip.
2. Access Control: The key to decrypt the data would be encoded in the passport and could only be obtained by scanning the passport with an optical reader. The passport reader would then decrypt the information using that key.
3. The passport covers would contain a metallic mesh that would create a Faraday Cage, essentially rendering unreadable the RFID chip when the passport covers were closed.

BTW, some envision RFID in everything, like on clothes. Thus, your RFID-enabled washing machine would be able to determine how best to wash your clothes. (Would it refuse to operate, issuing stern warnings if you mixed white and colored clothes? Would there be an override button to tell the machine to shut and just wash the clothest?)

The conspiracy theory

The most aggressive privacy concern groups claim that governments could potentially gain access to all commercially controlled RFID databases and, therefore, have full access to the consumer, travel, and general habits of its population. Or governments could achieve this by deploying wide-area RFID infrastructures where all the activities of its citizens could be tracked, from what they buy, to what they read, to where they travel, to what they watch on videos.

Paranoid? Maybe… But privacy advocates need to keep the pressure on governments to insure that this never happens.

Another problem is compatibility across all systems. Wal-Mart requires vendors to put RFID tags on pallets shipped to them. Not all vendors have, at least in part because doing so means buying the same equipment Wal-Mart uses. But maybe CostCo uses a completely different system. Sounds like the early days of BBSing when modems from different vendors had competing standards and didn’t always talk to each other.

2 Comments »

The RFID chip on US passports can be read when the passport is even slightly open, a design flaw that needs to be fixed. Why? Watch the proof of concept. A dummy with a barely open passport on a moving clothesline is scanned, then a bomb is triggered automatically. An outlandish example? Sure. But still…

In probable response to such critics, the State Department has added new levels of security to passports, but flaws still exist.

Given how insecure passport information appears to be, the ACLU says, imagine what could happen if Homeland Security builds that giant database with our personal and sensitive data on it.

From security expert Bruce Schneier writing in 2005.

The State Department downplayed these risks by insisting that the RFID chips only work at short distances. In fact, last week’s publication claims: “The proximity chip technology utilized in the electronic passport is designed to be read with chip readers at ports of entry only when the document is placed within inches of such readers.” The issue is that they’re confusing three things: the designed range at which the chip is specified to be read, the maximum range at which the chip could be read and the eavesdropping range or the maximum range the chip could be read with specialized equipment. The first is indeed inches, but the second was demonstrated earlier this year to be 69 feet. The third is significantly longer.

And remember, technology always gets better — it never gets worse. It’s simply folly to believe that these ranges won’t get longer over time.

2 Comments »

From the YouTube description

On today’s episode of Boing Boing tv, hacker and inventor Pablos Holman shows Xeni how you can use about $8 worth of gear bought on eBay to read personal data from those credit cards — cardholder name, credit card number, and whatever else your bank embeds in this manner.

Fears over data leaks from RFID-enabled cards aren’t new, and some argue they’re overblown — but this demo shows just how cheap and easy the “sniffing” can be.

Thus, RFID makes it easier to steal credit card info than before. No need to hack into a website or copy a card number at a restaurant, just read the RFID as the person walks by.

1 Comment »