brandondawson.org Drupal Website Developer and Consultant

12 Things you need to know about RFID

Here's 12 Fun Facts about RFID and Biometric Passports, from the Wiki: (From http://en.wikipedia.org/wiki/RFID and http://en.wikipedia.org/wiki/Biometric_passport)

Note: I've boldfaced parts of the individual snippets I found particularly relevant.

1.) RFID was actually invented --by the Soviet Union-- specifically as an espionage technology.

In 1946 Léon Theremin invented an espionage tool for the Soviet Union which retransmitted incident radio waves with audio information. Sound waves vibrated a diaphragm which slightly altered the shape of the resonator, which modulated the reflected radio frequency. Even though this device was a passive covert listening device, not an identification tag, it has been attributed as a predecessor to RFID technology. The technology used in RFID has been around since the early 1920s according to one source (although the same source states that RFID systems have been around just since the late 1960s).

2.) Despite countermeasures placed in RFID-enabled US passports, hackers have successfully read the chips from two feet away. (Far enough for so-called "skimming".)

To protect against such unauthorized reading, or "skimming", in addition to employing encryption the U.S. has also undertaken the additional step of integrating a very thin metal mesh into the passport's cover to act as a shield to make it more difficult to read the passport's chip when the passport is closed.[18] A U.S. company, Identity Stronghold, is now manufacturing an RFID-blocking sleeve to prevent any skimming while the passport is inside the sleeve. Research students from Vrije University in the Netherlands speaking at the August 2006 Black Hat conference in Las Vegas showed that RFID passports can be cloned relatively easily, and can be remotely spied upon despite the radio-blocking shields included in US designs. They found they could read the passports from 60 centimetres (23.6 inches) away if they are opened by just 1 cm (0.39 inches), using a device which can be used to hijack radio signals that manufacturers have touted as unreadable by anything other than proprietary scanners.

3.) While airports and other high-security environments may deploy additional countermeasures to deter would-be "skimmers", the same would be prohibitively expensive for non-high security environments associated with travel, such as hotels and convention centers:

Other passports such as the U.S. passport do not contain this particular flaw as they use a stronger key to encrypt the data exchange. Also, some readers provide shielding for the passport while it is being read, thus preventing signal leakage that might be intercepted by another device. Moreover, the fairly secure and monitored environment of the passport control area in airports would make it difficult for someone to illicitly set up the sensitive equipment necessary to eavesdrop on the communication between passports and readers from any significant distance. However, the same would not be true for hotels or other places that may ask to see passports.

4.) The RFID technology could actually be used to ENABLE terrorist activity, rather than preventing it.

Security expert Bruce Schneier has suggested that a mugger operating near an airport could target victims who have arrived from wealthy countries, or a terrorist could design an improvised explosive device which functioned when approached by persons from a particular country.

5.) They haven't even worked out all the bugs yet.

Wal-Mart and the United States Department of Defense have published requirements that their vendors place RFID tags on all shipments to improve supply chain management. Due to the size of these two organizations, their RFID mandates impact thousands of companies worldwide. The deadlines have been extended several times because many vendors face significant difficulties implementing RFID systems. In practice, the successful read rates currently run only 80%, due to radio wave attenuation caused by the products and packaging. In time it is expected that even small companies will be able to place RFID tags on their outbound shipments.

6.) Among the more novel applications to which RFID has been applied: tracking golf balls.

RFID transponder chips have been implanted in golf balls to allow them to be tracked. The uses of such tracking range from being able to search for a lost ball using a homing device, to a computerized driving range format that tracks shots made by a player and gives feedback on distance and accuracy.

(I include this because it makes the point about the distance from which RFID data can be read.)

7.) In Las Vegas, The House Always Wins, In The End. But with RFID, it'll become even more so, tailored to your specific weaknesses as a "gamer".

Some casinos are embedding RFID tags into their chips. This allows the casinos to track the locations of chips on the casino floor, identify counterfeit chips, and prevent theft. In addition, casinos can use RFID systems to study the betting behavior of players.

8.) RFID can, in fact, be used to implement real-time telemetry. (Which, then, can obviously be used for good or for evil.)

Active RFID tags also have the potential to function as low-cost remote sensors that broadcast telemetry back to a base station. Applications of tagometry data could include sensing of road conditions by implanted beacons, weather reports, and noise level monitoring.

9.) Yes, RFID can make patient tracking in hospitals easier. But not without serious side effects.

In October 2004, the FDA approved USA's first RFID chips that can be implanted in humans. The 134 kHz RFID chips, from VeriChip Corp. can incorporate personal medical information and could save lives and limit injuries from errors in medical treatments, according to the company. The FDA approval was disclosed during a conference call with investors. Shortly after the approval, authors and anti-RFID activists Katherine Albrecht and Liz McIntyre discovered a warning letter from the FDA that spelled out serious health risks associated with the VeriChip. According to the FDA, these include "adverse tissue reaction", "migration of the implanted transponder", "failure of implanted transponder", "electrical hazards" and "magnetic resonance imaging [MRI] incompatibility."

10.) No governmental licensing is required for many, if not most, of the radio frequencies involved, which puts the barrier of entry for would-be abusers of RFID even lower.

[Low-frequency (LF: 125–134.2 kHz and 140–148.5 kHz) (LowFID) tags and high-frequency (HF: 13.56 MHz) (HighFID) tags can be used globally without a license. Ultra-high-frequency (UHF: 868–928 MHz) (Ultra-HighFID or UHFID) tags cannot be used globally as there is no single global standard. In North America, UHF can be used unlicensed for 902–928& MHz (±13 MHz from the 915 MHz center frequency), but restrictions exist for transmission power.

11A.) RFID can actually worsen security, whether in civilian or military applications, rather than enhance it.

A primary RFID security concern is the illicit tracking of RFID tags. Tags which are world-readable pose a risk to both personal location privacy and corporate/military security. Such concerns have been raised with respect to the United States Department of Defense's recent adoption of RFID tags for supply chain management.

And the security concerns with RFID systems aren't limited to the physical devices:

EPCglobal Network, (an RFID-solutions vendor) by design, is also susceptible to DoS attacks. Using similar mechanism with DNS in resolving EPC data requests, the ONS Root servers become vulnerable to DoS attacks. Any organisation planning to embark on EPCglobal Network may cringe upon discovering that the EPCglobal Network infrastructure inherits security weaknesses similar to DNS'

Finally,

Ars Technica reported in March 2006 an RFID buffer overflow bug that could infect airport terminal RFID Databases for baggage, and also Passport databases to obtain confidential information on the passport holder.

11B.) Pro-RFID vendors care more about THEIR costs than YOUR privacy or security.

Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited. This cost/power limitation has led some manufacturers to implement cryptographic tags using substantially weakened, or proprietary encryption schemes, which do not necessarily resist sophisticated attack. For example, the Exxon-Mobil Speedpass uses a cryptographically-enabled tag manufactured by Texas Instruments, called the Digital Signature Transponder (DST), which incorporates a weak, proprietary encryption scheme to perform a challenge-response protocol for lower cost.

11C.) RFID can be used to compromise the security of enabled passports at any part of the creation and delivery process.

In an effort to make passports more secure, several countries have implemented RFID in passports. However, the encryption on UK chips was broken in under 48 hours. Since that incident, further efforts have allowed researchers to clone passport data while the passport is being mailed to its owner. Where a criminal used to need to secretly open and then reseal the envelope, now it can be done without detection, adding some degree of insecurity to the passport system.

12.) RFID is the gift that keeps on stealing your privacy, long after its intended application is over.

Since the owner of an item will not necessarily be aware of the presence of an RFID tag and the tag can be read at a distance without the knowledge of the individual, it becomes possible to gather sensitive data about an individual without consent. If a tagged item is paid for by credit card or in conjunction with use of a loyalty card, then it would be possible to indirectly deduce the identity of the purchaser by reading the globally unique ID of that item (contained in the RFID tag).

Most concerns revolve around the fact that RFID tags affixed to products remain functional even after the products have been purchased and taken home and thus can be used for surveillance and other purposes unrelated to their supply chain inventory functions.

There you have it, folks. RFID is a great technology for (civilian) supply-chain management, but very, very bad in virtually any other use. Unfortunately, a wide array of interests and lobbys continue to try to push it as something it is not, with nothing more than their own convenience and costs in mind, not consumer or citizen interests.