RFID, its implications and how to defeat

Word Count:
2202

Summary:
You've likely heard of radio frequency identification (RFID) technology.
Here's what it is, where it's used today, where it's likely to be used
tomorrow, what it means for privacy seekers and how to defeat it.


Keywords:
RFID,privacy,anonymous proxy,anonymous web surfing,money laundering,scams


Article Body:
Imagine a future in which your every belonging is marked with a unique
number identifiable with the swipe of a scanner, where the location of
your car is always pinpoint-able and where signal-emitting microchips
storing personal information are implanted beneath your skin or embedded
in your inner organs.

This is the possible future of radio frequency identification (RFID), a
technology whose application has so far been limited largely to supply-
chain management (enabling companies, for example, to keep track of the
quantity of a given product they have in stock) but is now being
experimented with for passport tracking, among other things. RFID is set
to be applied in a whole range of consumer settings. Already being tested
in products as innocuous as shampoo, lip balm, razor blades, clothing and
cream cheese, RFID-enabled items are promoted by retailers and marketers
as the next revolution in customer convenience. Consumer advocates say
this is paving the way for a nightmarish future where personal privacy is
a quaint throwback.

How RFID works
There are two types of RFID tags: active and passive. When most people
talk about RFID, they talk about passive tags, in which a radio frequency
is sent from a transmitter to a chip or card which has no power cell per
se, but uses the transmitted signal to power itself long enough to
respond with a coded identifier. This numeric identifier really carries
no information other than a unique number, but keyed against a database
that associates that number with other data, the RFID tag's identifier
can evoke all information in the database keyed to that number.

An active tag has its own internal power source and can store as well as
send even more detailed information.

The RFID value chain involves three parts: the tags, the readers and the
application software that powers these systems. From there, the data
generated by the application software can interface with other systems
used in an enterprise, or conceivably with systems run by governments or
more nefarious organizations, if they obtain the information or collect
it themselves.

Where it's used today
Global companies such as Gillette, Philips, Procter & Gamble, Wal-Mart
and others see huge savings to be made from the use of RFID, and there
are numerous pilot projects underway which are indicating savings in
supply chains as well as the ability to add value for product owner,
product reseller and customer alike.

But they're just pilots, mostly. RFID is a long way from being
everywhere, so far. Pharmaceutical tracking has long been held out as one
of the flagship applications of RFID in the short term, yet just some 10
medications are expected to be tagged using RFID technology on a large
scale in the U.S. during 2006, analysts predict. Slow roll-outs are
contrasting sharply with the optimism of a year ago, when evidence
suggested tripling or even quadrupling of RFID for consumer goods
tracking. Why? Uncertainty over pending legislation. There is a complex
mixture of federal and new state laws (in particular Florida and
California) intended to combat drug theft and counterfeiting that have
implications for RFID. The details are still being worked out.

Where it's likely to be used tomorrow
Depending on which analysts you believe, the market for RFID technology
will represent between 1.5 and 30 billion USD by the year 2010. Analyst
firm IDTechEx, which tracks the RFID industry, believes more than 585
billion tags will be delivered by 2016. Among the largest growth sectors,
IDTechEx foresees the tagging of food, books, drugs, tires, tickets,
secure documents (passports and visas), livestock, baggage and more.

Buses and subways in some parts of the world are being equipped with RFID
readers, ready for multi-application e-tickets. These are expected to
make things easier for the commuter, and help stem the fraud from the
current paper-ticket system. However, the biggest problem facing rollouts
of RFID for commercial micropayment tracking is apparently not technical,
but involves agreeing on the fees charged by the clearing house and how
credit from lost and discarded tickets will be divided.

Passport tracking
One of the highest profile uses of RFID will be passport tracking. Since
the terrorist attacks of 2001, the U.S. Department of Homeland Security
has wanted the world to agree on a standard for machine-readable
passports. Countries whose citizens currently do not have visa
requirements to enter the United States will have to issue passports that
conform to the standard or risk losing their non-visa status.

American and other passports are being developed that include RFID-based
chips which allow the storage of considerable amounts of data such as
fingerprints and digitized photographs. In the U.S., these passports are
due to start being issued in October of 2006. Early in the development of
these passports there were gaping security holes, such as the capability
of being read by any reader, not just the ones at passport control. The
upshot of this was that travelers carrying around RFID passports would
have been openly broadcasting their identity, making it easy for
wrongdoers to surreptitiously pick Americans or nationals of other
participating countries out of a crowd.

Those security blunders were initially corrected by adding metal
shielding to the passport cover to minimize its readability when closed,
dialing back the range of the electronics and adding a special electronic
protocol called Basic Access Control (or BAC). This scheme required the
passport to be opened and scanned before its data could be properly
interpreted by an RFID receiver. Unfortunately, in early February 2006,
Dutch security experts managed to "listen in" on the communications
between a prototype BAC-protected passport and a receiver and cracked
the protocol. This means the international authority developing this new
global passport standard may need to go back to the drawing board as of
this writing, because 'bad guys' could clearly stand in line at passport
control and capture passport information. Details of
the Dutch hack here.

Implications for privacy seekers
RFID has clear implications for those who are worried about their privacy
and safety. Some of them are obvious, and some of them are not.

- Can be read without your knowledge – Since the tags can be read without
being swiped or obviously scanned (as is the case with magnetic strips or
barcodes), anyone with an RFID tag reader can read the tags embedded in
your clothes and other consumer products without your knowledge. For
example, you could be scanned before you enter the store, just to see
what you are carrying. You might then be approached by a clerk who knows
what you have in your backpack or purse, and can suggest accessories or
other items.
- Can be read at greater distances with a high-gain antenna – For various
technical reasons, RFID reader/tag systems are designed so that distance
between the tag and the reader is kept to a minimum. However, a high-gain
antenna can actually read tags from much further away, leading to privacy
problems. Governments or others could punch through privacy screens and
keep tabs on people.
- Difficult to remove – RFID tags are hard for consumers to remove; some
are very small (less than a half-millimeter square, and as thin as a
sheet of paper) - others may be hidden or embedded inside a product where
consumers cannot see them. New technologies allow RFID tags to be printed
right on a product and may not be removable at all.
- Disruptions if maliciously jammed – RF signals can be jammed, which
could complicate everyday life if RFID tags became essential. Imagine a
central bus or train station, maybe an airport, where suddenly everyone
could neither be ID'd nor access their cash accounts. A single hour of
jamming during morning rush over a large area could cost a large city
untold millions of dollars in delayed commerce and transport. It would be
worse than a mass-transit strike, and easier to repeat.
- Could be linked to a credit card number – The Universal Product Code
(UPC) implemented with barcodes allows each product sold in a store to
have a unique number that identifies that product. Work is proceeding on
a global system of product identification that would allow each
individual item to have its own number. When the item is scanned for
purchase and is paid for, the RFID tag number for a particular item can
be associated with the credit card number it was purchased with.
- Potential for counterfeit – If an RFID tag is being used to
authenticate someone, anyone with access to an RFID reader can easily
capture and fake someone else's unique numeric identifier, and therefore,
in essence, their electronic 'signature'. If an RFID-tagged smartcard is
used for shopping, for instance, anyone who intercepted and reverse-
engineered your number, and programmed another card with it, could make
charges on your account.
- Marking for crime – Even after you leave a store, any RFID devices in
things you buy are still active. A thief could walk past you in the mall
and know exactly what you have in your bags, marking you as a potential
victim. Someone could even circle your house with an RFID scanner and
pull up data on what you have in your house before robbing it. As a
result, there are now discussions of “zombie” RFID tags that expire upon
leaving the store and reanimate if the product is ever returned to the
store and returned to the supply chain.
- Marking for violence – Military hardware and even clothing are
beginning to make use of RFID tags to help track these items through
supply chains. RFID is being used today by the U.S. military to track
materials in Iraq and Afghanistan. Some analysts are concerned about
particular items being associated with high-level officers that could
trigger roadside bombs via an RFID scan of cars going by. (Thankfully,
RFID tags retained close to the body can rarely be scanned. For instance,
UHF tags, the kind being most widely deployed, are virtually unreadable
near the body because of its high water content.)

Some have suggested that mobile phones are already as great a threat to
privacy as RFID. In the case of mobile phones, information about your
whereabouts and calling patterns is regularly available to your service
provider, a centralized and highly regulated source of information
gathering. An adversary with special-purpose equipment would also have
the capability of tracking your mobile phone, but this would require
significant expertise and investment. See our separate article "Cell
phone hazards".

What makes RFID a more significant privacy threat than mobile phones is
the fact that readers will be readily available and ubiquitously
deployed. In other words, RFID readers will soon be an accepted element
of everyday life, while eavesdropping equipment for mobile phones is
unlikely to be.

How to thwart RFID technology
There are a few approaches you can take to thwart RFID tags ... but
before you take proactive steps, note that sometimes the very absence of
a tag or its signal in places it's expected could arouse suspicion. For
instance, if you're carrying what is expected to be an RFID-tagged
passport and your tag isn't working, say, you may invite unwanted
scrutiny. Be careful which tags you choose to disrupt.

The simplest, most permanent approach to disable RFID tags is to destroy
them. If you can detect them and wish to permanently render them useless,
remove them and smash the small chip component with a hammer. If you're
not sure whether a product you own contains a tag, consider putting it in
a microwave to destroy the tag if the object is otherwise safe to be
microwaved. Be careful with some plastics. Note there have been reports
of RFID materials catching fire in microwaves.

If removing the tag is not practical, there are four general ways to
disrupt RFID tag detection.
- Blocking – Construct a conductive foil box (even tin foil is good)
around the tag. If you are concerned about RFID emissions from work
badges, school IDs, new generation driver's licenses, credit cards, and
even cash in the future containing RFID tags, buy or make an RFID-proof
wallet. RFID wallet project details are easy to find on the Internet.
- Jamming – Since RFID systems make use of the electromagnetic spectrum
like wireless networks or cellphones, they are relatively easy to jam
using a strong radio signal at the same frequency the tag operates.
Although this would only be an inconvenience for consumers in stores
(longer waits at the checkout), it could be disastrous in other
environments where RFID is increasingly being used, like hospitals, or in
military combat situations. Such jamming devices, however, would in most
cases violate government regulations on radio emissions. A group of
researchers in Amsterdam have theorized that a personal RFID jammer is
possible (their paper is linked to from the version of this article that
lives at our web site, www.powerprivacy.com) but the device seems only
theoretical at this time.
- Repeated interrogation – Active RFID tags that use a battery to
increase the range of the system can be repeatedly interrogated to wear
the battery down, disrupting the system.
- Popping – Generating a very strong pulse of radiation at the right
frequency can cause RFID tags to resonate and break.

What strategy you should pursue depends on what RFID privacy threats you
are trying to thwart and your technical expertise.

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:3
posted:3/8/2010