Schneier on Security
A blog covering security and security technology.
December 29, 2005
An RFID-Blocking Wallet
Here's how to make an RFID-blocking wallet out of duct tape.
Posted on December 29, 2005 at 2:40 PM
We have discussed this type of blocking of RFID signals with foil before. It seems his simple experiment worked, and I have tried this too with my work ID. But these readers only have a range of cm. What about an attacker with a custom reader that works at 100s of meters? What will the range reduction be with simple foil? Has anyone experimented with this?
Great. Now, can you make a hat out of the same material? :-)
Where is the market response to this? I want a ready-made one that closes with Velcro. I don't care about the color. It should be made to enclose (and protect) a guy's existing wallet. (I happen to like the design of my current tri-fold.)
"Where is the market response to this?"
I have not yet seen commercial products. I have no doubt that there will be, but after the chipped passports issue.
There will be a lot of variability due to gaps, etc., but it is reasonable to expect a 10-fold reduction in reader range. (That's the math for -40 dB with an r^4 law.) 40 dB is reasonable for the aluminum foil wallet.
For other more attractive possibilities there are also conductive cloth options. See http://www.lessemf.com/fabric.html for one vendor of conductive cloth. The cloth is expensive, but it seems reasonable to consider making pockets, purse, and computer bag liners out of conductive cloth. You can put the cell phone in an outer pocket if you want it to work.
Using shielded pockets and bags instead of shielded wallets makes sense for convenience when using RFID systems like the Washington, DC Metro cards.
Funny. The words "duct tape" and "instructions" somehow seem like they don't belong together. Plus it seems like it's really the aluminum foil, not tape, that does the trick... perhaps an aluminum origami wallet will surface.
@Bryan: Mobil SpeedPass has been out for many years. Same thing. Same risks.
Why not instead avoid carrying anything that transmits RF in the first place?
Hmm, interesting question. What's more relevant, monitoring physical location with RFID, or tracking website usage with the NSA cookies reported today, or with meters like sitemeter.com (what schneier.com uses), doubleclick.net (what my bank uses), googleads, or blogads?
So, now that Chase has sent me a brand new RFID credit card, I really, really, really need one of these.
Placing them in licenses has been discussed, and one must carry their license (or other government-issued ID) when they drive, apply for a job, or conduct most non-cash business.
(My own license already has a facial identification mapping, and my electronically-stored fingerprint, and so adding RFID doesn't seem too far-fetched.)
Many businesses are moving toward using these instead of keys.
For some, it will become almost unavoidable if one chooses to interact "normally" in society.
That said, most people don't realize that when they carry a cellphone (even with it off, apparently), they are basically carrying an identifying beacon.
@D (on cell phones)
a) I think most people realise it. b) it's of course not true when it's off (-: though YOUR cell phone might be customised not to be off when you think it is :-)
c) when we discuss GSM cell phones and more particularly UMTS ones; there's a very big difference. The phone takes much care not to give away your identity to casual observers and only normally sends a random identifier (TMSI) in the clear. Very occasionally it will send the IMSI which is personally identifying, but should not be easy to link to a particular subscriber.
It's the difference between your bank knowing what you spent on your credit card and the whole of the world being able to read it on the internet.
A problem does spring to mind...
How many times do you open/close the wallet until the aluminium foil cracks and starts to reduce the shielding...
You could also improve the design a bit by adding padding with the old "Hundred ohm foam" that is used to put DIL ICs on (if you can remember back before surface mount ;)
"when not in use" isn't the same as turned off - the article says the former meaning when the phone isn't making a call. It's true that when a (GSM) mobile is on it regularly communicates with the network - you can hear this as interference on e.g. a radio (or in my case the laptop).
The "market response" is already out there.
See this blog posting for a link to commercially available shielded clothing. They have taken the shielded wallet out of their catalog since May, 2005. But you can still get shielded underwear and baseball caps!:
Great link Bruce: A couple of things though.
1. Why not use aluminum tape? Available at any Home Depot.
2. What about the RFID signals the government is trying to put into my brain from their orbital mind control laser?
I would like to see a follow up to this link on the process for Duct taping my head to protect my frontal lobe. (:-D lol I am completely joking, cheers.)
I would expect this may result in a resurgence in the marketing of wallets made from the skins of "electric" eels.
What will happen if you take an RFID shielding wallet through an airport?
I keep my Oyster card for the London Underground system in my wallet and am glad that I am able to do so, just placing the wallet beside the reader to get let in and out. It's good because I never forget the thing and I really can't see what the security risk here is.
I may be wrong.
I did a little bit of looking up online and came up with a list of links discussing the cellphone issue, but unfortunately it tripped Bruce's spam filter and ear-marked it for "human review," and I suppose whoever human-reviewed it didn't wish to post it. It *is* a bit off-topic, so I understand.
What struck me about one post was that a cellphone technician told someone "that your phone is never truly off unless you have removed the battery and discharged this capacitor," and apparently some phones are designed to be "on" even if they are "off" (like Blackberrys--sound forensic analysis of those suckers is a pain.) But something tells me that the power should not be enough for adequate transmission.
I may be wrong and have stumbled upon an urban myth. I just thought it interesting.
Anyway, I am being a bit off-topic and should return to the RFID discussion at hand. RFID has been controversial in my geographical area because we were one of the original major test areas for its development, and I have found them to be an annoyance when they are not disabled at the register (as they are supposed to be) as I have set the alarms off in other stores (than the origin store...which shouldn't happen since they supposedly use "unique ids," but it did) due to a concealed RFID tag in my clothing, which I ultimately had to cut out of the lining.
One of the Packetwars sponsors makes this type of product. They provided thermal protection laptop pads as prizes. They have RF shielded passport holders and other stuff.
I guess you can make a hat out of duct tape, but I can't see anyone actually wanting to take one of them off after putting it on ;-)
Can you see Homeland Security someday outlawing duct tape? How will I ever put up my plastic to protect me from evil terrorists and their evil dirty bombs? I know, even that's a stretch for me to make a joke. I find the anti-RFID wallet cute, just like the tinfoil (or carbon absorbing) hats. Although I would like an on/off switch for the darn things. I only need to use them at certain times and don't need them "broadcasting" all the time. Not that I'm nervous about it, but why ask for trouble?
"that your phone is never truly off unless you have removed the battery and discharged this capacitor,"
That is correct in that the cap keeps some of the memory and clock chip up and running and can also keep the CPU on in low power mode (which it is anyway for the soft on off button).
What is also true is that the phone company can download software into your phone and this can be used to keep it on sufficiently to be used for various activities (such as waking up at predetermined times).
I have known about the software download issue for many years and actually wrote a paper back in 1998 about using the (then) latest crypto enhanced SIM cards as a massively parallel decryption engine (ala Chinese TV Lottery).
I like the material option personally, considering duct tape gets all sticky after a while, especially in hot temp.
I was going to suggest just making an insert out of aluminum foil to keep with the bills, but I guess this company beat me to it. The advantage here is that it's compatible with your current, attractive wallet.
"that your phone is never truly off unless you have removed the battery and discharged this capacitor,"
Yes, when "off" there is still some minor functionality (updating the clock, monitoring the on/off button which is not a true switch, etc.) But the question of course is whether the _transmitter_ is turned on at this time. Cell phone makers do all sorts of tricks to maximize battery life by minimizing power consumption, and transmission is the most energy hungry thing modern phones do. It is extremely unlikely that a phone would transmit unnecessarily unless its firmware had been modified by a hostile party (which, however, is possible with many models of phone).
If the phone was transmitting when powered off (whether due to tampering, or a bad design), it would be detectable through the increased battery drain. For example when my "spare" phone is left on "standby" (i.e. no calls, but contacting the cell controllers every few minutes so they know where to route its incoming calls) it will flatten the battery in about 8 days, but when I left it turned off in a drawer for three months the battery level didn't drop so much as one bar. Clearly, the transmitter is not active when turned off.
"If the phone was transmitting when powered off (whether due to tampering, or a bad design), it would be detectable through the increased battery drain."
I'm not sure that's true. The receive still works when the phone is on hook, and the cord still acts as an antenna. I don't know what kind of power drain this exhibits, but I do know that it's true.
"The receive still works when the phone is on hook, and the cord still acts as an antenna."
Cord? I'm not following you. This is a cell phone I'm talking about, not a cordless handset.
There is and has been a solution to protecting your wallet and the cards inside. This is a very real problem and when the consumer realizes that your name, address, banking info etc. could easily be placed onto your RFID equipped cards, they will need this device. It is also very possible to erase or worse, change the data on your cards from several yards away. Check out www.walletgard.com
I am a vice-president of an east coast bank and I know for a fact that we are using chips in our cards to identify customers when they walk through the door. I am not sure what information is on the card but the thrust behind this is that major retailers who happen to have accounts at our bank are also reading you and your card when you walk into the store. Who knows what information they are getting. I checked out walletgard from the previous post and it seems like a good solution to protect my credit cards so I am placing my order today. In my opinion it's a lot better than aluminum foil or duct tape. Who needs that mess?
I just looked at the latest talk on the "Spychips" blog. These people at "Spychips" have no clue what is really going on. RFID tags are here to stay. They believe that they can stop ALL chips from entering the marketplace. They shouldn't flatter themselves. RFID is a great technology and will make all of our lives easier and reduce costs of certain products/services. But, we must protect ourselves from unauthorized reading of the cards in our wallet. There is a great solution to this. I recently purchased WalletGard inserts and they fit directly into my wallet, very sturdy, and gives me a feeling of protection. Spychips - give it up. RFID is here and going nowhere fast!
We've just had 3 posts in a row endorsing the same company. This is starting to look like spam, walletgard dudes.
BTW I had a look at your website and it looks like an interesting and useful product, however I'm somewhat puzzled as to how you claim to have patented this. These sorts of techniques for blocking RF leakage have been known for many years.
Here is a company who has a solution to protect your privacy blocking your identity cards with RFID.
At this time in German, but soon also in English.
Would an anti-static bag have the same effect?
Actually an anti-static bag fails when the card is moved into the magnetic range of around less than an inch. Identity Stronghold sells shielded card sleeves very cheap that block 13.56 MHz. See www.idstronghold.com
I've seen some postings that demonstrate that aluminum foil does not "foil" RFID readers all the time. How about copper or lead foil? Any more effective, all you EEs out there?
A real RFID Blocking Faraday cage is made of copper mesh, not steel or aluminum. I would be leery of steel or aluminium Faraday cages. They may be effective against low powered RFID readers, but not high powered active antennas.