Schneier on Security
A blog covering security and security technology.
« When "Off" Doesn't Mean Off |
| Computer Problems at the NSA »
May 10, 2006
Five stories from Wired.
In related news, IBM thinks it has a solution to the RFID privacy problem:
The so-called Clipped Tag has a notched antenna that consumers can tear off, much like the end of a ketchup packet. Removing this panel drastically reduces the readable range of the device, from about 30 feet to less than 2 inches, according to IBM.
Posted on May 10, 2006 at 1:02 PM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
... so I can still sidel up to you in a crowded subway and read your passport or wallet in your pocket.
Of course, in that environment I could pick your pocket now. The difference is that you would know if your pocket had been picked.
Interesting how it was put in the "Clipped Tag" story. IBM proposes the range-limiting option as a better solution than a 'kill' command that "destroy[s] their marketing and inventory-tracking value." Isn't this an admission that the after-purchase tracking aspects of RFID are considered an essential facet of the technology?
One might argue that inventory tracking ends at the final sale, leaving marketing as the only remaining public reason for leaving embedded RFID tags active. And we're never officially told what the 'other' reasons are.
I don't understand IBM's "Clipped Tag" claims. So they reduced the emitted power below the sensitivity range of standard receivers. Isn't it possible to use more sensitive receivers?
I mean, if you had a real incentive to grab that data (money, state secrets, etc.), wouldn't you be willing to go to the trouble of throwing a few more amplifiers and a directional antenna in there?
"By and large the industry has acted in good faith," said Atkinson. "And (the Clipped Tag) is an example of that. It is an elegant reaction to concerns that are vastly overblown."
...and now it is the consumers' turn to have faith that our information is sufficiently protected and not misued in any way whatsoever.
Why should we let petty little "privacy" concerns ruin our Foundation of Innovation in Information Technology? After all, new technology is cool and neat and we want it now -- especially if it helps the bottom line of our think tank sponsors..... Hey! I know what you're thinking. We ARE independent and non-partison. All think tanks are. We're smarter than you. Deal with it.
So, if my assumption is correct, couldn't you have some form of conductive tear strip that, when pulled out, would disrupt the current? Then, there would be no power and, as a result, no emission.
(go easy on me EE's - I know I don't have my terminology correct) :D
Apparently, my assumption didn't post. My assumption is that there is some form of internal power source. (battery)
No battery. Its inductively powered essentially. Certain frequencies / ranges
use an external loop. Others like 12-13 MHz, 6 inch don't use a external loop .. it all one piece
Building a longer-range RFID reader is going to be more difficult than building a long-range wifi reader. RFID requires producing a strong magnetic field to power the tags.
And no, RFID does not have an internal power source.
Thanks for the clarification! That's why I posted the assumption (now known to be an incorrect one) upfront. I appreciate the education!
OK, point taken about powering the RFID chip. So you need to add a powerful transmitter as well.
As you say, it's harder. But the effort people would be prepared to go to necessarily scales with the reward. If these RFID chips are guarding kilo$-scale money (or priceless corporate/state secrets), it doesn't seem to me as if the "Clipped Tag" barrier is high enough.
RFID readers are at the current limits of technology as far as range regardless of how much power is sent at the thing. So this clipped tag WILL lower the range at which a receiver can read it. Of course as technology improves, that range will re-increase.
How about an RFID jammer I can carry in my pocket which listens REAL hard for RFID interrogation signals and then shouts really loud "LOW COST HOME LOANS! VIAGARA! BUY MY NEW BOOK! ENLARGE YOUR (etc)" back at the reader to drown out any other ones I may inadvertently be carrying or carrying intentionally but dont want read by just anybody? I could even market myself as an advertiser.
@Rich: another difference. My "spy-iPod" can store 20,000,000 passports worth of data, but if I pick your pocket I have to do something with all those physical passports before I can accumulate any more.
Also, if I am caught, I can zeroize an iPod instantly, but paper passports will leave incriminating evidence.
....interesting quote there: "It is the consumers' turn to have faith that our information is sufficiently protected and not misued in any way whatsoever"....um, right. Faith in the sense of "belief contrary to evidence," I suppose.
@bob: RSA Security has actually developed a jammer similar to your proposal, though not using spam :)
I still like the idea of clipping the antenna. With the full antenna you go through the "EZ Pass"/Fast Pass lane. If you have the clipped antenna you take out your document and swipe/scan it on the reader. Much harder for someone to snoop your tag talking to a legitimate reader.
I'd like to see Rich (above) sidle up to someone in subway with an antenna and battery back and try to snoop wallets. Anyone trying to scan my derriere with a briefcase will suffer the consequences! ;)
New personal security device: magnetic flux detector that beeps when you're in a field strong enough to activate you tags.
How about a flux capacitor...
If someone is fishing for data from RFID tags they will be perfectly happy with 5 or 10% success rate. Walking around an airport when it is busy will soon get a few thousand results even with security measures. Include a hidden camera triggered from a successful hit and you've got a nice set of data.
Something I picked up in the Wired article: the RFID in a passport is shielded until opened. They call it an "anti-skimming device" I suppose it's a foil-lined cover of sorts. So if that actually works, fluxing around in an airport will get you
nothing. And if not, a metal case for carrying your passport may become very popular...darn, should have patented that..
I am not a physicist, but I think it would actually be much harder to make a long-range magnetic flux power source for RFID tages. IIRC from college physics, EM waves (light/radio) are self-propogating, while magnetic fields are not. Meaning the power required for long range magneting field transmissions grows at a fantastically faster rate than is the case for radio. Any physicists want to verify this?
This seems to me like a slightly worse version of technology that's already known. I've seen specs for inductive tags where they are tearable to disrupt the conductive loop or to disrupt a pathway between the loop and a transmitter. I don't have the number on me (i'm not at work at the moment) but there's a german patent on the latter. It's an old one if i remember correctly... if it's not in the public domain yet it will be soon... and I don't believe it was prosecuted internationally anyway.
You gotta wonder why they only want to kill it by halves. The argument that the data still needs to be accessible doesn't work... If you can break a pathway you can just reinstate it when you take a product back (so long as you don't break the conductive loop... that might get complicated).
The fact is companies want to have all that data out there and accessible. There's no other reason that they'd choose this sort of technology over ones that do the job properly.
Are you sure about the magnetic flux?
I thought the newer (5 or 10 years) ones absorbed radio waves on one frequency and re-emitted them on a different one.
Assuming the "powered by magnetic fields" bit is a red herring (i.e. we have inverse square law on beaming power):
Yes, you can still use bigger antennae to read it from further away. The range reduction factor will stay the same. 30 feet to 2 inches is about a factor of 200. So if high-tech stalker GeekCreep used to be able to track you with his 4m antenna within a distance of 2km (figure plucked out of midair), once you tear the tag, he'll be able to track you within 100m.
Or it might possibly be worse - there are two directions to consider: beaming the power to activate the tag, and receiving the response. If GeekCreep's ability on a untorn tag was limited by his ability to beam power, and if the tag's power reception is unaffected by the tear, his range won't drop so much. (The article isn't clear on whether power reception is crippled by the tear - it might just cripple transmission.)
The reason given for maintaining residual capabilities (rather than killing or removing the chip outright) is for returns/warantees.
Why does everybody who mentions RFID ranges (aside from here, and a select few other places) act as though they're set in stone? Wifi signals are supposed to be limited to 300 feet outdoors, and yet people with very basic antennas are able to grab them from over a mile away. I realize that RFID is different since it's more of a fourth-power problem (it's powered by the transmitter, so you lose the square of the distance sending, and again receiving), but that just makes the problem harder, not impossible.
It seems to be an act of concerted, almost conspiratorial dishonesty on the part of every group and company that is in any way favorable to RFID.
In my unscientific tests, aluminum foil is very effective at blocking RFID chips, at least the kind in entry tags.
The entry tags we use at work will read at a distance of about 30 cm. With foil on the back (away from the reader!), about 5 cm, with foil all around, not readable at all even rubbing the card all over the reader, front and back.
Quoting ac: "I'd like to see Rich (above) sidle up to someone in subway with an antenna and battery back and try to snoop wallets. Anyone trying to scan my derriere with a briefcase will suffer the consequences! ;)"
Doesn't have to be a briefcase. How about a backpack? And do people put things on chairs next to you when you're sitting down? Do you pass next to people who are sitting down with things on their lap? Packages and shopping? You can still get reasonable gain out of some flat-panel antennas, or even the good ol' "tin can" variants (and hey, they even look like real shopping items!).
I wonder if instead of just clipping the antenna, you shorted it out, as well as disconnecting it? That would significantly reduce the chance of any EM field building across the devices input. A simple switch could even allow you to choose between normal operation (with an antenna) and shorted (antenna disconnected). Granted the physical aspects of a switch are a problem, but it should be significantly harder to read the device if I'm right.
This could be very useful for devices embedded in book-like cases, as the switch could be built into the spine - When the book is open, the antenna is connected and the RFID tag is readable. When the book is closed, the antenna is disconnected and the antenna input is shorted to prevent the tag being readable. For entry tags, what about a small press button on the device to enable reading?
A shorting switch, coupled with anti-skimming protection (Faraday cage?) would make it exceedingly difficult to ever read an RFID out of place.
Yes, it is a 4th power law, BUT you get antenna gain in both directions: once boosting the beamed power, once receiving the signal. So the required antenna diameter still scales linearly with desired detection distance.
just a thought. If powering the RFID is a problem with distance, would it be possible to split the power source from the reader?
ie. Have one small unit being carried in the area where you would like to skim, and then the reader a lot further away?
My guess is that most RFID units will have a similar layout (chip at the center, surrounded by the antenna). Why not just develop a hole puncher similar to that used by train conductors that severs the antenna from the chip completely. You shouldn't need that many permutations of the puncher to cover the majority of layouts. That should reduce read distance to less than the depth of the outer covering of the RFID tag.
A staple would be more useful that a hole:
You still need a continuous antenna to make the power source.
"One might argue that inventory tracking ends at the final sale, leaving marketing as the only remaining public reason for leaving embedded RFID tags active. And we're never officially told what the 'other' reasons are."
How long, do you think, will it last until you get a warranty for your bought goods according to the warranty agreement only with the original RFID chip working?
The clipped-tag RFID sounds like a perfect example of a "middle ground" on security and privacy that is no middle ground at all. It's like saying, "We won't force you to transmit your data in the clear, you can use whatever key you want up to 32 bits."
What it does serve, however, is a purpose much like the semi-working "off" switch: once someone with a modest level of security consciousness sees a clipped tag, they probably won't bother taking stronger methods to disable the RFID.
(On some rethinking I can imagine an almost perfect application for clippable tags, if the device to do the clipping is sufficiently proprietary and nonportable: RFIDs that are being used for theft-deterrence as well as inventory tracking won't register in the readers at the door.)
The goal here is to create a technology that sounds like it ensures privacy, but in fact retains the ability of the tag maker to retain a functional tag that might work at normal ranges with future versions of the reader technology. In fact it might work with a current solution they have not revealed.
It went something like this:
Problem: People and technologists complain about RFID tags working indefinitely and being readable, thus violating thier privacy.
Solution: Create a technology that remains readable, but seems and sounds infeasible given common expertise levels in the people who would complain. Thus stopping the complaints while retaining the ability to access everyone's data indefinitely.
This is an example of "Privacy Protection Theater" using intentionally flawed technical assumptions.
How about adding this to the solution that shop clerks could rip off the tag ends as they sell the goods and stamps your receipt with a big green RFID SAFE stamp.
It would actually help meet their design goals, which are perception and objectibility based and not technological.
Yeah, I agree a hole is a fine way to clip the range. A big pin often does the job on smaller RFID tags in softgoods.
Perhaps the threat of exposure will get to the point (pun not intended) where even an inch is too great a risk, thus meaning RFID will have to include two modes, contactless and contact (as opposed to the rather misleading distinction between small and large distances).
I actually somewhat like this proposal, but not for the intended reason.
One concerning aspect of RFID tags is that many inventory control tags are meant to be so small that they are hard to see, or else are otherwise deliberately concealed. But in order for clipping to work at all, the tag must be readily identifiable to the customer. In addition, the clipping process reinforces the hazards that the tag presents, and the fact that by clipping these hazards are merely mitigated, not eliminated.
Thus I would support a tag clipping proposal, if it was accompanied by legislated requirements for making the tags sufficiently obvious, and marked with some suitable text (like, say, "this device contains a unique ID number which enables it, this product, and you, to be tracked by anyone equipped with a suitable reader")
Then many people (myself included) will be able to locate the tag and finish the job with a soldering iron, hammer, garment unpicker, etc.
UHF tags can easily be thwarted by holding them in your hand, or covering them partially with Aluminum foil. HF tags can be jammed by a 13.56 MHz homemade jammer, as they are not frequency hoping as the UHF are. UHF tags operate by electromagnetic propagation where as HF and LF are magnetic fields. At any rate, it is a challenge to get this stuff to work when there are many tags and many readers, it is child's play to make them not work at all.
The idea of the clipped antenna is to provide visual confirmaiton that the RFID tag has had its read range drastically reduced. Its much more reassuring to see the antenna ripped off than to trust somebody to say "trust us, the software has set the kill bit inside the tag, but you can't confirm it."
The laws of physics can easily demonstrate that the range with a given antenna configuration (gain and efficiency) on the tag is limited to some theoretical maximum given a certain background and thermal noise level, regardless of the transmit power and detection gain of the reader.
If you want to completely disable the tag, simply remove it from the item and toss it down a deep hole. The hole punch idea to just remove the chip sounds cool.
The scary application is when you don't even know the tag is in the product to start with. Even scarier, the concept of stealth tags exist that only respond and reveal themselves to readers with the correct security key. These would be difficult to detect with a sweeping / reader tool.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.