RFID Personal Firewall

Absolutely fascinating paper: “A Platform for RFID Security and Privacy Administration.” The basic idea is that you carry a personalized device that jams the signals from all the RFID tags on your person until you authorize otherwise.

Abstract

This paper presents the design, implementation, and evaluation of the RFID Guardian, the first-ever unified platform for RFID security and privacy administration. The RFID Guardian resembles an “RFID firewall”, enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Our system provides a platform for coordinated usage of RFID security mechanisms, offering fine-grained control over RFID-based auditing, key management, access control, and authentication capabilities. We have prototyped the RFID Guardian using off-the-shelf components, and our experience has shown that active mobile devices are a valuable tool for managing the security of RFID tags in a variety of applications, including protecting low-cost tags that are unable to regulate their own usage.

As Cory Doctorow points out, this is potentially a way to reap the benefits of RFID without paying the cost:

Up until now, the standard answer to privacy concerns with RFIDs is to just kill them—put your new US Passport in a microwave for a few minutes to nuke the chip. But with an RFID firewall, it might be possible to reap the benefits of RFID without the cost.

General info here. They’ve even built a prototype.

Tags: , , ,

Posted on December 11, 2006 at 6:20 AM35 Comments

Comments

Ed T. December 11, 2006 7:01 AM

Taking a quick read on the document, it appears that the method it uses to “firewall” the RFID tags might well make it illegal to use in the USofA (warning: IANaL!), as it appears to transmit a jamming signal.

~EdT.

Particular Random Guy December 11, 2006 7:32 AM

I don’t see how they master randomized reply intervals as they aren’t constantly broadcasting fake IDs (which would make you quite conspicious).

MJ December 11, 2006 8:23 AM

From seeing their presentation at DefCon this year, what they do is this. The reply intervals are determined by the device ID which is world readable using an algorithm called Aloha. What happens is a read attempt is made (which can be detected and jammed) and then, if there is a collision, it backs off a certain amount of time based on the device ID. Then another read attempt is made. Since we know when this is coming (because we know the device ID) we can block that as well.

bob December 11, 2006 9:22 AM

Good idea, although it only works for RFID tags that you are aware of.

Marginally related question: where can I buy a (aftermarket?) Honda key where the key portion folds up into the fob in some fashion (a la VW) so that it is SMALLER than Grant’s tomb and will therefore fit in my pants pocket (like pre-CPU keys did?)

FP December 11, 2006 9:35 AM

I disagree with the statement that “with an RFID firewall, it might be possible to reap the benefits of RFID without the cost.”

This solution allows us control over the RFID tags that we carry.

However, it would be much better if we had that control to begin with, or if we did not need to have such control. I.e., if RFID tags had a mandatory on/off switch, or if the systems were properly designed with privacy and security in mind (e.g., if a passport’s RFID tag could only be accessed with a key that’s printed in the cover page), we would not need an RFID firewall.

I know, that’s like saying that we wouldn’t need internet firewalls if only all of our network applications were secure. But the paper’s point is like saying that having a firewall gives us the benefit of the internet, based on the assumption that we can not fix our applications. I question that premise.

Legislation, or market forces (make RFID issuers financially responsible for the privacy issues caused by them) would go a long way in achieving the same.

Ray Noldsrapp December 11, 2006 9:50 AM

Agree that it is an interesting solution, but also agree that it would likely be illegal in the USA on several fronts (but I am not a lawyer).

There’s got to be a point where all this stuff starts causing cell damage. I mean everything from the devices in my pocket to our local bazillion watt Doppler weather station…. Glad I wear my aluminum foil hat.

Mike Aiello December 11, 2006 9:59 AM

RSA tried this approach a few years back. With Blocker tags.

http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/blocker-full/blocker-full.pdf

Unfortunatly methods of activly “Jamming” RFID have several issues.

  1. Non-standard tags will not collide as expected (this is the reason RSA’s blocker tag is not for sale) The solution presented here does not address 100khz -> 200khz tags. The majority of older, cheaper and insecure tags which need protection respond in this frequency range.
  2. FCC and other governmental compliance.
  3. Batteries/Power required for many of the solutions (including the one presented here)

The best bet is to block the tags entierly with a faraday cage until you want them read.

Greg December 11, 2006 10:12 AM

It may well be legal since the power levels are so low. Its hard for the FCC etc to make the levels much lower because of cost of compliance for other devices (e.g. CellPhones spit out a lot of out of band noise ).

But then RFID tags that are desgined to “prevent” privacy could develop counters to this sort of thing. ie spread specturum and other things. But this would cost more per tag and perhaps limit there prevalence in the market.

cmills December 11, 2006 10:26 AM

“Marginally related question: where can I buy a (aftermarket?) Honda key where the key portion folds up into the fob in some fashion (a la VW) so that it is SMALLER than Grant’s tomb and will therefore fit in my pants pocket (like pre-CPU keys did?)”

How is that relevant to this discussion?

-ac- December 11, 2006 10:34 AM

Heh, I know they’d be a market for this type of personal security device. Next stop a pair of Levis with a zippered faraday cage pocket.

it might be possible to reap the benefits of RFID without the cost.
Just what that “cost” is would be an interesting discussion.

Stephan Engberg December 11, 2006 10:36 AM

I politely refer your attention to my talk at the EU RFID Consultation on RFID Security & privacy.

Here I walk through principles and issues on how individuals can Control RFID through builtin user-controlled access control management in the RFID itself.
http://www.rfidconsultation.eu/docs/ficheiros/Stephan_J_Engberg.pdf

This is based on work, we published at PST2004 – a link to the paper is here.
http://www.obivision.com/papers/PST2004_RFID_ed.pdf

The consumer will have exclusive control and the RFID will not even respond to requests. But still – through a principle of multiple keys that can be accessed on consumer authoristaion only – the consumer and provider can enable all the values provided by RFID.

John Ridley December 11, 2006 10:38 AM

For cards (credit, ID, etc) I think the faraday cage is a much better idea. Way smaller, way cheaper, way more reliable.

Where this would seem to be useful would be for RFIDs scattered around your body in clothing or whatever.

However, it’s unclear to me that it’s not a better solution to just destroy those tags; I don’t know what’s gained by keeping them. Also, if it’s strong enough to block tags in your shoes, it’s also going to cause unwanted interference to tags that others are wearing, unless it’s keyed to specifically jam only your tags (TFA indicates it jams based on proximity).

I don’t think there’s any chance this would get integrated into a cell phone, which would be probably the best current platform for it to run on; there’d be too much legal liability for a phone manufacturer to include that feature. If the phone happened to be capable of doing this anyway and the feature could be added via 3rd party software, it might happen.

Though I don’t think this is a practical idea, it is certainly an interesting concept, and certainly is worth someone studying and thinking about (this is what grad students are for, right?).

MJ December 11, 2006 11:15 AM

The only way it would interfere with others’ tags is if their tags had the same device ID as yours (which is a pretty small chance to say the least). And the benefit to this over destroying the tags is that this way, the tags are still usable. You can temporarily stop the device for a specific tag. You can also use the device as a reader to test how it was accessed. That way, if you detect an unauthorized user accessed it, you would know and could get a new tag.

This isn’t meant for tags you pick up incidentally and don’t know about, this is for tags you have, you need, and you know about.

bob December 11, 2006 11:29 AM

@cmills: it was relevant to the previous poster’s (Chris S, concerned a “switchable” faraday cage built into a car key) submission.

quincunx December 11, 2006 12:37 PM

So, honestly, is there any real use to RFIDs other than helping keep track of inventory?

It seems that others uses are mostly technocratic fetishism that will prove to be less useful than the old methods of doing things.

Davi Ottenheimer December 11, 2006 3:22 PM

Cory, master of understatement, says:

“This is a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future.”

Glimpse of the future? Look around, Cory.

This kind of schmaltzy soundbite turns me off about as much as the “Must see x of the year” buzz that you often see on some of the worst plays, movies, etc..

Davi Ottenheimer December 11, 2006 3:37 PM

The paper reads “If we are ever immersed in a sea of RFID chips, the RFID Guardian may provide a life raft.”

Having some sense of what it means to be immersed in a real sea, I find it interesting that they compare their device to a life raft (something you only step onto as a matter of absolute last resort).

In addition, it seems they’ve adopted the firewall concept for RFID at a time when firewalls are under incredible strain to become something much more intelligent.

In other words, assuming you accept the fact that RFID chips really will be barraged by requests/sends or lost in a sea of information, does it make sense to assume a model or manual ruleset and human intervention is going to be the right approach? The industry can barely (if at all) manage firewalls on the desktop…

Here’s another interesting quote from the paper:

“RFID Guardian seems immune to the DoS attacks that we can identify, either because they would also disturb regular RFID interaction, or because the RFID Guardian has enough resources to defend itself long enough to alarm its owner after the threat has continued for some while.”

I don’t follow the logic that just because a firewall, er “Guardian”, can alert you to an ongoing DoS attack that it should therefore be considered “immune”. Likewise it is hardly immune just because someone else might be impacted. DoS attackers often impact anyone on the way to or around their target today, why wouldn’t the same be true for RFID?

another_bruce December 12, 2006 12:52 AM

instead of firewalling your rfid tags, a technique susceptible to failure, why not carry a little thing in your wallet, scarcely larger than a rolled-up condom, stuffed with dozens of rfid tags, hide your signals in their chaff?

phil December 12, 2006 7:33 AM

…stuffed with dozens of rfid tags, hide your signals in their chaff?<<

The RFID protocols are designed to sort out dozens of different similar ID transmissions, making it quite resistant to this form of “chaffing”.

Anonymous December 12, 2006 12:20 PM

this is a bad idea. we need everyone and everything tagged with rfid. this will help us find the terrorists better.

Clive Robinson December 12, 2006 1:11 PM

@Stephan Engberg

“The consumer will have exclusive control and the RFID will not even respond to requests”

I wish that where realy true…

It depends on your definition of “respond to requests”,

If you mean “activly reply with confidential data” then it might just be possibly true but I very much doubt it (See Point 1 below).

If you mean “can I detect if it is there” it is most certainly not true. It is as easily detectable as any other electronics with tuned circuits (see Points 2 & 3 below).

Then ask yourself will RFIDs make us less safe from criminals and terrorists the answer is most definatly yes. Not just at the national level but more importantly at the personal level. (see Points 5&6).

Point 1,
Ask yourself the fairly sensible question,

“Do I think the RFID will not have an effective backdoor hidden away as a master / engineering code for production line testing or Law Enforcment etc”.

If you think not you probably do not work for the type of manufacture who would make RFIDs, or for the sort of three letter government agency that wants RFIDs in every thing and is happy to pay for what they want.

However even if an RFID did not have a backdoor it is still harmfull to your health vis criminal activity not cell damage (see point 4).

Point 2,
Basically unless you put a real honest ON/OFF switch in the RFID that stops its pickup coil picking up RF energy then the tag will be detectable by a Grid Dip Oscillator or it’s more modern equivalent (For an explination see http://en.wikipedia.org/wiki/Grid_dip_oscillator ).

The functionality you refer to above indicates that all embeded RFIDs must be able to respond to the “consumers” commands and therefore must remain at all times active… Therefor it cannot posibly have a real ON/OFF switch, so is open to this type of attack at all times.

Point 3,
As the RFID is not shielded it is very very likely to show up on a R.F. “Non-Linear Junction Detector” (For a simple explination see http://en.wikipedia.org/wiki/Nonlinear_junction_detector )

Point 4,
What is generally not mentioned is that both of the RF detection methods (points 2&3) can be fairly easily extended so they can also be used to FIngerprint / Profile the RFID.

So if you can work out the RFID manufacturer and the step / batch info then you are very likley to know what it is in by cross corelating with either public or private data to work out what devices the RFID was put in (and please don’t say this information will be kept secret it can not simply by the definition of the RFIDs basic function).

Point 5,
Basically the RFID Fingerprint (Point 4) can be used to fairly reliably detect and identify what you have in your pocket Passport / Credit Card / ID Card etc.

Which means that you as the person carrying it are very much dead in the water as far as a criminal is concerned, they know that you have what they want to steal befor they touch you.

Welcome to the world of “mugging by order”.

Point 6,
The sad thing is that the RFIDs will actually make us less secure against criminals and terorism than without them.

As a “known” terorist I now need genuine documents to travel from country to country (if I am unknown then my exisiting ones will do).

In the past I could get reliable fakes or genuine documents from corrupt officials. Both of these options are likley to be less reliable in the future.

SO what are my options, well a simple one is to walk around tourist areas with an “ID Shopping list”. If I see a person who matches an ID that I need I can simply get sufficiently close to the person to scan them to see if they have their travel documents on them. If not I keep on looking if they do I now have two options,

I can simply steal and keep them, but this will probably mean that they get invalidated within a short period.

Alternativly I can “suruptitiously steal” (pickpocket / lift from hotel room / bribe hotel clerk / cleaner etc) their travel documents. Photo the ID page, and dump the contents of the RFID into a reader. I then “suruptitiusly give” the person their travel documents back.

The person does not know that their ID has been very very effectivly stolen so has no reason to report it, or get new travel documents. I now take a genuine travel document (again stolen etc) and change the ID page and “clone” the RFID.

Modifing genuine passports is a well known tried and tested technique and usually preferable to trying to create an entire fake passport.

The result a genuine travel document that is going to pass most boarder gards irrespective of if they are “Online” or “Off line” to a database of valid travel documents…

What is different to this than the way travel documents are currently modified, that makes it less secure?

Well if I currently go ID shopping I do not know if the target has their travel documents on them so my chances of getting hold of them are a lot lot less than if I can scan the person and know they have them on them…

Put it another way if I have to mug ten people with aproximatly the same ID to get a travel document then it is likley the Police are going to notice the ID match and possibly realise the intent (and if smart cross check the ID against known criminals / terrorists).

If however I only mug one person and apparently steal only their valubales (ie they get Passport etc back very quickly) then as a Policeman I am more likley to think “street crime” than “ID theft”.

Bitsy December 12, 2006 1:30 PM

Sjaak Laan asks if this device will make it easier for shoplifters to steal RFID-protected products.

The device isn’t necessary. For years shoplifters have been constructing faraday cage bags to aid them in their shoplifting.

Stephan Engberg December 13, 2006 5:43 AM

@Clive

With present conditions, I would agree with your analysis and even throw in a few additional threats myself. For instance on the linkage with biometrics and the problem of Relay attacks.

But lets try to be sensible about this.

The goal is to make RFID based on Privacy by Design to ensure User Control but also wider Security by Design as the manufacturer have risk that also need to be protected such as anti-counterfeit and potential SLA-liability in authenticity verification towards customers which are important in pharmaceuticals, home medication and a range of other applications even post-sales.

a) First focus on eliminating the threats in normal use, ie. ensure the consumer has the key to control access to the chip and ensure damage control in case of attacks. Absolute transfer of control without algorithmic predictability of keys/identifiers or trusted parties is essential here.

b) Incorporate the fundamental understanding that identity or rather avoiding reuse of identifiers across context is the only way to protect against data in databases being linked. The RFID has to be able to shift Id, manage muiltipe identifiers and communicate without leaking identifiers.

c) Ensure you only use RFIDs for what their security can support. In other words – NO use of RFID for Person Id such as payments, access controls or passports (using auto id) because these are seriously vulnurable to relay attacks and reuse keys across context.

d) Consider the real threat of RFID “fingerprinting” in a world where RFID dont reply and the protocol dont leak data but may be detectable with special equipment. Even if possible, will there be mass deployment or is it only a theoretical threat in very special circumstances.

e) Consider the worst case/paranoia/conspiracy threats.

Will a generic backdoor remain undetected? Much better to install open and transparant front doors for legitimate security needs and thereby eliminte the reason for hidden backdoors.

Even so – given we cannot prevent a specific targetted attack with customised RFIDs, what is the real threat? Who is likely to be the wictim of this? Ensure costs and likelihood of success aredis-proportional.

The real problems to security are biometric surveillance, data linkability and the general lack of sustainable user-centric identity models. Because the database cannot be secured as perimeter security is failling.

May I kindly suggest that we start by looking constructively at how we make digital processes work with user control?

Instead of being so afraid that we leave the decisions to those that do not care about security, have interest in taking control over people or simply are not aware.

RFID technology will be part of the future, it is simply so obvious. But we still have time to decide HOW and especially design the controls rightly.

My point is simple and persistent – empowerment of the individual is the way to go and we have to encorporate Privacy and Security by Design in all technologies as these security problems are growing.

In the light of this article, notice User-controlled RIFD can co-exist with a external PDA “firewall” protection as an extra precaution and the PDA can even be used to manage the User-controlled RFIDs.

Also the PDA can be used as a transparancy tool to “wiretap” against any communication that cannot be explained .. and boom there goes the trust model.

But the energy and health care issues as well as operational design impact of a constant jamming field seems somewhat overkill and even counterproductive if you anywa create linkability in use.

Clive Robinson December 14, 2006 11:02 PM

@Stephan Engberg

Hmm where do I start…

First off you are looking at to high a level when you start talking about “controled data security” with regards to “Privacy” with RFIDs.

It is not possible to secure them at the lowest level (unpowered state), against quite basic attacks like “present not present” even when they do not “data respond” to interogation under “User control” (can only happen in powered up state).

All RFIDs by their very core design respond to several different R.F. frequencies. The RFID needs to do this to gain sufficient power for the chip onto a small value capacitor. This is acomplished by a “tuned circuit” and a diode to rectify the R.F. current induced into the tuned circuit. The tuned circuit is usually a “large area” “pick up coil” and a resonating capacitor used to increase the “Q”uality of the coil giving a higher output voltage and also giving it a degree of selectivity.

You can determin various things about this tuned circuit like it’s powered and unpowered “Q”, it’s charecteristic impedance curve against signal level and also it’s harmonic reponse. All of this with equipment that would have been avaialable during the Second World War…

Worse due to the nature of the tuned circuit design it resonates at many frequencies right up into the lower end of the microwave band. The frequency response is sufficiently conistant from device to device in the same product, and sufficiently different from product to product that it could easily form the basis of an RFID type identifier or “Fingerprint”….

As long as the pick up coil has a load of some form (ie it does not have to be a capacitor) it can be detected simply by the effect it has on the R.F. “H field”. Admitidly this is at very close proximity to the coil. Only when the loaded coil cannot see the “H field” will it not be detectable (i.e. sufficient screaning).

However, when you have the diode connected to the pick up coil and a load across it’s output all sorts of interesting things happen (again irrespective of if the coil is resonated).

First off the circuit is no longer pasive, but active, the Diode has a characteristic that is very nonlinear and generates lots and lots of interesting harmonics. These can be examined fairly easily at a considerably greater distance.

When combined with variable frequency scanning a very very large amount of information becomes avaialble. All you require is some method to analyse the information and corelate it with a database of “known RFID pick up circuits”.

At this point it is game over, and the RFID chip has not even powered up but it’s prescence and type have been determined, the only unknowns left are on the RFID chip, which is where you start to talk about “User Control” but as I said this is only when the chip is powered up and correctly reset and you are not there yet…

So as the chip starts to power up another set of interesting things happen. It behaves in an aparently random fashion untill there is sufficient power for the chip to reset it’s self correctly.

Well this “aparently random” behaviour is acompanied by R.F. radiation from the chip, This signal has certain charecteristics that again can be measured and guess what it can identify which batch the chip comes from. Also although random looking it is far from random and the chip is effectivly in a “temporary fault state” untill it has sufficient power to reset and start operating correctly.

Now whilst the chip is in the “twilight zone” the fun can realy start, do you remeber Differential Power Analysis?

Do you know what happens when DPA is coupled to “Power Fault Injection” in an RFID?

Well neither do most people simply because last time I looked nobody has seen fit to publish any significant data on it…

The only RFID DPA stuff I had seen used standard card readers and apparently only looked at the stable powered up state (looking for data leakage under normal operating conditions)…

What sort of secrets are going to leak in the “twilight zone” before the “User Control” becomes active?

Finaly the chip is powerd up and it has reset it’s self to a “sane state” and it starts to execute it’s code. What info does it leak before it gets to the “User Control” software?

Let us move on you actually have an RFID under your physical control that might contain data you are interested about

Have you heard about Pico Probe Fault Injection attacks?

They are like highly directed EMP attackes on individual areas of a chip.

What about Laser Fault Injection attacks?

The laser adds energy to individual transistors to flip bits in the CPU or other areas.

What about moduated R.F. Injection attacks?

Little written about these, but basically you use a low level R.F. signal, it gets envolope demodulated by components in or around the chip to produce offset voltages and signals to induce faults.

What about R.F. Remodulation attacks?

This is where you put the chip in an RF field and the functioning of the chip modulates the R.F. field. You pull the field of using an IQ demodulator and feed the info into a computer to mung the signal about in much the same way as with DPA.

Some of these attacks are still working against Smart Card chips, and I do not know of anybody trying them yet on RFIDs.

When and only When these questions have been answered and all of them designed out is it time to start looking at higher level security.

But wait ther is a problem, the CORE RFID design says RF Pick Up coil required, opps you can not design it out, and potentialy it can fingerprint the RFID…

Hmm are RFIDs secure by design then?

Answer = NO

Therefore are they fit for purpose when dealing with physical security such as “present not present” ?

Answer = NO

So on to your point A, you say,

“Absolute transfer of control without algorithmic predictability of keys/identifiers or trusted parties is essential here”

Ah it’s not going to happen. Due to production line reliability issues the manufacture is always going to have a master override to put the RFID chip into an unlocked and sane state. Just like JTAG on complex IC’s

With that resonable assumption, is the master override also going to wipe the contents of the mutable memory in the RFID. Probably not again due to reliability this time in the field. After all you don’t want to lose the information in a UPS depot where it is used to route every package do you? Especially when it’s some Script Kiddie Cracker doing a drive by…

Your point B, hmm not sure how you would do this in practice, but it is likley to add a hefty area of silicon and therfore cost on each RFID.

Your point C, I definatly agree, but will the U.S. Gov TLAs they want low cost and contactless technology in ID documents. They are very set on RFID and have effectivly forced it on the rest of the world. And more importantly the ball is already rolling quite quickly, who’s going to be big enough to stop it rolling?

Your Point D, well if there is finacial gain to be made by fingerprinting RFIDs then it will happen as a natural consiquence, both commercialy and criminaly. The more money to be made the faster it will happen 8(

As you can see from above there are a large number of unanswered questions about the fingerprinting of RFIDs.

As for your E see ===paranoia=== below 😉

Are generic back doors actually back doors when they are for testing. Microsoft fell foul of the JTAG pin on one of its chips in the X-Box which supposedly enabled sufficient information for a hack to get past some of Microsoft’s security features.

It is impossible to say what attacks will be profitable RFIDs are only just starting their life cycle they will be with us for 30+ years in one form or another due to the Passport requirment. Who knows what high value item they will get incorperated into, or used like a Smart Card as a security token to a high value DB etc.

With regard to ID, assume RFIDs are put into shirts jakets shoes etc for stock control. No apparent security issues there as far as a number of U.S. stores are concerned as they have already “rolled out” RFID systems. As the RFIDs need to be very very low cost as do the readers etc, there will be no features like rotating IDs etc.

Ask yourself as you pay with your credit/debit card at the check out if they are logging your Card ID against the RFID ID for “returns policy”. Assuming they are how many RFIDS does it take in what you wear to reasonably identify you at every RFID scanner you pass?

Even if you think they are all deactivated there will be some you miss for whatever reason.

The problem as I higlighted above is that as long as the RF part of the RFID is working fingerprinting is possible and therefore attacks on the system will almost certainly follow.

The big problem with trying to set an agenda is nowing what it is you are trying to achive. With RFIDs the whole technology shouts “Unknown Exploitable Side Channel Attack Built In”.

As has been observed on these blog pages in the past nothing is “fool proof” especialy when people doing system design do not have the ability to recognise their limitations. For instance the “Nike+iPod Sport Kit”

http://www.schneier.com/blog/archives/2006/12/tracking_people.html

And now back to my senario for your point E,

===paranoia===
A not worst case senario where several parts have already happened to people in the U.S. and it involves the use of RFIDs in a “stock tracking” role.

Take medication for instance do you care if I know you are carrying it. The answer in most younger peoples cases is probably yes.

So you invoke “User Control” and turn the RFID in the blister pack off, as work is touchy about drug usage (ie requires reporting of medications) and you find your condition difficult to talk about and more than a little distastful.

But I am for arguments sake your employer, I get a call from the Tecs to say that you have something on you that upsets the ID card reader for automatic door opening. And that it was caused by something in your jacket pocket that you did not want to take out or discuss with them.

All very suspicious, the obliging Tecs tell me that it is most likley an RFID which has “User Control” activated, as it excercises a bug in the scanner (due to it’s failing the “Present not Present” test). The tec mentions he has seen it before on several occasions. I ask what the cause is and he says “In most cases pill packs where the user has turned the RFID off”.

What do I do now ignore the issue (unlikley in this day and age). I decide to talk to you and you clam up and make me even more suspicious.

What next, do I get HR to ask you directly? Do I get security to give you a random search? Neither afterall after the little chat you are bound to know I told them to do it and you might sue hmm…

No I talk to the Tec again, he tells me he can find out what it is with a hand scanner. He scans you again to get the RFID charecteristics to get the manufacture / type / batch number info and looks it up in a Internet database. He sends me the URL of the result.

Oh look it’s a drug called Amitryptiline, I look it up and see that it is used for “treatment of depressive illness of psychotic or endogenous nature”. I see the word “psychotic” oh no what do I do after all I have a “Psyco” on the pay roll think of the “liability”. You become an “outsourced unit of work resource”.

Oh dear all you actually have is a bad case of nerve pain after shingles and the drug is a Tricyclic antidepressant most commanly used for this condition. Ah well you can always get another job or can you?

Who have I told, whose confidential employee screening database does it appear in that you where “Let go due to suspected mental health problems / instability”.

You find you can not get work at the same level and you do become depressed and you find it difficult to hold down even low paid jobs due to reliability problems. You don’t have medicare as you are unemployed and your depression gets worse. Now no employer will touch you as their health insurers say (confidentialy of course) employ him and we will significantly increase your premium.

Stephan Engberg December 19, 2006 1:46 AM

@ Clive

Hmm – with that approach you could just as well argue that people have an aura that can be measured.

You are talking about installing special surveillance equipment that do not use protocols but act on sidebands and more or less theoretical assumptions on what we could call “biometric” electromagnetic profiling of otherwise identical devices.

Your assumption of a linkage between the RFID “model” and a specific batch of products is purely theoretical.

I do not doubt that you with special and sensitive equipment can detect that something is in the field nor that you with very sensitive equipment can meassure that it is likely some sort of non-responding RF-device nor that you in a theoretical scenario might be able to from this analyse to first a type of RFID, perhaps even the specific production batch and in an extreme theory we cant even exclude you might be able to recognice the specific RFID.

This is made even mode difficult by the fact that you in the future will be carrying anywhere between say 5 and 50 RFIDs and more powerfull communication devices interferering in the field. Isolating a single non-communcating device without being detected yourself sounds like pure theory.

In relation with this article, tracking the “firewall” seems to be much easier than trying to detect RFIDs. The firewall will have to be constantly and acticely communicating with power to jam every relevant channel. But the jamming signal itself will be amplified by itself and it will force a response from retailers and regulatory authorities as the signal will disturb other communocation.

It seems to me that you repeat your statement, but not responding to what I wrote.

First of all, the basic idea of user control of RFID and device communication is the same except it is much cheaper, energy efficient, secure, operational and effective to put the user control & security in the RFID instead of trying to hide devices without security through jamming.

The basic point is that protocols are designed not to leak information. I do not see you provide any critical analysis of this except some conspiracy theory about hidden backdoors which we explicitely discuss in the paper.

If you read our paper on RFID, we focus on the likelihood of surveillance detection. The conclusion is that there is no way to guarantee against a specific chip having customised modifications – but the likelihood of getting away with tracking many customised RFIDs are very small provided they do not answer.

Long before going to such extremes as electromagnetic profilling of non-communicating devices, it would be far far easier, more reliable and cheaper to attack the person himself using automatic face recognition, voice recognition, smell or any other biometrics which inherently are out óf user control.

Your arguments on RFID payments and RFID are irelevant to this as I state clearly that you cannot use automatic Identification for security reasons.

Your “scenario” is a highly speculative situation and with a sufficient degree of paranoia we can think of millions of such cases including getting fired because a breath analysis state that you had a bear last weekend and thereby violating corporate alcohol-policies. Or getting fired or your carreer put on hold because an door-entry x-ray analysis of your bodyfat indicate a growing obesity-problem that the company does not want to carry any liability on.

Sorry, Clive. I am not saying you are wrong, but you are deep in the conspiracy and FUD field here. Your line of argument ends up in a no to technology altogether.

The necesary infrastructure to do this – even on a small local scale except perhaps the police when targetting a specific person – is in my view not realistic even with deep concern and distrust.

My question to you is the opposite – why dont you use your knowledge to make solutions? How do we counter non-legitimate biometric surveillance? Is legitimate biometrics surveillance that do not destroy trust & security theoretically possible?

TK December 29, 2006 12:31 AM

Where the RFID enabled item is credit card sized or passport sized it is more than adequate to use RF shielding pouches that effectivly form Faraday cages around the RFID item attenuating RF energy to the point there is not enough energy to energise the RFID circuitry. An “RFID Firewall” will be made illegal in countries where RFID transmisions are going to be protected from intentional interference. It is environmentally unsound too, requiring power and complex data processing, to achieve what a simple metalised mesh lined pouch could achieve without adding to the environmental EMR.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.