An RFID-Blocking Wallet
Here’s how to make an RFID-blocking wallet out of duct tape.
Entries Tagged "RFID"
Page 6 of 8
The Security of RFID Passports
My fifth column for Wired:
The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn’t have enough of the expertise it needed to do this right.
Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don’t know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.
The State Department’s plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it’s already committed to a scheme before knowing if it even works or if it protects privacy.
My previous entries on RFID passports are here, here, and here.
RFID and Privacy
Boston Globe editorial on RFID and privacy:
It’s one of the cutest of those cute IBM Corp. TV commercials, the ones that feature the ever-present help desk. This time, the desk appears smack in the middle of a highway, blocking the path of a big rig.
”Why are you blocking the road?” the driver asks. ”Because you’re going the wrong way,” replies the cheerful Help Desk lady. ”Your cargo told me so.” It seems the cartons inside the truck contained IBM technology that alerted the company when the driver made a wrong turn.
It’s clever, all right—and creepy. Because the technology needn’t be applied only to cases of beer. The trackers could be attached to every can of beer in the case, and allow marketers to track the boozing habits of the purchasers. Or if the cargo is clothing, those little trackers could have been stitched inside every last sweater. Then some high-tech busybody could keep those wearing them under surveillance.
If this sounds paranoid, take it up with IBM. The company filed a patent application in 2001 which contemplates using this wireless snooping technology to track people as they roam through ”shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, rest rooms, sports arenas, libraries, theaters, museums, etc.” An IBM spokeswoman insisted the company isn’t really prepared to go this far. Patent applications are routinely written to include every possible use of a technology, even some the company doesn’t intend to pursue. Still, it’s clear somebody at IBM has a pretty creepy imagination.
There’s a Slashdot thread on the topic.
RFID Car Keys
RFID car keys (subscription required) are becoming more popular. Since these devices broadcast a unique serial number, it’s only a matter of time before a significant percentage of the population can be tracked with them.
Lexus has made what it calls the “SmartAccess” keyless-entry system standard on its new IS sedans, designed to compete with German cars like the BMW 3 series or the Audi A4, as well as rivals such as the Infiniti G35 or the U.S.-made Cadillac CTS. BMW offers what it calls “keyless go” as an option on the new 3 series, and on its higher-priced 5, 6 and 7 series sedans.
Volkswagen AG’s Audi brand offers keyless-start systems on its A6 and A8 sedans, but not yet on U.S.-bound A4s. Cadillac’s new STS sedan, big brother to the CTS, also offers a pushbutton start.
Starter buttons have a racy flair—European sports cars and race cars used them in the past. The proliferation of starter buttons in luxury sedans has its roots in theft protection. An increasing number of cars now come with theft-deterrent systems that rely on a chip in the key fob that broadcasts a code to a receiver in the car. If the codes don’t match, the car won’t start.
Cryptography can be used to make these devices anonymous, but there’s no business reason for automobile manufacturers to field such a system. Once again, the economic barriers to security are far greater than the technical ones.
RFID in British License Plates
The British government is testing a scheme to put active—the kind that are independently powered—RFID chips in automobile license plates. They can be read at least 300 feet away, and probably much, much further.
RFID Passport Security Revisited
I’ve written previously (including this op ed in the International Herald Tribune) about RFID chips in passports. An article in today’s USA Today (the paper version has a really good graphic) summarizes the latest State Department proposal, and it looks pretty good. They’re addressing privacy concerns, and they’re doing it right.
The most important feature they’ve included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security.
The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security.
Assuming that the RFID passport works as advertised (a big “if,” I grant you), then I am no longer opposed to the idea. And, more importantly, we have an example of an RFID identification system with good privacy safeguards. We should demand that any other RFID identification cards have similar privacy safeguards.
EDITED TO ADD: There’s more information in a Wired story:
The 64-KB chips store a copy of the information from a passport’s data page, including name, date of birth and a digitized version of the passport photo. To prevent counterfeiting or alterations, the chips are digitally signed….
“We are seriously considering the adoption of basic access control,” [Frank] Moss [the State Department’s deputy assistant secretary for passport services] said, referring to a process where chips remain locked until a code on the data page is first read by an optical scanner. The chip would then also transmit only encrypted data in order to prevent eavesdropping.
So it sounds like this access-control mechanism is not definite. In any case, I believe the system described in the USA Today article is a good one.
Wireless Interception Distance Records
Don’t believe wireless distance limitations. Again and again they’re proven wrong.
At DefCon earlier this month, a group was able to set up an unamplified 802.11 network at a distance of 124.9 miles.
The record holders relied on more than just a pair of wireless laptops. The equipment required for the feat, according to the event website, included a “collection of homemade antennas, surplus 12 foot satellite dishes, home-welded support structures, scaffolds, ropes and computers”.
Bad news for those of us who rely on physical distance to secure our wireless networks.
Even more important, the world record for communicating with a passive RFID device was set at 69 feet. (Pictures here.) Remember that the next time someone tells you that it’s impossible to read RFID identity cards at a distance.
Whenever you hear a manufacturer talk about a distance limitation for any wireless technology—wireless LANs, RFID, Bluetooth, anything—assume he’s wrong. If he’s not wrong today, he will be in a couple of years. Assume that someone who spends some money and effort building more sensitive technology can do much better, and that it will take less money and effort over the years. Technology always gets better; it never gets worse. If something is difficult and expensive now, it will get easier and cheaper in the future.
RFID Cards for U.S. Visitors
The Department of Homeland Security is testing a program to issue RFID identity cards to visitors entering the U.S.
They’ll have to carry the wireless devices as a way for border guards to access the electronic information stored inside a document about the size of a large index card.
Visitors to the U.S. will get the card the first time they cross the border and will be required the carry the document on subsequent crossings to and from the States.
Border guards will be able to access the information electronically from 12 metres away to enable those carrying the devices to be processed more quickly.
According to the DHS:
The technology will be tested at a simulated port this spring. By July 31, 2005, the testing will begin at the ports of Nogales East and Nogales West in Arizona; Alexandria Bay in New York; and, Pacific Highway and Peace Arch in Washington. The testing or “proof of concept” phase is expected to continue through the spring of 2006.
I know nothing about the details of this program or about the security of the cards. Even so, the long-term implications of this kind of thing are very chilling.
The Sorting Door Project
From The Register:
A former CIA intelligence analyst and researchers from SAP plan to study how RFID tags might be used to profile and track individuals and consumer goods.
“I believe that tags will be readily used for surveillance, given the interests of various parties able to deploy readers,” said Ross Stapleton-Gray, former CIA analyst and manager of the study, called the Sorting Door Project.
Sorting Door will be a test-bed for studying the massive databases that will be created by RFID tags and readers, once they become ubiquitous. The project will help legislators, regulators and businesses make policies that balance the interests of industry, national security and civil liberties, said Stapleton-Gray.
In Sorting Door, RFID readers (whether in doorways, walls or floors, or the hands of workers) will collect data from RFID tags and feed them into databases.
Sorting Door participants will then investigate how the RFID tag’s unique serial numbers, called EPCs, can be merged with other data to identify dangerous people and gather intelligence in a particular location.
Battlefield RFID Listening Rocks
From the Financial Times:
The US military is developing miniature electronic sensors disguised as rocks that can be dropped from an aircraft and used to help detect the sound of approaching enemy combatants.
The devices, which would be no larger than a golf ball, could be ready for use in about 18 months. They use tiny silicon chips and radio frequency identification (RFID) technology that is so sensitive that it can detect the sound of a human footfall at 20ft to 30ft. The project is being carried out by scientists at North Dakota State University, which has licensed nano-technology processes from Alien Technology, a California-based commercial manufacturer of RFID tags for supermarkets.
This kind of thing has been discussed for a while. One of the best discussions is still Martin Libicki’s paper from the mid-1990s, “The Mesh and the Net: Speculations on Armed Conflict in a Time of Free Silicon.” (It’s available as a book, and online.)
Sidebar photo of Bruce Schneier by Joe MacInnis.