
Is RFID Really That Scary?

timothy posted more than 4 years ago | from the relaaaaaax-citizen dept.

Privacy 338

tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities compromised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet led to a single instance of identity theft, illegal monitoring, or other security compromise?"

338 comments

first (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33305308)

first

Re:first (3, Funny)

NevarMore (248971) | more than 4 years ago | (#33305342)

AC used RFID to steal my first post!

Yes and no (4, Interesting)

autocracy (192714) | more than 4 years ago | (#33305324)

Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.

Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."

Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

Re:Yes and no (5, Insightful)

morari (1080535) | more than 4 years ago | (#33305382)

My bank switched their debit cards over to ones with "PayWave". It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line. I immediately bought an RFID blocking wallet. I'm a lot more concerned about being tracked by the stores and the bank, being marketed to by telescreens on the sidewalk, etc. than I am about cyber-thieves.

Re:Yes and no (1)

pdboddy (620164) | more than 4 years ago | (#33305438)

You are tracked by your bank and CC company every time you use your card anyways.

Being spammed by advertising, that's a more legitimate concern in my eyes.

Re:Yes and no (2, Interesting)

veganboyjosh (896761) | more than 4 years ago | (#33305874)

I keep seeing this argument being brought up, in all kinds of contexts. (Facebook targeted ads, web history, etc.) I think one of the major turnoffs for me about mass market advertising is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time. I don't eat at fast food restaurants, so billboards for big macs are just a scourge on the landscape. If the billboard was advertising something I was interested in, then I believe I might find it less intrusive and less annoying. When I do see ads for music, movies, etc, that I'm interested in, I truly do look forward to seeing new ads from these companies.

Re:Yes and no (4, Funny)

sjames (1099) | more than 4 years ago | (#33305584)

Wow. If we thought butt dialing was a problem, just wait until butt-buying starts.

In soviet america, ass bankrupts you!

Re:Yes and no (2, Funny)

Gazoogleheimer (1466831) | more than 4 years ago | (#33305634)

at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass.

Re:Yes and no (1)

Critical Facilities (850111) | more than 4 years ago | (#33305812)

at my dormitory, my absolute favorite way to open the locked door (magnetic strike) controlled by a RFID reader is to open the door with my ass

So nice to see the fruit of higher education.

Re:Yes and no (2, Funny)

bmw (115903) | more than 4 years ago | (#33305952)

Pelvic thrust is the way to go.

Re:Yes and no (1)

MozeeToby (1163751) | more than 4 years ago | (#33305608)

If you can feel where the RFID chip is in the card you can crush it (assuming it is the only chip that your card has of course). I've done this accidentally with my ID card at work, a simple pair of pliers should do the trick and you'll never have to worry about it again.

Re:Yes and no (4, Informative)

CyberLord Seven (525173) | more than 4 years ago | (#33305400)

It seems to me you are assuming that the RFID is the only method being used to track someone. I don't track people but it seems trivial to me that a device that identifies a single person out of a mob would be extremely useful.

Instead of setting my head on a swivel and looking around suspiciously I need only keep my gaze directed at my open book (hiding my tracking device) while I walk around keeping track of my subject.

Yes, alone, the device is useless; however, people in the business might find plenty of uses for it that you and I cannot imagine.

Re:Yes and no (1)

Dancindan84 (1056246) | more than 4 years ago | (#33305544)

Because reading a book while you walk through a crowd is less suspicious than looking around while walking through a crowd?

Re:Yes and no (1)

KiloByte (825081) | more than 4 years ago | (#33305682)

These days, it will be a smartphone.

Re:Yes and no (1)

oodaloop (1229816) | more than 4 years ago | (#33305436)

I was thinking of the Starbucks next door. Probably hundreds of defense contractors with their access badges walk through there every day, probably more than a few with their RFID passports and other IDs too.

Re:Yes and no (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#33305924)

I heard that once RFIDs are in place, the only things that need to upgrade are the actual reading technology, not the signal emission. The RFID itself doesn't need to broadcast any further than a couple meters - it's the scanners who pick up the stuff that need improving.

So - right now, we have those issues with signal quality and obscurity - but that's only going to improve. Would you want to adopt this kind of technology solely on how it's going to be used now or are people going to start thinking long term and consider the ramifications of this a few years down the road?

Re:Yes and no (1)

men0s (1413347) | more than 4 years ago | (#33305962)

It also depends what data is contained on the card. Suppose all that it held was a student number. Well, that's fine and dandy and I suppose you could create fake student IDs to get discount software, check out books at the library, and take advantage of other Uni perks. But - of course - that means you'd be committing identity theft.

For example, the State of Michigan started issuing enhanced drivers licenses with an RFID chip in them [michigan.gov] to allow passport-free travel between the US and other WHTI countries. Supposedly, the only thing on them is a unique key. So if you want to walk around Detroit with an RFID reader and "track" people, good luck: the only thing you're tracking is the unique keys. You'd need access to whatever database in order to tie that unique key to a specific person.

I'm not saying that identity theft wouldn't happen - it would - just that you'd have no idea who you were trying to impersonate and that spoofing a driver's license has a whole lot more potential for misuse than some college kid's ID.

It's like a vaccination... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#33305326)

Prevention is a better method of addressing an identified legitimate security concern than "waiting to see what happens."

I view it like vaccinations. I don't plan on getting measles this month, but I still had my MMR...

Re:It's like a vaccination... (2, Interesting)

Peach Rings (1782482) | more than 4 years ago | (#33305718)

Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.

Not really. (1)

willyd357 (1293166) | more than 4 years ago | (#33305330)

If you're really that worried about it, they do make wallets that block RFID signals. As to how effective they are I couldn't say, but there is much to be said for the placebo effect.

Re:Not really. (2, Informative)

oodaloop (1229816) | more than 4 years ago | (#33305470)

I've got one. I put my RFID badge in it, and it still scanned at the same distance I always hold it in the same time (1 to 2 seconds). I've half a mind to line it with aluminum foil.

Re:Not really. (1)

rubycodez (864176) | more than 4 years ago | (#33305660)

Also try an anti-static bag and let us know how it goes. Most geeks have loads of those we're saving.

Re:Not really. (1)

oodaloop (1229816) | more than 4 years ago | (#33305716)

Nah, I'll just wear one of those wrist thingies.

http://xkcd.com/649/

Just like many other things of this nature... (2, Insightful)

Pojut (1027544) | more than 4 years ago | (#33305332)

RFID really is something that needs to have an eye kept on, but sensationalist headlines make it seem worse than it is.

Of course, if you're really worried about it, there are options [thinkgeek.com] depending on what you need to protect [thinkgeek.com].

Re:Just like many other things of this nature... (1)

WrongSizeGlass (838941) | more than 4 years ago | (#33305380)

but sensationalist headlines make it seem worse than it is.

OGM!! Facebook now has RFID!!

Re:Just like many other things of this nature... (1)

hAckz0r (989977) | more than 4 years ago | (#33305932)

I would not laugh too loud. Facebook is adding 'location information', so the next step would naturally be 'verifying' that location. That won't be hard once your driver's licence, credit cards, and other 'store convenience cards' all have RFID embedded for their own brand of convenience.

I can see a hypothetical situation now:

Officer: "No need to sign any traffic ticket Son, we know who you are, and you can find your ticket and licence info on the department's Facebook page for the County's "Deadbeats, Speeders, and Delinquents" until the posted amount is paid in full."

They might even just forget that traffic court could possibly find you 'not guilty', and hope that you just pay the fine to get off that facebook page. That would save them a heap of money if you just pay the fine and don't show up in court to fight the charges.

Re:Just like many other things of this nature... (2, Funny)

dwye (1127395) | more than 4 years ago | (#33305816)

Both those RFID-blocking wallets are out of stock. Are you just a dupe of the Vast RFID Conspiracy, or was that deliberate disinformation? Wait, ThinkGeek is related to SlashDot, too, so Cmdr Taco must be in on it, too! And I ran out of aluminum foil in my kitchen, just last night. Oh, God! I must be in on it, too! We're all doomed!

Ah, paranoia. The Delusion of the Gods!

Great Idea (0, Offtopic)

tmosley (996283) | more than 4 years ago | (#33305338)

Yeah, let's rely on security through obscurity. That has always worked for us.

Re:Great Idea (0)

Anonymous Coward | more than 4 years ago | (#33305408)

Is it just me, or has this argument been brought up in pretty much every thread for the last few days, regardless of how completely inappropriate or unrelated?

Re:Great Idea (4, Insightful)

aurispector (530273) | more than 4 years ago | (#33305440)

RFID isn't a security concern NOW. If they start putting them on, say, driver's licenses it's another story. Why would anyone think RFID is a good idea when every other system that can be abused IS abused? The new barcode like scanning squares (WTF are they called?) can hold plenty of information and can only be read when the cardholder deliberately presents the card for scanning.

What is the advantage of RFID?

Re:Great Idea (1)

siriuskase (679431) | more than 4 years ago | (#33305524)

Are you talking about the 2D barcode on driver's licenses? The one they scan when you go in to vote?

Re:Great Idea (0)

Anonymous Coward | more than 4 years ago | (#33305590)

I think he is referring to QR codes.

Re:Great Idea (1)

Anarki2004 (1652007) | more than 4 years ago | (#33305578)

Those scanning squares are called "2d bar codes". I think one of the advantages of RFID (at least for financial transactions) is supposed to be ease of use. But as you stated, the bar code is just as easy and far more secure.

Re:Great Idea (1)

Anarki2004 (1652007) | more than 4 years ago | (#33305602)

Bah...I forgot to mention in that post that they are also called "matrix codes".

Re:Great Idea (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33305668)

Whoa...

Re:Great Idea (1)

FooAtWFU (699187) | more than 4 years ago | (#33305678)

I dunno. It won't be a big deal in your wallet, but if you're taking it out for a moment anyone could take a picture of it; at least the RFID requires some fancy equipment to exploit.

What would really be secure is some sort of smart electronic device for payments that does, like, real cryptography over RFID. Part of your next-gen Japan-style mobile phone, perhaps. Which is already as trackable as its GSM and 802.11 radios.

The signals are too weak... (2, Insightful)

gandhi_2 (1108023) | more than 4 years ago | (#33305448)

The signals are too weak and the data is too obscure

Both of which are solvable with ingenuity, time, work, and people. Some things both-colored hats have in ample supply.

Re:The signals are too weak... (0)

Anonymous Coward | more than 4 years ago | (#33305698)

Technically black & white aren't colors. :(

Cognitive dissonance? (0)

Anonymous Coward | more than 4 years ago | (#33305360)

Paget: "You can read RFID from hundreds of feet away."
Roberti: "It's never been done. Besides, you can't read it from that far away."
Reality: *facepalm*

Hmm (1)

MobileTatsu-NJG (946591) | more than 4 years ago | (#33305362)

I dunno if RFID isn't something to be worried about, but there is definitely a misunderstanding around here about how trackable it is.

It wasn't all that long ago that there was a story on Slashdot about how school uniforms were going to have RFID tags embedded in them and there were +5 comments about how pedophiles were going to sit in their van with a little screen showing the position of where each child in the city is. There's some impression that RFID tags broadcast their GPS co-ordinates into space or something. False.

Re:Hmm (1)

GiveBenADollar (1722738) | more than 4 years ago | (#33305496)

Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near. My work is currently testing a scheme to monitor the movements of personnel based on their RFID badges. I don't count it as an invasion of privacy because I don't expect privacy at work, but if the government/businesses tried to do the same thing with my Visa card it would be grounds for carrying cash. The potential for abuse is there. Also, the potential range is much greater than advertised.

Re:Hmm (-1, Troll)

Marxist Hacker 42 (638312) | more than 4 years ago | (#33305628)

Cash already carries an RFID strip- it's in every $20 bill.

Re:Hmm (1)

GiveBenADollar (1722738) | more than 4 years ago | (#33305674)

Pretty sure that's been debunked. It's due to the iron in the ink, not an RFID transmitter. If it were true then the treasury has some of the most advanced and cheapest RFIDs on the planet.

Re:Hmm (2, Insightful)

ElectricTurtle (1171201) | more than 4 years ago | (#33305748)

That is an urban legend. There are metals in the paper that induct microwaves and heat (even burn/explode), but these are not RFID chips.

Figures that somebody whining about capitalism and libertarians in their sig would spread such FUD.

Re:Hmm (1)

MobileTatsu-NJG (946591) | more than 4 years ago | (#33305690)

Yes and no. If the technology was invasive enough it could potentially track your location by what reader you were near.

You say that as if that's a trivial thing to do. If we were talking about one entity rolling out RFID readers across the country and tying those to something you're likely to carry, sure, be afraid. Just remember to stop carrying a cell phone and credit cards, those are betraying you RIGHT NOW.

Re:Hmm (1)

GiveBenADollar (1722738) | more than 4 years ago | (#33305858)

Trivial, perhaps not, but how long until we have targeted advertisements based on personal information gleaned from your RFID credit cards? It's a lot easier than any other identification method, and it's just the thing marketers would use. The point isn't that they contain personal information, but that they broadcast it to the world. When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the difference.

Re:Hmm (1)

MobileTatsu-NJG (946591) | more than 4 years ago | (#33305920)

The point isn't that they contain personal information, but that they broadcast it to the world.

No, they broadcast it about 20 feet.

When I use my credit card it goes into a database, that's fine I control when I use it, with an RFID card I lose the control over who can read that information. That's the difference.

You don't take the card with you, then. Heck, wrap it in a small faraday cage. From a practical standpoint you haven't saved yourself much.

Re:Hmm (0)

Anonymous Coward | more than 4 years ago | (#33305720)

Dozens of RFID detectors that do broadcast GPS coordinates into space will be responsible for that part.

Re:Hmm (1, Troll)

MobileTatsu-NJG (946591) | more than 4 years ago | (#33305784)

Dozens of RFID detectors that do broadcast GPS coordinates into space will be responsible for that part.

You mean the RFID's with huge batteries that need constant charging and aren't called "RFID"s anymore?

Re:Hmm (1)

sjames (1099) | more than 4 years ago | (#33305902)

The standard reader certainly can't get coordinates, but there is absolutely no reason the RFID tags can't be used like a radar transponder. Use a directional antenna to send out the needed signal and use the response time to get distance. There's no need for it to send GPS coordinates.

That may be going a bit far considering the range is currently only proven out to 100 feet or so (still a long way for a "proximity device") but it's not technically impossible.

Just because you don't know... (3, Interesting)

woboyle (1044168) | more than 4 years ago | (#33305366)

Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.

Yes and no... (4, Interesting)

BobMcD (601576) | more than 4 years ago | (#33305384)

Is RFID, as described in the article really all that scary? No, not really. E.g.

30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

This is the part that scares me:

Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.

Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.

Re:Yes and no... (1)

Lord Ender (156273) | more than 4 years ago | (#33305638)

The tags are in the tags, not the shoes. Do you leave your tags on your shoes? And how often do you walk across networked RFID transceivers, anyway?

Re:Yes and no... (1)

BobMcD (601576) | more than 4 years ago | (#33305772)

The tags are in the tags, not the shoes.

Maybe at present, but not always. They put them in tires, do they not? And tires have stickers, not tags. Further this could change at any time with the simple excuse of 'sometimes tags fall off', so I'm not seeing that as a meaningful rebuttal.

And how often do you walk across networked RFID transceivers, anyway?

Not very often. Not yet, anyway.

Re:Yes and no... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33305694)

Is RFID, as described in the article really all that scary? No, not really. E.g.

30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

This is the part that scares me:

I read an article a while back about the ability to steal the information coming from the RFID tags on cars. Then modify an RFID tag to store that data. So when the person went through the bridge or w/e the other person was charged instead.

-Clinton Hood

Not yet attacked != not attackable (1)

betterunixthanunix (980855) | more than 4 years ago | (#33305390)

Just because criminals have not yet taken to attacking RFID does not mean that it is beyond the realm of possibility that they will do so. I propose another question, though: what problem does RFID actually solve? In particular, why put it in credit cards and other cards that really do not benefit from RFID? Are those problems really worth the risks, particularly since RFID cards are hard to make secure (because of power constraints)?

Re:Not yet attacked != not attackable (3, Insightful)

jd (1658) | more than 4 years ago | (#33305622)

Ummm, we can't be sure if nobody has attacked RFID. I seem to remember an international incident, not too long ago, where 50+ passports were successfully cloned - including those from countries implementing RFID on passports. At this time, there is zero information on whether the cloning was someone compromising the primary databases of the respective countries or whether it was done more directly by lifting information from passports in the open. It is extremely doubtful that we will ever be given that information, as no government is going to want to admit that people can access secure databases OR admit that the security on their passports is useless. (It has to be one of the two.)

Since we cannot know where the vulnerability was, it is prudent to assume that ANY part of the chain could be broken. Only a complete fool would do otherwise. This means that whilst we cannot be certain RFID has been compromised, we MUST believe that it might have been. To assume, blithely, that of course it couldn't be RFID is stupid. Why? Because that results you in only looking at facts that meet your theory. A very bad practice, and one that no reputable journal would be caught dead doing. Of course, a trade magazine isn't really a reputable journal. No trade magazine is ever going to question the assumptions of those who both pay for the advertising and then pay for the journal afterwards.

(Those familiar with certain works of Jeremy Brett may be familiar with the cry of "Data! I cannot work without data!")

Unpossible! (1)

Khue (625846) | more than 4 years ago | (#33305404)

You mean security is weak on Barcode 2.0? Oh t3h n0ez!

What about short distance? (1)

stanlyb (1839382) | more than 4 years ago | (#33305406)

OK, ok, long distance tracking is not feasible, what about short distance tracking? If the government put many many tracking devices everywhere, they could actually......track you? Or maybe he is right, it is much cheaper to just call google, and get all your history and locations and FB and Twitter and ......

Re:What about short distance? (1)

oodaloop (1229816) | more than 4 years ago | (#33305520)

I think the bigger risk is cloning the signal and making false IDs. Many places simply require you swipe your badge to enter. If you could clone the signal from someone's badge, how hard would it be to make a fake one to gain entrance to where they work? Same goes for your passport, keyfob for buying gas, etc.

Tired of this argument. (0)

Anonymous Coward | more than 4 years ago | (#33305424)

Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes.

What the hell does this have to do with anything? Before the mid-19th century one could have said atomic energy was a curious but mostly harmless phenomenon.

Re:Tired of this argument. (1)

stanlyb (1839382) | more than 4 years ago | (#33305854)

Don't forget the cocaine. The name Coca-Cola is not pointless.....

hundreds of feet? (0)

Anonymous Coward | more than 4 years ago | (#33305430)

Was the antenna also hundreds of feet away? There's way too much weasel-room in that summary. Means nothing. Or the antenna could have been enormous. A stunt doesn't mean it can be easily or practically done. See: Space Age.

Drive By Charging (2, Interesting)

fadethepolice (689344) | more than 4 years ago | (#33305434)

What is to stop an Eastern European gang from outfitting mules in western nations with mobile "pay wave" clone devices that siphon small transactions off of people's credit cards as they walk through large crowds in train stations, concerts, and sporting events and channel that payment towards bank accounts in a similar way that they clone debit cards and siphon money from ATMs now?

Re:Drive By Charging (1)

jklovanc (1603149) | more than 4 years ago | (#33305788)

Completely different scenario. In the current situation the cloned card submits information to a valid terminal. That valid terminal then talks to a server to complete the transaction. In the second RFID instance a valid card submits information to an invalid terminal. This terminal then has to talk to a server to complete the transaction. The crux is that the invalid terminal must be validated by the server before it will be able to submit information. Even if they could get a merchant id and password it would be closed down pretty fast.

Not a defense. (1)

Dayta (65733) | more than 4 years ago | (#33305460)

The argument by Roberti is not one of defense, meaning that Chris or others are wrong, it is one of problem-stating. Yes, these issues exist, but you simply target your attack/interest to deal with them.

The data on my mandated RFID passport isn't obscure and if you want it, you need only wait at the airport for me. Personally, I have an RFID-shielding wallet, but many don't.

Even for obscure information, there can be places where many people with such RFIDs come together - whether at the subway, shopping centre, airport, school, workplace etc.

Once you know where people will be, short range is a lot less of a problem.

Other applications (1)

CDOS_CDOS run (669823) | more than 4 years ago | (#33305464)

There must be some sort of way to use RFID technology to enhance the pr0ns, in that case it's all good otherwise it's downright evil.

That's not the point... it's that it can be easily (2, Insightful)

CodePwned (1630439) | more than 4 years ago | (#33305468)

The point that's being made about RFID is that the encryption method is not good enough for most uses when it comes to private information. If it becomes mainstream someone could EASILY begin to collect this information using a remote reader and collect it later without ever touching the device again.

Imagine someone takes a small box about the size of a sandwich. It could hold enough battery power to collect every single RFID scan for quite some time and then come by perhaps the next day with a laptop and receive it remotely as to never touch the device again in case it was found and being watched.

RFID tags are GREAT to identify you by an ID #... not hold SS # or other private information. Keep that stuff in a more secure manner. I'm no alarmist, and not even a hacker. But this is something someone with almost no tech experience could do... and make bank.

Here's a better Defcon RFID story... (5, Interesting)

bradorsomething (527297) | more than 4 years ago | (#33305492)

A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.

Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...

Re:Here's a better Defcon RFID story... (0)

Anonymous Coward | more than 4 years ago | (#33305582)

I remember getting my ID scanned by that vendor, the Goons came by and "politely" asked him to destroy the SD card he stored everything on.

Re:Here's a better Defcon RFID story... (1)

ElectricTurtle (1171201) | more than 4 years ago | (#33305876)

That guy should honestly receive an honorary "I spotted the fed!" t-shirt at every DefCon for the rest of his life.

Re:Here's a better Defcon RFID story... (0)

Anonymous Coward | more than 4 years ago | (#33305760)

http://www.wired.com/threatlevel/2009/08/fed-rfid/

Re:Here's a better Defcon RFID story... (1)

CFBMoo1 (157453) | more than 4 years ago | (#33305800)

Almost sounds like last year at DefCon according to this article. Or someone didn't get the memo from the earlier incident you're talking of.

https://www.infosecisland.com/articleview/616-Feds-at-DefCon-Alarmed-After-RFIDs-Scanned.html

Re:Here's a better Defcon RFID story... (1)

ElectricTurtle (1171201) | more than 4 years ago | (#33305826)

But... but... Mark Roberti says it hasn't ever been successfully misused! How is this possible?!?! Could it be that he doesn't know shit and is just shilling for an industry he effectively represents and serves?

Potential (3, Insightful)

ddillman (267710) | more than 4 years ago | (#33305516)

Just because it hasn't already been used for nefarious purposes (and we don't know that for certain, do we? We just haven't seen public reports of it...) doesn't mean it can't and won't be done in the future. That guy's argument is as bogus as the "If you've done nothing wrong, you have nothing to hide" crap spouted by those who want to spy on everyone.

My Challenge for Mark (3, Insightful)

RingDev (879105) | more than 4 years ago | (#33305526)

Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes

I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.

Nothing?

Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.

-Rick

Re:My Challenge for Mark (1)

BobMcD (601576) | more than 4 years ago | (#33305922)

Mark seems to live in a world where,

"Guns don't kill people - no one does".

I defer to a higher power here... (1)

Dripdry (1062282) | more than 4 years ago | (#33305528)

Rob:[To Barry]Just come on. What would it mean to you, that sentence: I haven't seen Evil Dead II yet?

he's right (1)

sjames (1099) | more than 4 years ago | (#33305534)

Last week, I removed the blade guard from my saw, taped down the safety lever on my lawnmower and cut the ground pin from all of my power tools and I'm just KZERRRRT!

Airport Security (0)

Anonymous Coward | more than 4 years ago | (#33305540)

I work at a major airport where every badge has RFID. Might not be a strong signal, but it'll get you on an airplane!

If only the chips worked! (3, Informative)

cruachan (113813) | more than 4 years ago | (#33305550)

I am extremely skeptical of the current generation of RFID tags when used in practice out there in the wild.

About three years back I set up software to support a recycling scheme, whereby every household in a community (ca 10,000) were given a couple of plastic boxes in which to place recycled goods. The boxes were chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.

Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue. The failure rate is not high, but we consistently have a score or more boxes needing replacing every month, which is a far higher rate than we were led to expect. We did think it might be the manufacturer, but we've talked to several people doing similar things now and everyone has similar stories - the chips do fail.

Perversely - the barcodes, which we sealed in transparent plastic but didn't expect to last (hence going with rfid tags as major impact) have given us less than a dozen damaged to the point we can't scan them in the whole three years.

Re:If only the chips worked! (1)

Lord Ender (156273) | more than 4 years ago | (#33305658)

Wait: you RFID scan peoples' garbage when you collect it? Do you take photos, too? That would be some really interesting data.

Re:If only the chips worked! (1)

cruachan (113813) | more than 4 years ago | (#33305768)

The boxes are for particular recyclables - plastic bottles, tin cans, newspaper etc. We record weight against household so we can track who recycles and who doesn't (we give out prizes for participation), and look at it on an area level to see what differences there are and so how we could improve performance.

Not as fun as snapping garbage :-)

RFID the hardware equivalent of HTTP-cookies (0)

Anonymous Coward | more than 4 years ago | (#33305574)

If with the proper antennas you can capture RFID tags from hundreds of feet away, then the signals can't be that weak. And what about the countless anti-theft RFID detectors in nearly every store that have already been deployed worldwide? What is to prevent them from being upgraded and connected to computer networks online?

Once they are online, they would be worth gold to a targeted advertiser like Google with search engine technology. They will be able to track RFID tags like HTTP-Cookies.

Before, people thought that a wlan bssid was too obscure for tracking. Now with Google and other companies that drive around the world collecting bssid data, in most cases you can identify the physical location of a wlan access point with its bssid.

Normal movement pattern vs abnormal (1)

natespizer (1362373) | more than 4 years ago | (#33305624)

If it begins to be used to track people's movements about an area, say using fastpass / bridge toll / toll booth RFID in conjunction with other sources of information you can get a pretty good view of who is where and when and build patterns from that. If they begin to correlate the data and build a norm then the authorities can say they have probable cause to cause you grief. Cory Doctorow's book Little Brother [amazon.com]

so let me get this straight (2, Interesting)

waddgodd (34934) | more than 4 years ago | (#33305706)

Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.

Why is there no link to the article? (1)

jimwelch (309748) | more than 4 years ago | (#33305730)

Fixed it: http://www.tombom.co.uk/blog [tombom.co.uk] Chris Paget's Blog

Used improperly? (1)

MrMe (172559) | more than 4 years ago | (#33305732)

Is RFID being used when it shouldn't? Is it really that much more difficult to swipe your card than wave it? My US passport really should not be broadcasting anything, it should be swiped since there is no need to read my information from afar. If we limit the use of RFID to tolls and package tracking etc where it makes sense to read information without any human interaction, many of the privacy issues can be prevented.

What About Replay Attacks? (0)

Anonymous Coward | more than 4 years ago | (#33305738)

I'm not too savvy with the specifics of RFID, but I would really appreciate it if someone could explain to me, precisely, what protects against a simple replay attack?

What keeps me from building myself a $20 RFID transceiver, putting it in my pocket, walking through the most crowded area of the nearest subway, bumping into as many people as I can, and then pay for all my shit with your card?

As long as... (0)

Anonymous Coward | more than 4 years ago | (#33305754)

As long as RFIDs respond to unique addresses without first authenticating the reader, they're unacceptable except in the supply chain. Wireless technologies need to take privacy into account at the design level. WLAN BSSIDs are unnecessary too. Authenticate the remote node by proving that both of you know a shared secret without revealing the secret. No shared secret, no identity information.
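The reader-first, shared-secret handshake proposed in the comment above, and the replay question raised in the comment before it, sketched as an added example that is not part of the thread. It assumes HMAC-SHA256 and a single key shared by one reader and one tag; all class and function names are hypothetical, and the key and UID are constructed sample values.

```python
import hashlib
import hmac
import secrets

def mac(key, role, a, b):
    # HMAC-SHA256 over a role label plus both 16-byte nonces
    return hmac.new(key, role + a + b, hashlib.sha256).digest()

class StaticTag:
    """ID-only tag: every read returns the same bytes to any reader."""
    def __init__(self, uid): self.uid = uid
    def read(self): return self.uid

class AuthTag:
    """Sends only a random nonce until the reader proves it holds the key."""
    def __init__(self, key): self._key, self._nonce = key, None
    def hello(self):
        self._nonce = secrets.token_bytes(16)  # fresh per session, not an ID
        return self._nonce
    def respond(self, reader_nonce, reader_proof):
        tag_nonce, self._nonce = self._nonce, None  # each nonce is single-use
        if tag_nonce is None:
            return None
        want = mac(self._key, b"reader", tag_nonce, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None  # unauthenticated reader learns nothing
        return mac(self._key, b"tag", reader_nonce, tag_nonce)

class Reader:
    def __init__(self, key): self._key = key
    def start(self, tag_nonce):
        self._tn, self._rn = tag_nonce, secrets.token_bytes(16)
        return self._rn, mac(self._key, b"reader", self._tn, self._rn)
    def accept(self, answer):
        want = mac(self._key, b"tag", self._rn, self._tn)
        return answer is not None and hmac.compare_digest(want, answer)

def demo():
    key = secrets.token_bytes(32)            # constructed shared secret
    tag, reader = AuthTag(key), Reader(key)
    rn, proof = reader.start(tag.hello())    # honest session, all of it overheard
    answer = tag.respond(rn, proof)
    out = {"honest": reader.accept(answer)}
    reader.start(secrets.token_bytes(16))    # new session: old answer is stale
    out["replayed_answer"] = reader.accept(answer)
    tag.hello()                              # tag picked a new nonce: old proof is stale
    out["replayed_proof"] = tag.respond(rn, proof)
    tag.hello()
    out["rogue_reader"] = tag.respond(secrets.token_bytes(16), secrets.token_bytes(32))
    static = StaticTag(b"constructed-uid-0001")
    out["static_replayable"] = static.read() == static.read()
    return out
```

The static tag hands the same bytes to anyone, so whatever is captured once is accepted later; the authenticated tag's messages are bound to per-session nonces, so a recorded transcript verifies only for the session it came from.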

Compare with a mobile phone (2, Insightful)

gurps_npc (621217) | more than 4 years ago | (#33305756)

With a mobile phone you can get far higher grade information. It actively pings the cell tower, so its detectable range is much greater. It gives identifiable information, that can obviously be used to call that person. People are themselves not likely to 'forget' it.

Conclusion: RFID tagging is less scary than existing privacy intrusions we gladly accept.

Re:Compare with a mobile phone (1)

Hatta (162192) | more than 4 years ago | (#33305896)

You assume that we accept cell phones. You also forget that cell phones can be turned off.

Little Brother (1)

DevConcepts (1194347) | more than 4 years ago | (#33305780)

Cory Doctorow had a book that is a very good read in addition to telling how to mess with RFID surveillance if Big Brother happens. Free & CC
http://craphound.com/littlebrother/download/ [craphound.com]

Sigh, usual bait and switch crap. (1)

DaveGod (703167) | more than 4 years ago | (#33305814)

First thing to do when reading someone's defence arguments is to consider if they actually are related to the original complaint. Here we see trade body/corporate/politician PR defence #1: deflect criticism by confusing the public about the original complaint simply by defending something related but different. As long as you can control the conversation, you're always going to come out smelling of roses.

Nobody cares about using RFID to track shipping. The concern is about using RFID to track personal data, like identity documents. The authorities may find use from using a reader to track who is using a bus station, perhaps with the best of intentions, but I'd rather they not be maintaining a record of my travels thanks. Certainly I am not looking forward to the day when I examine a pair of shoes at a shopping mall, decide against it only to receive a text suggestion of another pair l might like, and later hitting the web only to see a Google advert for similar shoes.

I don't even want to consider the potential for its use illegally. Which, by the way, probably is not being performed much because at present there isn't much RFID use in this area. Remember how secure unpopular web browsers reportedly were, right until they started getting popular and suddenly it's all critical security bugs? Security is about risk, which means not only how weak something is but also how attractive it is as a target.

Credit cards (1)

evilviper (135110) | more than 4 years ago | (#33305830)

Do your credit cards come with EZ Pass or similar? Does your bank mail them to you with little metallic stickers affixed to the front of them? What makes you think it's any more secure in your wallet than in an envelope? Why are banks doing this extra step if there's no security risk?

Cookies readable from orbit. (1)

Fantastic Lad (198284) | more than 4 years ago | (#33305836)

RFID chips need to be right up close in order to charge, (assuming they don't have their own battery, which the ones attached to higher ticket items do), but once they transmit, the read distance is only limited by the sensitivity of your receiver. To me, that means, "From Orbit".

Maybe I'm over-simplifying, but 200 feet with home brew technology is pretty impressive. I have a feeling that the military has invested a few more pennies in radio technology over the years than Chris Paget.

But that's not the point, because when it comes to tracking people, you don't need to do it from orbit. Heck, this page [howstuffworks.com] referenced from the article makes it pretty clear that ubiquitous readers and internet communication is on the horizon. Heck, it's almost here.

People worry about being 'chipped', and maybe they will be, but I think it's kind of pointless. Everybody already carries around their wallet wherever they go, and I know when my credit card expires, the replacement will be armed and ready. That just annoys me! They don't need to read my card from orbit, because in order to track me, all I need to do is walk around the city. Past any random RFID machine which happens to be active. You know, like at doorways to every second retail outlet.

I wonder what would happen if I microwave the chip in my card? Would the magnetic strip still work?

Skip the tinfoil hat. I want my wallet lined with silver!

-FL

Welcoming RFID (0)

Anonymous Coward | more than 4 years ago | (#33305892)

Like every privacy-busting technology, the public will welcome it with open arms.

If twenty years ago, the government passed a law saying that everybody had to carry a GPS and a microphone on them, so that the FBI could listen in and/or locate them on demand; there would be a revolt.
Yet today, nearly everybody (and especially youth) carry cell phones.

If ten years ago, the government passed a law saying all households were required to contain a camera, so that the FBI could turn it on and look inside your house; there would be a revolt.
I predict in ten years, Microsoft's Kinect (and the Sony, Nintendo, etc. equivalents) will be used for this. Kids already *beg* their parents for game consoles in the living rooms, family rooms, and bedrooms.

If today, the government passed a law saying everybody was required to put RFID tags on everything, and keep them scan-able at all times; there would be a revolt.
I predict in twenty years, everybody will have RFID on everything and be unable to imagine society any other way.

Star Wars told us that democracy dies to thunderous applause.
It seems privacy dies to the siren song of convenience.

No such thing as too obscure (0)

Anonymous Coward | more than 4 years ago | (#33305960)

Perhaps the signals are too weak I don't know, but for the record there is no such beast as too obscure. If it is not mathematically secure then it's not secure. How many times do we have to learn this lesson?

signal strength antenna size (1)

RichMan (8097) | more than 4 years ago | (#33305976)

If you were on pluto with your cell phone there are antennas on earth that could receive you. Sure the scanner in the store may have a range of a couple of inches. If some black hat wants to hide an antenna in the back of a white van he is going to be able to read RFID tags from across the street.

Arguments about "small signal strength" are only relative. If the information is important enough someone is going to find a way to access it from the distance they need. The problem of isolation of a signal from a cloud of other signals is also then a problem of directionality and local isolation. A highly directional antenna and a line up of people going through a turnstile make a way to isolate targets.

Criminals could set up a hidden antenna pointed at a turnstile in a subway system.

It will happen when the information becomes valuable enough for the criminals to take the effort.
