Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Is RFID Really That Scary? 338

Posted by timothy
from the relaaaaaax-citizen dept.
tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"
This discussion has been archived. No new comments can be posted.

Is RFID Really That Scary?

Comments Filter:
  • Yes and no (Score:5, Interesting)

    by autocracy (192714) <slashdot2007 AT storyinmemo DOT com> on Thursday August 19, 2010 @01:58PM (#33305324) Homepage

    Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.

    Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."

    Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.

  • by woboyle (1044168) on Thursday August 19, 2010 @02:00PM (#33305366)
    Just because you don't know for sure that something has happened, that doesn't mean it hasn't. The problem with RFID "scraping" is that you will never know that it has occurred. My instinct tells me that it has been going on for some time. As for RFID in identity cards, passports, etc. I think that their security is mostly, to put it in the words of Bruce Schneier, just theater.
  • Yes and no... (Score:5, Interesting)

    by BobMcD (601576) on Thursday August 19, 2010 @02:02PM (#33305384)

    Is RFID, as described in the article really all that scary? No, not really. E.g.

    30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

    So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

    This is the part that scares me:

    Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.

    Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.

  • Drive By Charging (Score:1, Interesting)

    by fadethepolice (689344) on Thursday August 19, 2010 @02:07PM (#33305434) Journal
    What is to stop an eastern european gang to outfit mules in western nations with mobile "pay wave" clone devices that siphon small transactions off of peoples credit cards as they walk through large crowds in train stations, concerts, and sporting events and channel that payment towards bank accounts in a similar way that they clone debit cards and siphon money from atm's now?
  • wow (Score:1, Interesting)

    by Anonymous Coward on Thursday August 19, 2010 @02:08PM (#33305458)

    I really like this post [dallasmoversams.com]

  • by bradorsomething (527297) on Thursday August 19, 2010 @02:10PM (#33305492)
    A few years ago a gentleman calling himself Major Malfunction decided to do a proof of concept at Defcon on the dangers of RFID. He set up a table with a box doing RFID queries. When the box got a return and found usable data, it snapped a picture.

    Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...
  • Re:Yes and no... (Score:1, Interesting)

    by Anonymous Coward on Thursday August 19, 2010 @02:25PM (#33305694)

    Is RFID, as described in the article really all that scary? No, not really. E.g.

    30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.

    So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...

    This is the part that scares me:

    I read an article awhile back about the ability to steal the information coming from the RFID Tags on cars.Then modify a RFID tag to store that data. So when the person went through the bridge or w/e the other person was charged instead.

    -Clinton Hood

  • by waddgodd (34934) on Thursday August 19, 2010 @02:26PM (#33305706) Homepage Journal

    Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.

  • by Peach Rings (1782482) on Thursday August 19, 2010 @02:27PM (#33305718) Homepage

    Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.

  • Re:Yes and no (Score:3, Interesting)

    by veganboyjosh (896761) on Thursday August 19, 2010 @02:40PM (#33305874)
    I keep seeing this argument being brought up, in all kinds of contexts. (Facebook targeted ads, web history, etc.) I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time. I don't eat at fast food restaurants, so billboards for big macs are just a scourge on the landscape. If the billboard was advertising something I was interested in, then I believe I might find it less intrusive and less annoying. When I do see ads for music, movies, etc, that I'm interested in, I truly do look forward to seeing new ads from these companies.
  • by mrops (927562) on Thursday August 19, 2010 @03:02PM (#33306242)

    If a microwave isn't available

    1) Take a cheap camera flash
    2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
    3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
    4) Enjoy your restored privacy

    Disclaimer: Do not point towards your pace maker.

  • Re:Yes and no... (Score:4, Interesting)

    by Qzukk (229616) on Thursday August 19, 2010 @03:43PM (#33307000) Journal

    there is not a single example of anyone who had their privacy infringed because of the tags.

    Other than the cases of people's tags' movements being used against them in divorce proceedings and stuff? http://www.msnbc.msn.com/id/20216302 [msn.com]

    Oh wait, as long as the privacy goalposts can be moved at a whim, there is not a single example of anyone who had their privacy infringed because of the tags.

  • Re:Yes and no (Score:4, Interesting)

    by vadim_t (324782) on Thursday August 19, 2010 @04:06PM (#33307354) Homepage

    Are you sure?

    The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.

    For example, imagine you're walking on the street with your friend/boss/old fashined grandmother. Suppose you're into manga/anime. Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland [wikipedia.org] due to your past purchase of the Chobits manga?

    There are lots of things for which you'd really hate to see a targeted billboard ad for in the presence of the wrong people, or any people at all. Just for instance: certain kinds of anime/manga (or anime/manga at all, if you're unlucky to be stuck with people convinced that it's all tentacle porn), hygiene products (buy our incontienence pads!), the wrong kinds of magazines or games, music by an artist you'd rather people not know you listen to, and so on.

    Be careful with what you wish for. There is no guarantee the advertiser will make any effort not to display anything that could be embarrassing, and even if they try there's no guarantee that they'll succeed. I got a few rather odd recommendations from Amazon and am rather glad they don't pop up on the street at just the wrong moment.

  • by pentalive (449155) on Thursday August 19, 2010 @05:51PM (#33308480) Journal
    Why isn't anyone worried about the Wal*mart RFID initiative?

    Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).

    I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)

    Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".

    Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)

    Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.

    Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.

    Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.

    Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."

  • Re:Yes and no (Score:3, Interesting)

    by hedwards (940851) on Thursday August 19, 2010 @07:27PM (#33309232)
    That's true, however it's not anywhere near as strong an effect as it used to be. The web has done wonders for democratizing marketing. While you don't know who it is that's writing anything, it's a lot harder for companies to hide poor quality when anybody can write a review, and you can typically get a pretty decent idea of the general situation from the various subject specific fora out there.

    The ad might get them a bit of mindshare, but if they haven't created some brand loyalty amongst owners they can really quickly run out of word of mount advertising.
  • Re:Yes and no (Score:3, Interesting)

    by vadim_t (324782) on Thursday August 19, 2010 @11:57PM (#33310638) Homepage

    You can find a perfectly PG ad that would have embarrassing implications to any observers quite easily.

    For instance, with anime:

    If you try to project an image of being a cultured man, you probably don't want billboards suggest you would be interested in gory things like Elfen Lied [wikipedia.org], Fist of the North Star or Ninja Scroll.

    If to your friends you try to appear like a "real man", you probably won't like seeing an ad for things like Ponyo and Chi's Sweet Home [wikipedia.org].

    If you know crazy religious people of the kind that have an issue with Harry Potter because it's "witchcraft", ads for Slayers or Fullmetal Alchemist could be a problem.

    Perhaps you'd rather not admit to being a huge fan of Dragon Ball Z who collects all available material on it.

    And so on. Particularly in the realm of music and movies there's hardly anything guaranteed to be safe. To some people, knowing you like anime by Studio Ghibli just implies you like watching the classics. To others it means you're a creepy nerd who's failed to grow up and still watches kids' cartoons.

  • Re:Yes and no (Score:3, Interesting)

    by theshowmecanuck (703852) on Friday August 20, 2010 @12:30AM (#33310782) Journal
    The gist of the naysayer in the article is that it is better to close the gate AFTER the horses get out than before. Typical human behaviour that has existed since time immemorial.

Lo! Men have become the tool of their tools. -- Henry David Thoreau

Working...