Is RFID Really That Scary? 338
tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"
Yes and no (Score:5, Interesting)
Tracking one person around a city with RFID would be a nuisance. You'd need multiple points, signal quality would vary wildly, it'd be painful in a way.
Opposingly, you can get a lot of aggregate data in a semi-closed system. I remember once at a public event I was covering (wearing my journalism hat for a moment) that I thought, "I wish I had an RFID system handy. I could identify all the University students in a moment -- I bet you not a one doesn't have their RFID card on them."
Tracking could be efficiently done in a system such as a mall or subway with exit monitoring.
Just because you don't know... (Score:3, Interesting)
Yes and no... (Score:5, Interesting)
Is RFID, as described in the article really all that scary? No, not really. E.g.
30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.
So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...
This is the part that scares me:
Taken as a whole, Roberti asserts, the benefits of RFID tags -- to track merchandise and packages, and keep track of drugs and food -- far outweigh any downside.
Where I bought my specific pair of shoes for today likely is not in a database anywhere. With RFID it wouldn't need to be. You just scan the tag and ask the shoes. This potential privacy issue also lacks an implementation, but still represents more information than anyone specifically needs to have. I fear the unintended (or secretly-intended) consequences of all this consumerist stuff in our lives suddenly having a history.
Drive By Charging (Score:1, Interesting)
wow (Score:1, Interesting)
I really like this post [dallasmoversams.com]
Here's a better Defcon RFID story... (Score:5, Interesting)
Many Federal agents walked by the table. They were not pleased when they found out the nature of the experiment. The data was destroyed, but the point was made. RFID protective wallets sold *real* well that year...
Re:Yes and no... (Score:1, Interesting)
Is RFID, as described in the article really all that scary? No, not really. E.g.
30 to 40 million people carry RFID tags on their windshields to allow them to cross bridges, and more carry them in their wallets, and there is not a single example of anyone who had their privacy infringed because of the tags.
So the fear that the government would use RFID to gain data that they already have is likely debunked. Also the tracking is largely moot. They can do that in all sorts of other ways...
This is the part that scares me:
I read an article awhile back about the ability to steal the information coming from the RFID Tags on cars.Then modify a RFID tag to store that data. So when the person went through the bridge or w/e the other person was charged instead.
-Clinton Hood
so let me get this straight (Score:2, Interesting)
Roberti's big thing is that nobody's yet used RFID data in a crime. So the upshot is that as long as people just break it for research, it's still secure. And people wonder why the blackhats make out like bandits on the first breaches of any given protocol, because nobody protected against them when it was merely a subject of research. Good luck with that, tell me how that works out for you.
Re:It's like a vaccination... (Score:3, Interesting)
Yeah the other guy is basically saying: "There haven't been known cases of identity theft from RFID use, therefore the system is secure and we should expand it!" despite being shown conclusively that it is not secure and widespread use of RFID could be a disaster.
Re:Yes and no (Score:3, Interesting)
Portable RFID chip Killer (Score:5, Interesting)
If a microwave isn't available
1) Take a cheap camera flash
2) Replace strobe with AWG14 or 15 coiled about (ummmmmm.. say) 10 times around your finger (remove finger)
3) Charge flash (which isn't a flash anymore) and point to your favorite RFID chip, fire.
4) Enjoy your restored privacy
Disclaimer: Do not point towards your pace maker.
Re:Yes and no... (Score:4, Interesting)
there is not a single example of anyone who had their privacy infringed because of the tags.
Other than the cases of people's tags' movements being used against them in divorce proceedings and stuff? http://www.msnbc.msn.com/id/20216302 [msn.com]
Oh wait, as long as the privacy goalposts can be moved at a whim, there is not a single example of anyone who had their privacy infringed because of the tags.
Re:Yes and no (Score:4, Interesting)
Are you sure?
The problem with targeted ads is that they can be creepy, inappropiate and unaware of context.
For example, imagine you're walking on the street with your friend/boss/old fashined grandmother. Suppose you're into manga/anime. Would you want a billboard to switch to an ad for Miyuki-chan in Wonderland [wikipedia.org] due to your past purchase of the Chobits manga?
There are lots of things for which you'd really hate to see a targeted billboard ad for in the presence of the wrong people, or any people at all. Just for instance: certain kinds of anime/manga (or anime/manga at all, if you're unlucky to be stuck with people convinced that it's all tentacle porn), hygiene products (buy our incontienence pads!), the wrong kinds of magazines or games, music by an artist you'd rather people not know you listen to, and so on.
Be careful with what you wish for. There is no guarantee the advertiser will make any effort not to display anything that could be embarrassing, and even if they try there's no guarantee that they'll succeed. I got a few rather odd recommendations from Amazon and am rather glad they don't pop up on the street at just the wrong moment.
The RFID in everything you buy at Wal*mart (Score:4, Interesting)
Wal*mart says if a company wants to sell its product in Wal*mart it must have an RFID in it. It also seems that they do not intend to disable these RFIDs once you buy the product - one of the goals is to identify the specific item when you want to return it. (stopping the "My X broke but it's out of warranty so I'll buy a new one and return the old one" ploy).
I'll just use cash you say? If you bought anything with your credit card or with you ATM card each of those things is "pinned" to you. Things you get with cash get pinned to you by being associated with things you bought with plastic next time you walk through the door. You will be identified by the cloud of RFID devices one or two in each article of clothing you wear - in each item you carry. (each pinned to you)
Next time you walk into Wal*mart it's "Welcome Back Pentalive" need more jeans? t-Shirts? Since the data belongs to walmart, the next time you walk into another business that bought the database from WM they also will be "Welcome to McDonald's, Pentalive".
Hope you -never- go anywhere where you want to be anonymous (or at least never wear anything from WM.)
Yes we are in public and thus have no expectation of privacy. But is it Wal*mart's business if you have been shopping at Target recently? And if Wal*mart knows where you have been - all the Government has to do is ask nice and they know too. Remember the Government can setup RFID readers too. Then they don't have to ask. You walk through the metal detector at the airport, a loop of wire built right in can read all your RFIDs at the same time.
Arguments aside of "Well I will just microwave everything" does that really work or do you end up ruining that $100 pair of "Air Jordans" by melting parts? How about the RFID built into that nice laptop or netbook, or cell phone or iPad? Can't microwave those.
Also if Wal*mart demands RFIDS in everything, perhaps it will just be easier for companies to put RFIDS in any products that might be sold at Wal*mart or might be sold somewhere else? That nice new polo shirt you got at Target, no RFID there right? You sure? They also sell that kind of shirt at WM.
Iris scanning like Minority Report? Wear dark glasses, turn away from the sensor. RFID cloud? ? ? Wear your tinfoil spacesuit! I suppose it should be "I, for one, welcome my new location-tracking overlords."
Re:Yes and no (Score:3, Interesting)
The ad might get them a bit of mindshare, but if they haven't created some brand loyalty amongst owners they can really quickly run out of word of mount advertising.
Re:Yes and no (Score:3, Interesting)
You can find a perfectly PG ad that would have embarrassing implications to any observers quite easily.
For instance, with anime:
If you try to project an image of being a cultured man, you probably don't want billboards suggest you would be interested in gory things like Elfen Lied [wikipedia.org], Fist of the North Star or Ninja Scroll.
If to your friends you try to appear like a "real man", you probably won't like seeing an ad for things like Ponyo and Chi's Sweet Home [wikipedia.org].
If you know crazy religious people of the kind that have an issue with Harry Potter because it's "witchcraft", ads for Slayers or Fullmetal Alchemist could be a problem.
Perhaps you'd rather not admit to being a huge fan of Dragon Ball Z who collects all available material on it.
And so on. Particularly in the realm of music and movies there's hardly anything guaranteed to be safe. To some people, knowing you like anime by Studio Ghibli just implies you like watching the classics. To others it means you're a creepy nerd who's failed to grow up and still watches kids' cartoons.
Re:Yes and no (Score:3, Interesting)