RFID Guardian Protects Your Privacy

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."

why?

[wizardforce]

this seems to me like they are trying to sweep the flaws of rfid uder the rug.- fix the main system and this wont be needed.

The advance of technology.

[osu-neko]

One of these days, someone should invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without be uncovering it. That makes sure only those I want can read it, and keeps it safe from being read without my knowledge, much less consent.

I think I have an idea! I'm gonna go patent it now. I'll call it a "barcode"! Yeah, that's the ticket!

Re:The advance of technology.

[Dunbal]

nvent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read

      You've just hit on the essential limitation of cryptography. Make up your damned mind, do you want people to read it, or not?

      If _someone_ (ie the GOOD guy) can read it, then AUTOMATICALLY the BAD guy also can read it - IF he manages to figure out the algorithm. QED. There is no more. Everyone who tries to sell you an idea where ONLY the "GOOD guy" can read it is talking out of his ass. Look at DRM, etc.

Re:Already insecure?

[Dunbal]

why can't we start by making RFID more secure in the purest sense?

      You want RFID security? Ok that's simple. DON'T USE IT. Otherwise, it's not secure - by its very nature.

Genius!

[homebrandcola]

The genius part was proving their was a threat, then inventing the solution to that threat.

Fantastic business model.

Interesting (and not so legal) uses for this...

[PAjamian]

This is a really interesting device, I wonder if it has some darker uses, though...

Could you use this device to assist shoplifting by having it in your pocket when you walk past the RFID readers at the store entrance? This would effectively block the readers from being able to "see" the RFID security tags on the merchandise.

Depending on how low-cost these devices are (they are planning to sell them at cost, after all), could someone attach one surreptitiously to the bottom of a modern car preventing the RFID tag built into the ignition key from being read, thereby disabling the car?

Here in New Zealand, they recently passed a law requiring that all pet dogs have RFID chips implanted in them. It would be laughable if a small version of this were made which would could be attached to the collar of the dog to effectively disable the RFID chip implanted in them (admittedly I can't see this particular usage being helpful the the dog or the owner in any way, but it is funny to think about).

Other issues:

Since this is a powered transmitting device, it might not be legal to have it turned on while on board an airplane in flight. Since it can't be effective while turned off, it would still be possible to read passports of people in-flight unless protected by some other means (aluminum foil, farraday cage).

Re:Like encryption

[The Cisco Kid]

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.

There are plenty of legitimate uses for RFID. But I would agree it should always be used transparently, and once an item is yours, you should be able/allowed to remove the tag. (Note that passports, I beleive remain property of the US and are just issued to you for your use. The only reason I can figure the RFID is more desirable is perhaps it is harder to forge, since any fool can print a barcode)

Re:why?

[maxume]

This isn't about sweeping something under the rug. It is about RFID coming whether you want it or not and having a straightforward way to avoid many of the issues that it is coming with.

Re:The advance of technology.

[cybereal]

Have you ever looked at a credit card and noticed how nearly every one has visibly obscured the numbers?

An ancient theft attack vector is photography. Your bar code would be even easier to steal than a credit card number.

Don't underestimate the thieves.

Re:Like encryption

[Anonymous Coward]

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.

Another big retail selling point is to set up scanners at doors and set off an alarm if an item passes through that is allegedly still in the store's inventory. You can bet retail chains will lobby against Guardian and similar technologies.

...not that the FCC would ever approve the device to start with.

Re:The advance of technology.

[plover]

Barcodes aren't the greatest answer, as they are vulnerable to spoofing.

Imagine two barcodes that look like this:

| || |l| || |11| | |||
12345

and this:

| || || |l| |11| | |||
12345

Both look like barcodes (please forgive the characters used to dodge the lameness filter.) Both have HRIs (human readable interfaces) beneath them. But one is a forgery, and actually scans to the value 13245. Unless the person with the barcode scanner is actively verifying the numbers match (or is verifying other aspects of the document) the forgery is just as good to the laser beam as the original.

The RFID tags are at least harder to forge, but provide weaker security in that they can be intercepted or surreptitiously read. Contact-based chips (a la Smartcards) would have been the best choice in terms of security, but probably much more costly in terms of hardware maintenance of the readers (cleaning, static electricity, etc.)

That's all I had to say, but the lameness filter is making me add extra lines to make up for the junk characters. Perhaps I should have switched more bytes to exclamation points or ones or lower case Ls, that probably would have helped make up the difference. I suppose the wonderful ascii artists of the past few years have frightened Slash code into assuming that any graphic is too graphic.

Web of trust for passports?

[BlueParrot]

The reason bar codes are not sufficient is that once they are read, they can be easily copied. The same goes for any static message transmitted by an RFID tag. Also, the database can obviously be corrupted by an evil government or disgruntled worker. If you really want to have a forge-proof solution you will need to implement something like OpenPGP in every passport. I can't wait until the day where politicians and media will have to be careful with their creditability or risk having a significant number of people revoke their certificate... Want people to trust you about the foreign policy? Well lets just have a look at that signature of yours...