RFID Guardian Protects Your Privacy

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."

Back-compat?

[Constantine XVI]

Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

Re:

[KillerCow]

Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

It is an active, selective jammer for existing cards.

Re:

[Sowilo]

Is this like some sort of "jacket" you put your already existing RFID card into that blocks signals unless told otherwise, or is it something that would have to be added to new cards?

From TFA:

Eventual plans call for the Guardian to be incorporated into cell phones and PDAs, but the current model is a pocket-sized device that runs on its own battery and provides a circular 1m field of control over RFID tags, jamming any tags that the user does not want read.

TFA goes on to explain exactly how it does i

Re:

[asills]

Not quite.

It only works with 13.56Mhz tags and only a not very widely used air protocol. This device requires intimate knowledge of the air protocol used to communicate with the tag. It must know exactly which frequencies the tag will communicate back on in order to function.

The health care market is using 13.56Mhz tags, but they're not using the air protocol her device uses, so it won't know where to do the jamming. The consumer goods market isn't currently tagging on a per-item basis, but when they do get

Re:

[wizzahd]

It's a hat, duh. Do you realize how long it would take to make a tin foil jacket??

Re:

[RfidShield]

No, this is an active jamming device, and as the other readers indicate, may only work at a particular frequency or communications protocol. However Smart Tools offers an RFID Shield - a passive device that prevents your RFID card from being detected or communicating, and is independent of frequency or protocol. There's info and a picture at: http://smarttools.home.att.net/rfshield.htm [att.net]

proof of concept RFID virus

[bulliver]

So does that mean you could theoretically create a virus that would make all RFID enabled passports identify themselves as belonging to known/suspected terrorists? That would make for a million laughs on April 1...

Re:proof of concept RFID virus

[apathy maybe]

Here http://en.wikipedia.org/wiki/RFID#Viruses [wikipedia.org] is a nice little bit, and a link to the original article. http://arstechnica.com/news.ars/post/20060315-6386 .html [arstechnica.com]

ArsTechnica links to http://www10.nytimes.com/2006/03/15/technology/15t ag.html?_r=5&th&emc=th&oref=slogin&oref=slogin&ore f=slogin&oref=slogin [nytimes.com] and to the real original webpage http://www.rfidvirus.org/index.html [rfidvirus.org]

Basically, it uses buffer over flows to insert nasty code into a computer. The RFID chips contain the code and when read exploit problems in the reader. You can use commercially available tools to write your own RFID chips. Have fun.

Re:

[bulliver]

Thanks for the links. Despite the guy who modded me funny, it was a serious question

why?

[wizardforce]

this seems to me like they are trying to sweep the flaws of rfid uder the rug.- fix the main system and this wont be needed.

Re:

[maxume]

This isn't about sweeping something under the rug. It is about RFID coming whether you want it or not and having a straightforward way to avoid many of the issues that it is coming with.

Like encryption

[Original Replica]

or the radar detector, will this remain legal? Why have an RFID vs. the same info on a barcode, unless the design is to be able to read said info without your knowledge?

Re:

[The Cisco Kid]

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.

There are plenty of legitimate uses for RFID. But I would agree it should always be used transparently, and once an item is yours, you should be able/allowed to remove the tag. (Note that passports, I beleive remain property of the US and are just issued to

Re:

[Anonymous Coward]

Well, in the retail environment, the point is to be able to read them without touching each individual item. Inventory audit your warehouse, ring up an entire cart of stuff without having to pick it all out and set it on a convery and scan it one by one.

Another big retail selling point is to set up scanners at doors and set off an alarm if an item passes through that is allegedly still in the store's inventory. You can bet retail chains will lobby against Guardian and similar technologies.

...not that t

Re:Like encryption

[JFitzsimmons]

It is harder to forge but not because of some stupid restriction like "the stuff is harder to get". Any fool can write a RFID tag with quite reasonably priced equipment as well. The security actually comes from the cryptographic hash of the digital data also on the RFID tag. Therefore, if the digital data matches the physical printing of the data, and the cryptographic hash checks out, then you have within a good degree of certainty that the passport is legit. Of course, who knows if the secret hashing algorithm has been leaked or not, but that's a totally different concern.

With that said, a wireless technology is completely stupid for this sort of application. Any official checking a passport is going to be physically handling it anyway, so what's wrong with requiring a physical connection, like that in a smartcard?

Already insecure?

[iknowcss]

Considering the fact that this technology is so new, why can't we start by making RFID more secure in the purest sense? Today's other article about the "unimportance" of IT in a world without viruses is crazy to discuss when a majority of the world uses inherently insecure systems. Let's lock this one down now before it gets out of control.

Re:

[Dunbal]

why can't we start by making RFID more secure in the purest sense?

      You want RFID security? Ok that's simple. DON'T USE IT. Otherwise, it's not secure - by its very nature.

Re:

[iknowcss]

I'm inclined to agree with your point. RFID is not a fun thought. Let's hope and pray it never becomes a requirement in daily life as computers seem to be going.

The advance of technology.

[osu-neko]

One of these days, someone should invent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without be uncovering it. That makes sure only those I want can read it, and keeps it safe from being read without my knowledge, much less consent.

I think I have an idea! I'm gonna go patent it now. I'll call it a "barcode"! Yeah, that's the ticket!

Re:

[Dunbal]

nvent something that can convey information like RFID, but not anyone can read it. In fact, make it so that it can be only read

You've just hit on the essential limitation of cryptography. Make up your damned mind, do you want people to read it, or not?

If _someone_ (ie the GOOD guy) can read it, then AUTOMATICALLY the BAD guy also can read it - IF he manages to figure out the algorithm. QED. There is no more. Everyone who tries to sell you an idea where ONLY the "G

Re:

[Original Replica]

umm, How can the bad guy read my barcode if I don't take it out of my pocket. You can't stand behind me in line and read the barcode in my passport. You can't make a device to read the barcodes on the licenses of other people in the elevator. But RFID is ripe for this. It's not a matter of cyptography, it's a matter of easy, obvious, physical control of the information.

Re:

[cybereal]

Have you ever looked at a credit card and noticed how nearly every one has visibly obscured the numbers?

An ancient theft attack vector is photography. Your bar code would be even easier to steal than a credit card number.

Don't underestimate the thieves.

Re:

[The Cisco Kid]

The whole point of RFID for some applications is to be able to read them without physically sighting every one.

For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

Re:

[sneezinglion]

The whole point of RFID for some applications is to be able to read them without physically sighting every one.

For instance, store inventory. Walk down an aisle with an RFID reader - 5 minutes to a perfect count. Walk down the same aisle, with a barcode scanner, and scan every item one at a time - many hours, if yer lucky.

Actually you made a mistake,it is 5 minutes to a perfect count, but only a perfect count of the rfid chips......It still does not tell you how many of the product is actually on the shelves.

Very valid point

[Khyber]

I used to work in retail, not all boxes of the same product had RFID on them. We still had to do a visual inventory.

Re:

[Lumpy]

In fact, make it so that it can be only read when I take it out and present it to the reader, rather than readable by anyone without be uncovering it.

go to your kitchen, cut 2 pieces of heavy duty aluminum foil to fit the inside of your wallet, put it in your dollar bill section.

All done, wallet closed, RFID reader will NOT read it unless it is shoved in your butt crack. open wallet and remove card, it's readable.

100% free, and works. Better would be to have a wallet made of RF shielding material. no "

Re:

[nunya_bizns]

I think a faraday cage would meet your needs. And there are already websites selling faraday cage product - here's one example for wallets - http://www.difrwear.com/products.shtml [difrwear.com]

Re:

[plover]

Barcodes aren't the greatest answer, as they are vulnerable to spoofing.

Imagine two barcodes that look like this:

| || |l| || |11| | |||
12345

and this:

| || || |l| |11| | |||
12345

Both look like barcodes (please forgive the characters used to dodge the lameness filter.) Both have HRIs (human readable interfaces) beneath them. But one is a forgery, and actually scans to the value 13245. Unless the person with the barcode scanner is actively verifying the numbers match (or is verifying other aspe

RFID Guardian Website

[achillean]

Here's the link to the official RFID Guardian website:

http://www.rfidguardian.org/ [rfidguardian.org]

Dupe

[KillerCow]

RFID Personal Firewall [slashdot.org] Dec 07, '06

Re:

[painQuin]

Dec 07, '06

We will call this day Dupe Day, or D-Day for short.

A date that will live in infamy.

What would really be fun

[eric76]

What would really be fun is to have a little credit card sized radio that would play with the various RFID tags it found.

Put it in your pocket and then walk down the aisles of your local WalMart.

Re:

[eric76]

To elaborate a bit, suppose a store used the RFID tags to ring up purchases at the store.

Your RFID reader would read various tags while you walk down the aisles of a store. Then, while you are near the checkout line, it would transmit them to a reader (it would have more distance than a passive tag) and provide the ids it read to the reader as if it were a tag. Someone standing in line to buy $25 worth of purchases would find the store rang it up to include two or three tvs, stereos, a dozen pairs of shoe

Re:

[ExFCER]

Brilliant...Truly. Copyright this idea now and sue the performance artist that makes a mint with world wide downloads of a hit single.

I mod you... +1 insightful.

Betcha

[Dunbal]

Prediction: This device will be made illegal by the US government (in the name of terrorism prevention) in 5..4..3..

Re:

[plover]

They don't have to. It's already illegal to use one for shoplifting [justia.com] in Minnesota, and I assume that most states have similar laws. All they have to do when they find one in your pocket is accuse you of trying to shoplift. Not only is the device itself pretty strong evidence, but you get 3 bonus years in jail if you're convicted.

Even simpler blocker

[noidentity]

I've found an even simpler RFID blocking solution [google.com].

Re:

[Tatisimo]

That stuff works to block GSM phones, too! And keeps your lunch so nice and warm... In your face, duct tape!

Re:

[ockegheim]

Yes, I made my hat out of it!

Genius!

[homebrandcola]

The genius part was proving their was a threat, then inventing the solution to that threat.

Fantastic business model.

Re:

[Rogerborg]

I have a much better way [wikipedia.org] of preventing cancer of the uvula, or whatever it is she claims the problem with RFID is.

Interesting (and not so legal) uses for this...

[PAjamian]

This is a really interesting device, I wonder if it has some darker uses, though...

Could you use this device to assist shoplifting by having it in your pocket when you walk past the RFID readers at the store entrance? This would effectively block the readers from being able to "see" the RFID security tags on the merchandise.

Depending on how low-cost these devices are (they are planning to sell them at cost, after all), could someone attach one surreptitiously to the bottom of a modern car preventing the RFID tag built into the ignition key from being read, thereby disabling the car?

Here in New Zealand, they recently passed a law requiring that all pet dogs have RFID chips implanted in them. It would be laughable if a small version of this were made which would could be attached to the collar of the dog to effectively disable the RFID chip implanted in them (admittedly I can't see this particular usage being helpful the the dog or the owner in any way, but it is funny to think about).

Other issues:

Since this is a powered transmitting device, it might not be legal to have it turned on while on board an airplane in flight. Since it can't be effective while turned off, it would still be possible to read passports of people in-flight unless protected by some other means (aluminum foil, farraday cage).

Re:

[cdrguru]

1. Nobody is using RFID for store inventory control. They use far simpler resonators that are cheaper.

2. Not sure, but most cars aren't using RFID. They use something sort of like RFID but not RFID.

What's wrong with just using a wideband jammer, something like a spark-gap transmitter? It would block all radio signals within a one or two mile radius and completely solve any radio frequency problems.

Re:

[timmarhy]

1. you don't know what your talking about - walmart use it for crying out loud. 2. you don't know what your talking about - if it's a chip powered by RF that id's itself when near a reciever, then's RFID.... wideband jamming? you do realise that takes more power then a couple of aa batteries can supply, and it is also going to result in the local authorities investigating who took out the local FM/AM channels and other radio channels and putting your arse in jail for a long time.

Re:

[plover]

I assume the GP meant to say it this way: "Nobody is using RFID exclusively for inventory control" which is a correct statement. 'Inventory control' is the retailer's phrase meaning "shoplifting detectors", and if all you're interested in is stopping shoplifting, resonance tags (Checkpoint, et al) are a fraction of the price of RFID tags. All the stores using RFID that I'm familiar with are using it for much more than inventory control: logistics and transportation, warehousing, stock replenishment, and

Re:

[sgt_doom]

Citizen PAjamian, you've immediately spotted the points of vulnerability:

Great way to frame somebody - be it for murder or crimes Against The State.

[The Carlyle Group - major RFID manufacturer and supplier]

[Tommy Thompson, Republican candidate for the US Presidency who says: "All Americans should be microchipped."]

Sign me up ...

[SL Baur]

... my "kidnap me I'm an American Citizen!" broadcasting passport is arriving any day now.

See http://www.travel.state.gov/travel/cis_pa_tw/tw/tw _2190.html [state.gov] and understand that Tagum City (where the two American children were kidnapped) is the nearest city from my permanent home and where my son is.

Won't last long

[wesley78]

It's nice to see that this technology will be available, but I won't be long before it's regulated to the point of uselessness I think. RFIDs are going into too many things, and while 1 metre can be nice covering in some situations, it will be intrusive in others. First off Passports and Drivers licenses of many states carry RFID tags now. I can't imagine customs officials wanting to wait around while you turn off your jamming device or if a police officer would be happy if he tried to read the tag at your

Melanie @ WhatTheHack

[gbnewby]

I saw Melanie's talk at What The Hack in summer 2005, and got to speak with her a little afterwards. That was before the virus made news, but her interests in RFID were in strong evidence. Here's the abstract: program.whatthehack.org [whatthehack.org] Here's video (MP4) of her talk, "Fun and Mayhem with RFID:" rehash.whatthehack.org [whatthehack.org] You can find other videos from WTH at the same site (disclosure: I'm there, too!)

Web of trust for passports?

[BlueParrot]

The reason bar codes are not sufficient is that once they are read, they can be easily copied. The same goes for any static message transmitted by an RFID tag. Also, the database can obviously be corrupted by an evil government or disgruntled worker. If you really want to have a forge-proof solution you will need to implement something like OpenPGP in every passport. I can't wait until the day where politicians and media will have to be careful with their creditability or risk having a significant number o

Firewall vs jamming

[Tungbo]

The reason this device is so complex appears to be
the desire to allow reponses selectively.

Wouldn't it be easier and cheaper to make a simple jamming device?
Say in a small pouch for storing the passport, etc. with even weaker
power so that only 1 foot radius is covered.
When you need to use the passport, take it out of the pouch.

Re:

[jimrob]

Wouldn't it be easier and cheaper to make a simple jamming device? Say in a small pouch for storing the passport, etc. with even weaker power so that only 1 foot radius is covered. When you need to use the passport, take it out of the pouch.

Yes... some type of device to disable the RFID unit. Perhaps some type of button... one which would turn it off when not in use?