Is RFID Really That Scary? 338
tcd004 writes "Defcon participant Chris Paget demonstrated his ability to capture RFID data from people hundreds of feet away for the PBS NewsHour. Paget went through the regular laundry list of security concerns over RFID: people can be tracked, their information accessed, their identities comprimised. Not so fast, says Mark Roberti of RFID Journal. Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes. The signals are too weak and the data is too obscure, according to Roberti. So who is right? Has RFID yet lead to a single instance of identity theft, illegal monitoring, or other security compromise?"
It's like a vaccination... (Score:2, Insightful)
Prevention is a better method of addressing an identified legitimate security concern than "waiting to see what happens."
I view it like vaccinations. I don't plan on getting measles this month, but I still had my MMR...
Just like many other things of this nature... (Score:3, Insightful)
RFID really is something that needs to have an eye kept on, but sensationalist headlines make it seem worse than it is.
Of course, if you're really worried about it, there are options [thinkgeek.com] depending on what you need to protect [thinkgeek.com].
Re:Yes and no (Score:5, Insightful)
My bank switched their debit cards over to ones with "PayWave". It's an RFID chip that allows me to just magically wave my card around in the air and pay for stuff at the checkout line. I immediately bought an RFID blocking wallet. I'm a lot more concerned about being tracked by the stores and the bank, being marketed to by telescreens on the sidewalk, etc. than I am about cyber-thieves.
Re:Great Idea (Score:5, Insightful)
RFID isn't a security concern NOW. If they start putting them on, say, driver's licenses it's another story. Why would anyone think RFID is a good idea when every other system that can be abused IS abused? The new barcode like scanning squares (WTF are they called?) can hold plenty of information and can only be read when the cardholder deliberately presents the card for scanning.
What is the advantage of RFID?
The signals are too weak... (Score:3, Insightful)
The signals are too weak and the data is too obscure
Both of which are solvable with ingenuity, time, work, and people. Some things both-colored hats have in ample supply.
That's not the point... it's that it can be easily (Score:3, Insightful)
The point that's being made about RFID is that the encryption method is not good enough for most uses when it comes to private information. If it becomes mainstream someone could EASILY begin to collect this information using a remote reader and collect it later without every touching the device again.
Imagine someone takes a small box about the size of sandwich. It could hold enough battery power to collect every single RFID scan for quite some time and then come by perhaps the next day with a laptop and receive it remotely as to never touch the device again in case it was found and being watched.
RFID tags are GREAT to identify you by an ID #... not hold SS # or other private information. Keep that stuff in a more secure manner. I'm no alarmist, and not even a hacker. But this is something someone with almost no tech experience could do... and make bank.
Potential (Score:4, Insightful)
My Challenge for Mark (Score:4, Insightful)
Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes
I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
Nothing?
Well then, I guess we can just stop all this silly nonsense about non-proliferation, missile defense shields, and international nuclear arms reduction treaties.
-Rick
Re:Not yet attacked != not attackable (Score:4, Insightful)
Ummm, we can't be sure if nobody has attacked RFID. I seem to remember an international incident, not too long ago, where 50+ passports were successfully cloned - including those from countries implementing RFID on passports. At this time, there is zero information on whether the cloning was someone compromising the primary databases of the respective countries or whether it was done more directly by lifting information from passports in the open. It is extremely doubtful that we will ever be given that information, as no government is going to want to admit that people can access secure databases OR admit that the security on their passports is useless. (It has to be one of the two.)
Since we cannot know where the vulnerability was, it is prudent to assume that ANY part of the chain could be broken. Only a complete fool would do otherwise. This means that whilst we cannot be certain RFID has been compromised, we MUST believe that it might have been. To assume, blithely, that of course it couldn't be RFID is stupid. Why? Because that results you in only looking at facts that meet your theory. A very bad practice, and one that no reputable journal would be caught dead doing. Of course, a trade magazine isn't really a reputable journal. No trade magazine is ever going to question the assumptions of those who both pay for the advertising and then pay for the journal afterwards.
(Those familiar with certain works of Jeremy Brett may be familiar with the cry of "Data! I cannot work without data!")
Re:Hmm (Score:3, Insightful)
Figures that somebody whining about capitalism and libertarians in their sig would spread such FUD.
Compare with a mobile phone (Score:3, Insightful)
Conclusion: RFID tagging is less scary than existing privacy intrustions we gladly accept.
Re:Just because you don't know... (Score:3, Insightful)
From my understanding RFID usually don't carry that much data except for a unique identifier. Ok so I se a Hex value. However you may not know what type of RFID it is is for. Eg. Is it for your credit card or is it just that book you got out of the campus book store. Perhaps it is for your medical history that you got implanted in you skin. Maybe it is your Dogs virtual ID Tag implanted.
Say if I dropped a Passord of a vital system in the Middle of New York City and you pick it up. And that password is for only one system what is the chance you will find the system and get in.
That said we should be sure that RFID for say on Credit Cards and on other major checking systems should have additional checks to it. However for say Inventory and automatic checkouts it should be ok.
Re:Yes and no (Score:5, Insightful)
It's hardly vendors that I would be concerned about. Given the increase in skimmers for magnetic readers at ATMs and cash registers how long do you really think before the concept spreads to RFID skimmers?
Re:Yes and no (Score:5, Insightful)
I think one of the major turnoffs for me about mass market advertisiing is that it's so off base as to be annoying. I'm not in the market for a car, so to be subjected to ads for cars while I watch tv is a waste of my time.
And targeted ads are even more annoying, because they still don't get it right.
I was in the market for a car and did my research and bought one a week ago. But, I expect that "targeted" ads for cars will keep hitting my monitor and mailbox for at least the next six months, and I expect many of them will be for classes of vehicles that weren't anything I would ever consider.
Two years ago these ads would have been a minor bother, and 2-12 months ago they might have been helpful, but for the next 5-10 years they'll be both wasteful and a major annoyance.
Re:My Challenge for Mark (Score:1, Insightful)
Mark challenges Paget to point to a single instance where RFID was successfully used for nefarious purposes
I challenge Mark to point to a single instance where Intercontinental Ballistic Missiles with Nuclear Warheads were successfully used for nefarious purposes.
August 1957 [wikipedia.org] - present.
Nuclear-tipped ICBMs used as a deterrent to keep enemy states at bay. This is them being used.
Have the commies taken over the world yet? No? This is them being successfully used.
Re:Yes and no (Score:5, Insightful)
Being tracked when you use your card, because that is required just because you used it, and being tracked just because you walked past a checkout counter are two separate and distinct things.
Re:Yes and no (Score:3, Insightful)
You could also determine when a group of people are not around their home and use this information to decide when to rob their house. If all of the residents and their nearest neighbors have all been scanned at movie theaters, clubs, or restaurants in the last half hour you could break-in with the expectation that no one would be around to catch you in the act for a certain period of time.
There are plenty of other creative abuse cases for RFID other than tracking.
Re:Yes and no (Score:5, Insightful)
I think you're making a mistaken assumption that ads are intended to drive you to make an immediate purchase. While that's one reason they're aired, another is brand recognition and familiarity. If you happen to be in the market for a car three years from now, it's likely that at least some of what those car companies have communicated in their ads will stick with you.
This is especially true for less-well-known brands. Compare a Toyota ad ("We're having a sale this weekend") to a Hyundai ad ("Our cars are reliable and have feature x). Toyota expects you to already know and recognize the value of a Toyota, they're trying to get you into the showroom now, now! NOW! As a relative newcomer, Hyundai is working to get you comfortable enough to consider their car.
Re:Portable RFID chip Killer (Score:3, Insightful)
Unfortunately, along with the rest of our debased currency, we've taken most of the copper out of pennies. Eventually I expect plastic penny coins, once the price of zinc goes up.
Re:Here's a better Defcon RFID story... (Score:5, Insightful)
Ok how about this.
US passports contain RFID tags.
1. Is it possible to detect, from the RFID tag, at a distance, the presence of a US passport and to distinguish a US passport from other passports fitted with RFID tags?
2. Is it possible to determine roughly how many US passports are within range?
3. Is it possible to engineer such an RFID tag detector into the detonator of an explosive device while keeping said explosive device small enough and low powered enough to be easily concealable? (ie doesn't need mains electricity nor obvious antenna).
I am just asking the question, I have no wish to see US passport holders blown to bits; but there *are* people who *would*.
Re:Yes and no (Score:2, Insightful)
No, it works like that in regular America, too.
Hot pieces of ass bankrupt people all the time.
Re:Yes and no (Score:4, Insightful)
You're implying that you would like to see ads for things you are interested in. Well fucking wake up mate. There are lies, damn lies and then there are advertisements. Whatever useful information contained in an ad is completely outweighed by the bogus fucking lies they will tell you with the intent on selling you. And if that's not enough, they're obviously going to leave out anything that would encourage you to not buy their shit.
Worst of all, have you ever even watched an ad? If any ads were reality, then chosing the right toothpaste would make you FUCKING HAPPY AS BLISS and using the right condom would get you laid by a supermodel and drinking the right liquor would make you a million dollars.
Seriously, if you are clueless enough to ever even contemplate that you might benefit or enjoy watching an ad; you're already sold mate.
Reasons for the RFID failures (Score:2, Insightful)
The boxes where chipped *and* barcoded, and there were scales on the collection lorry to weigh the box and automatically scan the rfid chip at the same time, thus collecting usage data.
Three years on it turns out that the one thing we were not expecting - the rfid chips not to be reliable - has proven a major issue.
Did you totally ignore the subject of the story and replies to it? Have you considered that maybe some people don't like your tracking (especially if they weren't informed of it and didn't explicitly agree to it) and have found ways to detect and incapacitate your RFIDs?