I’ve raised the issue before of RFID (radio frequency identification). If you’ve missed the posts, go here and here . You can always visit Spychips to get a good run-down on the dangers of RFID, but let me summarise for you:
- RDID devices can be inserted into clothes or products – they send a wireless, unique identification number to an RFID reader – and this data capture can be used to track an item.
- manufacturers want to replace the bar code with RFID – it helps them with warehouse inventory and supply chain sure, but it also means that the item (and its purchaser) can be tracked. You can be tied to an RFID-enabled item you buy when you use a credit card for example. What will be recorded is: the store the item was purchased from; date and time bought; your name, your address and so on. The manufacturer might then start bombarding you with targeted advertising through your email or via brochures sent to your home.
- as far as I am aware, there is no legislation or standards controlling the use of RFIDs – you may have them in your clothes right now and be unaware. Go here to find out how to spot an RFID chip and disable it. Apparently, the chips can be as small as the tip of a pencil – a mere dot.
You may have a passport with an RFID chip in it. It makes sense: the chip can contain a lot of information that immigration officials scan quickly. But….the chip can be scanned from a distance by an RFID reader. It’s not just immigration officials who can download your information, it’s anyone (a hacker for example) with a reader within close proximity. And poof: there goes your identity onto an RFID reader, ready to be used by who knows. I’ve read that these scanners can be pretty small and able to be concealed up a sleeve.
Now, you would imagine that a bunch of hardened, security savvy US law enforcement and intelligence dudes would be wise to RFID and its dangers – wouldn’t you? Yes, well, apparently not. There’s a secret squirrel conference that happens yearly in the US, known as DefCon. It’s attended by Federal agents and discusses the latest cyber vulnerabilities and the hackers who exploit them. Some attend under their real name and affiliation, but many attend undercover, secret squirrel.
Imagine their surprise when many of them had their RFID-enabled ID tags scanned and read. Attendees might have had the card in their back pocket, in a backpack, in a wallet or in a shirt pocket. Many of them passed by a table with an RFID reader in full view but were stunned, shocked, gobsmacked (as we say in Oz) when conference attendees were told about the presence of the reader and that it had captured personal information. To add insult to injury, they were told a camera snapped the card holder’s picture as well! So those attending in secret squirrel disguise may have been identified by their photo for example.
Quel horror! Big, HUGE scare. Red faces and egg on face all round I’d say. Apparently, it was all part of a project devised by security consultants to highlight privacy issues around RFID (sure hope they obtained permission to do this, otherwise I sniff a huge cat fight coming up).
Here are some scenarios to make you think about RFID dangers:
- you’re sitting at a restaurant, enjoying dinner with family or friends. Meanwhile, a hacker seated at a table nearby with a portable reader is downloading your RFID-enabled credit card – account number, expiry date, name.
- you’re standing in a queue, waiting to check-in at some international airport, passport in hand. Terrorists with a portable reader are downloading your passport details or they are busy identifying all Americans within the terminal by reading as many passports as they can.
- a hacker scans the access card number you use to get into your office building. Perhaps the hacker bumps into you, knowing you’re an employee of a certain organisation, and scans your back pocket where the security ID is kept. Since these cards are usually in sequential order, the hacker selects a number, clones the card and impersonates an employee.
There are so many scenarios I could give you. Apparently, if you chuck an RFID chip in the microwave and nuke it for 5 secs, that will kill it (but be careful as I’ve read the thing can explode too). You can also pierce the chip with a knife or cut off its antenna but you need to know how to spot an RFID chip first – so make sure you read this Spychip FAQ.
UPDATE: seems the new UK ID cards are very easy to download data from the RFID chip embedded within it. It took 12 minutes for someone to electronically copy the ID card microchip and all its information.
Entry filed under: RFID.