On RFID Tags & Privacy
For one of the first times in my college education, I have the option of writing a term paper on a topic that actually interests me. It’s for a required computer science course about computing, society and professionalism. I will be writing a lengthy paper delving into the privacy implications of RFID tags. One of the prerequisites for the paper is that we must initially be undecided about the issue, which is where I stand right now.
What are RFID tags?
RFID tags are tiny electronic modules used to uniquely identify tagged objects or people over a wireless protocol. At the moment, they cost around 5 cents a piece when mass produced and are comprised of a chip and antenna in their most basic form. RFID tags are available in a variety of formats from paper based units to plastic encased ones while some are even ingestible or implantable.
Two forms of RFID tags.
Tag uses are extremely diverse. Wal-Mart uses them to track pallets and was able to get its suppliers to use RFID tags to make their supply chain more cost efficient. In that case, RFID tags are used to store proprietary tracking numbers, product codes, serial numbers and the like. The wireless characteristic of RFID tags makes them easier and faster to work with than bar codes, not to mention modern RFID readers (although I believe RFID interrogators is the preferred term with some RFID tags having read/write abilities instead of just ROM) are able to interact with multiple tags at once unlike bar code scanners. RFID tags also hold up to 128KB of memory currently - much more data than any bar code can hold.
Pharmaceutical companies are beginning to embed RFID tags into medicine containers, many countries have RFID-tagged passports, universities have begun issuing RFID-tagged student ID cards, Exxon Mobil and Visa have point-of-sale RFID tags to help consumers purchase items conveniently and an FDA-approved company has developed an implantable RFID tag to access one’s medical records, with plans to expand to GPS-capable tags. You have no doubt come into contact with RFID tags in your daily life whether you’re aware of it or not.
What’s the problem?
RFID tags have incredibly handy uses embodying the spirit of doing things faster, cheaper and more conveniently. But do those boons of RFID tags outweigh the risks associated with having a ubiquitous RFID-tagged society? First off, you need to understand the technical aspects of interacting with RFID tags. There are low frequency passive tags which receive their power wirelessly from RFID readers and typically have a range of under 3 feet. Then there are active tags (generally high frequency) with batteries to sustain the microchip and transmit RF signals to a range of up to 30 feet but usually around 10 feet. Most consumer-oriented tags, like Exxon Mobil’s SpeedPass, are passive and cheaper to manufacture. However, at the Defcon hacking convention in 2005, hackers were able to successfully read a passive RFID tag from close to 70 feet. Big Brother anyone?
While tags that deal with personally-identifying information employ encryption and authentication safety measures, they’re not fool proof. Remember when the WEP encryption technology for Wi-Fi was secure? Neither do I. There will always be ways to circumvent these safety measures. For example, when using a point-of-sale RFID tag, the tag usually gives the reader a unique key code that it throws into an algorithm to see if it is legit. That’s all kittens and daisies but what about when our Defcon friend intercepts the key code from 70 feet away with a man-in-the-middle attack and is then able to buy anything he wants? Granted it is more involved than this in reality with various encryption schemes, but there is definitely potential for malicious activity; activity that isn’t possible to be done wirelessly with magnetic stripe credit cards.
One aspect of RFID tag privacy deals with taking personal information as described above, and another angle to RFID privacy deals with tracking people. Imagine that it is 10 years in the future; there are no bar codes, magnetic stripe usage has been overcome by RFID tags and everything is pretty much wireless. In a nutshell, everyone has an RFID tag somewhere on them. As such, stores, restaurants, banks, malls and cities in general will be massively outfitted with RFID readers. Take the opt-in IBM project codenamed Margaret for example:
As they pass through the doors, the card would alert a customer information system. Bank staff could personally greet high-net-wealth customers, or customers could be greeted by name by tellers, who would already have their account information on-screen when they arrive at the counter.
Projects like that are lending RFID tags to uses based around identifying people, likely making it easier for others to maliciously do the same. B&M stores could discover when you walk in with your tagged buyer rewards card and immediately see that you’ve spent $15,000 in plasma TVs in the last two months, making it all the easier for a salesman to bug you throughout your stay. I’d rather the store just consider me visitor #349 instead of Paul Stamatiou, tech guru likely to help customers and tell them to buy their electronics for cheaper online. If stores had the capability to recognize frequent customers, they could fill in detailed information about that person’s history and preferences in a database.
That brings me to the next RFID privacy issue. MIT Professor Jerry Saltzer once said that privacy is a database correlation issue and he was entirely correct. What that means is that you give out little bits of personal information about yourself to various entities, but one entity never has all of your information. For example, Entity A might have a database listing your DOB and favorite color. Entity B’s database has your SSN, address and last 10 DVDs rented. Entity C’s database knows your mother’s maiden name, the name of the high school you attended, your height, hair color and this goes on with numerous entities. All it takes for someone to know everything about you is access to the databases and a simple matching by your name or other personally-identifying parameter.
With RFIDs, this process is made much easier as logging your data evolves from a manual task to an automatic, wireless one. Companies would be able to create a detailed profile about you and your habits without your knowledge.
Overall
The things I have discussed regarding potential problems with RFID tags and privacy involved loose hypothetical situations. It is likely much harder to crack the encryption of a modern RFID tag than I made it appear. My main point is the potential for there to be an issue and with the current RFID tag trend predicting a surge of tag adoption in the near future, privacy issues need to be addressed now. Detailed personal information will always be encrypted and secured (although doing that costs more, so there is a monetary incentive for smaller companies to ignore encryption) but the RFID tag’s unique key code and things of that sort can be picked off by any RFID reader without authentication (or at least that’s the impression I have), thus turning the key code into an identifier for making sense of logged aggregate data.
Remember the time AOL accidentally released search query logs? The logs did not contain any users’ names, but instead contained random id numbers. With those id numbers, it was easy for people to draw connections between queries and figure out who was who.
Now for the point of this article - where do you stand? Do you prefer the utter convenience that RFID tags bring to consumers or loathe RFID tags for allowing others to potentially track you? I’m not one to get paranoid over security measures but after doing considerable RFID research, the future of RFID uses makes me wonder what companies or tech savvy RFID hackers will know about me and my activities.
Society needs to find a middle-ground for the uses of RFID tags. They are great for supply chain inventory management and other industry uses, but I question how far we need to go with using RFID tags for personal and consumer needs.
For those interested in reading about RFID tags in more depth, I recommend taking a look at this book and this one.
We’ve covered quite a few RFID projects on HAD: http://www.hackaday.com/search/?q=rfid
My first post ever was a spoofing device by Jonathan Westhues who later did the Verichip clone. http://cq.cx/index.pl
You should also check out Adam Laurie, who cracked the British passport. http://www.rfidiot.org/
Several Defcon hackers contributed to this book, which has been recommended to me: http://www.amazon.com/RFID-Security-Frank-Thornton/dp/1597490474/
Thanks for the comment Eliot - you pointed me to some great resources.. now I want to purchase the hardware to hack around with RFIDs myself haha.
Excellent article Paul. When I wrote about RFIDs last summer, I came to pretty much the same conclusion as you. I’m fine with retailers using RFIDs to track inventory, but medical RFIDs and other personal RFIDs are something I’d like to avoid.
Part of the problem is RFIDs are so small, you can forget you even have them. For example, I bought a used car and the first time I took it through a toll booth the gate raised without me grabbing a ticket. I was confused, so I buzzed for assistance (I didn’t want to get off the highway and have to pay full price because I didn’t have a ticket). The person came out and said I was good to go. After explaining to him the situation, it turns out I had the previous owner’s EZPass still on the car.
Now imagine if I happened to stumble over someone’s medical RFID tag. I could assume the identity of the person with the proper equipment and knowledge.
Putting more personal information on RFID tags is a stupid idea. Until better security is built into the RFID spec, I’d like to avoid them as much as possible.
Hello Paul,
I am writng from still sunny Greece. :)
This is my first post here although I have been an avid reader of your blog for quite some time.This was a great article and I learned quite a lot from it , since I had heard of the technology but hadn’t gotten myself into it too much.I can safely say that your paper will be quite good judging from this post.
Okay, Paul, here is my story and I would like to hear if you think that the following is possible.
A couple of years ago (in 2005) I bought a then-new leather wallet in Vienna. In a store that I wouldn’t have expected to have that tag system.
This year, I went to San Francisco. On Haight St I was entering a store, and the anti-thief thingy didn’t “peep”. Walking around in the store I found myself some random shirt, bought it and the moment I left, the peeper was striking alarm and the owner of the shop confronted me and I told him that this hasn’t happened before. I suspected my new mastercard to do some magic magnetic trick or whatever. So he told me that it might be tagged and I should look if that tag might have activated, since that can load new information onto it itself when walking in a store. SO FINALLY, I found this tag and I was quite shocked. Is that possible, that it loaded itself with that kind of info? I am sure that the store in Vienna didn’t have a thief system.
Thanks bye
I have a U.S. issued RFID passport. It’s a little thicker than the normal passports and has some tamper warnings on it but other than that, it looks like a regular one.
I am not sure however, how much I like it. Certain countries have fast-track lines which speeds up the process by simply scanning their RFID tags but when entering the U.S. only a few places have it. The security concerns me a little as well. I do not carry when I don’t have to and I am weary of giving it to people just because of the simplicity of it being held close to something and read.
Well, that was timely. I just made a suggestion yesterday on my own blog about having fast-food restaurants use RFID objects (like Mobil Speedpass) to allow customers to order quicker.
So, you could say, yes, that I’m a supporter of heavier RFID integration. Hackers will be hackers. Let’s not stomp out progress because of a few bugs.
Or else we’d all be running TRS-80 Color Computers with tape storage and 300 baud external modems. Suh-weet!
RFIDs can cause cancer. I really don’t think that you would care more or less about your privacy if you may end up dead in the end.
Here is the preliminary:MedicalNews
Why doesn’t this show up in your “review” of the subject? That’s all.
@Leo - because there is no clear evidence proving that. The same thing goes for cell phones causing cancer, Wi-Fi access points causing cancer and pretty much anything with a signal. I can tell you, you should be much less worried about a passive/low-powered low frequency RFID tag compared to the powered Wi-Fi router you work next to all day or the cell phone in your pocket. Think about it.
@Leo: RFIDs are passive devices. When it’s not near a scanner an RFID is no more than a little piece of glass, plastic, silicon, and a tiny antenna… no more likely to cause cancer than a watch, earing, or any number of other things that your body is regularly exposed to. Even when an RFID is scanned, it’s so low energy that I can’t imagine it’d do any harm. Your body is constantly exposed to radio waves, I don’t see how a tiny low energy RFID is going to do any more damage than your cell phone. That said, some people claim cell phones cause cancer too…
@Paul - there is no clear evidence about many things; but where there is some serious concern, there must be some legitimate doubt about whether or not the “there is no clear evidence about that” rule applies. Circumstantial evidence, when repeatedly verified under the same settings, start to gain enough momentum for somebody to worry.
The WiFi router is not getting implanted within body tissue. An RFID will, because that is the plan, eventually. Therefore, the legitimate concern is much more solid in this case. What if you implanted a cell phone transmitter in your body, or a WiFi receiver in. Remember that in the case of an implanted chip, your passive/low - powered low frequency RFID tag will be operating within millimeters next to live, dividing cells.
The point is simple. Can you certify that your informing the public about this is complete without touching this side of the issue? Can you certify that there is enough amount of circumstantial evidence so that your review of the subject is complete? If you are to focus only on one side it is ok. If you want something more appealing to the general public, then perhaps you should also take notice of that.
As a Slashdot reader said, “Makes me think twice about wanting one for my dog. . .”
Just some food for thought.
@Leo - When writing this article, I had no intention of talking about any potential safety risks associated with RFID tags. My upcoming school paper is simply about RFID tags and the privacy issues associated with it, which is why this post didn’t touch on it. I’m not trying to biased by leaving that out; that just wasn’t the point of this article.
I am still extremely skeptical of RFID tags posing a greater risk than powered devices you use daily, even if those devices aren’t implanted under your skin. A cell phone emits way more energy/signals/etc than any RFID tag meant for consumer use, which cancels out the fact that the tag might be implanted in you because the output is so minimal. I’m not sure if what I’m saying makes sense, but from what I remember of my circuit theory and design classes, this is nothing to be worried about. I’d be more worried living next to HV power lines.
In that case, I should get myself a led box if I ever plan on using that stuff.
hi paul,
a very interesting article. I’m a student computer science from The Netherlands and I had a lecture on this subject about 3 years ago. The lecturer had some interesting points regarding RFID and privacy (although maybe a little far fetched sometimes).
As an example he sketches a rather grim scenario with two parks: a paradise with lush green hills and a park with homeless people and trampled grass fields. He went on about the dangers of storing personal information on RFID chips embedded in cloths or even on the persons body. With the information this particular person could be rejected at the gates of the nice green park because, for instance, his monthly income isn’t high enough or his bank account is empty. I was kind of frightened by the idea that the gates would close as you approached them. That would mean companies could reject me from other places too. As more personal information is stored in the RFID chips, you could be rejected in stores, malls or even hospitals.
Personally I don’t want to see it this way, but it could become reality to some extend (I’m still optimistic though). Luckily you’re right about our personal data being scattered. The real danger starts when the different pieces of data are connected.
I’m not a big fan of people tracking, or potentially tracking me and storing my personal data. But I do think RFID is a great help in ways Wallmart is using it for the tracking of goods. And I really like the subject, as I had to write a paper on it as well, it’s great material for discussion.
@Leo: Do you own a cell phone? Do you have a computer? What about an alarm clock? How about a tinfoil hat?
Let’s see… your argument is this: If the world starts using RFID (which has already happened), we all die. Nice.
If we DON’T die, can we get some kind of compensation from you for creating panic in the streets?
Aaaagh… probably not. It’s tough to collect from the guys down at the loony bin. They never seem to have any assets worth going after. Or maybe they’re just super-smart and have all their money locked up in gold bars buried out in the desert.
Watch out for the fluorescent lights, Leo. That’s the real source of death. Waterworld had it all wrong. The buzzing is the prelude to agonizing death. If you ever hear it, run. Don’t look back.
Nice trick - trying to get Paul to certify that RFID’s are safe. Huh? Do you avoid retail anti-theft systems if they don’t say “Certified by Paul Stamatiou to be safe for guys named Leo”.? Bizarre. Heck, I’ll certify all RFID’s for you Leo. Now, (poof!), you’re safe! Really, it was no trouble at all. Now, you can sleep soundly knowing that all is right in the world. Lawrence has certified RFID’s are safe. No thanks necessary. Oh, but I’m not going to certify AM Radio waves no matter how much you beg. We are probably days away from turning this planet into a wasteland.
I like the idea of RFID in logistics and libraries, but I fear what can be done with the technology.
I can live with “small scale” RFIDs.
public transport tickets that you don’t have to take out and feed through the machine- I can live with that.
stores tracking inventory- ditto.
someone knowing who I am before I get there- no. No thanks.
(then again I do have a new passport with the “fat page”- US govt. required it of it’s allies, I think. )
@Lawrence:
Ok, I was really waiting for the first ‘Tin foil hat’ reference. Thanks for the laugh.
I’ll show my ignorance of some aspects of science by mentioning a product I would love to see. Don’t know if it’s possible, but wouldn’t it be shocking/revealing/educational to have a cheap pair of sunglasses that would let you ’see’ all the RF around you?
I think it would astound most people..
I’ve decided after all my years on this planet that the leading cause of death and cancer is life itself. Carbs good, carbs bad, fat bad, some fat good. Count calories. Count protein. Coffee bad, coffee good. Alcohol bad, red wine good. Cholesterol bad, good cholesterol good.
I think if I’m going to get cancer from RF, it will probably be from when I was holding the antenna on an Army jamming rig. I yelled down to the operator ‘Don’t press transmit until I say OK!’. He heard ‘OK!’ (yes, sitcoms are usually based in reality) Needless to say, I would have to eat RFID chips at every meal for life to equal that one blast.
@Leo:
You have good points. There is anecdotal evidence to support the fear. The FDA is pulling drugs left and right lately, so their credibility is somewhat lacking, as are most government agencies.
That being said, Paul is writing a paper for school and discussing it on his blog, not writing an expose piece for Reuters.
As for my personal opinion on RFID; Chip me up!
Make it as secure as possible. Put a GPS in it to find me when I wander away. Let me buy Yoo-hoo and Twizzlers without carrying my wallet.
@titanium_geek - I’m with you man, using it for things such as store inventory I think are good to go. However, I won’t be getting one of the RFID embedded Visa cards my bank is going to try and “give” me. No thanks. I’ll take the extra 2 seconds it takes at the checkout line to pull out my card and swipe it. Not that hard. I don’t think I would ever feel comfortable storing such things as medical records or any other personal info on the tags either, no thanks!
Check this link from Engadget - “…and in a demonstration for The New York Times, easily hacked a University of Massachusetts computer science professor’s newfangled RFID credit card. In short order (and with his permission), a researcher working with RSA Labs was able to steal the professor’s name and credit card number that was being transmitted in cleartext…”
@MattD - nice find with the quote. I can’t believe the RFID credit card was transmitting data in cleartext..
@Pstam - I can’t either, I think RFID is going to blow up and be the next thing, RFID tags in everything! But I don’t like the idea of it one bit. And like I said before, I will NOT be getting an RFID tagged credit/debit card from my bank.
I think that personal RFID chips could be useful if they where secure. The problem with security is that if it has to be read, then someone can figure out how to read it. Some information could be useful to be handy at all times. For instance, imagine being able to walk into the store, grab up your merchandise and then just leave with it. You pay on your way out via the RFID chip associated with your bank account. Say you’re in a car accident, the perimedics come to get you and using a little RFID reader, they can tell if you have any health conditions, alergies, or anything else medically useful.
Now, not just anyone could access this stuff, nor would they have a reason. Me personally, I don’t care much about privacy because I’m an open kind of guy. However, certain information like SS# Driver’s license, bank account, etc… just don’t need everyone to have access to them.
Perhaps if the message they transmitted was encrypted and no key was transmitted, the key would have to be understood by both parties. In which case, the security of the information being passed would rely on the security of the stored key value.
In any case, I actually think it’s a good idea. But then again I’m lazy and I don’t like waiting in lines.