title:

A RFID warning shot

By Scott Bradner

Radio Frequency Identification (RFID) is a part of the present and may well be a major part of our future, these facts are, at best, a mixed bag. It would not be quite so bad if the vendors of RFID products and companies that say they want to use them better understood security and privacy.

For those of you who have been cave dwellers over the last few years, RFIDs are small electronic devices, normally with no battery or power supply, that can interact wirelessly to identify itself to a scanner. The best known example of an RFID is the very simple devices that companies like Wal-Mart are asking their suppliers to put on pallets of goods and that drug companies are beginning to attach to containers of drugs in the distribution chain. (See Privacy as an Afterthought - http://www.nwfusion.com/columnists/2004/0301bradner.html) These RFIDs basically wireless barcodes that respond with a unique serial number when queried by a wireless scanner. Companies with large database infrastructures, like Wal-Mart, can keep track of where individual cartons of goods are in their supply chain or, someday far too soon, what individual products are in a shoppers physical shopping cart.

But not all RFIDs are that simple. Some, like the ones being considered for the next generation of US passports, can report back a bunch of passport-holder-specific data and others like the electronic key used in some cars and the ExxonMobile SpeedPass, include a cryptographic challenge-response interaction in an attempt to make sure that the RFID is not a counterfeit.

These have not been particularly good days for the RFID business. A number of researchers at Johns Hopkins, working with researchers from RSA Laboratories, have shown that the RFIDs used in the SpeedPass and in the keys for some Ford vehicles can be spoofed and spoofed reasonably easily. (http://rfidanalysis.org) The researchers demonstrated that the RFID chips used weak encryption keys, which the researchers found they could break within a few hours. Thus, a car theft ring could use a fake scanner to query the car owner's car key in their pocket as they stood in an elevator, for example. The heft ring could then break the keys and go pick up the car using normal car burglary tools knowing that they could fool the electronic interlock into thinking they had the right key. Texas Instruments, which makes the circuits used in the Ford keys and the SpeedPass does have similar circuits with longer, and thus harder to break, keys in them but Ford and Exxon decided to use the cheaper but weaker chips instead. Texas Instruments is not immune from blame here, they are using a secret encryption algorithm, which violates the most basic good-encryption rules.

At the same time US National Institute of Science and Technology (NIST) has shown that RFIDs to be used in the US Passports can be read from as far away as 30 feet. This would make it easy to sport people carrying US passports and capture the information about them, and maybe capture the passport holder himself.

Finally, Wal-Mart and other merchants investigating the use of RFIDs seem to be genetically blind to the privacy issues inherent in setting up a system that would allow individuals to be singled out by wirelessly determining the pattern and values reported back by the RFIDs embedded in their clothing and possessions.

I wonder how much bad news the RFID business can absorb before they begin to figure out that there are still problems to be solved before its time to deploy. So far, they have shown a remarkable level of absorbency.

disclaimer: From time to time the local community complains about Harvard's ability to absorb property near the campus but the above absorbency puzzlement is mine not the university's.