RFID Chips Are Here
Scott Granneman, 2003-06-26

RFID chips are being embedded in everything from jeans to paper money, and your privacy is at stake.

Bar codes are something most of us never think about. We go to the grocery store to buy dog food, the checkout person runs our selection over the scanner, there's an audible beep or boop, and then we're told how much money we owe. Bar codes in that sense are an invisible technology that we see all the time, but without thinking about what's in front of our eyes.

Bar codes have been with us so long, and they're so ubiquitous, that it's hard to remember that they're a relatively new technology that took a while to catch on. The patent for bar codes was issued in 1952. It took twenty years before a standard for bar codes was approved, but they still didn't catch on. Ten years later, only 15,000 suppliers were using bar codes. That changed in 1984. By 1987 - only three years later! - 75,000 suppliers were using bar codes. That's one heck of a growth curve.

So what changed in 1984? Who, or what, caused the change?

Wal-Mart.

When Wal-Mart talks, suppliers listen. So when Wal-Mart said that it wanted to use bar codes as a better way to manage inventory, bar codes became de rigueur. If you didn't use bar codes, you lost Wal-Mart's business. That's a death knell for most of their suppliers.

The same thing is happening today. I'm here to tell you that the bar code's days are numbered. There's a new technology in town, one that at first blush might seem insignificant to security professionals, but it's a technology that is going to be a big part of our future. And how do I know this? Pin it on Wal-Mart again; they're the big push behind this new technology.

So what is it? RFID tags.

RFID 101

Invented in 1969 and patented in 1973, but only now becoming commercially and technologically viable, RFID tags are essentially microchips, the tinier the better. Some are only 1/3 of a millimeter across. These chips act as transponders (transmitters/responders), always listening for a radio signal sent by transceivers, or RFID readers. When a transponder receives a certain radio query, it responds by transmitting its unique ID code, perhaps a 128-bit number, back to the transceiver. Most RFID tags don't have batteries (How could they? They're 1/3 of a millimeter!). Instead, they are powered by the radio signal that wakes them up and requests an answer.

Most of these "broadcasts" are designed to be read between a few inches and several feet away, depending on the size of the antenna and the power driving the RFID tags (some are in fact powered by batteries, but due to the increased size and cost, they are not as common as the passive, non-battery-powered models). However, it is possible to increase that distance if you build a more sensitive RFID receiver.

RFID chips cost up to 50 cents, but prices are dropping. Once they get to 5 cents each, it will be cost-efficient to put RFID tags in almost anything that costs more than a dollar.

Who's using RFID?

RFID is already in use all around us. Ever chipped your pet dog or cat with an ID tag? Or used an EZPass through a toll booth? Or paid for gas using ExxonMobil's SpeedPass? Then you've used RFID.

Some uses, especially those related to security, seem like a great idea. For instance, Delta is testing RFID on some flights, tagging 40,000 customer bags in order to reduce baggage loss and make it easier to route bags if customers change their flight plans.

Three seaport operators - who account for 70% of the world's port operations - agreed to deploy RFID tags to track the 17,000 containers that arrive each day at US ports. Currently, less than 2% are inspected. RFID tags will be used to track the containers and the employees handling them.

The United States Department of Defense is moving into RFID in order to trace military supply shipments. During the first Gulf War, the DOD made mistakes in its supply allocation. To streamline operations, the U.S. military has placed RFID tags on 270,000 cargo containers and tracks those shipments throughout 40 countries.

On a smaller level, but one that will instantly resonate with security pros, Star City Casino in Sydney, Australia placed RFID tags in 80,000 employee uniforms in order to put a stop to theft. The same idea would work well in corporate PCs, networking equipment, and handhelds.

In all of these cases, RFID use seems reasonable. It is non-intrusive, and it seems to balance security and privacy. Other uses for RFID, however, may be troublesome.

Visa is combining smart cards and RFID chips so people can conduct transactions without having to use cash or coins. These smart cards can also be incorporated into cell phones and other devices. Thus, you could pay for parking, buy a newspaper, or grab a soda from a vending machine without opening your wallet. This is wonderfully convenient, but the specter of targeted personal ads popping up as I walk through the mall, a la Minority Report, does not thrill me.

Michelin, which manufactures 800,000 tires a day, is going to insert RFID tags into its tires. The tag will store a unique number for each tire, a number that will be associated with the car's VIN (Vehicle Identification Number). Good for Michelin, and car manufacturers, and fighting crime. Potentially bad for you. Who will assure your privacy? Do you really want your car's tires broadcasting your every move?

The European Central Bank may embed RFID chips in the euro note. Ostensibly to combat counterfeiters and money-launderers, it would also enable banks to count large amounts of cash in seconds. Unfortunately, such a move would also make it possible for governments to track the passage of cash from individual to individual. Cash is the last truly anonymous way to buy and sell. With RFID tags, that anonymity would be gone. In addition, banks would not be the only ones who could in an instant divine how much cash you were carrying; criminals can also obtain power transceivers.

Several major manufacturers and retailers expect RFID tags to aid in managing the supply chain, from manufacturing to shipping to stocking store shelves, including Gillette (which purchased 500 million RFID tags for its razors), Home Depot, The Gap, Procter & Gamble, Prada, Target, Tesco (a United Kingdom chain), and Wal-Mart. Especially Wal-Mart.

The retail giant, the largest employer in America, is working with Gillette to create "smart shelves" that can alert managers and stockboys to replenish the supply of razors. More significantly, Wal-Mart intends for its top 100 suppliers to fully support RFID for inventory tracking by 2005. Wal-Mart would love to be able to point an RFID reader at any of the 1 billion sealed boxes of widgets it receives every year and instantly know exactly how many widgets it has. No unpacking, no unnecessary handling, no barcode scanners required.

RFID Issues

Right now, you can buy a hammer, a pair of jeans, or a razor blade with anonymity. With RFID tags, that may be a thing of the past. Some manufacturers are planning to tag just the packaging, but others will also tag their products. There is no law requiring a label indicating that an RFID chip is in a product. Once you buy your RFID-tagged jeans at The Gap with RFID-tagged money, walk out of the store wearing RFID-tagged shoes, and get into your car with its RFID-tagged tires, you could be tracked anywhere you travel. Bar codes are usually scanned at the store, but not after purchase. But RFID transponders are, in many cases, forever part of the product, and designed to respond when they receive a signal. Imagine everything you own is "numbered, identified, catalogued, and tracked." Anonymity and privacy? Gone in a hailstorm of invisible communication, betrayed by your very property.

But let's not stop there. Others are talking about placing RFID tags into all sensitive or important documents: "it will be practical to put them not only in paper money, but in drivers' licenses, passports, stock certificates, manuscripts, university diplomas, medical degrees and licenses, birth certificates, and any other sort of document you can think of where authenticity is paramount." In other words, those documents you're required to have, that you can't live without, will be forever tagged.

Consider the human body as well. Applied Digital Solutions has designed an RFID tag - called the VeriChip - for people. Only 11 mm long, it is designed to go under the skin, where it can be read from four feet away. They sell it as a great way to keep track of children, Alzheimer's patients in danger of wandering, and anyone else with a medical disability, but it gives me the creeps. The possibilities are scary. In May, delegates to the Chinese Communist Party Congress were required to wear an RFID-equipped badge at all times so their movements could be tracked and recorded. Is there any doubt that, in a few years, those badges will be replaced by VeriChip-like devices?

Surveillance is getting easier, cheaper, smaller, and ubiquitous. Sure, it's possible to destroy an RFID tag. You can crush it, puncture it, or microwave it (but be careful of fires!). You can't drown it, however, and you can't demagnetize it. And washing RFID-tagged clothes won't remove the chips, since they're specifically designed to withstand years of wearing, washing, and drying. You could remove the chip from your jeans, but you'd have to find it first.

That's why Congress should require that consumers be notified about products with embedded RFID tags. We should know when we're being tagged. We should also be able to disable the chips in our own property. If it's the property of the company we work for, that's a different matter. But if it's ours, we should be able to control whether tracking is enabled.

Security professionals need to realize that RFID tags are dumb devices. They listen, and they respond. Currently, they don't care who sends the signal. Anything your company's transceiver can detect, the bad guy's transceiver can detect. So don't be lulled into a false sense of security.

With RFID about to arrive in full force, don't be lulled at all. Major changes are coming, and not all of them will be positive. The law of unintended consequences is about to encounter surveillance devices smaller than the period at the end of this sentence.


Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Linux Phrasebook, is in stores now.


 

Copyright 2010, SecurityFocus