This is the most hysterical piece of security journalism I have read in a long time.

Through the sea of links, you are taken on a voyage of discovery, and the conclusions that can be made are:

1) There is a good living to me made from recycling other peoples material that you have found on the Internet.

2) Don't try to embellish the content if you don't know what you are talking about. You will be made to look a proper berk by someone who does.

As a real security professional (i.e. one that does not go around screaming that the sky is falling) and as someone who has worked with RFID for the military and for civilian uses (mainly Post Offices) for over six years, I find your article makes a number of glaring omissions that would allow any sensible human being to make a rational judgement about this technology.

Omissions:

1) Range verses size. Very basic issue. The smaller it is, the closer you have to be to it to pick up the signal. For a small passive tag we are talking inches (3-4 feet max). In order to track something from 200 yards (maximum range currently in use), you need an active tag (i.e. with a battery) and it has to be the size of a beer mat. I think you would notice it in your jeans. The signal generator in this case is also a non-trivial device. It is the size on a lamp-post and weights in excuss of 30Kg. Hardly PDA attachment material.
2)Storage area on the device is tiny. For the small passive devices you are referring to the storage area is less than 1Kilobyte.
Not much space for your medical records here.

3)The logic associated with the tyre scenario. The association of the vehicle number and the tyre would not be stored on the tag. There is no space, and Read/Write tags are much more expensive (and larger). Easy to overwrite also. So for your big brother is watching scenario, you would need to replace every lamp-post on every highway with a signal generator, have assess to the database that cross-references your vehicle ID with the tag ids, and be able to monitor all of the signal generators in real-time to see what was happening.

And all this just to find out where you are.
Are you really that important? I think ringing your mobile would be easier.

There is also a problem with reading many tags at once. The current limit is around 200 tags per second for the best sensor. The tag will respond and continue to respond at regular intervals (sub-second usually but dependant on set-up). Because they are all talking at once on the same frequency, the sensor cannot distinguish and ignore tags in real-time. It may recieve many responses from the same tag, and there is no way to tell the tag to shut up. So imagine the situation across a busy highway.

Hope this helps to re-assure people that it is very dangerous to listen to people who don't know what they are talking about.

Stefan Sokolowski CISSP
Security Director
Unisys
UK



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/169/20588#20588