
Saturday, 6 January 2007

Surely straight from the imagination of Charles Stross...

Dutch researchers have recently announced a piece of kit called "RFID Guardian", which sounds like something straight out of the devilish imagination of SF author Charles Stross (I'm still trying to finish the mind-boggling Accelerando). It could be one in the eye for the corporates and criminals who see ways of exploiting this chip technology, which is already being rolled out by supermarkets to track things like razor blades - a top shoplifted item.

As the inventors of the RFID Guardian explain on their web sites:
Radio Frequency Identification (RFID) is the latest phase in the decades-old trend of the miniaturization of computers. RFID transponders are tiny resource-limited computers that do not have a battery that needs periodic replacement, inductively powered by their external reading devices, called RFID readers. Once the RFID tag is activated, the tag then decodes the incoming query and produces an appropriate response by modulating the request signal, using one or more subcarrier frequencies. RFID Tags can do a limited amount of processing, and have a small amount (<1024 bits) of storage.

RFID tags are useful for a huge variety of applications, as well as open to abuse. Some of the applications include: supply chain management, automated payment, physical access control, counterfeit prevention, and smart homes and offices. RFID tags are also implanted in all kinds of personal and consumer goods, for example, passports, partially assembled cars, frozen dinners, ski-lift passes, clothing, and public transportation tickets.
Implantable RFID tags for animals allow concerned owners to label their pets and livestock. The Verichip Corporation has also created a slightly adapted implantable RFID chip, the size of a grain of rice, for use in humans. Since its introduction, the Verichip was approved by the US Food and Drug Administration, and this tiny chip is currently deployed in both commercial and medical systems.
This sounds similar to the technology we saw used in the original Star Trek series - Kirk and Spock adapted their subcutaneous transponders to escape a cell in the bizarre space Nazi story Patterns of Force. But I digress...
There are dangers to RFID, too. Businesses and governments are not the only ones interested in it. Civil liberties groups, hackers and criminals are also keenly interested in this new development, albeit for very different reasons. Civil liberties groups are concerned about RFID technology being used to invade people's privacy; RFID tags enable unethical individuals to snoop on people and surreptitiously collect data on them without their approval or even knowledge. For example, RFID-enabled public transit tickets could allow public transit managers to compile a dossier listing all of a person's travels in the past year -- information which may be of interest to the police, divorce lawyers, and others.

... A completely different category of threats arises when hackers or criminals cause valid RFID tags to behave in unexpected (and generally malicious) ways. Typically, computer-bound or mobile RFID readers query RFID tags for their unique identifier or on-tag data, which often serves as a database key or launches some real-world activity. For example, when an RFID reader at a supermarket checkout counter reads the tag on a product, the software driving it could add the item scanned to the list of the customer's purchases, tallying up the total after all products have been scanned.

Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.

The RFID Guardian that's been developed is what I call a mobile device - when it detects someone trying to query an RFID tag on your person (transit passes, perhaps even credit cards), it smartly looks up a previously compiled access control list to find out what to do. That could be nothing, or else the device will answer the query with data the user specifies, or else it will broadcast noise on the frequency in question to drown out the tag. Should it not have instructions for the tag in question, it asks the user for a decision.
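The decision flow described above, sketched in Python as an added example (this is not the RFID Guardian's own code). The tag names, the `Rule` and `Guardian` classes, remembering the user's choice, and jamming when the user gives no answer are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    NOTHING = "nothing"  # stay silent; the real tag answers the reader itself
    ANSWER = "answer"    # reply with data the user specified
    JAM = "jam"          # broadcast noise on the frequency to drown out the tag


@dataclass(frozen=True)
class Rule:
    action: Action
    reply: bytes = b""   # only used with Action.ANSWER

    def __post_init__(self):
        if self.action is Action.ANSWER and not self.reply:
            raise ValueError("ANSWER rule needs reply data")
        # Assumption: a substitute reply must fit the <1024 bits of tag storage.
        if len(self.reply) * 8 >= 1024:
            raise ValueError("reply does not fit in a tag")


class Guardian:
    def __init__(self, acl: Dict[str, Rule],
                 ask_user: Callable[[str], Optional[Rule]]):
        self.acl = dict(acl)
        self.ask_user = ask_user
        self.log: List[Tuple[str, str, str]] = []  # (tag, action, source)

    def on_query(self, tag_id: str) -> Rule:
        """Decide what to do when a reader queries one of the user's tags."""
        rule, source = self.acl.get(tag_id), "acl"
        if rule is None:
            rule, source = self.ask_user(tag_id), "user"
            if rule is None:
                # Assumption: no answer from the user means jam, and is not saved.
                rule, source = Rule(Action.JAM), "default"
            else:
                self.acl[tag_id] = rule  # Assumption: remember the user's choice
        self.log.append((tag_id, rule.action.value, source))
        return rule


# Constructed sample policy and tag names.
SAMPLE_ACL = {
    "transit-pass": Rule(Action.NOTHING),
    "credit-card": Rule(Action.JAM),
    "passport": Rule(Action.ANSWER, reply=b"\x00" * 8),
}
```

The `log` list keeps a record of every query and which source decided it, so the owner can review what was scanned and how it was handled.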

BoingBoing describes it as "a must-read paper for anyone who cares about electronic privacy and who wants to catch a glimpse of the future".

With the interest in these things constantly on the rise, there's a lot of concern about the civil liberty implications of this technology, and the dangers they pose. More at: www.rfidvirus.org and www.rfidguardian.org

Lest you think all this a bit way out, students at the University of Washington have developed a device which can track the RFID technology used in the Nike+/iPod setup, enabling someone to track or, more scarily, stalk a user. It seems that because the technology used isn't encrypted, the transmitter in your Nike+ sneaker can be read up to 60 feet away. So a stalker would quickly be able to build up a picture of that person's habits while using the setup, opening them up to all sorts of potential dangers, not least of which being that the stalker would know when the person was out of their house.

CNN reported on the invention after security expert Bruce Schneier described the issues raised as "very scary" on his informative blog. Because the radio frequency identification, or RFID, transmitter broadcasts a unique identifier, people can be tracked by it, the University of Washington researchers said in their paper on Nike+iPod Sport Kit. The team said they built a surveillance device, which cost about $250, and integrated the surveillance system with Google Maps.
