Sunday, July 19, 2009

Much Ado about RFID Passports

Just read an interesting article on some guy going paranoid about RFID passports, thinking that he will get kidnapped or something just by reading the information stored in the RFID tag. Well, one thing is for certain. This guy does not know anything about RFID.

There are different kinds of RFID tags, and for the passive RFID tags, you'll need to get real close before you can detect the information stored in the tags. I used to handle RFID tags that could only be detected if it is tapped onto the antenna. Yes... It's that close. And guess what? These tags could not be detected if it's in close contact with a human body.

So rest assured that RFID passports won't subject you to constant scrutiny. Of course that is provided that such passive tags are in use. I do admit that there are active tags that have a longer range, but last I've heard, you still cannot detect such tags just by pointing an antenna towards a person.

RFID is not designed for such purposes.

7 comments:

Unknown said...

dude, all your data can be stolen easily

Anonymous said...

Precisely.

The "big brothers" are not going to tell u if they (eventually, if not already) have a device that can scan u and read ur RFID from 10 feet away...

chantc said...

Let me state another example. Singapore EZLink card is based on contactless technology, not unlike the RFID technology.

Do you think people will be able to deduct money from your ezlink card from 10 feet away?

Furthermore, do you know the strength of the antenna that must be used in order to detect a passive RFID tag from a distance? You'll get a headache just by standing within the field.

That is what I meant by paranoid. I've done RFID projects before and frankly, I don't see any of these "privacy" issues coming up.

Even though RFID has the capability of storing more information, that does not mean that they will store it inside the tags.

This is provided if someone designed the RFID project with security in mind though.

chantc said...

Just read an elvis e-passport article. I believe that this is a perfect example of a RFID project that was not designed with security in mind.

RFID is safe, if you take into consideration all these factors.

Anonymous said...

This is what you've been warned about: "Feds at DefCon Alarmed After RFIDs Scanned" (4 Aug 2009)

http://www.wired.com/threatlevel/2009/08/fed-rfid/

The commercial RFID stuff you've been dabbling with are using "mickey-mouse" equipment. The real stuff are not being released to the public.

As for "getting headache due to signal strength", that's just a logical-sounding argument to put the masses at ease: no headache => no powerful equipment => my data is safe. What they don't tell you is there are other ways of doing this (the guys at the conference weren't getting headaches) --- physics is more advanced that what they teach in school.

chantc said...

Thanks for the link. This is what I like about blogging. Sharing of information.

The headache thingie I was writing about was more on some experiences I had working on industrial RFID solutions. Granted I was right beside the controller and the antenna for a few weeks straight. :)

Anyway, I agree with what was written in the link you have posted. However, it's not clear on whether the RFID cards that were scanned are active/passive RFID tags.

I've not touched RFID tags for some time but my gut feel is that they are active RFID tags, which actually extends the range of the tags.

This boils down to my original point on whether the RFID solution is designed with security in mind. Talk to any of the RFID manufacturers and they can tell you on ways to limit the range of the RFID tag. It's just how you want to design the RFID tag. It is highly possible to have a passive RFID tag that could only be read when it's being tapped on the reader. The question is whether you want it to be. I guess that's also your original point.

RFID was previously touted for logistic solutions. How the product came to being in use in access control is beyond me. But if they are using it, it would be good to encrypt the information being stored in the RFID tag. There are ways to ensure that even with an employee ID, your cloned RFID tag cannot gain access to the main system.

Those doing RFID solutions should know what I'm talking about. :) Of course there's no such thing as fool-proof in software security. But technology is always upgrading itself.

Like to re-iterate. Sometimes it's not about the technology, but the way you use it. Design the solution with security in mind.

chantc said...

Just thought about what I posted previously and I realised that the "security" features I mentioned about to prevent cloning of the tags may not exist if one has knowledge on the circuitry of the RFID tags. My mistake...

I guess the only way that I know of to prevent cloning is to design the tag in such a way (passive) that readers can only read from it if the tag is tapped on the reader. The cheaper tags have this capability. :)

Visit Rhinestic's Knick Knacks @ Etsy for handmade goods and supplies!

Related Posts Plugin for WordPress, Blogger...