Friday, October 28, 2005

RFID, A Necessary Evil; or an Invasion of Privacy?

With the State Department's (United States) announcement of adding RFID (Radio Frequency ID) chips to passports, the controversies surrounding this technology are again making headlines. Please note that other countries, especially in the European Union, are also implementing RFID technology for identification purposes.

The Pakistan Passport Authority is already using RFID tags in its passports. This might be an interesting place to study its effectiveness because Pakistan seems to continue to be a sanctuary for terrorists and is known to be an origin and transshipment point for a lot of drug smuggling.

In recent years, RFID has been the "buzz word" in the security industry; however, there are those who challenge its long-term effectiveness. There are also those who fear that it will be abused, violating our rights to privacy, and even others from the religious community who fear RFID is the mark of the beast mentioned in the Book of Revelation (Revelation 13:16).

The definition of RFID in Wikipedia is "an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source."

The proverbial question is whether RFID is a necessary means of protecting ourselves, or whether in the end the technology will be abused to violate privacy, as spyware and adware have already done.

This technology has been around for a while. Currently, Wal-Mart and the United States Department of Defense are using this technology to manage their supply chains, as well as to prevent pilferage and theft. With decreasing costs, we can expect to see a lot more of this technology deployed by both the private and public sectors in the near term.

Besides being used for identification, RFID tags are being used as quick pay devices for fuel and tolls, as theft tracking devices, and to track animals; some have even been implanted in humans.

One of the security concerns already raised is that if the ability to read the tags is too universal, they could pose a risk to personal location privacy, especially in corporate/military environments. Another concern being raised by privacy groups is RFID devices embedded in products (which aren't removed when purchased) that could be tracked from great distances. Because of this, they could be used for so-called "marketing" purposes, which invade personal privacy.

There are also concerns that these "tags" could be cloned.

If these tags could be cloned, they could be used in producing false identification, which is alarming considering the technology is being used for high security applications like "proximity cards used to access secure facilities, or vehicle immobilizer anti-theft systems which use an RFID tag embedded in the vehicle key. It is also a problem when RFID is used for payment systems, such as contactless credit cards (Blink, ExpressPay), the ExxonMobil Speedpass, and even in RFID enhanced casino chips."

"With wireless technology, RFID tags can be scanned from afar. Because of this, there is even more potential for abuse than the reencoding of magnetic stripe technology. There are defenses built into these tags, which fall into two categories. There are those use "cryptographic protocols. A typical example of the "RF-based" defense relies on the fact that passive RFID tags can only be activated by a reader in close proximity, due to the limited transmission range of the magnetic field used to power the tag. RFID manufacturers and customers occasionally cite this limitation as a security feature which (intentionally or otherwise) has the effect of limiting scanning range. However, while this approach may be successful against direct tag scanning, it does not necessarily prevent "eavesdropping" attacks, in which an attacker overhears a tag's response to a nearby, authorized reader. Under ideal conditions, these attacks have proven successful against some RFID tags at a range of more than sixty feet."

"A second class of defense uses cryptography to prevent tag cloning. Some tags use a form of "rolling code" scheme, wherein the tag identifier information changes after each scan, thus reducing the usefulness of observed responses. More sophisticated devices engage in challenge-response protocols where the tag interacts with the reader. In these protocols, secret tag information is never sent over the insecure communication channel between tag and reader. Rather, the reader issues a challenge to the tag, which responds with a result computed using a cryptographic circuit keyed with some secret value. Such protocols may be based on symmetric or public key cryptography. Cryptographically-enabled tags typically have dramatically higher cost and power requirements than simpler equivalents, and as a result, deployment of these tags is much more limited. This cost/power limitation has led some manufacturers to implement cryptographic tags using substantially weakened, or proprietary encryption schemes, which do not necessarily resist sophisticated attack."
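The difference between a tag that always returns the same identifier and a challenge-response tag, as an added example that is not part of the original post or the quoted text. It assumes HMAC-SHA256 as the keyed function, a 16-byte random challenge, and hypothetical class names; real tags use their own circuits and key sizes.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    # No cryptography: every query gets the same identifier.
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id

class ChallengeResponseTag:
    # Holds a secret key; answers HMAC-SHA256(key, challenge), never the key.
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayDevice:
    # Models a clone built from one overheard response: it can only repeat it.
    def __init__(self, overheard: bytes):
        self.overheard = overheard
    def respond(self, challenge: bytes) -> bytes:
        return self.overheard

def static_reader_accepts(tag, enrolled_id: bytes) -> bool:
    return hmac.compare_digest(tag.respond(b""), enrolled_id)

def cr_reader_accepts(tag, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh and unpredictable on every scan
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

def demo() -> dict:
    tag_id = b"CONSTRUCTED-TAG-0001"  # constructed sample identifier
    key = secrets.token_bytes(32)     # secret provisioned in both tag and reader
    static_tag, cr_tag = StaticTag(tag_id), ChallengeResponseTag(key)
    # One legitimate scan of each tag, as overheard on the radio channel:
    heard_static = static_tag.respond(b"")
    heard_cr = cr_tag.respond(secrets.token_bytes(16))
    return {
        "genuine_static": static_reader_accepts(static_tag, tag_id),
        "replayed_static": static_reader_accepts(ReplayDevice(heard_static), tag_id),
        "genuine_cr": cr_reader_accepts(cr_tag, key),
        "replayed_cr": cr_reader_accepts(ReplayDevice(heard_cr), key),
    }

if __name__ == "__main__":
    print(demo())
```

The overheard static identifier is accepted on replay, while the overheard challenge-response answer is rejected because the reader issues a new challenge each time. That protection holds only as long as the key and the keyed function resist attack, which is the weakness the quoted passage attributes to weakened or proprietary schemes.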

Last, but not least, there are "social" factors to be considered. Even with the best technology available, we have seen many technologies "hacked" that are supposed to protect us today. In the past couple of years, we have also seen massive data intrusions, many of which were accomplished by simple theft and/or insider collusion.

In fact, a lot of the organized gangs committing fraud today have access to a lot of displaced "highly educated" computer scientists, who already assist them in hacking technology at every turn for their criminal purposes. This is especially true of the area formerly known as the Soviet Union, where a lot of these gangs are based.

One of the reasons we are considering this technology is certainly the 9-11 attacks. We can implement the best technology available; however, unless it is worldwide, the "bad and the ugly" will be able to obtain identification based on other identification. In fact, several of the 9-11 attackers did just this in Virginia. In other words, it probably wouldn't have made any difference if RFID technology had been in place in the 9-11 disaster.

Technology is merely a tool. Even though it continues to amaze me how quickly it advances, it doesn't replace the human mind. While RFID technology is a tool to use for our protection, we must continue to examine whether or not it has potential for abuse.
