RFID: Readily Fooled Indeed
Among the presentations that raised eyebrows at the recent DefCon convention in Las Vegas was one from RFID Guardian: A portable device that "offers personal RFID security and privacy management for people," as the Website of the RFID Guardian Project puts it.
In other words, the RFID Guardian can detect RFID tags and readers in the immediate vicinity, emulate tags, and spoof RFID readers into believing that there are tags present when there are none, or that there are no tags when they're actually present.
Developed by a team led by Melanie Rieback, a Ph.D. student at Vrije University in the Netherlands, the Guardian is currently in the prototype stage. But Rieback, an American doing her graduate work under Professor Andrew Tanenbaum of Vrije, definitely sees it as the forerunner of a consumer device.
"As this technology becomes more and more prevalent, we want to make the whole RFID world transparent to consumers," explains Rieback. "So people can do something about all this RFID around them and make conscious choices about whether they want to have it."
The implications for providers and users of RFID technology are clear: If a handheld device can jam, fool, or otherwise disrupt RFID signals, the usefulness of RFID tags for theft-prevention, inventory tracking, and merchandise identification could quickly evaporate. Rieback offers one example: At a conference in Washington, D.C., she encountered an official from the U.S. Department of Commerce who mentioned that the federal government is considering using RFID tags to help secure classified documents.
"I said, 'Well you know there are tools out there that are capable of imitating more than one tag, or making it look like they're not there at all, right?'
"He turned white. Hopefully he went back to his superiors and said, 'Maybe this is not such a hot idea after all.' "
Security issues have quickly grown up around RFID technology as its uses in the marketplace have multiplied. Security researcher Jonathan Westhues, known for producing a "clone" of a Motorola Flexpass RFID "proximity card" for unlocking doors and similar applications, demonstrated earlier this year that he could do the same with a VeriChip -- an implantable RFID chip for various medical applications.
"It took me a month of evenings to clone my first Flexpass, with basically no equipment," Westhues writes on his Website. "Using my latest hardware, I was able to clone a VeriChip -- which, like the Flexpass, is an ID-only tag with no security -- with only a few hours' work."
"What's important to realize here is that RFID is a really good tracking technology that doesn't stand up at all to a determined attacker," observes Dan Kaminsky, senior security researcher for DoxPara Research. "The entire computer security community looks at RFID as a slow motion train wreck."
Rieback, who has published her work online and in academic journals, is a "white-hat" hacker who says she's alerting the RFID industry to the vulnerabilities inherent in the technology. "Yes, we've introduced this concept of the RFID Guardian and it has dual uses," Rieback explains. "It's the same with a chainsaw: You can use it for good or for bad. [The RFID industry] needs to be aware of the potential vulnerabilities, so they can take action to correct them."
What's more, says Rieback, the genesis of the RFID Guardian was a basic flaw in the technology design that keeps the cost of tags high.
"I realized it would be better to externally regulate the access to RFID tags, as opposed to having the access control mechanism on the tag itself," she explains. "If you offload the authentication controls and the access control to a full-fledged computer, then you can bring the cost per-tag down."
Security expert Richard Stiennon, the founder and chief research analyst at IT-Harvest Inc., doesn't quite buy that argument. Offloading the security and control mechanisms, he says, requires a third device. "Up to now if you incorporate those in the tag, then the total cost of management is much lower. Any time you introduce a third element like that you're increasing the complexity of the system."
Rieback and her colleagues are working on miniaturizing the Guardian components so that it can be plugged into -- or even built into -- a device like a PDA.
"The idea is if we can build something about the size of a little card, with a compact Flash interface, it's conceivable we could come up with a version that can be mass produced and then commercially distributed."
In the meantime, if you're worried about RFID readers in your environment, security experts suggest getting a Mylar-lined purse or backpack. "That's the passive line of defense as opposed to the active," notes Stiennon.
— Richard Martin, Senior Editor, Unstrung