Archive for January, 2005
More on RFID Authentication Scheme Cracking
Sunday, January 30th, 2005
The Web site http://www.rfidanalysis.org/ has a wealth of information from the researchers who carried out the RFID authentication scheme cracking, including some helpful background on RFID more generally.
RFID-based Authentication Scheme Cracked
Saturday, January 29th, 2005
A research team at Johns Hopkins has found a means to crack an RFID-based authentication system used for car ignitions.
The radio-frequency security system being used in more than 150 million new Fords, Toyotas and Nissans involves a transponder chip embedded in the key and a reader inside the car. If the reader does not recognize the transponder, the car will not start, even if the key inserted in the ignition is the correct one.
It’s similar to the new gasoline purchase system in which a reader inside the gas pump is able to recognize a small key-chain tag when the tag is waved in front of it. The transaction is then charged to the tag owner’s credit card.
Researchers said they were able to crack that code, too.
“We stole our own car, and we bought gas stealing from our own credit card,” said Avi Rubin, a professor of computer science at Johns Hopkins who led the research team.
Texas Instruments, which is responsible for the system’s development, claims that the exploit is too cumbersome to be practical for thieves; the researchers suggest that car owners be provided with metallic sheaths to protect the keys from eavesdropping when not in use.
U.S. House of Representatives and RFID
Friday, January 28th, 2005
The U.S. House of Representatives has issued a solicitation for information on RFID applications for personnel tracking:
“The United States House of Representatives (USHR) is soliciting industry for commercially available products that can provide an integrated technological solution for accounting for building occupants immediately following building evacuations and, during the immediate 24-hour period thereafter, the status of all House building occupants (Members, staff, contractors/vendors and visitors)…”
Of course, for every use there’s a potential abuse… if this were implemented as some sort of “active badge” scheme to track individuals (albeit through a kind of “point surveillance,” knowing that they’re near/passing given points, and not a continuous awareness), one could imagine being able to intuit interesting things from traffic patterns. The sense of the solicitation is for a system that would be turned on only upon need (e.g., to know if everyone in the building is safely out of the building); some care ought to be taken in system design to ensure that all data not necessary to that primary purpose is deidentified or destroyed.
Congressional Internet Caucus Solicits RFID Demos
Thursday, January 27th, 2005
“The Congressional Internet Caucus — in conjunction with its Advisory Committee — is organizing an RFID Technology Exhibition & Policy Primer for Members of Congress and staff on Wednesday, March 9, 2005 in the Hart Senate Office Building. The event will feature demonstrations of RFID technology designed to introduce policymakers to the technology and to the burgeoning marketplace.
The policy primer portion of the event will introduce policymakers to the associated policy considerations that may include privacy, security, health, and spectrum…”
Bottom-Up Integration of a Surveillance State
Wednesday, January 26th, 2005
On the SV_RFID list (Yahoo! Groups), it was asked:
> So who is going to build the infrastructure in order to support RFID? Or are
> we expecting that mesh networks will integrate all of the sensors and do this
> by 2015?
My response:
I think your question is akin to asking, in 1990, “Who’s going to build this ‘Internet’ thing?” I think we’ll all be surprised by what all grows…
And I think our “surveillance state” concerns ought to extend to watching out for that same kind of bottom-up integration. I wrote something a while back, commenting on a skeptical view of privacy threats by AIM Global, wherein it was suggested that no way would we see a nationwide, government-constructed RFID surveillance network.
What likely won’t happen is the government sinking $1T into a network. What will happen will be $1T worth of private-sector investment in command, control & communications, which, over time, will become more and more tightly integrated. So, per that posting, all of the banks will want to join in to a common network for anti-crime support. Or all of the highways will be integrated, to smooth and shape vehicular traffic. And malls will collect and barter demographic and traffic information, wherever they might be able to make a marginal buck. And critical transportation hubs will be strewn with government sensors; some of those data will likely be provided to private sector collectors, perhaps swapped for the data the airlines are being pressured for. etc., etc.
Having monitored NSF, DARPA and other DOD awards over the past year or so, there’s a ton of attention going into sensor networks, including autonomous, self-organized ones. By 2015, I don’t think the question will be, “How are all these things going to integrate?,” but, “Anyone remember when all these things weren’t integrated?”
Abercrombie & Fitch Plans for RFID
Wednesday, January 26th, 2005
Abercrombie & Fitch have announced plans for testing and possible use of RFID in tagging retail consumer goods.
…
Today at the RFID ROI Summit, Neco Can, senior director of application development at Abercrombie & Fitch, said the retailer is trialling the technology.
He told silicon.com: “We’re testing it. We’ve got a couple of plans, we’re looking carefully at it.”
“We’re seeing whether it’s doable or not,” he added. “Everybody is [looking at RFID].”
When questioned on whether Abercrombie & Fitch is looking at case- and pallet-level tagging, Can said: “I don’t believe the case model is the right one,” and added Abercrombie & Fitch’s supply chain would be best suited to item-level tagging.
…
ALA Resolution on RFID
Tuesday, January 25th, 2005
The American Library Association’s resolution on RFID:
From: owner-member-forum@ala.org [mailto:owner-member-forum@ala.org] On Behalf Of Don Wood
Sent: Tuesday, January 25, 2005 7:43 AM
To: member-forum@ala.org
Subject: [MEMBER-FORUM:378] RESOLUTION ON RADIO FREQUENCY IDENTIFICATION (RFID) TECHNOLOGY AND PRIVACY PRINCIPLES
RESOLUTION ON RADIO FREQUENCY IDENTIFICATION (RFID) TECHNOLOGY AND PRIVACY PRINCIPLES
WHEREAS, Radio Frequency Identification (RFID) is a technology that uses various electronic devices, such as microchip tags, tag readers, computer servers, and software, to automate library transactions; and
WHEREAS, the use of RFID technology promises to improve library operations by increasing the efficiency of library transactions, reducing workplace injuries, and improving services to library users; and
WHEREAS, many libraries are adopting or in the process of adopting RFID technology to automate library circulation, inventory management, and security control; and
WHEREAS, consumers, consumer groups, librarians, and library users have raised concerns about the misuse of RFID technology to collect information on library users’ reading habits and other activities without their consent or knowledge; and
WHEREAS, protecting user privacy and confidentiality has long been an integral part of the mission of libraries; and
WHEREAS, the ALA Code of Ethics states, “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted”; and
WHEREAS, Privacy: An Interpretation of the Library Bill of Rights states that “The American Library Association affirms that rights of privacy are necessary for intellectual freedom and are fundamental to the ethics and practice of librarianship,” and calls upon librarians “to maintain an environment respectful and protective of the privacy of all users”; and
WHEREAS, the ALA Intellectual Freedom Committee recognizes the importance of developing policies and guidelines for appropriate implementation of RFID technology in light of the profession’s commitment to preserving user privacy and its concern for preserving the trust of library users; and
WHEREAS, the ALA Intellectual Freedom Committee and the ALA Office for Information Technology Policy, recognizing the immediate need to draft privacy principles to protect and promote ALA’s values, joined with the Book Industry Study Group (BISG) to form a working group dedicated to developing a set of privacy principles to govern the use of RFID technology by all organizations and industries related to the creation, publication, distribution, and retail sale of books and their use in libraries; now, therefore, let it be
RESOLVED, that the American Library Association endorse the “BISG Policy Statement Policy #002: RFID – Radio Frequency Identification Privacy Principle” (Exhibit I) developed by the IFC and the OITP with the BISG and other working groups; and be it further
RESOLVED, that ALA affirm established privacy norms within and across the business, government, educational, and nonprofit spectrum, specifically acknowledging two essential privacy norms:
• Data transferred among trading partners related to customer and/or patron transactions shall be used solely for related business practices and no unauthorized transaction shall be permitted.
• Data related to customer and/or patron transactions shall not compromise standard confidentiality agreements among trading partners or information users; and be it further
RESOLVED, that the ALA adopt the following “RFID Privacy Principles” developed by the IFC and OITP with the BISG RFID working group:
All businesses, organizations, libraries, educational institutions and non-profits that buy, sell, loan, or otherwise make available books and other content to the public utilizing RFID technologies shall:
1) Implement and enforce an up-to-date organizational privacy policy that gives notice and full disclosure as to the use, terms of use, and any change in the terms of use for data collected via new technologies and processes, including RFID.
2) Ensure that no personal information is recorded on RFID tags which, however, may contain a variety of transactional data.
3) Protect data by reasonable security safeguards against interpretation by any unauthorized third party.
4) Comply with relevant federal, state, and local laws as well as industry best practices and policies.
5) Ensure that the four principles outlined above must be verifiable by an independent audit; and be it further
RESOLVED, that the ALA continue to monitor and to address concerns about the potential misuse of RFID technology to collect information on library users’ reading habits and other activities without their consent or knowledge; and be it further
RESOLVED, that the ALA develop implementation guidelines for the use of RFID technologies in libraries.
*****************
Adopted by the ALA Council
January 19, 2005
Boston, Massachusetts
GPS and Pervasive Monitoring
Sunday, January 16th, 2005
Discussion of GPS and pervasive monitoring.
[Satellite Security Systems Inc.'s] clients include school districts such as the District and Fairfax County, state and federal government agencies, police departments and companies. But there are plenty of individual customers, too — people interested in keeping tabs on new teenage drivers, Alzheimer’s patients, philandering spouses.
…
D.C. Public Schools is taking a more aggressive approach to monitoring. The information it receives on each bus and child is detailed: a driver’s route throughout the day, when the bus stops, when the doors open and close, the speed, and when the ignition is turned on or off. The system also features a database that will hold information on all the children — names, addresses, contact information, disabilities, allergies and when their school day begins and ends.
Where RFID will be largely a “point surveillance” technology, GPS provides a more continuous track, at the cost, of course, of requiring the target’s willingness to be observed (apart from those situations where a covert device is used).