RFID (Radio Frequency ID) tags are little paper stickers with circuitry hidden inside that can broadcast identification data when probed with the appropriate radio signal. They’re cheap, close to free, yet each one has a unique number, and that number is large enough that essentially everything in the universe can have its own tag. They’re extremely useful for things like warehouse inventory, where radio transponders can continuously query the entire contents, and track the location of each and every pallet, carton, and box on the shelves.
I have one on the windshield of my car; it automatically debits my account when I go through local tollbooths. Passports have them.
Credit card companies are starting to put them into what they call “contactless cards”. The day is coming when you walk into the grocery store, stuff things into a bag or into your pockets, and walk away without going through checkout.
There are even implantable versions that can be placed under the skin. Currently, these are used for pet identification, but there’s no reason why they can’t be used on humans.
Problem: it turns out that it’s fairly easy to spoof existing RFID systems, including those being used for critical applications such as passports and, well, credit cards.
The brilliant Discovery Channel science education show Mythbusters was planning to do an episode on testing ways to spoof RFID cards. They’ve done this before with things like radar detectors and alcohol breath testers.
Adam Savage, one of the show’s co-hosts, explains what happened when they tried to contact Texas Instruments, a major manufacturer of RFID tags and readers, while doing research for the show:
Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.
If the system is that weak, I don’t want it anywhere near my bank account, my security, my health care, or my anonymity. RFID is scary enough on its own, but this response shows that those pushing RFID know that it is bogus, and want to keep that quiet, rather than fixing the problems before chipping the whole world.
Let’s be clear: the plan is to make RFID mandatory, in driver’s licences and other forms of official ID. “Show us your papers” becomes obsolete if you can’t hide your papers, if they’re actually planted under your skin, and it gets worse if somebody can claim to be you by showing your “papers” in places you’ve never been.
Very, very scary.
From Consumerist, how to get everything about a credit card, while it’s in someone’s pocket, using a reader bought for $8 over eBay. This requires basically patting the victim’s wallet with the reader — but this is essentially electronic pickpocketing, and it’s not hard to extend the range of the reader.
The RFID Buzz blog goes into my daily feed so I can keep up.