Thursday, May 25, 2006

RFID "Security" failings

There is an interesting article on RFID's security problems. "RFID" means "Radio Frequency Identification" and is being touted as the newest way to track goods and services, and people. An RFID tag emits a response when activated by a scanner or other device. So, if you have an RFID tag on a shipping container, a scanner can quickly and easily ID the container from a few feed or yards away, without the need for line-of-sight visibility. So, if you have a frighter full of hundreds of thousands of containers, or a Fedex truck filled with hundreds of RFID'd shipments, a scanner can scan all of them, and quickly know what is in the freighter or truck. Much easier than scanning each one individually using barcodes, say.

With "easy" comes "easy to hack," or break into. Wired has an article showing that this can easily be done. Good reading, and informative. The bottom line is -- once again, we have a cool technology that is not "ready for primetime" that is being pushed for adoption before the kinks are "dekinked." Wal-Mart is pushing the technology because it will save them a lot of money in logistics. However, at what cost? When leave the Wal-Mart parking lot after you buy that RFID'd stuff, can some thief scan you as you leave, follow you home or hijack you and steal it? If you have an RFID passport, can some random person walk by you and pull your ID without even touching you? Can a walk in downtown Manhattan or LA result in a thousand thieves reading your personal information from your RFID tagged ID cards? That is the issue, and the issue is not yet resolved. My guess is that the security issues will be addressed, but not fully, because of the huge profit potential. Just as the financial services companies do not yet have an incentive to really ensure online transactions are really coming from you, RFID users are not incented to protect your privacy. So, my advice is, beware and cautious when dealing with this technology, both as a consumer and as a user.

Other articles on this include an article from Techworld from last year, and InformationWeek from November, 2004. This has been an issue for a while, and it is still a problem, showing that this is not an easy problem to solve -- so, again, treat RFID with suspicion.