by Chad Perrin
TechRepublic
07 October 2008

Have you wondered about the security implications of RFID chips in your
driver’s license, credit cards, and passport? The growing
prevalence of RFID transponders in these items, and others, can
raise security concerns. You should know what issues arise, and
what you can do about them.

Anyone who has read Cory Doctorow’s Little Brother—mentioned
in a previous article, "Five
good security reads"—should already have some inkling
of how RFID technologies can become liabilities. While the events
of Doctorow’s novel are unlikely to occur in the immediate
future, there are potential dangers to poorly implemented RFID
policies that can affect you right now.

Between the RFID chips in new US passports and similar measures required by
Department of Homeland Security regulations pursuant to the Real
ID Act of 2005, US citizens could very soon be walking
advertisements of their own personal information. Even the crudest
uses of such information—just detecting specific classes of
people based on the gross RF transponder characteristics of a
given nation’s passports, such as detecting the presence of US
citizens based on the manner in which data is encoded on passport
RFID chips—can lead to significant security problems. It has
been suggested, for instance, that a
person’s nationality, detected in proximity to an explosive
device, could be used to trigger the device. It’s a simple
way for a terrorist to make sure a bomb targets at least one
person of a targeted nationality.

This isn’t merely the domain of expensive projects by professionals.
Hobbyists can acquire and learn to use RFID “experimentation”
kits for under $100. Blaming the purveyors of such tools would be
the height of foolishness, of course, considering the many
legitimate and commercial uses for them; for instance, I may buy
an RFID reader in the foreseeable future to test for specific
types of radio frequency emission “leakage” as part of a
proposed business endeavor, and if I don’t have to pay more than
$100 to get it, I won’t. Since the business endeavor centers
around providing increased personal data security for customers,
trying to regulate the distribution of such tools could
potentially hurt security for a lot of people — especially since
those who would purchase a legally available kit to use for
nefarious purposes won’t be put off for long by making the
acquisition of such a device illegal. Lawbreakers are, by
definition, not deterred by laws.

There are some things you can do all by yourself to reduce your
vulnerability to the dangers of RFID chips in your wallet. They
range in effectiveness from “maybe effective, sometimes” all
the way to essentially impervious to circumvention. A few
solutions that rely to some extent on the ideas of physicist
Michael Faraday, who built the world’s first Faraday
cage circa 1836, follow. I list them in order from the most
easily employed to the most difficult — and, perhaps
coincidentally, from the least effective to the most effective.

- If you bundle cards
with RFID transponders in them closely, perhaps by stacking
them together and wrapping a rubber band or elastic hair tie
around them, the radio frequency emissions of each RFID chip
may interfere with those of the others (producing, obviously,
RFI). This is far from fool-proof, of course, and a good RFID
reader held close enough can sort out the signals.
- Most of you being IT
professionals, you have probably encountered the anti-static
bags in which many hard drives and PCI expansion cards are
delivered. Simply wrapping the RFID-chipped items in one of
these bags can significantly reduce the likelihood that your
data can be read remotely. It’s not the most professional
looking solution, but it may work for you in a pinch.
- You could wrap these
items in aluminum foil, which serves as a more effective
masking medium than you’re likely to get out of anti-static
bags. Unfortunately, foil rips easily and can be a pain to
wrap, unwrap, and rewrap over the course of the day every time
you want to pay for something with your PayPass Mastercard.
Perhaps worse than the inconvenience is the funny looks you
could get, and the inevitable joke from someone who may
identify you with the “tinfoil hat crowd”.
- Constructing your own
Faraday wallet using common materials like duct tape and
aluminum foil is entirely possible. It requires setting aside
some time to do so, however, and may require more than one try
to get it right. Such a project should be tested afterward, as
well, such as by placing a PayPass Mastercard in it (alone)
and trying to use it from within the wallet to determine
whether the payment point reader can detect the RFID chip —
or, better yet, by getting an RFID “experimentation” kit
and testing it properly.
- Finally, of course,
you could try disabling the RFID chips. It has been suggested
this could be accomplished by microwaving any items you
suspect contain the chips, but that route is fraught with
danger, not only to your microwave oven but also to the item
whose RFID chips you want to disable. By all accounts, the
things tend to “explode”, or at least pop with sparks and
occasional small flames, when microwaved.

The right way to handle it is to never get yourself in the position of
having to deal with it at all. You can urge your State and Federal
legislative representatives to oppose or revoke measures that
introduce more dangerous RFID technology into your life. There are
proper uses for this technology, such as inventory tracking in
warehouses, keeping track of the movements of participants in a
race more exactly than by the human eye so that precise timing can
be tracked, and research studies where the movements of subjects
must be tracked. Unprotected, constant RFID broadcast in passports
and driver’s licenses is just a recipe for security disaster.