Penetration Testing mailing list archives

Re: RFID Tags


From: "lsi" <stuart () cyberdelix net>
Date: Fri, 21 May 2004 14:10:47 +0100

An article on today's Register continues our thread:

http://www.theregister.co.uk/2004/05/20/us_passports/

It notes the possibility of RFIDs being used to support kidnapping; 
I'll widen that and say they could be used as invisible Gold Stars 
(all Jews in Nazi Germany were forced to wear a gold star to identify 
them).  They would provide the technical infrastructure for 
systematic discrimination of all kinds.

The 3D map of all tags in range is fascinating, but I suspect there
may be some issues with building usable hardware into a concealable
form.  We're assuming "Badguy gets onto a train to scan" situation. 
If I can place my equipment ON the train beforehand, my life (as the
scanner) gets dramatically easier. 

A lone wolf might have a hard time managing the complexity.  A team 
of people might be more effective - a widely deployed, State-operated 
system would have no trouble, however.

At least until someone brings his Pocket Pal RFID Jam-O-Matic 2000 to work.

This will be classified as a crime (and may be already).

Couple this with the Big Database of All RFIDs in the Known Universe, 
and you have a device that can instantly identify and geolocate 
high-value targets, or targets matching specific criteria.

A bit big-brothery, but certainly conceivable.  Of course, there is
the search time on what will become an insanely large database.  If my
antagonist is portable, there are communications issues too.  Plus the
ongoing issue of trying to locate and sort through the huge number of
signals you're bound to get in a crowd. 
 
I don't put this past the Three Letter Acronym folks

Well yes.  And we're coming to the point now.  Those folks are 
actually proposing to put RFIDs in passports, among other things.  
Quite aside from minding whether, say, the NSA can know exactly where 
you have been - there is more than one TLA!

Does the NSA really want the FSB/KGB, ISI, PRC and XYZ to *also* know 
exactly where you have been???

Hang on - we can *write* to these things!  Does the NSA really want 
other TLAs to be able to *write* to the passports of every US 
citizen???

the case, is it not possible to simply transmit a higher 
power signal, and thus boost the response from the tag to 
gain more range? 

Higher power, based on what?  And what about the nearer RFIDs you cook while
trying to get enough power to the ones that are further away?  And of course
this assumes that you can get enough gain without overloading all of them
(or cooking your own gonads).

This attack is not suitable for all scenarios, as you note.  However 
it would be suitable for a targeted attack on a specific individual, 
as the distance between the attacker and the victim could be 
controlled by the attacker.  The attackers would of course wear foil 
underwear.

Agreed.  For a targeted attack, I could simply arrange to walk along
next to Mister CEO Target Guy for a block or so while he's on his way
to work (we're still working from the Bus/Train scenario).  Other
situations would require different tactics, but most aren't especially
difficult to arrange.  

Actually, for this one I had in mind RFIDs in a supposedly "secure" 
area.  The window of a warehouse containing RFID-enabled kit might 
provide a means for an attacker to get inside the system, possibly 
using a high-power transceiver to extend the range of the RFID zone 
to her vehicle parked outside.

shoesize.  Stores in competition with one another could monitor the 
spending habits of people simply walking through their doors - no 

I'm sure the stores would LOVE to know all that information.  Which
begs the question.  If you, as a store, know the capability exists and
that your competitors are using it, will you leave your merchandise
tags "live" when they leave the store?  You already have the customer
information on what they bought.  The tags are potentially more
valuable to the competition than they are to you. 

A market-based incentive for privacy?  Excellent...

It seems to me that without authentication, these things are at best, 
useless, and at worst, an open door for criminal activity.

I disagree.  They're very useful for some of the functions they're
being employed for: inventory tracking, anti-theft, etc.  There are
other potential benign uses for them, and some of the more
"intelligent" tags show potential - if they include authentication
of some form as you suggest. 

I understand what you're saying - you're saying that they currently 
work as advertised...
The reason I say they are useless, despite working as advertised, is 
because at the end of the day, the organisations using RFID need to 
be able to *depend* on the information coming out of an RFID system.  
There is no point Walmart deploying a massive RFID network if it can 
be disrupted by some kids around the corner with a home-baked 
walkie-talkie.

More than this - the DOD reportedly uses RFID.  Do they intend that 
military assets be the subject of snooping, tampering, theft, 
impersonation, and corruption, possibly by foreign intelligence 
services and organised crime?  I think not.

Stuart

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)
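The authentication point argued in the exchange above (a tag that "works as advertised" but answers any reader with a fixed identifier, versus one that includes "authentication of some form") is easier to reason about with a small model. The following Python is an added illustration, not code from the original post or from any RFID vendor: the two tag classes, the reader, the identifier and the key are all constructed for the demonstration. It shows why a static-ID reply can be recorded and presented again indistinguishably from the real tag, why an HMAC reply bound to a fresh reader nonce cannot be reused, and the caveat that authentication alone does not stop tracking, since the identifier is still sent in the clear.

```python
import hashlib
import hmac
import secrets

# Constructed demo identifier and key; not real RFID data.
TAG_UID = b"\x04\x11\x22\x33\x44\x55\x66"
TAG_KEY = secrets.token_bytes(16)  # shared only between the issuer and this one tag


class StaticIdTag:
    """Model of a plain tag: whatever the reader sends, the tag replies with its
    fixed identifier. Nothing ties the reply to this reader or to this moment."""

    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return {"uid": self.uid}  # the challenge is ignored entirely


class AuthenticatedTag:
    """Model of a tag holding a secret key: it answers a reader nonce with an
    HMAC over (nonce || uid), so only a key holder can form a valid reply."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.uid, hashlib.sha256).digest()
        # Truncated authenticator, as a constrained tag would send; 8 bytes is an
        # assumption for the demo, not a property of any real tag.
        return {"uid": self.uid, "mac": mac[:8]}


class Reader:
    """Reader that knows the keys of the tags it is entitled to accept."""

    def __init__(self, keys_by_uid):
        self._keys = keys_by_uid

    def new_challenge(self):
        return secrets.token_bytes(8)  # fresh random nonce per interrogation

    def accepts(self, challenge, response):
        key = self._keys.get(response.get("uid"))
        if key is None or "mac" not in response:
            return False  # unknown tag, or a tag that offers no proof at all
        expected = hmac.new(key, challenge + response["uid"], hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, response["mac"])


def static_reply_is_reusable(tag):
    """Record one reply and compare it with a later one: for a static-ID tag they
    are identical, so a recording stands in for the tag."""
    captured = tag.respond(b"first-read")
    return tag.respond(b"later-read") == captured


def replay_against_authenticated(tag, reader):
    """Record a genuine reply to one challenge and present it to a new one.
    Returns (genuine_accepted, replay_accepted)."""
    c1 = reader.new_challenge()
    captured = tag.respond(c1)
    genuine_ok = reader.accepts(c1, captured)
    c2 = reader.new_challenge()
    replay_ok = reader.accepts(c2, captured)
    return genuine_ok, replay_ok


def uid_visible_to_keyless_reader(tag):
    """A reader with no key still learns the uid from the reply, so authentication
    prevents impersonation but not the tracking discussed in the thread."""
    return tag.respond(b"anyone-can-ask")["uid"]


if __name__ == "__main__":
    plain = StaticIdTag(TAG_UID)
    authed = AuthenticatedTag(TAG_UID, TAG_KEY)
    reader = Reader({TAG_UID: TAG_KEY})
    print("static reply reusable:", static_reply_is_reusable(plain))
    print("(genuine, replay) accepted:", replay_against_authenticated(authed, reader))
    print("uid readable without key:", uid_visible_to_keyless_reader(authed).hex())
```

The reader verifies with `hmac.compare_digest` rather than `==` so that checking the authenticator is not itself a timing side channel, and it rejects any reply that carries no `mac` at all, which is what turns the "depend on the information" requirement in the post into an enforceable property: a system that accepts bare identifiers has nothing to depend on.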

