Home > Uncategorized > RFID: the blabbermouth in your pocket

RFID: the blabbermouth in your pocket

February 5, 2009

The story has been making the rounds of a security researcher who was able to drive around and swipe information from RFID passports and ID cards.  It’s scary stuff, and it got me thinking.

RFID chips are widely misunderstood.  Many people envision them as broadcasting information, even spying on the carrier.  But they’re not that energetic.  The majority of them just pick up some inducted power from a handheld reader,  then broadcast an identifying number in response, back to the reader.  The problem is that the range (normally a few inches or feet) can be significantly enhanced if the reader is modified with a directional antenna.  So if you could interrupt the induction power signal, and further interrupt the broadcast response, you’d greatly limit the range of the RFID chip.

I just happened to have a crude, if somewhat specialized signal-strength meter in my pocket; a cell phone.  The picture above shows I have really good signal in my kitchen; five bars.  Drop the phone in a silver anti-static bag, though, and it drops to one bar.  (The bright part on the second picture is just a reflection of my ceiling lamp off the silver bag.)

For a device like an RFID chip, that would be one-fifth the power, plus attenuating the resulting broadcast response by four-fifths as well.  Schlepp that through the inverse-square law and the bad guy would have to start carrying an awfully large antenna.  He’d have to aim it very carefully, too.

This is just a crappy, ‘materials-on-hand’ demonstration.  Silver anti-static bags, like the kind electronic parts come in, aren’t made for RF shielding; they just need to be slightly conductive on the surface, to dissipate static electricity before it can zap delicate components.  A ‘full metal jacket’, like an aluminum-foil lined bag, should stop RF communication cold.  I wonder if that’ll become standard for passport folders and wallets someday?

This is not to say that RFID chips in cards are a good idea; they’re not.  Chips in cards are fine, but chips at a distance, no thank you.  I suggest you take the foil wrapper from a Hershey bar and wrap it around your RFID cards.

Categories: Uncategorized
  1. February 5, 2009 at 05:21 | #1

    I’m going to have to start asking my customers who’re complaining about their lack of cell phone signal if they’ve put their phone in an anti-static bag.  LOL.  Awesome demonstration – I may have to start sending them your picture when they don’t believe that cell signals are easily deflected.

    I’ll have to remember your advice when I’m finally forced to carry something with an RFID tag.  What an excuse to buy chocolate!

  2. February 5, 2009 at 06:11 | #2

    a little more expensive and nicer looking… you might try this wallet from thinkgeek:

    RFID Blocking Passport Billfold and RFID Blocking Wallet

  3. February 5, 2009 at 08:21 | #3

    Dana – Feel free to send the picture out.  And I’m pretty sure you’d get superior shielding if the wrapper came from an oversize bar! 

    vw bug, thanks!  I’m definitely going to recommend these to my friends. (I followed your link and discovered they have both a passport folio and a wallet.  Hope you don’t mind I added the wallet to your comment.)

  4. james old guy
    February 5, 2009 at 09:18 | #4

    ROFLMAO, it is amazing what people will believe. Since I work with both Passive and active RFID, I could tell you the truth but this is so much more fun. Go make someone happy buy a wallet. Once again ROFLMAO.

  5. February 5, 2009 at 10:00 | #5

    Once again JOG behaves like a jerk.  Fortunately for us, there are people who are not jerks who also work with this technology; perhaps one of them will stop by.

  6. james old guy
    February 5, 2009 at 13:59 | #6

    I really don’t care if you think I am a jerk but I did think a man who had posted other material that was a lot closer to the truth would question this. Now I can’t go into details but do you really think that identification data does not have some sort of encryption and verification built into what is really nothing more than a computer chip? Do you really think that with all the money utilitzed in the RFID industry the thought of copies and verification hasn’t been addressed? Here is a big hint, all active tags are serialized and the serial number is never duplicated. While far from perfect the system is a bit more secure than is indicated.

  7. February 5, 2009 at 15:26 | #7

    James, I believe you relish the idea that people think you are a jerk; you show up and drop insults, proclaim your superiority, and brag about how you’re laughing at others, but forget to add anything constructive to the conversation.

    I wrote this post in response to a specific news item that people are hearing about.  Without addressing encryption issues specifically, I wanted to note that it isn’t terribly difficult to mitigate risk (to whatever extent there is any risk) by blocking signals.  I’m just not wired to accept assurances from authorities that they have the problem all taken care of. 

    Your faith in RFID encryption is touching, almost childlike.  Did you really think I was not aware that RFID tags in ID passports are encrypted?  I am also aware that encryption is not bulletproof, despite manufacturer’s claims.  Security expert Bruce Schneier isn’t too happy with RFID passports either.

  8. Still Me
    February 5, 2009 at 23:29 | #8

    I wonder if you could just wrap your passport in aluminum foil?  Is that right?

  9. fergie in Bloomington
    February 6, 2009 at 02:52 | #9

    please tell me:  what is RFID?

  10. James Old Guy
    February 6, 2009 at 07:37 | #10

    “Bruce Schneier writes often on security subjects”
    See now that is the problem. Just because someone writes about something is no justification about being an expert.  I don’t have a child like faith in much of anything but I do realize when the fear mongers are out and blowing smoke.  First of all a pass port is only useful for a limited number of things. Its primary purpose in life is to identify the person holding the passport.  Now let’s walk through the basics. You walk up to the customs agent as the port of entry. You present your pass port and he runs it through an RFI reader. This is linked to his computer and your face pops up on the screen this was from the picture you supplied to the processing center through your local post office or authorized agency to submit your application.  So now the problem isn’t with the RFI chip it’s with the basic system. Your passport is nothing more than a means of communications to a huge data base.  So why bother with trying to duplicate an RFI tag when is much simpler to get a real passport using false information. I worry a whole lot more about the process of data collection being valid than the RFI technology on the other end.  A much larger concern is the ability to overwrite tags on cargo containers changing the contents to read what ever is desired. Any tag is only as good or bad as the data base its linked too and the security around that data base.
    I have enjoyed reading this blog but I won’t be returning after this, good luck with your life.

  11. February 6, 2009 at 08:22 | #11

    You too, James.  Apparently you can dish it out, but you can’t take it.  I’m tired of you insulting people, buh-bye.

    OK, one objection at a time.  James is absolutely right about the datatbases, and that’s the fundamental hole to be plugged.  And he’s totally right about the implications of RFI tags on shipping containers. 

    But dismissing Schneier with a wave of the hand is a mistake; he’s a widely acknowledged expert on security issues.  As James points out the chip is a ‘point of entry’ to the database in addition to whatever information it contains within itself.  So remote access to the chip itself is a hole to be plugged.

    Schneier makes the point that (in the passport example) the chip would have to remain secure for the life of the passport, say ten years.  That’s ten years of advances in processing technology, antenna technology, and cracking techniques. The article linked at the beginning of this post was about a researcher who was able to crack one from a moving car using $250 worth of equipment.

    Hi Fergie! RFID chips are like electronic bar codes, tiny computer chips connected to a little antenna, which is usually printed on a little slip of paper.  They’re cheap (pennies in some cases) and used as a wireless identification/information repository about the object to which they’re attached.  The two biggest drivers of RFID technology have been Wal-Mart (because they move more stuff than anybody) and the government (for the same reason).  Other uses include the pharmaceutical industry (to identify and manage medicines, and reduce counterfeiting) and machine-parts industries.  There are many others.  If you buy a book at a bookstore, there’s usually a slip of paper inside with a circuit in it – that’s an RFID chip.

    Most RFID chips just return a number for tracking.  Some contain more information, like what medicine is in the bottle, what plant it was manufactured at, its expiration date, and an encrypted authentication number.  Identification chips for people will contain more and more biometric data. 

    The use of RFID chips in credit cards is to say the least, controversial.  Just wave your card at the reader and make the purchase – the card does not need to make physical contact.

    Still Me – yep.  Probably not necessary (yet) but that would work until the moment you unwrap it. An RFID reader could be placed where it can read a chip within range of the spot where it is removed from shielding.

    This is not a huge deal, yet.

  12. Jackson
    February 6, 2009 at 10:14 | #12

    The use of RFIDs in credit cards is not good.  I can see problems with that already.  While the individual consumer will not be responsible for the info being stolen and used to make unauthorized purchases, in the end everyone pays for this—the card companies will just pass on the cost to everyone, which is a natural way they do business.  Why is it so hard to swipe a card thru a slot?

    Just because you can doesn’t mean you should.

  13. Jackson
    February 6, 2009 at 10:16 | #13

    Just because you can doesn’t mean you should.

    What I meant by that is that sometimes swiping a card through a slot should be good enough technology.

  14. Rico
    February 6, 2009 at 13:37 | #14

    While passports, in their original design, was shown to be readable from 10 meters away, the final design incorporates a thin metal lining to make it more difficult for unauthorized readers to “skim” information when the passport is closed.

    Also passports incorporates BAC, Basic Access Control, where a PIN is printed on the passport.  This PIN must be entered into the RFID reader before it will read the tag.  The BAC also enables the encryption of any communication between the chip and RFID reader.

    Anyone that’s widely acknowledged expert on security issues would know this basic information.

  15. February 6, 2009 at 18:30 | #15

    Rico – thank you, that’s great information.  Suppose for the sake of discussion we set aside the example of passports, it seems to be a distraction.  Suppose we use instead “wave and pay” cards.  Or building-access cards, like the employees of a giant insurance company here in town use to enter their facilities.

    Yes, there’s been a lot of effort put into security on RFID instruments, but I am describing one simple way to augment that security, somewhat akin to unplugging a network cable.  You can’t crack what you can’t connect to.  If you only unshield your card when actually using it, you reduce the window of opportunity.

    Of course there are some people who are totally freaked by RFID instruments.  They probably also sit up late at night worrying about GM food; that’s not where I’m going with this. An RFID instrument may not give a criminal all the pieces he needs for identity theft, but why give them any pieces?

  16. February 7, 2009 at 14:21 | #16

    George I’ll have you know I bit my tongue on the James’ exit. It certainly wasn’t easy though…

    RFID chips are insanely easy to crack. If anyone is interested I’ll provide links, but some simple googling will provide plenty. I’ll attempt to look up the article, but Passports in Europe were cracked about 2 years ago. Worse they found the designers of the RFID chips used sensitive info, such as mother’s maiden names to hash the encryption. So once the RFID chip was cracked the cracker had everything that was contained in the passport.

    This is the problem with technology. Governments don’t know how to implement it securely.

  17. David Harmon
    February 7, 2009 at 18:47 | #17

    In fact, I think an unpowered chip would face an inverse fourth-power rule (same as radar), rather than inverse square, because it’s getting hit by inverse-square both ways.  Even so, that doesn’t help much, because we’re really good at detecting weak signals—not to mention an attacker can use an initial signal much stronger than the “official” reader does.

    Even beyond reading the chip data itself, there’s the hazard of simply being able to identify passports by country—consider the advantage to a terrorist of being able to pick, say, all the Americans out of a crowd!

  18. EdK
    February 8, 2009 at 20:41 | #18

    Given that official passport generation has been outsourced to foreign countries (according to Schneier’s site and others) I think the battle over passports and personal information security is probably lost.

  19. February 9, 2009 at 22:46 | #19

    Fergie, my apologies; I just noticed that in my long-winded reply I left out the actual answer to your question.  Doh!  RFID stands for Radio Frequency IDentification.

  20. July 20, 2009 at 09:31 | #20

    Update: State Department admits RFID passports are insecure.  They claim hackers “won’t find anything useful” but they can read the cards.

    I think the mantra “there’s no cause for concern” has preceded nearly every government screwup in history.

Comments are closed.