Cracking RFID With Your Phone

RFID tags and their security implications are returning to centre stage. Adi Shamir, professor of computer science at the Weizmann Institute, has shown that it’s possible to crack passwords on RFID tags using a cellphone. In theory this could mean anyone with a cellphone could monitor traffic between a tag and a reader and collect the information being transmitted. As EE Times’ Rick Merritt writes (via Digg):

“I haven’t tested all RFID tags, but we did test the biggest brand and it is totally unprotected,” Shamir said. Using this approach, “a cellphone has all the ingredients you need to conduct an attack and compromise all the RFID tags in the vicinity,” he added.

Shamir said the pressure to get tags down to five cents each has forced designers to eliminate any security features, a shortcoming that needs to be addressed in next-generation products.

Quite a few of the comments on the Digg link are of the “why should we care?” variety:

I still don’t understand what the big fuss is about RFID security. I mean who cares if someone knows that you just bought milk and eggs or that you are carrying around the latest Playboy. What could be tagged with RFID that people would so desperately need to keep private? I think that people are wrapped a little bit tightly around the issue.

This kind of response is infuriating, but predictable, and it is the reason why there’s still a huge gulf between the value we attach to our personal data and the value companies in the world of data collection attach to it. It is precisely the detail of our lives that is valuable to others; this detail — whether we bought milk, eggs or Playboy — comes together to form a very detailed profile of the consumer. The consumer is also a bank account holder, a patient, a credit card applicant, a driver, an employee. When all this information gathered on the individual is collated, it forms an alarmingly precise picture of their habits, their problems, their foibles — do you want a potential employer to know you read Playboy, or a life insurer to know you consume lots of fatty foods? — which might, just might, in the future prove the difference between a job, a loan, a credit card, a house.

16. February 2006 by jeremy
Categories: Privacy, Security, Taxonomy