Do RFID Security Worries Still Need a Reality Check?

A few years ago Computer World ran a particularly good piece on Radio-frequency identification (RFID) entitled ‘Opinion: RFID security worries need a reality check‘. I’d highly recommend taking a look at it, for a pair of reasons:

  1. It identifies that hackers will only turn to RFID tags once the data they transmit is easy to send along electronic media and is valuable in itself (i.e. not simply the location of valuable goods; the information must be a valuable good in its own right);
  2. It blindly misses the point that RFID opens a new avenue of attack that could seriously contribute to an e-warfare application.


You might have heard about RFID in the news over the past few years. In case you need a quick primer/update, here are the basics on RFID:

  • It’s not new – RFID has been in use since WWII to organize valuable assets and more effectively track them;
  • RFID can either actively broadcast information, or have the chip activated when placed within ‘hot’ zones – an RFID device does not necessarily always broadcast information;
  • There are different ISO standards for various RFID types – some support encryption, some do not, some support active transmission of data (i.e. they are always broadcasting information), and some do not (these are termed passive RFID devices);
  • RFID Tags are often confused with Contactless Smart Cards (CSCs) on the basis that both use radio transceivers to broadcast information. Different ISO standards are used for these two types of devices, with CSCs having been developed with encryption and privacy issues in mind;
  • On the topic of read ranges – RFID tags can be read up to 10 meters or so away, whereas CSCs are usually read from a maximum of about 5cm away from a reader;
  • RFID Tags are to be placed in many of the Enhanced Drivers Licenses (EDLs) in Canada, whereas CSCs are being inserted into the e-passports that are being deployed in Britain and the US.

RFID – It’s worth some e-money now

In the article by Computer World, it was noted that:

Information criminals steal information that’s readily convertible to cash, not meaningless EPC RFID inventory data. The people who design EPC standards know far more about the risk to supply chains than cloistered academics engineering these meaningless proof-of-concept exploits.

The EPC initiative is backed by companies that suffer billions of dollars in global supply chain losses every year. They have performed a rigorous risk analysis and concluded that the effect of a supply chain exploit targeting EPC chips is relatively low. They also have determined that the probability of seeing a wave of hacks on EPC chips is similarly low. (Source)

What does this say? It says that billions were already being lost to supply chain losses – this isn’t necessarily the case when it comes to shunting people across borders, save through some reasonably abstract understandings of what it means to lose money as people cross the border (this would be where efficiency metrics, as they relate to human actions, would come in). It also says that, from a supply chain analysis, it’s unlikely that there would be any kind of attack/hack on EPC chips.

Supply chain analyses are (presumably) different from border crossing analyses – the former relates to products as they move around the world, where there are known losses, whereas the latter relates to the movement of citizens between different legal jurisdictions. Unless we’re talking about independent organizations being able to track the number of people that disappear as they hit various borders as they are ‘redistributed’ to Gitmo or similar detention areas, I fail to see how ‘known losses’ fit with a situation where citizens are crossing a border.

Moreover, whereas a supply chain is only likely to hold value to rival retailers (knowing how Wal-Mart moves all of its supplies internationally might provide a competitive advantage), knowing how and where citizens are traveling, as well as gaining access to a wide population’s biometric information, is of value to most bureaucratic bodies in public and private settings (imagine travel insurance companies learning just how much you travel!). The opportunities to be gained from this kind of information are high, which translates into the possibility of monetizing RFID hacks. When you’re dealing with sensitive information that can be communicated along the ‘net, with that information being valuable in and of itself, then it’s likely that those ‘cloistered academic’ engineering exploits will quickly become meaningful.

To encrypt, or not encrypt – that is the question

When it comes to your driver’s license, health card, or any other piece of government-issued ID, you can visually confirm that the information displayed on the ID-piece is accurate. Given that the cards have the information placed on them after it is harvested from the appropriate databases, it is easy to determine whether the printed information is accurate and, correspondingly, whether the databases that were drawn on hold accurate personal information. When it comes to RFID Tags, however, you can never be entirely certain what is being broadcast unless you have a way of reading the information. This means that, to ensure the accuracy of broadcast information, you would need to be able to read it. This suggests one of two things:

  1. Information from RFID Tags is broadcast ‘in the clear’, that is, the information broadcast is not encrypted, enabling citizens to determine if the broadcast information is accurate;
  2. Information is encrypted, but there are many public readers where you can confirm the accuracy of the information being broadcast.

There are obvious problems with the first choice – it would mean that very personal/private information was being broadcast to the wider world. There are clear security problems with this possibility. The second choice – encrypted but lots of public access points – is good, but only if the access points are relatively ‘hardened’, if they are easy to find and access, and if the RFID Tags are set to a passive, rather than active, broadcast.

The problem with most encryption schemes, as they’re proposed at the moment, is that citizens would be unable to access the information that was being broadcast. This is intended to assuage citizens that their personal information is secure, but fails to provide them with the ability to confirm the accuracy of their personal information that is either being transmitted using RFID on CSCs or called up in databases associated with RFID Tags. For a democracy to thrive a government must be transparent, and citizens need to be able to perceive themselves as the legislators and subjects of any law. How can one legislate a law, when the consequences of that law are subsequently hidden? When it comes to identity programs, citizens must be able to understand precisely what they are giving up to authorities when challenged for ID.

Catch-22 and beyond

The current EDL proposals in Canada call for unencrypted transmissions of identifier numbers that then ‘hook’ into a government database. Unlike the government of Canada, most RFID vendors recommend that the data that is transmitted be encrypted. Unfortunately, the choice between encryption or not leads to a catch-22 situation: either the transmissions lack transparency, or they risk putting citizens’ biometric information in the public eye. This isn’t to say that there aren’t technical solutions to this issue – solutions can be implemented – but pursuing a technical solution fails to recognize that we, as citizens, really need to determine whether or not RFID-enabled identity cards are really needed!
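To make the trade-off concrete, here is an added worked example (this is not code from the original post, from Computer World, or from any EDL or e-passport programme). It simulates the three passive-tag designs discussed above: the full record broadcast in the clear, the record encrypted under a key held only by official and public verification readers, and the EDL-style bare identifier number that hooks into a database. For each design it records what the card holder can verify with a given reader and what an unauthorised reader in range captures. The record, identifier number, key, database and reader locations are all constructed, and an HMAC-based stream cipher stands in for a real cipher so that the script runs on the standard library alone.

```python
"""Added illustration, not code from the original post or any EDL/e-passport
programme: three passive-tag designs, what the holder can verify with a given
reader, and what an unauthorised reader in range captures. All values are constructed."""
import hashlib
import hmac
import json
import os
from collections import defaultdict
from typing import Optional

RECORD = {"name": "A. Citizen", "dob": "1980-01-01", "biometric_ref": "template-0001"}
IDENTIFIER = "EDL-000123"          # constructed identifier number that 'hooks' into a database
DATABASE = {IDENTIFIER: RECORD}    # hypothetical government back-end

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode; stands in for a real cipher (stdlib only)
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || 32-byte HMAC
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Check the HMAC first; a wrong key, tampering or a non-ciphertext payload raises ValueError
    nonce, ciphertext, mac = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), mac):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class PassiveTag:
    """A passive tag answers every reader that energises it with the same stored bytes."""

    def __init__(self, payload: bytes) -> None:
        self.payload = payload

    def interrogate(self) -> bytes:
        return self.payload

def clear_tag(record: dict) -> PassiveTag:                   # choice 1: full record in the clear
    return PassiveTag(json.dumps(record, sort_keys=True).encode())

def encrypted_tag(record: dict, key: bytes) -> PassiveTag:   # choice 2: record encrypted
    return PassiveTag(encrypt(key, json.dumps(record, sort_keys=True).encode()))

def identifier_tag(identifier: str) -> PassiveTag:           # EDL proposal: bare identifier number
    return PassiveTag(identifier.encode())

def leaks_personal_data(captured: bytes, record: dict) -> bool:
    """True if any personal field appears verbatim in what a reader captured."""
    return any(str(value).encode() in captured for value in record.values())

def holder_verify(tag: PassiveTag, reader_key: Optional[bytes] = None,
                  database: Optional[dict] = None) -> Optional[dict]:
    """What the holder can confirm with a reader that has (or lacks) the key and database."""
    raw = tag.interrogate()
    if reader_key is not None:
        try:
            return json.loads(decrypt(reader_key, raw))
        except ValueError:
            pass
    try:
        return json.loads(raw)              # plaintext JSON needs no key at all
    except ValueError:
        pass
    if database is not None:
        return database.get(raw.decode("utf-8", errors="replace"))
    return None

def correlate_sightings(sightings: list) -> dict:
    """Group (location, captured bytes) pairs by the bytes: a static response is a tracking token."""
    by_token = defaultdict(list)
    for location, raw in sightings:
        by_token[raw].append(location)
    return dict(by_token)

def summarise(tag: PassiveTag, reader_key: bytes, database: dict) -> dict:
    captured = tag.interrogate()            # an eavesdropper gets exactly what any reader gets
    links = correlate_sightings([("border", captured), ("bus", captured), ("shop", captured)])
    return {
        "eavesdropper_sees_personal_data": leaks_personal_data(captured, RECORD),
        "holder_verifies_with_any_reader": holder_verify(tag) == RECORD,
        "holder_verifies_with_keyed_reader": holder_verify(tag, reader_key=reader_key) == RECORD,
        "holder_verifies_with_database": holder_verify(tag, database=database) == RECORD,
        "eavesdropper_links_sightings": len(links) == 1 and len(links[captured]) == 3,
    }

def compare_designs() -> dict:
    key = os.urandom(32)                    # constructed key for official and public readers
    return {
        "clear": summarise(clear_tag(RECORD), key, DATABASE),
        "encrypted": summarise(encrypted_tag(RECORD, key), key, DATABASE),
        "identifier": summarise(identifier_tag(IDENTIFIER), key, DATABASE),
    }
```

Calling `compare_designs()` gives one property set per design. The clear tag is verifiable with any reader but hands every field to any reader in range; the encrypted tag hands over nothing readable but is verifiable only through a keyed public reader, which is the second choice above; the identifier tag reveals no personal data to a reader without database access, but the holder cannot verify it without that access either. The last property is the caveat worth adding: all three tags answer every reader with the same bytes, so even the encrypted card is a stable token that lets unrelated readers link sightings of the same person. Encryption of a static payload hides content, not presence, which is why limiting when a passive tag answers at all matters as much as the choice of encryption.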

In Canada, EDLs are being created in order to satisfy the American securitization of their borders. Putting aside whether or not that securitization is real security, or merely security theater, we as Canadians need to ask whether or not we want to open ourselves to a heightened risk of biometric theft (an upgrade of mere ‘identity’ theft), or simply pony up for passports. Canadian passports are valid pieces of international ID, and can be used to cross the Canada-US border (as well as the other borders of the world). Instead of investing in EDLs and the massive infrastructure that will accompany them, why not simply divert that money to subsidize the cost of passports?