RFID

Radio frequency identification, or RFID, as defined by the RFID Journal, is “a generic term for technologies that use radio waves to automatically identify people or objects.” The most common use of the technology is “to store a serial number that identifies a person or object, and perhaps other information, on a microchip that is attached to an antenna (the chip and the antenna together are called an RFID transponder or an RFID tag). The antenna enables the chip to transmit the identification information to a reader. The reader converts the radio waves reflected back from the RFID tag into digital information that can then be passed on to computers that can make use of it.”^[1]

Background

RFID tags carry specific data about the objects they are attached to. Unlike barcodes, they can be recognised and read by a reader as long as they are in the same range. The amount of data they can carry depends on the manufacturer and the form of application, but the current versions can carry up to 2KB of data^[2], which is enough to store all the basic information about a product in a simple format.

Purpose

RFID is claimed to bring the advantage of every item being tagged with a unique proof of identification, making tracking of products easy and error-proof. In this way, it is expected to improve production line efficiency for many companies.^[3] The technology also allows companies to gain better access to product sales statistics. The main aim is stated to be “to reduce administrative error, labor costs associated with scanning bar codes, internal theft, errors in shipping goods and overall inventory levels.”^[4]

Drawbacks

The major obstruction to the implementation of the technology is its cost. Although the tags are reusable in a certain system, say, within one company, they have to be very cheap to obtain to go out of the system as they cannot be used in another system unless all the systems work together and create a whole network of tracking.^[5]

Therefore, the disadvantage is created by the absence of a universal system of RFID. Considering that the target now is to create a universal system, we come across some other, and much more serious, problems with respect to the practical limitations of the whole network of RFID.

Technological problems

Easily copyable

The first technical problem with the use of RFID tags on products is that they are easily copied. Political columnist Henry Porter, in an article for The Observer, writes that he had first-hand experience of this after having been injected a chip under his skin. “It turns out that this futuristic device is rather unimpressive… It took… no time at all to pass a scanner over my arm, extract the information and clone the RFID.”^[6]

This problem of being easily copied also applies to ID cards. Although the idea of embedding RFID tags in various types of ID cards has the aim of making them “nearly impossible to forge or tamper with,” the reality is just the opposite.^[7]

An article for WorkPermit.com entitled "New hi-tech RFID passports hacked and cloned" reports an experiment carried out by Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, in which he hacked into an RFID tag in a new European Union German passport and copied the data on it. The article points out that the method would work on any country's "e-passport", since all of them will adhere to the same ICAO standard.

Grunwald, says the article, "obtained an RFID reader by ordering it from the maker - Walluf, Germany-based ACG Identification Technologies - but also explained that someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.”^[8]

In an attempt to get around the problem, the US authorities have decided to include a metal shield in passports to protect the RFID tags from being copied. Porter writes: “What they probably realise is that the covert reading of passport could represent a considerable threat, especially to those whose nationality terrorists want to target or those who may represent rich pickings for criminals.”^[9]

Viral threats

The RFID technology has been presented to public as being fault-free and posing no technical problems. However, in addition to the problem of copying, they can also carry viruses that may well corrupt, if not all, a huge part of the system they are implemented in.

Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags.^[10][11]

Implementation of such a vulnerable technology prone to viral attacks and hacking can be viewed as an economic threat, in the case of companies using it and spreading its use to enlarge their marketing system, as well as a security one, in the case of them being used with personal identification cards.^[12] Many computer experts and science centres accept the fact that “RFID introduces new privacy and security risks -- and a whole new dimension to corporate espionage”^[13], but also willing to work on the technology to prevent it: “Laboratories is now researching new techniques to help protect the privacy and security of businesses and consumers in RFID environments.”^[14] Considering the fact that current genius Microsoft technology fails to protect our desktop computers from being infected by viruses, it appears to be either a rather naïve or an extremely evil state of mind to believe that the RFID tags can be protected from any kind of technical misuse, and trust them to carry unique information about anything, be it a product, a pet, or a person.

People getting chipped

The formal explanations of the system only includes pets and products; on the other hand, there are examples of people who have been “tagged” with RFID microchips.^[15] However, the practice of inserting RFID devices into people for purposes of club memberships and payment procedures are not a dream – the ideas of employing the system actually dates back to at least 2004.^[16] Not surprisingly, another attempt to make Americans more secure includes the idea of “the use of an RFID implant which is shot into the body by means of a large hypodermic needle. The chip can be read when a scanner is passed over the area where it lurks in the fatty tissue below the surface of the skin.” ^[17] There actually is a company, VeriChip Corporation, that is not at all shy to publicise its basic ideal: “RFID for people.” The motives include ‘patient identification,’ ‘infant protection,’ ‘wander prevention,’ and ‘emergency management’ among many others.^[18]

Although in real practice very few people have so far been chipped, further practices are to come.^[19] The US Food and Drug Administration has already approved the RFID tagging technology for medical purposes.^[20] Additionally, in 2004, the students of an elementary and middle school in a small town in California were required to wear RFID badges around their necks to test the technology.^[21] Such practices show how serious the manufacturers and the state are about actually launching a nationwide program with RFID tagged individuals.

Duplication problem

As mentioned above, RFID chips are easily copyable unless they are protected with metal shields. Talking about the chips inserted into human body, it would be much more difficult to protect the chips from transmitting of information, as they can easily be read by any scanner/ reader placed at a certain distance, and duplicating the tag is not really a problem once the information the tag bears is recognised, therefore posing a threat to individuals’ personal data, challenging computer geniuses’ ability to hack into the system. ^[22] It means that today people are able to forge passports and any other different forms of ID cards, tomorrow they will copy others’ RFID tags. The problem is, RFID tags will probably carry all the key information about one individual – library records, insurance status, educational background, criminal record, family records, etc. It is difficult to believe that it will create peace among people, and there will not be people using their financial power to exploit others.

State power on individuals

The United States Patent Agency approved the “combination ID/ tag holder” in 2004, stating that the “invention can be used in conjunction with an automated attendance monitoring system to monitor attendance of students or other individuals whose whereabouts need to be tracked.”^[23] It remains to be seen who will decide who the "individuals" in question, whose whereabouts need to be tracked, would be. If the RFID project is launched in a country, it seems extremely likely that the state would soon acquire the ultimate power to manage it, using the justification of securing national safety.

Once the state has so much information about the people living in a country, it takes little imagination to foresee the ways it could be used against people who disagree with the ways of the state. Henry Porter explains his concerns about the NIR (National Identity Register) in the UK, which can be perceived as a simplified form of RFID tags:

Every time you get a library card, make a hire-purchase agreement, apply for a fishing or gun licence, buy a piece of property, withdraw a fairly small amount of your money from your bank, take a prescription to your chemist, apply for a resident's parking permit, buy a plane ticket, or pay for your car to be unclamped you will be required to swipe your card and the database will silently record the transaction. There will be almost no part of your life that the state will not be able to inspect. And it will be able to use the database to draw very precise conclusions about the sort of person you are - your spending habits, your ethnicity, your religion, your political leanings, your health and even perhaps your sexual preferences. Little wonder that MI5 desired - and was granted - free access to the database. Little wonder that the police, customs and tax authorities welcome the database as a magnificent aid to investigation.^[24]

Some members of the public also fear the rise of RFID technology. A concerned citizen states his fears about tagging people in one of the RFID blogs:

Today RFID is optional, but twenty years from now it may be mandatory. In fact, it might be required to be implanted at birth. Today a scanner may need to be within three inches, but in twenty years it might be detectable from a satellite, a moving car, or fixed scanners in businesses or on power poles where cameras are currently positioned in residential neighbourhoods.^[25]

Just imagining that it would be the case, that everyone is tagged with RFID chips, prisoners are kept safe, products tracked by owners, children safe in classes. In the frame of a catastrophe scenario, one would wonder what would happen to people of different colour, race, political view, religion, gender, etc., if, by any chance, countries give in to dictatorships. This might sound like a worst case, but we need not think that further to imagine what kind of power we would be handing to authorities with our personal data.

Resources

• ARS Technica website, “RFID chips can carry viruses,” 15 March 2006, accessed 22 November 2008.
• Best, Jo, “Schoolchildren to be RFID-chipped,” Silicon website, 08 July 2004, accessed 19 November 2008.
• CNET website, “FDA approves injecting ID chips in patients,” 13 October 2004, accessed 22 November 2008.
• CNET website, “The man with the RFID arm,” 15 February 2005, accessed 22 November 2008.
• Free Patents Online website, Combination ID/ tag holder, accessed 22 November 2008.
• Morton, Simon, “Barcelona clubbers get chipped,” BBC News website, 29 September 2004, accessed 19 November 2008.
• Porter, Henry, Guardian website, “Beware of card tricks,” 11 July 2006, accessed 19 November 2008.
• Porter, Henry, Henry Porter website, “Surveillance is really getting under my skin,” 19 November 2006, accessed 22 November 2008.
• RFID Journal website, accessed 19 November 2008.
• Rieback, M.R., et al., RFID Virus website, “Is Your Cat Infected with a Computer Virus?” IEEE PerCom 2006, accessed 22 November 2008.
• Rieback, M.R., et al., RFID Virus website, Vrije Universiteit Amsterdam, Department of Computer Science, “RFID Viruses and Worms,” last modified 02 March 2006, accessed 22 November 2008.
• RSA Laboratories website, “RFID Privacy and Security”, accessed 22 November 2008.
• VeriChip Corporation, accessed 22 November 2008.]
• Work Permit website, Global immigration news, “New hi-tech RFID passports hacked and cloned,” 04 August 2006, accessed 22 November 2008.
• Zetter, Kim, Wired website, “School RFID Plan Gets an F,” 02 October 2005, accessed 22 November 2008.

Further Reading

• Ahmad, Muhammad Idrees, The Fanonite website, “Fortress Britain,” 26 June 2008, accessed 23 November 2008.
• Broache, Anne, ZDnet website, “Tech industry attacks state anti-RFID laws,” 20 April 2006, accessed 23 November 2008.
• Juels, Ari, RSA Laboratories website, “RFID Security and Privacy: A Research Survey,” 28 September 2005, accessed 23 November 2008.
• Kharif, Olga, Business Week website, “RFID’s Second Wave,” 09 August 2005, accessed 23 November 2008.
• Kravets, David, Wired website, “Farmers See ‘Mark of the Beast’ in RFID Livestock Tags,” 09 September 2008, accessed 23 November 2008.
• Porter, Henry, Henry Porter website, “We don’t need ID cards,” 06 November 2006, accessed 23 November 2008.
• Slack, James, Daily Mail website, “Royal Mail, shops and private firms to bid for right to fingerprint us for new ID cards,” 06 November 2008, accessed 23 November 2008.
• Williams, Chris, The Register website, “Schoolkid chipping trial ‘a success’,” 22 October 2007, accessed 23 November 2008.

Notes and References