RFID Puts Us All at Risk

Jim Rapoza

I've never really thought of myself as much of a seer, prognosticator or predictor of the future, but based on a column I wrote back in 2005, I may just have a future in the prediction field.

In that column, "Security Getting Trampled in the Rush to RFID," I put forth a "hypothetical" situation where I could sit in a city square with nothing but a laptop and a small wireless device and--because of the ubiquity of unsecure, RFID-enabled gadgets--be able to do everything from read passports, identify employees and students, and even access credit card numbers and information.

When I wrote that column, I was roundly jeered by RFID proponents. They said what I envisioned was impossible, that to read those RFID tags I would need to be within inches of the person carrying them and would have to use a very large and expensive device.

It wasn't long before security researchers were able to successfully read RFID tags from 20 or 30 yards away, but still the RFID ostriches discarded these results as too expensive, too large and too complicated to take seriously as a threat.

And what's happened in the last year? Researchers have been able to crack and clone a variety of RFID tags to gain access to buildings or get free rides on public transportation, and when the popular TV show "Mythbusters" planned an episode on the ease of cracking RFID-enabled credit cards, the credit card companies threw a phalanx of lawyers at the show before they could show how insecure these types of credit cards are.

In addition, just recently, security researcher Chris Paget drove through San Francisco with a small, $250 wireless device attached to his car and in 20 minutes was able to capture all data from two RFID-enabled passport cards.

So researchers have shown RFID-tagged credit cards and devices can be easily read and cloned from a distance, with small and easily hidden devices that are inexpensive and well within the skill sets of your average hacker.

That gives the win to Jim "Nostradamus" Rapoza over the RFID ostriches with their heads in the sand about the serious security risks of putting RFID in these identification and financial devices.

As I've said in my past columns, all of these security risks come with almost no real benefit to users or the governments or companies that use these devices. RFID passports and credit cards save, what, one second over swiping them in traditional optical readers?

And the security threat can be pretty severe, even beyond the obvious areas of identity theft and credit fraud. After all, one of the supposed benefits of RFID tags is they can trigger actions by systems that detect them, whether they are doors to a building or turnstiles in a subway.

Imagine much less friendly automated systems, which are programmed to do something when they detect someone walking by with a specific type of passport.

Given that all of these problems with RFID tags are well known in the security community, you would assume that governments and businesses are working hard to remove RFID from areas where it doesn't make sense and making it much more secure in the areas where it is needed. But you would be wrong.

So far, most of the resources seem to have been spent on lawyers trying to stop people from pointing out the security problems of RFID. Vendors don't seem to want to take the time to make their devices more secure, and I guess governments would rather put people at risk than admit they made a mistake putting these things in passports.

Unfortunately, I was right about the risks of RFID, and I don't expect things will change until some serious incident happens because of insecure RFID. At that point, will we hear the inevitable excuse of "no one could have predicted this would happen"?