RFID is the wave of the future. Soon, we'll be able to order goods from online retailers (as well as pay bills and conduct other transactions) by briefly waving our hand under a reader of some sort, and at stores, ATM machines, air ports, hospitals, etc. it will be unnecessary to run a card through a machine because we can simply scan our hand, arm, or other body part in the time it takes to blink. So, RFID technology will be attractive because of the convenience it brings, and manufacturers will claim it is secure or will manage to implement proprietary security measures that succeed in allaying the fears of the general public (whether that sense of safety and security is justified or not).

The Real ID Act stipulates that beginning in 2008, states must implement ID cards and drivers licenses that meet minimum guidelines set forth by the Dpt. of Homeland Security. These cards will be required to travel by plane, enter banks, and to enter any federal, state, or local government building. Among these guidelines is that they all share a common machine readable technology. The current preference? RFID. Like it or not, RFID will be an integral part of our lives, in many forms.

Imagine if you will the following scenario, however. A major terrorist attack is successfully perpetrated on the United States mainland. It is discovered that these new ID cards were not as secure as was believed, and furthermore, that the perpetrators of the attack used - among other tools - stolen or forged RFID equipped ID cards. With RFID chip implantation FDA approved and increasingly popular due to the convenience they bring, it wouldn't be too difficult to argue to the public that only implanted IDs are truly secure, hidden in our bodies.

I'm not saying that there's any truth to that statement, whether they'd be more secure than RFID equipped cards, that they're a good or bad thing, whether the above scenario is possible or likely, or whether I agree or disagree with that hypothetical rationale. I'm just raising the possibility.

The possibilities, and the pitfalls of implanted RFID chips fascinate me.

On the one hand, they unlock (sometimes literally ) an entirely new way to interact with our environment, and the types of interaction will only increase with the chips' own complexity. Right now we're at the "wave your hands at a sensor" stage, and even with that there's a large number of things that can be, and have been done. Locks, environmental preferences (a room, for example, that adjusts the lighting levels to what you prefer when you walk into it, and turns the lights off automatically when you leave), electronic security, and so on.

On the other hand, as I'm sure will be more popular here ( ), there are staggering potentials for erosion of privacy, and invasion of personal life, for population control and tracking. Honestly, I'm excited and terrified at the same time to see how we'll deal with the situation.

As for security of the RFIDs, that is a largely trivial matter (when looked at next to the other problems raised). Right now most RFIDs are plain text, because they're not being used for anything particularly secure, much like WiFi was back when the 802.11 standard got started. As they see more and more public use, and more use in places where security is necessary (commerce, intelligence, etc), greater and greater standards of security will be applied to the "tags."

To use the quoted story as an example: Right now, the guy's chip probably does transmit its RFID in plaintext. You can move that up a level of sophistication by using a simple Public/Private encryption key scheme (much like PGP, in fact it may use PGP itself) so the chip broadcasts the encrypted ID along with the public key and this can only be used if the receiving device has the corresponding private key to unlock the "message." Because the private key is not broadcast, merely stored within the receiving device, this is actually fairly secure (from a technical standpoint, anyway)

For the problem mentioned with giving the guy's girlfriend a chip to access his home, etc. It's pretty likely that her RFID chip has a different code than Mr. Graafstra himself, and that he just programmed the locks, etc, to respond to her code as well as his own. Should a breakup happen, he just has to disable her code in the devices. This is actually safer (for him) than trying to retrieve a physical key.

Now, the potential problems (from a technical, not societal, standpoint) I can see right away are the following: Locks will still need a physical backup, unless they're failsafe (defaulting to "unlocked" if reset or without power, rather than fail-unsafe, locked). If the locks are Failsafe, all you need to do then is either kill power, or find some way to wipe the device's memory (perhaps using a very strong magnet to corrupt the data storage media and force the device to reset itself.)

Doesn't the bible say something about human beings needing a mark on the hand or forehead to buy and sell? Isn't that the mark of the beast?
Ultimately, everyone will end up with a chip/barcode (whatever) on them that will contain all their life history information/details etc. I would dare say this chip will end up containing a tracking device so government/nwo/'they' know where you are at all times. Game over, bye bye personal freedom and privacy.

[edit on 2-3-2006 by Lucius Driftwood]

I thought they could make the codes change all the time due to the speed of certain chemical breakdowns, meaning they would be encrypted beyond copy.

[edit on 2/3/06 by byhiniur]

At this stage of the game, about the only risk that this guy is taking is that some unscrupulous geek, knowing his identity, will get a device to read the data in his chip and steal his car and empty his house. The long term impact of such technology is questionable, but I think the best approach is to accept that such will be a part of our future and do what we can to exploit its benefits, while insuring that the potential for abuse is minimized. There has never been a technology that has not been met with howls of doom. Relax and embrace the future.

For the Bible, I believe it says something to that effect, but whether that's a literal or metaphoric comment I'll leave up to our scholars here to debate. For me, it's fairly moot anyway, as I'm not Christian

For tracking, it's easier than you'd think once the chips are widespread. You don't even need to add anything to the chips themselves to do it.

Most RFID stuff works by hitting the chips with a weak signal, which causes the chips to also broadcast a weak signal ("TV-remote" weak, really). Still, it's enough, usually, to cross the couple of feet separating the two devices. The RFID receptor then does whatever it's supposed to with the data it receives (notes an item is in inventory, for example, or sets off a door alarm that a product is being stolen). Most receptors are, or will be when things are widespread, networked. Should the .gov really want to track us, they simply require that they be able to access such devices "For Homeland Security Purposes" or whatever the fear-causing-catchphrase of the day is, and use our commercial and private equipment to keep tabs. For example, make a note on the door scanners at your local Wal-Mart to notify them when citizen 0x800ccc0E walks through.

The true potential for abuse, though, lays as much in the private sector as it does in the public. If implanted RFID chips become commonplace, businesses can and will track and share data on them. While they may not be able to tie "citizen 0x800ccc0E" to "John Dee", they will know that the person is likely a male (based on foods and hygene products purchased), an approximate age (entertainment, food, etc), a location (based on where he most often shops), and possibly even hobbies (use your chip for membership at a health club, or buying theatre tickets). This information will be used for advertisements, but could also be used for loss-prevention or other in-store security purposes. Heck, it could be used to keep out "undesirables" based on demographic information (e.g., if you don't shop at the right places, forget about getting into the new downtown club).

I'll even give you a likely scenario to get these into public use, and it won't be either secure or based on usefulness:

First, RFID will start to find widespread use for inventory and loss-prevention in stores. It will be cheap, and reasonably effective, and so will replace the magentic tags in use right now. This part is already starting to happen at some big-box retailers, and many libraries for that matter, right now, so it's a pretty safe bet.

Eventually someone will get the bright idea that, since this system works so well for tracking items, why don't we use it to track dangerous members of society, permanently. We need some group of people that garner absolutely no sympathy, that we allow on the streets, and we would like to track all the time. Registered sex offenders fit the bill for this quite nicely. We can even minimize the need for additional hardware by making use of the existing commercial infrastructure already in use. We just need to install monitors at the offender's home (so we know when they enter and leave), and at public places (parks, convention centers, etc). Then we tie everything together. While the individuals may not be monitored every second of the day, they should pass by monitored areas frequently enough that we can track them quite well.

Next, we suppliment the current Amber alert system already in play by tagging children. Since the system has worked so well to track society's undesireables, why not use the exact same infrastructure to protect its most innocent members? Parents may or may not install sensors in their own homes ("but think how convenient it would be to know where, exactly, your son and/or daughter is without having to go look for them"), but still using the public and commerce sensors, they'll be able to track their kids at the mall, at school, at events, and, should such an unfortunate thing happen, when their children run away or otherwise disappear.

Why not sweeten the deal: set up software so that parents can be alerted (SMS message to cell phone, for example) if they're entering a location with a registered sex offender. That way they can know to keep an even closer eye on Junior, or can choose to come back at a safer time. Should such tools result in the registered offenders being barred from private stores, well, they shouldn't have done what they did in the first place, then, should they?

At this point, since the system has been working so well (at least, publicly), why not extend its use to other people. And there you go.

Originally posted by Lucius Driftwood
Doesn't the bible say something about human beings needing a mark on the hand or forehead to buy and sell? Isn't that the mark of the beast?
Ultimately, everyone will end up with a chip/barcode (whatever) on them that will contain all their life history information/details etc. I would dare say this chip will end up containing a tracking device so government/nwo/'they' know where you are at all times. Game over, bye bye personal freedom and privacy.

[edit on 2-3-2006 by Lucius Driftwood]

Actually, the bible was referencing Nero, and his implementation of stamped gold coinage. So only Neros coins could be used to be payed, and they were monitored to know who had the money and who didnt, so they could use it to track and kill usurpers.

it's not difficult to read rfid tags. once you read ther information you can clone a tag it's that simple.

what this kid is doing can lead to big problems for him. a tech savoy thief only has to have him walk by and scan his rf code. clone a copy and then have access to his apartment. you don't have to steal anything except his bank account information and then if you are not greedy you just make monthly withdrawls from his credit, bank accounts in an ammount that he will not readily miss or credit companies don't flag. he'll never be the wiser

sure he'll say that his has to be read up close but in a crowd he'll never know who has read his tag or not

RFID and other biometrics are going to happen and I for one welcome them. No more credit cards, no more drug dealers, no more counterfeiting. The thing is it has to be tied to something like something you know AND something you have. That is security in its essence. If you can't lose a chip and you know a code (say 8 digit too, case shift-at least one number and one special character) you're in business. nothing wrong with it in my opinion.

Originally posted by OneGodJesus
RFID and other biometrics are going to happen and I for one welcome them. No more credit cards, no more drug dealers, no more counterfeiting.

The thing that worries me about this is that now getting robbed means having your wallet taken away from you. In the future it might mean having your hand cut off or your eye taken out.

Originally posted by OneGodJesus
RFID and other biometrics are going to happen and I for one welcome them. No more credit cards, no more drug dealers, no more counterfeiting. The thing is it has to be tied to something like something you know AND something you have. That is security in its essence. If you can't lose a chip and you know a code (say 8 digit too, case shift-at least one number and one special character) you're in business. nothing wrong with it in my opinion.

you can still counterfit a rfid tag. and really how hard is it to get some one's code they punch into a keypad. have you seen the camera's and card readers put in at atm machines lately? it is far easier to exploit rfid than you think.

those who welcome such innovations will be lead like sheep to the slaughter house.

how many have those little grocery store discount cards. you don't think that will ever be used against you? after all they could be recording everything you buy and if you buy lots of fatty, cholesterol ridden food you don't think some insurance company wouldn't want to know that. if they aren't doing it now it will be done in the future that is a gaurentee.

if you have one did you give them your name, address, phone number, age

it's amazing how many people are not alarmed when such simple, innocent things ( that could so easily be exploited) become common place.

Originally posted by bigx01

1) how many have those little grocery store discount cards. you don't think that will ever be used against you? after all they could be recording everything you buy and if you buy lots of fatty, cholesterol ridden food you don't think some insurance company wouldn't want to know that. if they aren't doing it now it will be done in the future that is a gaurentee.

2)it's amazing how many people are not alarmed when such simple, innocent things ( that could so easily be exploited) become common place.

1) I really could use someone standing over my shoulder saying what I'm eating is bad for me...lol. I think I've gained 22 lbs since I left uniform.

2) The same could be said of guns, machete's, axes, pocket knives, baseball bats. Anything can be used for ill. Moderation and good follow through are key IMO. If you have watchdog groups making sure no exploitation happens and sue the snot out of offenders or give them jail time, no more issues. Just don't put them in the Martha Stewart prison. More like the "my butt is really hurting" prisons.

Originally posted by bigx01
you can still counterfit a rfid tag.

Right now, sure. And 4 years ago, if you were lucky enough to have an 802.11b card in your laptop, you could watch the unencrypted credit card numbers fly from the Best Buy CC readers over to the cash register.
Try it now, and you'll have a much harder time of it.

The same thing will happen with RFID. Like I said, it's insecure right now becuase, for the majority of uses to which the technology is being put right now, it doesn't need any security. It makes no difference to Wal Mart if you know the internal product code for a box of Wheaties. Their main concern is that they can inventory now in 40 minutes, where it used to take several hours.

Now that we're starting to see use outside of things like that, though, I imagine that some form of security (public/private key encryption, perhaps) will be layered on. At first it will be a kludge, added to the previous technology and only as effective as a door-chain is in protecting your house. It'll stop the casual theif, and that's it. As future standards are developed, security will become more and more tightly integrated into the chips. See the transition of wireless security from 1997 to now. The latest standards are actually fairly secure.

those who welcome such innovations will be lead like sheep to the slaughter house.

Nope, those who welcome such innovations blindly may be. Me, I'm a cautious optimist when it comes to technology like this. There's a lot of good it can cause, and a lot of bad. We need the tech savvy to keep a close eye on how it's being used, and to keep the public aware of potential abuses.

how many have those little grocery store discount cards. you don't think that will ever be used against you? after all they could be recording everything you buy and if you buy lots of fatty, cholesterol ridden food you don't think some insurance company wouldn't want to know that. if they aren't doing it now it will be done in the future that is a gaurentee.

Sure, and that right there is one of the big potentials for abuse. Luckily, we geeks have been getting better at public speaking and gaming the media in the last few years. We're still not as sexy as an LA freeway chase, but just take a look at the national attention the Diebold voting machines thing has received.

it's amazing how many people are not alarmed when such simple, innocent things ( that could so easily be exploited) become common place.

For me it's largely about risk management. There are a huge number of simple, easily exploited things out there, and I'm not going to be able to avoid all of them. So, I take steps to be aware of potential abuses and to minimize the risk.

My position is this: RFID is going to happen, in some form or another. And it's not enough to just see the pitfalls in the technology. We need to be able to communicate those pitfalls effectively to the public, to help guide the introduction of the technology so to minimize the abuses. We can't do that if we stand on a box on the corner shouting about the "Mark of the Beast" or "sheep to the slaughterhouse."

For applied security on RFID, why, exactly, would a private/public encryption key scheme not work? Encrypt the data transmitted by the RFID, append a public key. Any authorized device can access the private key to decrypt the information contained therein. Exactly the way secure e-mail communication is carried out, for example, between the military and defense contractors. It's not 100% unbreakable, but it will keep Joe Q Thief from walking through the mall scanning your personal info unless Joe has also has some way to get to your private key.

That said, I doubt secure RFID will be implemented this way. Likely it will be closer to WEP on wireless: Sufficient to keep your neighbors from browsing your pr0n shares, but not much else With widespread use, though, does come another form of security, security through obscurity. It's quite easy to track the data when there's only a handful of devices responding, but with even weak protection on the transmitted data, and with widespread use, you can't just walk through the mall and grab everyone's data without having some way to tie that information in to specific individuals. Unfortunately, I'm afraid that when RFID is implemented on a wide scale, this is what they'll be relying on.

Originally posted by Whiskey Jack
For applied security on RFID, why, exactly, would a private/public encryption key scheme not work? Encrypt the data transmitted by the RFID, append a public key. Any authorized device can access the private key to decrypt the information contained therein. Exactly the way secure e-mail communication is carried out, for example, between the military and defense contractors. It's not 100% unbreakable, but it will keep Joe Q Thief from walking through the mall scanning your personal info unless Joe has also has some way to get to your private key.

joe q is not the one to worry about. organized crime is a bit more sophisticated than you think. not that i would comprimise my ethics but if i wanted to i could pimp myself and knowledge out for illegal gain. but what good would that get me. lets not forget the government, lest we forget about the vast array of antenna's in Yakima or the site on the east coast.

you cant crack what you don't transmit

I'm certain that a lot of us here, myself included, could pimp what we know for large amounts of cash. That aside, what, then, aside from "don't do it" would you suggest to lock down RFID to a reasonable level of security?

That's pretty much what I've been trying to do here, really. The way I see it, RFID will happen. Whether it's an implanted chip in people or in ID cards, I'll see it before my new son is out of elementary school. So, what I think that folks like you and I need to be doing is spreading the word about the potential pitfalls of the technology, but also encouraging ways to get the benefits of RFID in a way that minimizes those dangers. The alternative is to trust the folks in Washington to be both tech- and security-savvy, both things at which they've failed rather spectacularly in the last decade