An RFID tag is a combination of a special IC (chip) and a small antenna. When such a tag comes within range of a corresponding reader, the RFID chip is powered by the energy transmitted by the reader. The reader and the chip can use these radio waves to communicate with each other in both directions. RFID tags can be used for many different purposes because they are wireless devices. A tag can communicate with a reader without even having to be visible. That also creates a few disadvantages. Users of RFID tags usually do not notice that their tags are being read, and they will be equally unaware if other persons eavesdrop on the communications between a tag reader and their tag.
Suppose you’re shopping at the grocer’s and you put a nice cut of beef (with its own RFID tag) in your trolley. When you pass by the wine section, your trolley (fitted with a reader) tells you which wine fits best with your meat. That’s a pretty harmless scenario, but other scenarios are less so – for instance, suppose someone else could read and copy the information in your passport without your knowledge, or charge a petrol purchase to your account? In such situations, you naturally don’t want to unwittingly let yourself be victimised by malicious persons or companies. Various groups of people are now busy publicising hazards of this sort in order to make it clear that caution must be exercised in using this new technology and that security is a very important aspect that manufacturers and organisations must take into account. For instance, a group of students hacked the RFID system of the ExxonMobil Speedpass, which is used in a payment system for American filling stations operating under the Exxon brand name. The RFID tags for that system are fitted with a cryptographic system, but that wasn’t enough to prevent the students from making a purchase using a DIY RFID tag copied from a genuine tag. They used a homemade device to receive the communications between an RFID payment card and the associated reader at a distance (and thus without being noticed). After analysing the communications, they were able to crack the protection and copy the RFID card. As an experimental test, they then filled up with petrol and successfully used their copied RFID card to automatically pay for the purchase. Of course, the RFID payment card they copied belonged to one of the group, so what they did could not be treated as a criminal act.
Since then, the first RFID virus has been developed by one of the members of a research group at the Free University of Amsterdam. That virus was written for the group’s own RFID system, which is not a system that is used commercially. Nevertheless, it clearly shows that it’s necessary to pay attention to the potential hazards associated with RFID technology. The person who created the virus, Melanie Rieback, did so to draw attention to issues related to the security of RFID systems. In her opinion, the privacy and security risks are not only a problem for consumers, but also for companies that want to use this technology. The number of items that have been published about this virus certainly suggests that she achieved her objective. As a result of this attention, several companies have approached Melanie to ask her to help them improve the security of their RFID software. Unfortunately, a few companies in the RFID business responded very negatively to the virus and regarded it as a tempest in a teapot.
Besides the previously mentioned hacking of the ExxonMobil Speedpass, Melanie mentioned that the new Dutch passport is not entirely secure against hacking. A company in Delft named Riscure has shown that the proposed RFID technology is not sufficiently secure. They managed to crack the key to such a passport in a few hours, which then put them in the position to read the birth date, passport photo and fingerprint data from the new passport without that being noticed. In response to this, the Dutch Ministry of Internal Affairs announced that the security of this technology would be improved. The Dutch passport is not the only one to suffer problems from the security of its RFID tag. The American passport is also drawing sharp criticism. At the recent Computers, Freedom and Privacy conference, a member of the American Civil Liberties Union demonstrated that the new American passport could be read at a distance of a metre, while the manufacturers stated that it could only be read within a distance of a few centimetres.
RFID tags are poised to play an increasingly important role in our society. The extent to which that will cause security problems is presently guesswork, but it’s perfectly clear that this issue must be examined critically. Particularly if we start carrying around banking information, medical data and other sensitive information in our RFID tags, it is important to shield this information from unauthorised persons. On one side, we see the RFID manufacturers, who promise us even more luxury and convenience from using RFID technology. On the other side, there are groups of people who regard the coming of RFID as the prelude to the apocalypse. Which of these two sides will turn out to be right? As usually happens, the truth will most likely lie somewhere in the middle.