RFID "Security": Point/Counterpoint
BusinessWeek published an interview last week with Scott McGregor of Phillips Semiconductor. Phillips is a leader in developing radio frequency identification (RFID) technology; Mr. McGregor breezily waves away concerns about the impact RFID use would have on privacy.
EFF's Chris Palmer took a quick look at the article; below, he responds to Mr. McGregor's assertions:
McGregor: "When I buy a garment, one of the first things I do when I get it home is cut off the tags. You can cut off RFID tags the same way."
RFIDs are tiny and will only get tinier. How do you cut them off when they're
embedded in an item? Sure, you can still zap them--but why should people have to zap all of their new purchases to avoid shedding data?
McGregor: "When the laser scanners were coming out [in supermarkets], everybody was saying, retailers are going to collect information about what you
buy. And none of that happened."
All of that happened.
McGregor: "Medical identification: Your medical information is stored on a chip, so if you have an emergency and are in a hospital, doctors can read your medical history in a secure way."
Your private medical information stored on a chip? How will it be secure? Is the
data to be encrypted? Cryptographic key management is a total debacle (DeCSS, anyone?).
And if the tag only stores and reports an index into a database, then the database itself becomes a giant book of keys. Is this database intended to be available on the Internet? If so, it's an open book.
McGregor: "Plus, contactless payments are cool--and Visa, when it implements them, will be able to give customers a higher-end, interesting product."
Having your card charged by some random thief because he doesn't require your signature is neither "cool" nor "interesting."
McGregor: "RFID could replace your keys, too. Most car manufacturers we're talking to will have a card you keep in your wallet or embedded into your cell phone. You get in your car, push start, and the reader in the car will read the card in your phone to make sure you're the car's owner."
Forged RFIDs will make car theft easy. Simply scan someone's RFID from a distance, then make an RFID that responds with the same information that theirs did.
But perhaps that problem would be solved with the use of cryptography--by having the host computer/cell phone perform the cryptographic protocol. But when it comes to cryptography...
McGregor: "We're the only company that can do high-level, triple DES encryption in a contactless RFID tag."
As Bruce Schneier and Niels Ferguson point out in Practical Cryptography, triple DES encryption is nothing to write home about: "3DES has a larger key [than DES], but it inherits both the weak keys and the complementation property from DES, either of which is enough to disqualify the cipher by our standards. It is also severely limited by its 64-bit block size, which imposes severe restrictions on the amount of data we can encrypt with a single key."
Recent DeepLinks Posts
May 5, 2015
May 5, 2015
May 4, 2015
May 4, 2015
May 2, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games