Missing-the-Point Central
AIM, Inc. - Tuesday, August 10, 2004
From the specter of tagging school children to RFID hacker tools, there have been recent news reports that seem significant but, upon closer reading, display a fundamental lack of understanding of RFID technology.

"Japan School Kids To Be Tagged With RFID Chips"
CNET News.com July 12, 2004, 7:55 PM PT

Just reading that headline will send chills up the spine of privacy advocates, and it's probably intended to do just that. It does make a great headline. Read the article, however, and the truth is far less chilling.

According to the article on CNET News.com, "The chips will be put onto kids' schoolbags, name tags or clothing in one Wakayama [Japan] prefecture school. Denmark's Legoland introduced a similar scheme last month to stop young children going astray." The article explains, "The tags will be read by readers installed in school gates and other key locations to track the kids' movements."

While it may be a helpful tool for school officials, it's hardly foolproof. Any student could pick up another's backpack, and kids (especially girls) often borrow each other's clothes. Tracking school kids through RFID in their clothes or belongings really doesn't work effectively.

Here's a real-life example: my 15-year-old daughter came home from school one day wearing one of her friend's shoes...that is, she was wearing one shoe that belonged to her friend; the other was her own shoe. [I did not bother to ask for an explanation....] If the school were to use, say, shoe tracking as a way to monitor attendance, it would have failed since it would have registered both girls leaving together. [It would be quite easy to just toss shoes out the window and retrieve them later.]

Using RFID as a "school pass" has a lot of merit but only if it's implemented correctly. True, younger students may well forget an ID card so having a tag on a backpack might be a fairly good idea...but it falls short when it comes to security or ensuring attendance.
A child could easily leave without a backpack and have a friend carry it out. RFID works for security only if there's a way to ensure that only one individual (and tag) is being read at a time -- whether through optical sensors, video cameras or access restrictions such as turnstiles.

A better idea would be a school ID that could also serve as a stored value card (which would also help put "lunch money bullies" out of business). Kids might forget them on occasion but could be issued a temporary pass for the day. After a while, they'd be as natural as carrying a cell phone -- which might also be a very good place to put a school ID.

SOURCE ARTICLE: zdnet.com.com/2100-1104_2-5266700.html

Counterfeit RFID Tags

A July 30, 2004 headline on itvibe.com boldly proclaimed: "RFID Hacking Tools Released" above a story about the inherent vulnerabilities of RFID tags. Silicon.com's headline read, "RFID An Opportunity For Shoplifters, Says Expert." Forbes.com, Slashdot.com, Government Computer News (GCN.com) and many others all ran similar stories. And all of them missed the point completely.

According to the itvibe.com story, "During the popular Black Hat Briefings security conference today, a new open-source product called RFDump was demonstrated. RFDump is a tool that allows you to not only read RFID tags within range, but more worryingly, you can actually change and alter all the data stored in the RFID tag."

On the surface, and according to the developer of the RFDump software, this seems to be a real cause for worry. The program's developer, Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH [Germany], claims, "It is only a matter of time before smart tags replace the good old bar code. It is only a matter of time until everybody will wear at least one RFID tag. But you can exploit nearly all of these benefits."

The Forbes article posited this scenario: "A would-be scofflaw heads into a grocery store where all the products have RFID tags on them. Rather than paying $7 for a bottle of shampoo, he'd rather pay $3. To make that happen, he whips out a PDA equipped with an RFID reader and scans the tag on the shampoo. He replaces that information with data from the tag on a $3 carton of milk and uploads it to the shampoo bottle tag. When he reaches the check-out stand--which just happens to be automated--he gets charged $3 instead of $7, with the store's computer systems none the wiser."

According to the Forbes article, "Grunwald says this is not only possible, he's done it. That is, he's changed the information on the RFID tag. He didn't actually steal anything. To prove his point and let others learn about RFID tag security, he's created a free software program called RFDump that is the result of a few years of research into RFID. He presented his findings and announced the release of the software at the Black Hat Security Briefings conference in Las Vegas today."

"There is a huge danger to customers using this technology, if they don't think about security," Grunwald says.

Forbes also noted that, "This kind of disclosure -- complete with a software release that could potentially be misused -- is not unusual for Black Hat, a gathering where IT security pros talk frankly about the latest in computer security problems and how to solve them."

The Silicon.com article, while quoting Grunwald about the supposed dangers, also offers a more rational view. The article quotes Pete Abell, an RFID consultant at Boston-based EPCGroup. Abell says that "as stores adopt the technology beyond the test phase, any shopper who brought his own RFID reader into a store would likely be detected. Secondly, he says, tags on products would be programmed to respond only to authorized readers. Finally, he says, the industry is working on stronger encryption than what is available now. 'Currently there's only 8-bit encryption available, and that is pretty easy to get around,' he says. 'And in this case [Grunwald's success at rewriting tag data] I doubt even that was in place.' "

In a comment posted on the silicon.com site, a reader had a better response: "This story does not reflect the realities of RFID. It really says more about the poor understanding of RFID, the many types of tags, etc, than shoplifting."

The reader response on Silicon.com comes closest to the real point: if companies are using WORM (write once, read many) tags for product identification, whether they have encryption or not, they simply cannot be rewritten. Period. That's the way they're made. And for just that reason.

SOURCE ARTICLES:
"RFID Hacking Tools Released...Security" itvibe.com/default.aspx?NewsID=2767
"A Hacker's Guide To RFID" www.forbes.com/business/commerce/2004/07/29/cx_ah_0729rfid.html
"RFID An Opportunity For Shoplifters, Says Expert" software.silicon.com/security/0,39024655,39122720,00.htm
Reader comment on silicon.com article: software.silicon.com/security/talkback.htm?PROCESS=show&ID=20028609&AT=39122720-39024655t-40000024c
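
The rewrite scenario quoted from Forbes and the write-once behaviour of WORM tags described above, modelled in Python as an added example (not from the article and not RFDump's code). The block layout, the one-way lock bit, the item codes and the prices are assumptions constructed for illustration.

```python
# Constructed model: tag memory as blocks with a one-way lock bit (an assumption,
# not any specific tag's command set). Item codes and prices are made up.
PRICES_CENTS = {b"SHMP": 700, b"MILK": 300}   # store back-end price table

class TagWriteError(Exception):
    """Raised when a write targets a permanently locked block."""

class Tag:
    def __init__(self, blocks=2, block_size=4):
        self.block_size = block_size
        self.blocks = [bytes(block_size) for _ in range(blocks)]
        self.locked = [False] * blocks

    def read(self, index):
        return self.blocks[index]

    def write(self, index, data):
        if self.locked[index]:
            raise TagWriteError(f"block {index} is write-once and already locked")
        if len(data) != self.block_size:
            raise ValueError("data must fill exactly one block")
        self.blocks[index] = bytes(data)

    def lock(self, index):
        self.locked[index] = True   # the model has no unlock operation

def encode_item(item_code, worm):
    """Encode a product tag; a WORM tag locks every block after the first write."""
    tag = Tag()
    tag.write(0, item_code)
    if worm:
        for i in range(len(tag.blocks)):
            tag.lock(i)
    return tag

def checkout_price(tag):
    """Automated checkout: trusts whatever item code the tag reports."""
    return PRICES_CENTS[tag.read(0)]

def shampoo_price_after_rewrite(worm):
    """Replay the scenario: copy the milk tag's item code onto the shampoo tag."""
    shampoo, milk = encode_item(b"SHMP", worm), encode_item(b"MILK", worm)
    try:
        shampoo.write(0, milk.read(0))
    except TagWriteError:
        pass                        # tag refused the write; its data is unchanged
    return checkout_price(shampoo)

if __name__ == "__main__":
    print(shampoo_price_after_rewrite(worm=False), shampoo_price_after_rewrite(worm=True))
```

With rewritable tags the checkout charges the milk price for the shampoo; with every block locked, the write is refused and the shampoo price stands, independent of any encryption.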