A bad use for RFID

Ok, so it really begins...

<rant>
I am coming to a conclusion that makes me sound like a paranoid freak, or a Luddite. I don't like RFID. Perhaps it has narrow applications where its use is essentially harmless. However, it is being foisted upon all of us like a magic bullet solution to all problems. It ain't. It's really just a fancy barcode that can be read without the holder's knowledge, and at a distance.

Crypto helps, but is not enough. A recent RISKS has a link to a research group that has worked out a way to completely reverse engineer the entire secret key from a particular TI encrypted tag that is widely deployed (a big-three automaker's "smart" ignition key, and Mobil SpeedPass among other applications) from fewer than 10 queries requiring no more than 2 seconds to gather the data. From the collected data, they can duplicate the tag in only a few hours using less than $5000 worth of off-the-shelf hardware.

Worse is the idea that tags could become ubiquitously buried in consumer goods. Walmart is the major driving force here. They have this pipe dream of doing whole-cart checkout by just letting *known* customers just push the cart past a reader. The problem is all the extra inventory data that will just sit their sewn into seams in clothing, cast in soles of shoes, and so forth. Some of that could be used to track people. Some could be used simply to violate privacy. (Hey, like those red panties you're wearing, Mr....) And then there's the easy opportunity for "extra charges" the second time you go shopping carrying or wearing one... (There may be a reader out there that remembers the trouble that we caused a classmate once by sticking a Ralphs anti-theft tag inside his Caltech ID?)

But the worst is the fact that thanks to some damn fools in some part of the US government, all Passports are supposted to use RFID to enable them to be read and validated. Not just US passports, all countries are supposed to be joining in. The tags will hold the country or origin, identifiers like the passport number itself, as well as lots of identity details of the bearer. When it was suggested that this would enable identity theft at a distance, the concern was laughed down as paranoid as well as because the tag reader is designed to work close up. But it wasn't designed to not work at a distance. And close up is enough of a threat. It wouldn't be at all difficult to leave a package in a taxi that will act on the next American (or...) to get in the cab.

The US will start issuing Passports with RFID in late 2005, so renew now to avoid the pesky things for 10 more years in hopes that they come to their senses.

For most of these applications, optical codes of one sort or another are a much better solution. For passports, especially, a 2D code could be used on an inside page, allowing many KB of data to be carried, robustly read, and avoid any possibility of accidental information leakage.

I do carry a SpeedPass, but the mechanical design of a gas station makes it highly unlikely that I could possibly pay for someone else's gas. Besides, we do check the monthly statements, and the total risk exposure is negligible since it really is fundamentally a credit card and those risks are managed by the issuer. I don't happen to own a vehicle with RFID in the ignition key, but I have heard horror stories about the cost of replacing a lost key, while (at least in the LA basin) the thief is likely to make more by chopping the car up for parts and so really doesn't care if he has keys.

All in all, it often seems like there is just plain an urge to use the highest possible tech to solve problems, even when there really isn't a problem there that needs solving.
</rant>