RFID: Radio Freak-Me-Out Identification
by Kn1ghtl0rd (Kn1ghtl0rd@kn1ghtl0rd.org)
RFID has become something of a hot topic in the hacking world.
There have been multiple presentations on security and privacy of RFID and also the technology behind it. This article is designed to be a what-if type scenario on what RFID is potentially capable of and where the technology is heading.
RFID stands for Radio Frequency Identification, which obviously means identifying objects using radio frequency.
Current implementations include asset management, inventory control, inventory tracking, access control, and entity identification. The first three are usually implemented in a business environment to track inventory from one location to another or to monitor asset activity to isolate theft situations and problem areas. These implementations of RFID are very efficient and perform a valuable task for a business.
The fourth example is not so good. RFID is being changed into a new type of ID for people and animals to be used instead of a hard-copy form of identification. This may seem convenient for people and they don't see why this is bad. There are many possibilities for this technology to turn our world upside down and allow for Big Brother to truly manifest itself.
Currently a human being can receive an implanted RFID chip that stores an identification number that associates them with information in a database. This can be anything from personal data such as name, address, and birth date to medical history, financial information, family information, etc. The cost of storage space now is so cheap that it wouldn't be out of the question to store just about every type of information on any one person so that any organization can utilize the technology embedded in said person.
If you don't get where I am going with this, then think a massive database with information on every person who has an implanted tag. Now you may say what is the big deal? There are already databases out there with our information. Why should one more be any different? Well the problem is this. Any database that contains that vast amount of information has to be controlled by someone. More than likely that someone will be the government. This may not seem so scary either. But wait, there is more.
RFID in its current implementations has been proven to be a reliable solution for tracking inventory.
Change the word inventory to humans and you see the problem. The technology does not change from one implementation to the other. The data on the tag may change somewhat, but the fundamentals do not. So what is stopping the government from placing readers on every government owned piece of property and monitoring the activities of everyone with an implanted tag? Not a whole lot.
Right now the cost for a reader is about $40 to $120 for a low-frequency (LF) module. The government, being its omnipresent self, can get these devices for less or manufacture them for less and tailor the technology to act as it wishes. The cost for an implant is around $20 for the tag and the cost of implantation, which can vary from one doctor to another. There is not a whole lot stopping the government from doing this.
The possibilities are then endless for the data and scenarios that the government can observe.
Not only can the government observe this information but so can anyone else who can figure out how to get the data off the tags. Since our country is basically run by huge retail outlets it is not too far of a stretch to see product marketing analysis based on human purchase activity that is all based on RFID technology. Picture walking into Walmart and having the racks scan your RFID tags and create some kind of notice to you to point on items that you prefer based on past purchase history. You regularly buy black cotton t-shirts in size large so the rack will recognize this data and highlight the rack with the black cotton t-shirts with little lights attached to all the hangers that flash as you approach. The same can be said about shoes. You wear a size 13 so it shows you only the size 13 shoes in stock. Now take it one step further and say you purchase one of those pairs of shoes. The shoes themselves have an RFID tag embedded in them so now not only can we see where you are going based on the implanted RFID tag, but we can also see that you bought your shoes from Walmart and produce Walmart advertising on interactive billboards as you pass by.
When you walk into a coffee shop they will already start making your favorite coffee because they got that information from your tag. This may seem cool, but then they ask you how your mother is doing because they saw on the report that she had come down with an illness and had to go to the hospital the day before and they now have her taking penicillin for an infection. That thought in itself is pretty scary. You don't want your local coffee house to know everything about you, do you? How can you even make a small decision like whether you want cream or not if they already know based on trends they have analyzed on your activity for the last fiscal year?
When everyone becomes a number we will see the true possibilities of this technology. A wealth of knowledge is attached to you and that information is accessible by way too many people for it not to be a little scary.
There are good things that can come out of this, but is convenience better than privacy or free will?
I think not.