Security

When RFID chips get a little too personal


RFID is getting some recognition in the news lately, from chips in Mini Cooper key fobs generating personalized messages on billboards ("Via RFID, these billboards know you by name") to embedding chips into humans for medical-record tracking ("Patients, doctors staying away from implantable RFID chips").

In the former story, 4,500 of the 150,000 Mini Cooper owners in the United States were invited to participate in a marketing trial called Motorby. For those who consented, customized messages appear on digital billboards. "The boards, which usually carry typical advertising, are programmed to identify approaching Mini drivers through a coded signal from a radio chip embedded in their key fob. The messages are personal, based on questionnaires that owners filled out: 'Mary, moving at the speed of justice,' if Mary is a lawyer, or 'Mike, the special of the day is speed,' if Mike is a chef."

I can't imagine working for the creative team at the advertising agency that's assigned to come up with all of these personalized messages. How catchy or clever can you be for Mini drivers who are funeral directors, proctologists, or *ack* IT professionals?

In the latter story, "Only 222 medical patients in total have opted to get RFID chips from VeriChip implanted as of the end of 2006, according to documents filed by the company with the Securities and Exchange Commission as part of its initial public offering. ... Putting RFID chips into people's arms is, it turns out, not a booming business."

If we merge these stories together, it's not unrealistic to think about a future where billboards, road signs, door entryways, drive-throughs, ATMs, and all other electronic/digital devices immediately have our personal information and greet us by name. Can you imagine putting coins into a vending machine and having it talk to you - or worse yet, having it suggest healthier snack alternatives? "Good morning, Sonja. Are you sure that you don't want a granola bar instead of a frosted poptart?" I don't know about you, but I would not be okay with that.

About

Sonja Thompson has worked for TechRepublic since October of 1999. She is currently a Senior Editor and the host of the Smartphones and Tablets blogs.

6 comments
mib.2945
mib.2945

With a portable pc (hell even a sophisticaed pda running java apps) a coil of copper wire about 2 inches across (small enough to fit in your palm) and about $13 worth of components, you can create an antena device to pick up any rfid it passes within 3-4 inches of. with more sophisticated directional antennas, you can pull information at up to 40-100 feet without any difficulties. This information is usually not encrypted, or lightly encrypted, and easily accessible. On one consultation, spending 32 minutes in the visitor's lounge, myself and an associate pulled 172 employee badge/ids including their full names, final four of soc, and with that information were able to generate badges that unlocked doors anywhere in the complex (minimum of 3 badges necessary, optimax 7 to ensure we had a manager badge)

highlander718
highlander718

The problem is not the technology itself, I can actually see many benefits of it, the problem of course is the abuse of it. It's very handy to shop on-line it's not that pleasant when the spam starts to arrive or if your credit card number gets hacked. As long as the RFID stays a personal option, I can see no problem with it. I would probably go for it if that saves me remembering PIN codes, door entry codes, swipe cards, using bank or credit cards alltogether and so on. I tend to be more trustfull with the public administration/government organisations, better said I think the risk of being abused is so slim that it worth it for the added comfort. It still is a risk of course, that's why I say it's OK as long as you are not forced to take it. More or less same as using a credit card :-)

highlander718
highlander718

Well, you definitely convinced me not to implant an RFID chip very soon :-), and yes in everything we do these days there is a "it won't happen to me approach" - flying on a plane, using credit cards ... you just have to take some calculated risks. I guess the math in the RFID case is not adding up ....yet :-)

mib.2945
mib.2945

I've worked with a number of IT security consulting firms. I can pull an rfid off a chip, transmitter card, or piece of hardware from as far as 5 feet away. When you are walking down the street with your credit card broadcasting constantly every step of the way, its an open invitation for criminals and thieves to rip you off. Not only would they have your information, but with many RFID solutions, they would have the passkeys as well. The only true solution is a broadcast on demand chip. Basically unless the chip receives a heavily encrypted signal, it doesnt broadcast. Of course, the catch 22 in that is that someone could still generate that heavily encrypted signal. Until security becomes a lot beefier, I just don't feel safe with rfid technology for more than trivial things like the mini cooper ads or telling me what items are in my fridge (to cite the last massive failure in RFID)

highlander718
highlander718

I sure don't know how easy is to take the RFID off a chip as it is today. If it is as you say, of course I wouldn't be comfortable either. I am making a parallel here between using your credit card on-line or doing on-line banking and the future of RFID (I am not talking about wide spread RFID chips as of today, but what thew could become - hopefully with the beefed up security you're talking about). You know that there is always a threat outthere, a risk of someone hacking into your system, in the banks system or somewhere in between and get your banking info. Still, I think the chances of a particular person being hacked and abused after that are reasonably low for me to use the system.

mroonie
mroonie

It's amazing just how many people are unaware of how common it is for someone's system to get hacked or a password to get stolen. Trust me, I work for a security company.It's one of those "It won't happen to me scenarios" and before you know it, you're a victim. I agree with mib. Until security gets "beefier" it probably isn't a good idea to use RFID technology because you think chances of it getting abused are "reasonably low"

Editor's Picks