Anyone who has read Cory Doctorow's Little Brother — mentioned in a previous article, Five good security reads — should already have some inkling of how RFID technologies can become liabilities. While the events of Doctorow's novel are unlikely to occur in the immediate future, there are potential dangers to poorly implemented RFID policies that can affect you right now.
Between the RFID chips in new US passports and similar measures required by Department of Homeland Security regulations pursuant to the Real ID Act of 2005, US citizens could very soon be walking advertisements of their own personal information. Even the crudest uses of such information — just detecting specific classes of people based on the gross RF transponder characteristics of a given nation's passports, such as detecting the presence of US citizens based on the manner in which data is encoded on passport RFID chips — can lead to significant security problems. It has been suggested, for instance, that a person's nationality, detected in proximity to an explosive device, could be used to trigger the device. It's a simple way for a terrorist to make sure a bomb targets at least one person of a targeted nationality.
This isn't merely the domain of expensive projects by professionals. Hobbyists can acquire and learn to use RFID "experimentation" kits for under $100. Blaming the purveyors of such tools would be the height of foolishness, of course, considering the many legitimate and commercial uses for them; for instance, I may buy an RFID reader in the foreseeable future to test for specific types of radio frequency emission "leakage" as part of a proposed business endeavor, and if I don't have to pay more than $100 to get it, I won't. Since the business endeavor centers around providing increased personal data security for customers, trying to regulate the distribution of such tools could potentially hurt security for a lot of people — especially since those who would purchase a legally available kit to use for nefarious purposes won't be put off for long by making the acquisition of such a device illegal. Lawbreakers are, by definition, not deterred by laws.
There are some things you can do all by yourself to reduce your vulnerability to the dangers of RFID chips in your wallet. They range in effectiveness from "maybe effective, sometimes" all the way to essentially impervious to circumvention. A few solutions follow that rely to some extent on the ideas of physicist Michael Faraday, who built the world's first Faraday cage circa 1836. I list them in order from the most easily employed to the most difficult — and, perhaps coincidentally, from the least effective to the most effective.
- If you bundle cards with RFID transponders in them closely, perhaps by stacking them together and wrapping a rubber band or elastic hair tie around them, the radio frequency emissions of each RFID chip may interfere with those of the others (producing, obviously, RFI). This is far from fool-proof, of course, and a good RFID reader held close enough can sort out the signals.
- Most of you being IT professionals, you have probably encountered the anti-static bags in which many hard drives and PCI expansion cards are delivered. Simply wrapping the RFID-chipped items in one of these bags can significantly reduce the likelihood that your data can be read remotely. It's not the most professional looking solution, but it may work for you in a pinch.
- You could wrap these items in aluminum foil, which serves as a more effective masking medium than you're likely to get out of anti-static bags. Unfortunately, foil rips easily and can be a pain to wrap, unwrap, and rewrap over the course of the day every time you want to pay for something with your PayPass Mastercard. Perhaps worse than the inconvenience are the funny looks you could get, and the inevitable joke from someone who may identify you with the "tinfoil hat crowd".
- Constructing your own Faraday wallet using common materials like duct tape and aluminum foil is entirely possible. It requires setting aside some time to do so, however, and may require more than one try to get it right. Such a project should be tested afterward, as well, such as by placing a PayPass Mastercard in it (alone) and trying to use it from within the wallet to determine whether the payment point reader can detect the RFID chip — or, better yet, by getting an RFID "experimentation" kit and testing it properly.
- Finally, of course, you could try disabling the RFID chips. It has been suggested this could be accomplished by microwaving any items you suspect contain the chips, but that route is fraught with danger, not only to your microwave oven but also to the item whose RFID chips you want to disable. By all accounts, the things tend to "explode", or at least pop with sparks and occasional small flames, when microwaved.
The right way to handle it is to never get yourself in the position of having to deal with it at all. You can urge your State and Federal legislative representatives to oppose or revoke measures that introduce more dangerous RFID technology into your life. There are proper uses for this technology, such as inventory tracking in warehouses, keeping track of the movements of participants in a race more exactly than by the human eye so that precise timing can be tracked, and research studies where the movements of subjects must be tracked. Unprotected, constant RFID broadcast in passports and driver's licenses is just a recipe for security disaster.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.