http://www.theinquirer.net/default.aspx?article=39170 By Wendy M. Grossman 25 April 2007 "SPYCHIPS," some privacy campaigners call RFID. Two years ago, when Melanie Rieback in 2005 was hunting for a research topic for her PhD, she settled on RFID security because "It was obvious there was a lot of work to be done." Based at the department of computer science at Vrije Universiteit in the Netherlands, Rieback, an American, caused a storm last year when she published a paper on RFID viruses. "I wrote a completely scientifically and factually neutral paper about how to use RFID to perpetuate common exploits like the ones on the Internet today," she says. The paper didn't talk about the possible consequences. But, "The reality is that RFID is a new technology like anything else, and you have to do a proper cost-risk analysis in deciding when to deploy it." Using RFID to tag cows in a field clearly carries much less risk than putting them in passports and credit cards. "I think you need to be as worried about RFID malware as any other kind of enterprise software. With big RIFD installations you're going to have big databases, Internet connections in the mix, a lot of bloated source code, and statistically they say there are 16 bugs per thousand line of code." Rieback's latest project, RFIDGuardian, aims to create a personal firewall for RFID tags. That is, a portable, battery-powered device that anyone can use to see and selectively block the tags around them. The idea, Rieback says, was inspired by a paper written by Ari Juels that she believes was the first proposal for an RFID privacy-enhancing technology. "It was a brilliant idea, but it had a few shortcomings, and thinking through those led me to RFIDGuardian." The basis of Juels' idea was to jam the system by using the built-in anticollision protocols. Readers check for nearby tags by proceeding down a tree of possible names. Juels proposed a tag that responds to all of them, slowing the system down and confusing it as to which tags are actually present. The shortcomings: tags have no power source and can only be read in the right orientation; they have very little data storage, ruling out complex security policies; and changing the policy after widespread distribution would be a "nightmare". The prototype RFIDGuardian is currently in its third version of hardware and software, and by now it's a single PCB with all the functionality build into it. "It sends out some random noise in the time slots when an RFID tag is going to be speaking," she says. "Because the jamming signal is so short and selective in can block only one tag and let others speak." Building the prototype took her team about six months and wasn't, she says, technically all that difficult. "The only thing at the beginning was that we didn't know if we would get tag spoofing/jamming to work." This was, she says, another problem with Juels' proposal: most people can't make their own silicon to create a jamming tag. Rieback's ultimate goal is to implement the device in a single chip that could be affordable for consumers. "The idea is it could eventually be integrated into a PDA or cellphone," she says. The version in progress will incorporate Bluetooth so that a Java applet on a cellphone can control the device and display its output on the cellphone screen. Currently, seven are in production destined to be given away to other researchers. Rieback hopes that seven or eight months from now she'll be able to open-source the entire project. For Rieback, enhancing privacy isn't a primary goal but it is a welcome by-product. "I see myself first as a scientist. It makes me happy that what I'm working on can have a positive impact in terms of privacy, but only being an activist has its limitations. People aren't going to believe you that something is broken until you show it to them. I try not to be too preachy – I just try to show things scientifically and factually." __________________________ Subscribe to InfoSec News http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Apr 26 2007 - 01:30:10 PDT