tracking and cloning rfid tags: the pragmatic tinfoil hat

In case someone has strangely missed this story, Chris Padget has made some headlines for a recent video where he reads and clones RFID tags around the San Francisco area. Read the comments for some good discussion (amidst the ignorant noise).

This is a very big issue for three reasons. First, obviously we need to care what may or may not be disclosed from the tags. Is it personal? Is it just a number that is looked up? This is probably the easiest issue to resolve.

Second, even if the item is just a number that is looked up, all it takes is some relatively simple database tracking or data points to start stumbling over the lines of privacy. #3482749 is Michael Dickey. #3482749 is shopping at Wal-Mart at 7:30pm. #3482749 stopped for a shake at McDonald’s at 8:15pm. And so on… And it wouldn’t take much to track this. If all the legit scanners that get issued are dumb but ping back to the master database system, the database just needs to log the location of the scanner that pinged in.

Third, just how easy is it to clone a tag and fool scanners? Kinda like me opening up a Facebook page for someone else, I might be able to do quite a bit of damage to someone’s profile or reputation by wandering around with a cloned ID just for the heck of it. Or maybe I’ll just clone my own and give it away on the streets and generate so much noise… In fact, how defensible would that tag information even be, legally, if I can generate doubt like that? Can I overpower my own RFID tag by transmitting a stronger signal and drown out my card?

Besides, let’s face it, as a shop owner I might want to buy some cheap RFID reader and put it near the front door just keep my own tabs on who my repeat visitors are based on their number. And it’s just a hop-step away from keeping a personal record of them so they can pay quicker by keeping their credit card on file and just charging them based on the number on the RFID. Come on, there’s a whole industry of people salivating at the possibilities of such tracking and ID…

And if “do no evil” Google will happily cross the line of privacy in pursuit of the profits, so too will others. It will just take some curious entity that is large enough to connect data points and suddenly that slippery slope is rushing by fast enough to burn our ass.

In short, it’s not just about the data given off by an RFID tag, but also how that data can be correlated. And how much the general public is made aware of the risks of unshielded tags or unquestioned tracking.

One thought on “tracking and cloning rfid tags: the pragmatic tinfoil hat

Comments are closed.