June 27th, 2003

ronin

RFID for you and me.

Stolen from Slashdot:

http://securityfocus.com/columnists/169


Sure, it's possible to destroy an RFID tag. You can crush it, puncture it, or microwave it (but be careful of fires!). You can't drown it, however, and you can't demagnetize it. And washing RFID- tagged clothes won't remove the chips, since they're specifically designed to withstand years of wearing, washing, and drying. You could remove the chip from your jeans, but you'd have to find it first.

That's why Congress should require that consumers be notified about products with embedded RFID tags. We should know when we're being tagged. We should also be able to disable the chips in our own property. If it's the property of the company we work for, that's a different matter. But if it's ours, we should be able to control whether tracking is enabled.

Security professionals need to realize that RFID tags are dumb devices. They listen, and they respond. Currently, they don't care who sends the signal. Anything your companies' transceiver can detect, the bad guy's transceiver can detect. So don't be lulled into a false sense of security.

With RFID about to arrive in full force, don't be lulled at all. Major changes are coming, and not all of them will be positive. The law of unintended consequences is about to encounter surveillance devices smaller than the period at the end of this sentence.