RFID Personal Firewall

Posted by samzenpus on Thu Dec 07, 2006 10:52 AM
from the just-for-you dept.
JanMark writes "Prof. Andrew Tanenbaum and his student Melanie Rieback (who published the RFID virus paper in March) and 3 coauthors have now published a paper on a personal RFID firewall called the RFID Guardian. This device protects its owner from hostile RFID tags and scans in his or her vicinity, while letting friendly ones through. Their work has won the Best Paper award at the USENIX LISA Conference."
This discussion has been archived. No new comments can be posted.
  • Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups. "Would you like Macy's to be able to access your RFID tags? [Ok] [Cancel] [X] Always Allow"

    • by chroot_james (833654) on Thursday December 07 2006, @11:29AM (#17146190) Homepage
      What about "would you like Macy's to have no idea you're stealing their stuff? [yes][no][always][never]"
    • Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups.

      so what do the RFID tags tell Macy's that can't be extracted from a video scan?

      age, sex, style of dress, etc. since the beginning of time, salesmen have known what to look for in a prospect.

  • Well... (Score:4, Interesting)

    by Steppman2 (1029992) <(Danielns84) (at) (agentstepp.com)> on Thursday December 07 2006, @10:55AM (#17145760) Homepage
    I guess this officially makes them white-hats, however, I'd still be worried about the ability to spoof a legitimate rfid or steal one and deactivate this firewall. Things that are considered by many to be foolproof make things that much worse when they fall through...
  • So these are little electronic rubbers, right?
  • Demo Video (Score:5, Informative)

    by AugustZephyr (989775) on Thursday December 07 2006, @11:03AM (#17145848)
    Video of The Guardian in action: http://www.rfidguardian.org/videos/rfid-guardian-0250.mov [rfidguardian.org]
  • That's the only safe protection, for sure.
    • Re: (Score:3, Funny)

      Just don't forget to wire the tin foil to a six foot copper stake driven into the Earth. It's a detail that is often neglected by the careless.
  • How much of this RFID traffic is good?  Why not market faraday cage coats and just leave the cellphone in an external pocket?  (Enumerate the GOOD and just ignore the BAD.)
    • Re:Faraday Cage (Score:4, Interesting)

      by Cruise_WD (410599) on Thursday December 07 2006, @11:37AM (#17146322) Homepage
      Makes sense, since that's a common strategy for dealing with spam: Block anything except emails from a known source.
      That comment just triggered an odd thought in my head... in the future, will we look back at spam gratefully, for all the practice it's given us in blocking unwanted intrusions into our systems in a (relatively) benign way? Or does it just demonstrate how easily the majority of people will ignore privacy and real security and make life hell for the rest of us?
  • Old News (Score:3, Funny)

    by Mike89 (1006497) on Thursday December 07 2006, @11:16AM (#17146018)
    This is either old news, or there is some other reason the website looks like it's from 1996.
    • Re: (Score:3, Interesting)

      My assumption is either the staff are hardware people or just prefer the security of static HTML.

      Staff: www.rfidguardian.org/people.html
    • Their next paper will be on CSS viruses and steps that can be taken to protect you from them.
  • KISS (Score:4, Insightful)

    by khafre (140356) on Thursday December 07 2006, @11:20AM (#17146072)
    If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up? Just insist on it. If it doesn't have it, it goes in the microwave. Sheesh, add a cheap membrane switch, not a firewall.
    • You want to add a mechanical switch to a chip that's roughly the size of a grain of rice?
    • If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up?

      Correct me if I am wrong, but I thought RFID tags were passive reflectors, which can be read without contact in somewhat the same sense as an optical bar code can be read without contact.

    • Considering the amount of times my friends have pocket-called me because the cheap membrane switches in the keypads of their cell phones got pressed, wouldn't something similar happen when cards are compressed while stuffed into a wallet?
    • Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

      DOH!
      • Re: (Score:3, Insightful)

        Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

        They have circuits in them, and wires. The fact that the power source is external is irrelevant. By your logic, a lamp can't have a switch because it relies on current from the wall for power. DOH!
  • Attack Barriers (Score:5, Interesting)

    by blueZhift (652272) on Thursday December 07 2006, @11:23AM (#17146106) Homepage Journal
    This reminds me of the anime Ghost in the Shell wherein people use sophisticated attack barriers to defend their cyberbrains from unwanted intrusions. It seems that we are approaching the need for personal firewalls much faster than anticipated driven by the desire of world governments to more closely monitor their citizens as well as consumer desire for more personal electronics. I'd say we probably have only a year or two before implantable cell phones/accessories start making an appearance. Soon thereafter the first viruses targeting those systems will show up. So the personal firewall business should be pretty good.
  • Link to PDF (Score:5, Informative)

    by tttonyyy (726776) on Thursday December 07 2006, @11:24AM (#17146120) Homepage Journal
    For those that want more detail than the videos provide:

    http://www.cs.vu.nl/~melanie/rfid_guardian/papers/acisp.05.pdf [cs.vu.nl]
  • by pestie (141370) on Thursday December 07 2006, @12:38PM (#17147422) Homepage
    Yeah, yeah, RFID, mark of the beast, firewall, virus, buzzword... whatever! This is Slashdot, and the important question is whether or not this Melanie Rieback chick is hot. 'Cause everyone knows that hot geek girls are the wet dream of every red-blooded male Slashdotter. And thanks to the magic that is Google, the answer [cs.vu.nl] appears to be, "Not bad... not bad at all!"
  • by crucini (98210) on Thursday December 07 2006, @01:45PM (#17148456)
    I read Tanenbaum's paper when it came out. One of the soundbites:
    RFID malware is a Pandora's box that has been gathering dust in the corner of our 'smart' warehouses and home.

    This is not true. There is no Pandora's box. Read the paper and you'll see why.

    Tanenbaum and his co-authors exploited vulnerabilities in RFID middleware - the software that connects to an RFID reader. What makes this less interesting is that they wrote the middleware. Yes, they deliberately built in vulnerabilities like SQL injection, then crafted RFID tags to exploit them.

    Tanenbaum's team did not find any weaknesses in any commercial RFID middleware. And their entire premise is flawed. The weaknesses they scanned for, such as SQL injection, are not going to exist in the dominant RFID system, which is EPC. An EPC tag contains a binary number (frequently 96 bits). This bit vector is divided into fields for manufacturer, part number, and serial number. It is binary, not text. There is no way a malformed number could trigger an SQL injection vulnerability.
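
The fixed-width field layout described in the comment above, as an added example that is not part of the original thread or of any product discussed in it. It assumes the SGTIN-96 encoding (one of several 96-bit EPC schemes, where the fields are called company prefix, item reference and serial), goes beyond the comment by rejecting anything that is not a well-formed 96-bit value, and uses hypothetical names (`decode_sgtin96`, `store_read`, the `reads` table).

```python
import sqlite3

# SGTIN-96 partition value -> (company bits, company digits, item bits, item digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}
# Sample tag value embedded for this example (not taken from the thread).
SAMPLE_EPC = bytes.fromhex("3074257BF7194E4000001A85")

def decode_sgtin96(raw: bytes) -> dict:
    """Strictly decode 12 raw tag bytes into integer fields, or raise ValueError."""
    if len(raw) != 12:
        raise ValueError("EPC must be exactly 96 bits")
    value = int.from_bytes(raw, "big")
    if value >> 88 != 0x30:                      # 8-bit SGTIN-96 header
        raise ValueError("not an SGTIN-96 header")
    partition = (value >> 82) & 0x7              # selects the field widths
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    c_bits, c_digits, i_bits, i_digits = PARTITIONS[partition]
    company = (value >> (82 - c_bits)) & ((1 << c_bits) - 1)
    item = (value >> 38) & ((1 << i_bits) - 1)
    serial = value & ((1 << 38) - 1)             # low 38 bits
    if company >= 10 ** c_digits or item >= 10 ** i_digits:
        raise ValueError("field exceeds its decimal digit budget")
    return {"filter": (value >> 85) & 0x7, "company": company,
            "item": item, "serial": serial}

def store_read(db: sqlite3.Connection, raw: bytes) -> dict:
    """Decode first, then bind the integers as parameters (never build SQL text)."""
    f = decode_sgtin96(raw)
    db.execute("INSERT INTO reads (company, item, serial) VALUES (?, ?, ?)",
               (f["company"], f["item"], f["serial"]))
    return f

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (company INTEGER, item INTEGER, serial INTEGER)")
    store_read(db, SAMPLE_EPC)
    rejected = 0
    try:
        store_read(db, b"not-an-epc!!")          # 12 bytes of text, wrong header
    except ValueError:
        rejected = 1
    return db.execute("SELECT company, item, serial FROM reads").fetchall(), rejected
```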
    • Now Linus Torvalds will write a personal RFID firewall and claim that it is totally original and not based on Andrew Tanenbaum's personal RFID firewall... wooo BURN CITY take that groklaw losers!


      And will Tanenbaum back him up this time, too?