RFID Personal Firewall

JanMark writes "Prof. Andrew Tanenbaum and his student Melanie Rieback (who published the RFID virus paper in March) and 3 coauthors have now published a paper on a personal RFID firewall called the RFID Guardian. This device protects its owner from hostile RFID tags and scans in his or her vicinity, while letting friendly ones through. Their work has won the Best Paper award at the USENIX LISA Conference."

Popups.

[morgan_greywolf]

Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups. "Would you like Macy's to be able to access your RFID tags? [Ok] [Cancel] [X] Always Allow"

Re:Popups.

[chroot_james]

What about "would you like Macy's to have no idea you're stealing their stuff? [yes][no][always][never]"

Re:

[plover]

Actually, it's against the law in many places to carry a device designed to aid in shoplifting with the intent to use it to shoplift. The code here in Minnesota [ros.leg.mn] states:

609.521 POSSESSION OF SHOPLIFTING GEAR.
(a) As used in this section, an "electronic article surveillance system" means any electronic
device or devices that are designed to detect the unauthorized removal of marked merchandise
from a store.
(b) Whoever has in possession any device, gear, or instrument designed to assist in
shoplifting or defeati

Well do you.... punk

[MarkGriz]

For the more adventuresome:

"would you like Macy's to have no idea you're stealing their stuff? [yes][no][im-feeling-lucky]"

Re:

[westlake]

Oh, great. I can just imagine walking through the mall and then being bombarded by all these popups.

so what do the RFID tags tell Macy's that can't be extracted from a video scan?

age, sex, style of dress, etc. since the beginning of time, salesmen have known what to look for in a prospect.

Well...

[Steppman2]

I guess whit officially makes them white-hats, however, I'd still be worried about the ability to spoof a legitimate rfid or steal one and deactivate this firewall. Things that are considered by many to be foolproof make things that much worse when they fall through...

Condoms, anyone?

[dotancohen]

So these are little electronic rubbers, right?

Re:

[morgan_greywolf]

Now Linus Torvalds will write a personal RFID firewall and claim that it is totally original and not based on Andrew Tannembaum's personal RFID firewall... wooo BURN CITY take that groklaw losers!

And will Tannenbaum back him up this time, too?

Re:

[ClosedSource]

Actually, I think it would be great if Tannenbaum were to come out in support of GPLv3. That should make the fanboys' heads spin 360 degrees.

Demo Video

[AugustZephyr]

Video of The Guardian in action: http://www.rfidguardian.org/videos/rfid-guardian-0 250.mov [rfidguardian.org]

Re:

[FinMacCool]

Should we trust this guy to protect our RFID chips when he can't seem to protect his underwear by zipping his fly?

Tin foil

[Rastignac]

That's the only safe protection, for sure.

Re:

[hey!]

Just don't forget to wire the tin foil to a six foot copper stake driven into the Earth. It's a detail that is often neglected by the careless.

Faraday Cage

[ParaphiliaNOS]

How much of this RFID traffic is good?  Why not market faraday cage coats and just leave the cellphone in an external pocket?  (Enumerate the GOOD and just ignore the BAD.)

Re:Faraday Cage

[Cruise_WD]

Makes sense, since that's a common strategy for dealing with spam: Block anything except emails from a known source.
That comment just triggered an odd thought in my head... ...in the future, will we look back at spam gratefully, for all the practice it's given us in blocking unwanted intrusions into our systems in a (realtively) benign way? Or does it just demonstrate how easily the majority of people will ignore privacy and real security and make life hell for the rest of us?

Re:

[ParaphiliaNOS]

Spam and malware has either taken over or is being fought back depending on who you ask.  We will only look back on spam gratefully if we win the war on IT security before society becomes so aclimated and accustomed to deleteing spam, scanning for malware, checking for phishing, shreding documents, etc as normal course of life/work/home.

Re:

[idsfa]

It's been [securedata.net] done [difrwear.com].

Re:

[ParaphiliaNOS]

I know, but thanks for linking for everyone.  I asked already knowing that they exist.  I guess I was being more like those people who always shout that hardware firewalls are better than software.  Faraday cage :Router = "Unpluging your computer from the 'dangerous network' altogether":"Try really hard to not let known and unknown BAD from getting in."

Old News

[Mike89]

This is either old news, or there is some other reason the website looks like it's from 1996.

Re:

[ParaphiliaNOS]

My assumption is either the staff are hardware people or have just prefer the security of static HTML.

Staff: www.rfidguardian.org/people.html

Re:

[Intron]

Their next paper will be on CSS viruses and steps that can be taken to protect you from them.

Re:

[idsfa]

Now that would be old news [securityfocus.com].

Re:

[Intron]

Leave it to Microsoft to ruin a perfectly good joke.

KISS

[khafre]

If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up? Just insist on it. If it doesn't have it, it goes in the microwave. Sheesh, add a cheap membrane switch, not a firewall.

Re:

[jonatha]

You want to add a mechanical switch to a chip that's roughly the size of a grain of rice?

Re:

[ParaphiliaNOS]

Cheaper than a design revision and more renewable than EMP or microwave; why not get a shielded wallet or case?

Re:

[OneSmartFellow]

That was my idea over 12 months ago, that's it, I'm sick of this, I'm suing for IP infringement, wah, wah fucking wah !

Re:

[westlake]

If people are worried about others reading RFID tags at will, why not add a mechanical switch to the tag that must be pressed for the tag to power up?

correct me if I am wrong, but I thought RFID tags were passive reflectors. which can be read without contact in somewhat the same sense as an optical bar code can be read without contact.

Re:

[ParaphiliaNOS]

They are passive in that they require RF traffic to power on, which can occur without contact.  But the RFID can still be disabled by mechanical means.  Parent was suggesting to 'turn off' RFID so that it wouldn't power up in the presence of a reader unless it was 'turned on.'  The concept is no different than your TV remote(RFID reader) not turning on your unplugged(broken ciruit) TV(RFID tag, albet powered).

Re:

[kwalker]

Considering the amount of times my friends have pocket-called me because the cheap membrane switches in the keypads of their cell phones got pressed, wouldn't something similar happen when cards are compressed while stuffed into a wallet?

Re:

[ParaphiliaNOS]

Interesting design point.  I know your talking about CC RFID but lets hope the RFID firewall addresses this in production models.  When it comes to anything broadcasting financial or identifing information, regardless of it's formfactor, I'd like to be able to diable it reliably just in case.

Re:

[epee1221]

One simple answer to this, of course, is to not use the switch-enabled version for anti-theft purposes. Alternatively, you could just stick the tag inside the package where it cannot be tampered with (don't they do this already to keep them from just being removed?).

Re:

[sherpajohn]

Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

DOH!

Re:

[BeBoxer]

Um, cause by design RFID tags have no power source, they rely on an induction current from the reader for power?

They have circuits in them, and wires. The fact that the power source is external is irrelevant. By your logic, a lamp can't have a switch because it relies on current from the wall for power. DOH!

Attack Barriers

[blueZhift]

This reminds me of the anime Ghost in the Shell wherein people use sophisticated attack barriers to defend their cyberbrains from unwanted intrusions. It seems that we are approaching the need for personal firewalls much faster than anticipated driven by the desire of world governments to more closely monitor their citizens as well as consumer desire for more personal electronics. I'd say we probably have only a year or two before implantable cell phones/accessories start making an appearance. Soon thereafter the first viruses targeting those systems will show up. So the personal firewall business should be pretty good.

Link to PDF

[tttonyyy]

For those that want more detail than the videos provide:

http://www.cs.vu.nl/~melanie/rfid_guardian/papers/ acisp.05.pdf [cs.vu.nl]

buy ?

[polar red]

where do i get one ?

But is she hot?

[pestie]

Yeah, yeah, RFID, mark of the beast, firewall, virus, buzzword... whatever! This is Slashdot, and the important question is whether or not this Melanie Rieback chick is hot. 'Cause everyone knows that hot geek girls are the wet dream of every red-blooded male Slashdotter. And thanks to the magic that is Google, the answer [cs.vu.nl] appears to be, "Not bad... not bad at all!"

two things

[idlake]

(1) Yes, Mr. Tanenbaum, you have correctly mastered academic publishing: even the most inane ideas will get published if you just combine the right buzzwords (and this idea is inane indeed).

(2) No, Mr. Tanenbaum, the right way to deal with SQL injection bugs related to RFID problems is data validation and testing; interfering with RFID tags is neither effective nor necessary.

Too much complexity

[OYAHHH]

I'm,

Sorry, but I don't need this much complexity in my life.

Am I going to be forced to live in a cave?

Tanenbaum's theory is false

[crucini]

I read Tanenbaum's paper when it came out. One of the soundbites:

RFID malware is a Pandora's box that has been gathering dust in the corner of our 'smart' warehouses and home.

This is not true. There is no Pandora's box. Read the paper and you'll see why.

Tanenbaum and his co-authors exploited vulnerabilities in RFID middleware - the software that connects to an RFID reader. What makes this less interesting is that they wrote the middleware. Yes, they deliberately built in vulnerabilities like SQL injection, then crafted RFID tags to exploit them.

Tanenbaum's team did not find any weaknesses in any commercial RFID middleware. And their entire premise is flawed. The weaknesses they scanned for, such as SQL injection, are not going to exist in the dominant RFID system, which is EPC. An EPC tag contains a binary number (frequently 96 bits). This bit vector is divided into fields for manufacturer, part number, and serial number. It is binary, not text. There is no way a malformed number could trigger an SQL injection vulnerability.

RSA Already has technology?

[Patent-Monkey]

I see in US Patent 6,970,070 [patentmonkey.com] that RSA has an issued patent on a "a blocker device may comprise a mobile telephone, a portable computer, a personal digital assistant (PDA), a hardware-based authentication token such as an RSA SecurID.TM. token commercially available from RSA Security Inc..."

Don't see it referenced on A HREF="http://www.rsasecurity.com/node.asp?id=1155" >their site.