One of the cool things about working at Microsoft is that we often get visiting speakers on topics like technology, politics, world events and more.
Recently I attended a talk by a researcher from RSA Laboratories discussing his (and others') work on RFID security. The talk focused specifically on how cryptography can be applied to address some of the issues consumers of RFID complain about; those issues, the corresponding proposals and the merits of the approaches presented in the talk are out of scope for this post.
The reason I bring this talk up is that the topic of RFID cloning came up during it. This is a particularly interesting area of discussion, since these RF tags typically have security properties more like barcodes, despite the fact that they are increasingly being used more like smartcards.
In any event, two stories that always come up when one talks about RFID tags and cloning are:
- The one where you walk into a grocery store and "adjust" the price of items in the store; imagine re-tagging that new LCD you have been wanting as a tube of toothpaste.
- The one where an RFID tag has been embedded below the skin (in your hand, for example's sake) as a means to authenticate you to your vehicle, and the car thief cuts your hand off.
Both of these are interesting because we have already had practical examples of thieves using these approaches, one of my favorites being the story from 2005 where a Mercedes was stolen along with the driver's index finger so that the thieves could bypass its built-in fingerprint scanner.
In any event, one of the points raised in the talk by David Wooten, a friend of mine, was that based on these sorts of stories it sounded like it was time to regulate RFID usage, and in particular to mandate that all sub-dermal applications of RFID be clonable.
The rationale being that if it is roughly as easy to clone an RFID tag as it is to cut off the appendage the tag has been embedded in, attackers might be more inclined to clone it than to do bodily harm. There is lots of good thinking here; after all, one would hope the risk of imprisonment associated with theft is less than that of assault and/or manslaughter.
So why did this topic come up on a Sunday evening? I was catching up on Engadget and came across a post on RFID implants being linked to cancer. Clearly the reasons not to use RFID subdermally are stacking up, but this has not stopped companies from building solutions based on these products. It is these sorts of situations that clearly warrant some form of regulation; what's interesting, IMHO, is that RFID as a technology is knee deep in scenarios that warrant such protections.
[Update 10/16/2007 7:30AM] Looks like California, Wisconsin, and North Dakota are already on the regulation war path (see: http://www.engadget.com/2007/10/16/california-says-employers-cant-require-rfid-implants/); it's not exactly what we were talking about here, but related.