RFID spy-chippers leak confidential data on the Web

And they want to track your every move


Public relations flacks eager to win the public over to the benefits of mass RFID (Radio Frequency Identification) chip proliferation have ironically managed to leave their own confidential plans unprotected on the Web.

An outfit called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) discovered the trove of marketing half-truths on the MIT Auto-ID Center Web site, available for all to see. The irony of data leakage by a group dedicated to allaying the privacy concerns of millions of people whose every possession may soon be broadcasting data indiscriminately to the world is just too tempting to be ignored.

"The Auto-ID Center is the organization entrusted with developing a global Internet infrastructure for radio frequency identification. Their plans are to tag all the objects manufactured on the planet with RFID chips and track them via the Internet," CASPIAN says.

Cryptome.org has volunteered to host the PR documents along with some pointed here.

Apparently the RFID lobby sees public reluctance as nothing more than an obstacle to be overcome with shallow bromides and platitudes. Many of the documents are related to focus-group surveys in which consumers wisely note that RFID offers them few benefits while posing considerable threats to privacy. In response, PR firm Fleishman-Hillard recommends that the industry communicate several inaccuracies, the most egregious being that the RFID transponder is "nothing more than an improved bar-code," as if broadcasting data were an inconsequential difference.

In another it is suggested that the sheep-like populace will resign itself to the inevitability of this innovation, though they may not much care for it.

In one document it is recommended that RFID tags be re-named "Green Tags" to suggest an overlay of environmental concern. But it seems that they will be re-named eTags, to give them that cool Silicon Valley cachet instead.

At no point do the flacks suggest the obvious solution to consumer concerns, namely that any products containing such tags be identified clearly and that they be designed so that buyers can remove or disable them easily.

A recent document posted here explains how 'eTags' will be used in connection with the ePC Network. The acronym ePC stands for Electronic Product Code: a "globally unique pointer for making enquiries about the item associated with the EPC," we are told. So that's the plan according to AutoID.org: a 'globally unique pointer' in every product, networked via the Web, and marketed as nothing more than an 'improved bar code'.

Our Friend the Atom Hidden Transponder

One of the challenges facing the 'chip everyone and everything' lobby is inventing applications for the chips that benefit consumers directly. They do of course offer real benefits to the manufacturing, transportation and retail industries, but training John Q Public to respond positively requires some sort of agreeable, real-world experience to illuminate his overall perception of the technology.

Perhaps with this in mind, watchmaker Timex, of "it takes a licking and keeps on ticking" fame, would like you to be the first on your block to have your bank account emptied or your credit card maxed out by a sneak thief.

Timex is offering wristwatches with RFID transponders tied to the popular Speedpass system, which automatically bills one's credit card or debits one's bank account. The new watches, priced between $40 and $45, will allow consumers to "instantly pay for purchases at over 7,500 Exxon and Mobil stations nationwide and at over 440 participating McDonalds' restaurants in Chicago and Northwest Indiana," Timex says.

While the prospect of free quickie-mart snacks and Happy Meals may offer scant inducement to criminals, if the scheme were to catch on and expand, fraud would quickly become a problem and security concerns would drive consumers away. Thus early success might be the quickest route to ultimate failure.

Of course there is a more remote but quite disturbing possibility: that rampant transponder/credit fraud would provide the rationale for implanting the chips in people's bodies, reviving old concerns about the Biblical Mark of the Beast, to be required for all commerce when Satan's ultimate victory over mankind is at hand:

"And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name" Revelation 13:16-17.

It's a scary thought, and recent advances in technology give it currency, at least in some circles; but surely the fact that retail behemoth Wal-Mart has taken a leading role in the widespread conversion from bar-codes to RFID transponders, and the fact that major oil companies like Exxon Mobil and child-friendly homes away from home like McDonalds are getting involved should relieve everyone's anxiety.

Indeed, Wal-Mart only yesterday announced that it would delay trials within its stores of the 'Smart-Shelf' system, a venture with Gillette which would have chipped packets of razor blades and shaving foam to make re-stocking easier for its overworked staff. The company now says it will concentrate on chipping in the warehouse, but not the retail outlet.

Whether recent bad press surrounding the RFID publicity documents has anything to do with this decision is difficult to determine, but the official statement, that Wal-Mart never really wanted the Smart Shelf system, is pretty hard to swallow once one reviews the PR documents. It may be that the cost per unit is still too high for inexpensive retail products, or it may be that the company is doing a bit of PR damage control. Either way, the Mark of the Beast looks set to catch on more slowly with the public than originally thought. ®

Related Story RFID chips are here
