Surveillance Nation: Hacking RFID In The Post-1984
Era
by Lee H. Goldberg
When I read Orwell's 1984 back in high school, the idea of having a TV watch you seemed like one of those scary but improbable things you see in an SF movie. But two decades after the grim imaginary doomsday was supposed to happen, I'm getting increasingly nervous as RFID technology is turning fiction into reality. These cheap, easy-to-use tags are turning everyday objects into electronic stool-pigeons that will cheerfully let merchants, manufacturers, and government agencies know my whereabouts, and nearly anything about what I wear, watch, eat, or drive. Our privacy has been on the decline for a long time, but the slope has gotten a whole lot steeper and greasier as we've been caught between our country's current fascination with controlling terrorism at all costs and the big retailers' obsessive need to gain complete control of the buying cycle.
It might be a boon to Wal-Mart and other big box merchants for tracking inventory and preventing pilferage, but past history indicates that if you give these folks the ability to track your movements and buying habits this closely, they'll find creative and highly intrusive ways to turn you into a "more efficient consumer." Call me paranoid, but I'm not nuts about having all the toasters, or for that matter the bread, I buy leave the store with still-working tags that let anyone equipped with the right equipment be able to do a complete inventory of my possessions. CNET's Declan McCullagh speaks eloquently to my darkest fears in his article RFID Tags: Big Brother in Small Packages.
" That (active RFID tags in merchandise) raises the disquieting possibility of being tracked though our personal possessions. Imagine: The Gap links your sweater's RFID tag with the credit card you used to buy it and recognizes you by name when you return. Grocery stores flash ads on wall-sized screens based on your spending patterns, just like in "Minority Report." Police gain a trendy method of constant, cradle-to-grave surveillance.
You can imagine nightmare legal scenarios that don't involve the cops. Future divorce cases could involve one party seeking a subpoena for RFID logs -- to prove that a spouse was in a certain location at a certain time. Future burglars could canvass alleys with RFID detectors, looking for RFID tags on discarded packaging that indicates expensive electronic gear is nearby. In all of these scenarios, the ability to remain anonymous is eroded."
Of course there are valid, useful applications for RFID and other tracking technologies. Used with some restraint, they really will help make the flow of goods and services across the country, and the world, much more efficient; but from what I'm seeing there is little of any real effort being made to protect us from the grim scenarios described above. The abuses described at the C.A.S.P.I.A.N (Consumers Against Supermarket Privacy Invasion and Numbering) web site have been going on for years, but the invisible, and invasive, capabilities of RFID seem to invite more.
Being a free-minded American who likes his freedom, I've been trying to figure out how to live within our Surveillance Nation with some semblance of the privacy I enjoyed back in 1984. Since this article is primarily about RFID, I won't go into how many "customer loyalty" cards I've shredded, or the sorts of measures I've put on my computer to avoid snooping. I'm not an expert on the subject, so I thought the first thing to do would be to find out a little about the technology behind RFID.
A quick Google search in "RFID Technology" shows that there is lots of information to be found on the web to help get you up to speed. One great resource is the Association for Automatic Identification and Mobility (AIM) web site, which has a nice primer on the subject. That's how I learned that the commonly-used frequencies used for Electronic article surveillance (EAS) systems used in retail stores are 1.95 MHz, 3.25 MHz, 4.75 MHz, and 8.2 MHz. I have done some other brief research and keep reading about other tag systems operating in the 2350 - 2450 MHz region (alongside microwaves and Wi-Fi), but am not clear about how widely it's used.
The assigned frequencies and power levels provide some excellent information about the range and limitations of the technology -- useful stuff if you want to either shield yourself against intrusion, or even actively jam an RFID system. While not as informative as I'd like, the article Is RFID Technology Easy to Foil? in the Nov. 18, 2003 issue of Wired indicated that shielding is relatively easy and effective on items you already know to be tagged. It turns out that putting something into a simple metalized Mylar anti-static bag, or simply enclosing an item in your fist provides an effective shield against most RFID fields.
Of course, if you don't want to have to wear a metalized baggie over your head to shield all your RFID-tagged clothing and possessions, you may have to resort to active measures, like jamming. I figure that if the companies using the systems don't have to ask your permission to snoop on you, you don't have to ask their permission to deny them the privilege.
Since the bands that RFID systems operate on are unlicensed, you should be perfectly free to carry your own personal RF "cloaking" transmitter that puts out a nice phase-modulated square wave which covers the band of interest with a thick layer of noise to create your own personal "RFID-free zone." Another alternative would be to have all your friends collect lots of RFID tags and randomly attach them to "noise vests" that could be worn into stores which had RFID systems. My favorite idea however, came from a friend who suggested that wearing a transmitter of around 10 W as you walked down the aisles of your local Mega-Mart could put out sufficient power to blow out the fusible links used to deactivate many RFID tags.
Some measures to defeat RFID involve social, rather than technical solutions. While the site is a tad on the alarmist side, the "Stop RFID" web site provides some very helpful information on who's using RFID and the consumer actions being leveled at them. It also has some good pointers on finding and destroying RFID tags in everyday merchandise.
If I was suddenly transported from 1984 to the present, I might not recognize the America we live in as having the same Constitution as we cheerfully accept subtle, and not-so-subtle, intrusions into our personal lives that would make Orwell spin in his grave, and watching many of our basic rights sink into a gray area from which they might never emerge. Let's hope that common sense, the efforts of the ACLU and some judiciously-applied counter-technology helps make sure Mr. Orwell's vision remains a distant nightmare.
Questions? Comments? Plans for an RFID cloaking device? Write me at: lgoldberg@green-electronics.com