The RFID cookie monster

by Jerry Brito on May 8, 2006

It looks like RFID panic is percolating a bit again. Wired has an article in the current issue about how easy it will be to hack RFID tags, and Gizmodo recently reported ominously that Levi’s will be tagging its jeans. Most of the privacy concerns are the same as those I’ve refuted in the past; RFID is not GPS and it won’t let you pinpoint someone’s position. However, I’m curious about one new claim the Wired article raises:

Grunwald has recently discovered another use for RFID chips: espionage. He programmed RFDump with the ability to place cookies on RFID tags the same way Web sites put cookies on browsers to track returning customers. With this, a stalker could, say, place a cookie on his target’s E-ZPass, then return to it a few days later to see which toll plazas the car had crossed (and when). Private citizens and the government could likewise place cookies on library books to monitor who’s checking them out.

I’m curious for more information on how this is done. To my knowledge, cookies are just static strings of text that can be used to uniquely identify a browser each time it comes back to a site. In that sense, an RFID chip is itself a cookie. An HTTP cookie isn’t written to and doesn’t contain a list of all the sites you’ve visited, so how can an RFID cookie tell a stalker all the toll plazas you’ve been to? Also, can all RFID tags take cookies? Beyond those questions, I’m not sure how a stalker is helped by knowing where his target has been. He would only know which toll plazas were crossed, not what a target’s ultimate destination was, and certainly not their current location. With the library book example, the same questions apply. But assuming that the RFID chip is written to, is the patron’s name inserted into the surreptitious cookie whenever the book is checked out? Why would the library’s software do this? Why would it insert a name and not an ID number? If it’s an ID number, then wouldn’t the stalker need access to the library database to cross-reference the patron’s name? If the stalker has access to that database, why not just look up the check out information there?

At least I’m glad to see that both the Gizmodo and Wired stories acknowledge a privacy threat from government and not just from retailers and other private companies. Privacy activists have concentrated on the perceived threat of commercial RFID use when the real threat is their use in government-mandated IDs.

Posted in: Privacy, Security & Government Surveillance

  • Damian Gerow
    A device to zap RFID tags has been fashioned out of a disposable camera, by replacing the flash with a coil of wire. See for more details. They have been talking about putting the details online for some time now.
  • RFID chips were designed with one set of uses in mind, but they are actually implemented in ways that allow other (mis)uses as well. There's a small scholarly literature on these sorts of RFID problems. For example, David Molnar has a paper (with colleagues) about the library attacks, and there are several papers about e-passport issues.

    There is some silly RFID panic out there; but these sorts of technical problems are real.

    The cookie bit is hard to follow, even to techies like me. I think it's meant as an analogy, and what is really going on is that the guy can write information onto the RFID tag and then use various monitoring and reporting functions of the RFID-using system to figure out where the tag went. For example, maybe he can get the EZ-Pass system to report to him where a car went (instead of, or in addition to, reporting that information to the owner of the car). That sort of attack is probably possible.
  • I'm not sure exactly how they work, but there are tag-killing devices that zap them and deactivate them. There has been proposed legislation in a couple of states, including California, that would require all retailers to zap tags before they left the store. If tags replace UPC codes on all goods, imagine what such a mandate would do to small mom-and-pop stores and bodegas.
  • eric
    Is there any practical way to easily disable the tags? An electromagnetic pulse from a coil in close proximity to the tag, perhaps?