DangerousThings - Amal Graafstra Presents at ISTAS10


The first thing I want to talk about is that radio-frequency identification (RFID) is very diverse. There are a lot of different technologies involved in making RFID work, and not a lot of people are aware of just how big that diversity is. So in very basic terms, there are two types of systems.

Passive RFID systems are those that induct and modulate magnetic fields to derive power from readers and communicate with those readers. And they come in three basic frequencies:

(1)   Low-frequency RFID, which is the type of tag used in implants and pet chips. The reason for that is that the data can communicate through flesh and not be absorbed; that is, the signal is not absorbed.

(2)   High-frequency RFID, which is typically used for access key cards and the like; and

(3)   Ultra-high-frequency RFID, which is used for other things.

Each type of RFID has different advantages and disadvantages.

Active RFID systems have a battery and a power source. They transmit in much the same way your mobile phone, Wi-Fi network, or radio beacon does. And in essence, a mobile phone, Wi-Fi network, and a radio beacon all have unique identifiers; so in effect they are an active RFID system of some sort.


Data protocols vary with respect to RFID: the air interface, the way that RFID tags communicate, how data moves from the reader to the tag and then goes back. There are some ISO standards, but many are still proprietary with respect to RFID. Encryption standards are almost nonexistent; a very high percentage is proprietary encryption, which exchanges effectiveness for speed and convenience, and that’s mostly due to limitations in power and processing in the tag. Normal RSA (Ron Rivest, Adi Shamir and Leonard Adleman) banking-style security encryption would take a very long time for this low-power processor to set up a secure channel.


So I’m diving right into DIY (do-it-yourselfer) RFID implants. This is some of the stuff that I kind of toyed with on my desk. There’s a standard reader here for $30; it has a TTL (Transistor-to-Transistor Logic) interface with a microprocessor. You can buy it and incorporate it into your own DIY projects. Some example glass tags I’ve worked with include:

(1)   The large-sized RFID, which is used for cattle and large animals;

(2)   The middle-sized RFID, which is about a 3 millimeter by 13 millimeter cylinder, and which I have in my left hand;

(3)   A small-sized RFID, which is the size of standard pet chips and of the tag I have in my right hand, and which can be injected. That is, it's small enough to fit into an injector kit.


In my hands I have the EM4102 chip which is the type of chip in the tag in my left hand. It’s a 125 kilohertz low frequency tag. My right hand has a Philips HITAG which has more capability. Here's an x-ray image of my hands, that actually took quite a bit of effort to get; I can’t believe how convoluted the healthcare system is in the US. But the reason why I chose this area in the hand is illustrated here. You have two major nerve bundles in each hand, but then in between it is fairly devoid of major nerve fibers and it is kind of a squishy zone between the thumb and forefinger. There’s a lot of padding there to absorb shock and things and to protect the tag.

So there’s some detail on the left hand (see http://www.youtube.com/watch?v=kraWt1adY3k). That’s the tag before it went in. And there are the tools that were used to put in the RFID tag. And that’s just immediately after the injection. That’s me with the reader, doing my first access control project, and that’s the scar that was left about a week later, and that’s the scar that’s there today. It is just a little, little thing, that you can see right there.


In my right hand I have a Philips HITAG, and this is a little more interesting. It has some crypto-security features – not a lot, about 40 bits – but it’s enough to ward off kind of momentary attackers. It also has 2,048 bits of read/write memory, which is kind of cool. You can store data on it, you can change it, and as Mark Gasson alluded to earlier, you can even put viruses on it, apparently. So there’s the tag before implantation. And there’s the gear used to put it in. There’s my doctor, just your everyday family doctor. We used a pet implant kit: we took the injector, took the pet tag out, threw it away, put the HITAG in, and after a simple sterilization process, it was only then a two-second deal. There we go. So that’s immediately after, and that’s today. I use this tag daily, so I would liken it to an enhancement. I can get into my front door by tapping the little deadbolt system there with the tag, having added RFID as an authentication method. I can still use the key, and I can still use the PIN code, but I just wanted to add the ability to use an RFID tag as well. I could also use a key card or the implant, either one.

This fire safe was modified to allow PIN code access or RFID tag access. That’s me getting into my car. This is a different application: I only wanted to get into the car, I didn’t actually want to use the tag to start it, because there are security issues of course if somebody were to get my tag ID and somehow emulate it. So getting into the car is great, because then there’s a hidden key, and I can use my knowledge to get the key and start the car.

I ripped apart a keyboard, modified a reader and put it in there, and used that to log in; I have that set up here if anybody’s interested, you can see that happen. I can also start my motorcycle, and this is a little different. I just went ahead and said, “Yeah, let me start the motorcycle,” because it normally stays in my garage and I’m not too scared of somebody wanting to break into my garage; they would probably take the bike regardless.

So I actually use active RFID in my daily life too, after having had my laptop stolen. The police said they could not do anything about it, even though I suspected a neighbour. So I got this locator device – it’s just a standard locator active RFID system, it has a reader with a directional antenna and two tags it came with. I ripped the tag apart and put the three-volt regulator on it, dipped it in some plastic, took my laptop, took it apart and embedded it there in the laptop. So now I can find my laptop if it’s stolen. The range isn’t great, but you know, it’s enough to tell the police, “Hey, it’s in there – go get ’em.”

The other thing about this which is of interest is that in active RFID, typically the transmitters constantly transmit, which can also be considered a security or privacy issue. But this system is set up specifically so the tags do not transmit until the appropriately paired receiver tells them to. So the receiver has to say, “hey, I’m looking for you,” then the tag responds. So it’s kind of a neat setup.
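The receiver-initiated behaviour described above can be modelled in a few lines. The following is an added example, written for this page and not the speaker's code or the locator product's actual protocol: a tag that stays silent unless a query carries a valid message authentication code under a pairing key shared only with its own receiver, and that refuses a captured query replayed at it. The pairing key, tag id and message framing are constructed assumptions for the model.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a "silent until asked" active tag. The pairing key,
# the tag id and the "query|"/"reply|" framing are assumptions of this example,
# not details of any real locator product.


class PairedReceiver:
    """The owner's receiver: the only party able to form a query the tag answers."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key

    def make_query(self):
        # A fresh random nonce makes every query unique, so a recording of one
        # query cannot be replayed to wake the tag later.
        nonce = secrets.token_bytes(8)
        mac = hmac.new(self._key, b"query|" + nonce, hashlib.sha256).digest()
        return nonce, mac

    def verify_reply(self, nonce: bytes, reply) -> bool:
        """Check that the reply was produced by a tag holding the same pairing key."""
        if reply is None:
            return False
        tag_id, mac = reply
        expected = hmac.new(self._key, b"reply|" + nonce + tag_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


class SilentTag:
    """An active tag that transmits only in response to an authenticated query."""

    def __init__(self, tag_id: bytes, pairing_key: bytes):
        self.tag_id = tag_id
        self._key = pairing_key
        self._answered = set()  # nonces already answered: replayed queries are ignored

    def hear(self, query):
        nonce, mac = query
        expected = hmac.new(self._key, b"query|" + nonce, hashlib.sha256).digest()
        if nonce in self._answered or not hmac.compare_digest(expected, mac):
            return None  # stays silent: nothing is emitted for an eavesdropper to log
        self._answered.add(nonce)
        reply_mac = hmac.new(self._key, b"reply|" + nonce + self.tag_id, hashlib.sha256).digest()
        return self.tag_id, reply_mac


def run_scenario() -> dict:
    """Paired receiver, unpaired receiver, and a replayed query against one tag."""
    key = secrets.token_bytes(16)
    tag = SilentTag(b"LAPTOP-01", key)  # constructed tag id
    owner = PairedReceiver(key)
    stranger = PairedReceiver(secrets.token_bytes(16))  # a receiver with a different key

    results = {}
    query = owner.make_query()
    reply = tag.hear(query)
    results["paired_gets_reply"] = owner.verify_reply(query[0], reply)
    results["stranger_gets_reply"] = tag.hear(stranger.make_query()) is not None
    results["replay_gets_reply"] = tag.hear(query) is not None  # same query heard again
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The privacy property is in `hear`: a tag that answers nobody but its paired receiver emits nothing an unrelated reader can log, which is the difference between this setup and a beacon that transmits constantly.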


Public reaction – angry. I get a lot of angry emails, calls, and things like that. There are some people that wish I’d just go away, and there are others claiming that I am somehow helping “the conspiracy”. This is just kind of a little thing that I thought up, about the cycle of fear that I’ve noticed when talking to people. So when people come to me and they’re angry about things, I try to engage them in conversation but usually they’re afraid of misconceptions about the technology. They think that somehow the GPS satellites are communicating with this tag – which really only has a three-inch read range – and somehow reporting my location, “Can’t they track you?” … the elusive “they”.

So you know, they’re afraid of something they’re not sure of and they take action because they’re afraid. Then people that know about it respond, usually poorly. This interaction reveals to the angry people that they really don’t know what it is they’re talking about. And what’s interesting is that they have a new fear then, and that fear causes them not to want to learn about the technology. They don’t want to engage, because they somehow feel that if they learn about it, maybe their fears are unfounded or whatever. But it’s a cycle that repeats quite often. So the concept is that, you know, somehow now your body is up for sale, and companies and governments are vying for it.

Here is a picture of my x-ray image misappropriated. It is used all over the place, but I think it’s kind of interesting to do a Google search on it every once in a while and see where it’s been used. The mark of the beast, of course, has to come up. This is an email that I got, I think the second day after injecting the RFID tag. The first email that I got actually was, “You’re the Devil’s mouthpiece,” and I thought that was kind of interesting. So what I notice is a fear that somehow this is going to be compulsory: “I’ll never take that stupid chip in my hand”, taking it meaning they’re just going to have to take it. Just very interesting emails, and I get a lot of them. But I’m just kind of showing the reaction that I’ve been getting from certain segments of the population.


Many RFID tags used today are not designed with security in mind. The IDs can be easily read by a standard reader and this leaves those systems open to attack. In a lot of contexts that’s irrelevant, but in some contexts it’s not. Of the RFID tags that are designed with crypto-security features, most have been cracked or otherwise defeated. Entire systems need to be designed with comprehensive security features and not just rely on the RFID tag’s encryption mechanism to secure the system.

An example of that is the Texas Instruments DST (digital signature transponder) tag. It is used in this key fob, which is ExxonMobil’s Speedpass in the US. It’s used to buy gasoline, and I think you can buy fries at McDonald’s with it as well. And then the same DST tags are used in some automobile keys to immobilize the system. It’s a 40 bit cryptographic key, it emits a factory set 24 bit identifier and authenticates itself through a challenge response mechanism. So there’s the DST tag there being used for the Speedpass.

These guys at Johns Hopkins were able to use 16 parallel FPGAs (field-programmable gate arrays) and basically crack the algorithm, in about two hours. So they broke the algorithm for five different DST tags and created a common algorithm out of that, and they just set up a simple system that can randomly attack anybody with a DST tag. So they were out stealing cars and stealing gas. Kind of interesting… That site is no longer available, but I think you can go to a cached version somewhere on the Internet.


Basically, security mechanisms can fail, and the one in the previous example did so. And the problem is, once they gained access to the algorithm, they could use it on anybody that had one of those tags. The possible remedies are to use stronger encryption based on open standards, not proprietary standards. You can also rotate one-time use keys that are written to read/write memory blocks. You can overcome power processing limitations by merging Smart Card technology, which is actually a small processor with a more powerful capability, with the contactless features of RFID. Or you can get these Faraday cage pants made by a friend of mine, Mikey Sklar. He keeps his keys and everything in those pants, and nothing can be read through those Faraday cages.
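The second remedy above, rotating one-time tokens held in the tag's read/write memory, is worth seeing next to the design it replaces. The following is an added example written for this page, not code from the speaker or from any tag vendor: a toy tag with one writable block, a reader that trusts the static UID alone, and a reader that overwrites the block with a fresh random token on every successful use. A copy skimmed from the tag passes the first reader indefinitely; against the second it passes at most once, and the reader notices the mismatch. The UID, token length and memory layout are constructed assumptions.

```python
import hmac
import secrets

# Constructed toy model, not any vendor's protocol: a tag with a factory UID
# and one writable block, compared under two reader designs.

TOKEN_LEN = 16


class RWTag:
    """A tag with a fixed UID and a single read/write memory block."""

    def __init__(self, uid: bytes, block: bytes = b"\x00" * TOKEN_LEN):
        self.uid = uid
        self.block = bytearray(block)

    def read_block(self) -> bytes:
        return bytes(self.block)

    def write_block(self, data: bytes) -> None:
        self.block[:] = data

    def skim(self) -> "RWTag":
        """What someone holds after reading the tag once: the UID and the block as it was then."""
        return RWTag(self.uid, self.read_block())


class StaticIDReader:
    """The common design: any tag presenting an enrolled UID is accepted."""

    def __init__(self):
        self.enrolled = set()

    def enroll(self, tag: RWTag) -> None:
        self.enrolled.add(tag.uid)

    def authenticate(self, tag: RWTag) -> str:
        return "accept" if tag.uid in self.enrolled else "unknown"


class RotatingTokenReader:
    """Accepts a tag only if its block holds the token issued at the last use, then issues a new one."""

    def __init__(self):
        self.tokens = {}   # uid -> token the genuine tag should currently hold
        self.alerts = []   # uids that presented a stale token (a second copy exists)

    def enroll(self, tag: RWTag) -> None:
        token = secrets.token_bytes(TOKEN_LEN)
        tag.write_block(token)
        self.tokens[tag.uid] = token

    def authenticate(self, tag: RWTag) -> str:
        expected = self.tokens.get(tag.uid)
        if expected is None:
            return "unknown"
        if not hmac.compare_digest(tag.read_block(), expected):
            # The token this copy carries was already consumed by another copy of
            # the same UID. Whichever copy arrives second is refused and the UID
            # is flagged for re-enrolment.
            self.alerts.append(tag.uid)
            return "reject"
        fresh = secrets.token_bytes(TOKEN_LEN)
        tag.write_block(fresh)        # rotate on the tag ...
        self.tokens[tag.uid] = fresh  # ... and on the reader side
        return "accept"


def run_scenario() -> dict:
    """Skim a tag once, then present genuine and skimmed copies to both reader designs."""
    uid = bytes.fromhex("0102030405")  # constructed sample UID
    results = {}

    # Static-ID design: the skimmed copy is indistinguishable from the original.
    static = StaticIDReader()
    genuine = RWTag(uid)
    static.enroll(genuine)
    results["static_clone"] = static.authenticate(genuine.skim())

    # Rotating-token design: the copy is only as good as the token it was skimmed with.
    rotating = RotatingTokenReader()
    genuine = RWTag(uid)
    rotating.enroll(genuine)
    clone = genuine.skim()                                             # read happens here
    results["rotating_genuine"] = rotating.authenticate(genuine)       # accept; token rotates
    results["rotating_clone"] = rotating.authenticate(clone)           # reject; token is stale
    results["alerted"] = uid in rotating.alerts
    results["rotating_genuine_again"] = rotating.authenticate(genuine) # still accept
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two caveats follow from the model. If the skimmed copy is presented before the genuine tag, it is accepted once and the genuine owner is then refused, so this design detects a second copy rather than preventing its first use; the alert list is what turns that into a re-enrolment. And because the reader and the tag must agree on the current token, a write interrupted by pulling the tag away too early leaves the genuine tag stale as well, which a real deployment handles by tolerating the previous token or by re-enrolling.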


The severity of a security issue depends on the context. So this is kind of where we look at the different uses: a business use, where there is typically a high risk involved, such as payment systems, high security access, medical records etc. Those types are all risky business. The attacks can be random because the systems are common. So you’ve got a VeriChip system or PositiveID (or whoever they are now) to access medical records. Well, there are other mechanisms that can be used to secure that system, but the tag itself is completely unsecured. And the system is common. So in a payment solution, let’s say you have your credit card – well, that credit card now is RFID-enabled. It’s a common system. So once any attacker figures out the system, they can attack anyone with a credit card. The attacker does not have to know that individual person; it could be a purely random attack. Then they know exactly what to do with that data – they can go anywhere and use the data and buy things.

So the common design makes it easy to attack and expensive to modify. It’s been deployed, so to modify that system you have to replace millions of readers, millions of tags. Personal use is quite low-risk, even though it is your front door access which is in question. This seems risky but it’s pretty low-risk because the attacks have to be extremely targeted. With the DIY context, it is a random design, so there’s not a common system; you’re not quite sure what you’re walking into as an attacker.

Other things that come into play are things like the reality of attacks. So my car has RFID in it, and after giving a talk one time, I came out to find my car burgled. So, given the $500 price tag of the smashed window I had to repair thereafter, I almost wished that they had used my RFID tag to get in and just take the $5 worth of change that they did end up taking.


So RFID implants like mine have a three inch read range. Reading the tag is deliberate and consensual. Logs, if kept, are mine and mine alone. Active tags and other types of tags can be read at a greater range. These could be used for “tracking”, which I put in quotes, which is really just logging, possibly without consent.

And the thing that I want to make clear here, is that tracking and logging are things that we do every day. For example, every time we make a phone call or use a credit card, it’s not locating. And I reiterate that here. RFID is an identification technology, not a locating technology like GPS, RF beaconing, or mobile phone triangulation. Logging, where a person was and when, is truly standard practice in today’s society, and we find this practice in loyalty card schemes, computer logins, credit cards, mobile phones, traffic toll tags – they all keep data of this type.

So how do we proceed? Focusing on RFID or any single technology is a waste of energy, in my opinion, particularly when you’re trying to somehow eradicate the technology or stop it altogether. Instead, I think that intelligent legislation needs to be created to broadly address the real issues behind those concerns, and not control technologies that enable the issues to arise in the first place.

With regards to the technology, be it RFID, biometric scanning, credit card purchases, mobile phone location – and this is just something I’m putting out for discussion – there should be awareness, consent, control, and licensing. Let me elaborate briefly what those mean.


A person, user, employee, customer, must be made aware that these technologies are in use, and who to contact with questions and concerns about them or the business process they are used in. Also, public awareness in general needs to be raised, which I think is slowly happening, but unfortunately I think RFID is getting the bulk of the attention, while there are facial recognition systems, biometric systems, systems that enrol you simply by walking through an area without you even knowing about it. At least with RFID, you can opt out by leaving the RFID card at home, shielding it, or otherwise not using it.


Systems should be designed around the idea of consent, difficult as it may seem in some situations. RFID cards could be designed with momentary switches that only enable the antenna when it’s intended to be used. An example would be like an access card for work. You have a badge, it’s got a card in it, and if you need to go through a door, you just give it a little squeeze so it connects the antenna, and only at that time can the card be read. At every other time it’s inactive, you can’t read it. So that’s a consent process.

Another example is the US Government issued me an access card which allows me to travel quickly to the Canadian border. They issue that card with a copper film sleeve that blocks the card from being read, and instructions on how to keep the card in the sleeve when not in use at the border, and that’s a consent process. So you take the card out, you’re saying, “I’m allowing this to be read now.”

Authorization must be given for each application the collected data is used for, as well as when data is shared with or sold to another party. So this idea is kind of going into the concept of legislating these mandates, where if you’re involved and are enrolled in the system.

A few years ago I went to Disneyworld, and after buying the tickets – which were very expensive – and travel, and hotels, and everything, I walk up to the front gate and there’s a fingerprint reader. And you have to match your fingerprint to the ticket. And I thought, “Well, there was no notification before I went spending all this money that I had to do that, that I had to give up that biometric information to the Disney Corporation.”

Even worse, by giving it up, I can’t really change my fingerprint, whereas if I had an RFID card issued to me or whatever, I could choose to shield it or use it to get through. But that biometric data, once given up, it’s hard to opt out – you really have to depend on that third party to opt out. Not to mention I have no idea what the licence agreement is to use that information – how long do they keep it? Nothing like that. After asking the Head of Security there at the gate, disturbingly, nobody else had asked or even wondered if there was another option, which there was not. So I gave in and gave them my fingerprint, so I'm kind of upset about that.


Participants should have the option to opt out and/or remove their identifying data from systems in question. This can only really be mandated through legislation I think, and basically something that says that if a company or a corporation or even Government is going to collect this information about you, if you choose to opt out of their system or service or product or whatever it is, that you should also have control over your data, be it biometric or RFID or otherwise. Citizens should always have manual or anonymous options offered to them as an alternative.

The previous presentation today about the Japanese universities where the entire university had payment systems set up for RF cards, they put cash into a terminal, it charged up their card, and then they used their card everywhere. Well, their card identifies them as buying a can of soft drink or whatever it is that they’re buying, and they should have the option to have an anonymous purchase at that machine. So this is something to think about, because by mandating that we can only use an identifying payment technology, that’s kind of against the rules in my opinion.

And this is kind of an odd concept, but licensing – licensing your data. In a, you know, quote, unquote, “free society”, commercial interest usually spurs the efforts to collect this type of data. Citizens should realize that their mundane activities have value, and companies and even governments should pay to collect and license that data from you. And that license term should favor the data supplier, you, and integrate the previous points of consent and control.

Key Terms and Definitions

AUTHORISATION: the function of specifying access-control rights to resources as related to RFID security and information security.

CONTROL: The act of having authority and power over one’s own personal information and the ability to limit its distribution.

DIY: The Do-It-Yourselfer approach is a method of designing and constructing a computer system without the aid of experts or professionals. DIYers usually like to deviate from commonly used computer systems, customizing systems to their own personal needs.

DST: Digital Signature Transponder is a cryptographically enabled radio-frequency identification (RFID) device used in many everyday systems. It was developed by Texas Instruments.

FPGA: Field-Programmable Gate Array is an integrated circuit (IC) designed to be configured by a customer.

HITAG: A well-established brand in the low frequency (LF) RFID market. It is particularly sturdy in harsh environments.

IMMOBILISE: the ability to withdraw a vehicle or object from circulation or theft.

LICENSE AGREEMENT: A mutual understanding between one party (licensor) and another party (licensee) that is legally binding.

RF: radio-frequency is a rate of oscillation in the range of about 3 kHz to 300 GHz, which corresponds to the frequency of radio waves.

RSA: An Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.

STERILIZATION: The elimination of microbiological organisms to achieve asepsis, a sterile microbial environment.

TTL: Transistor–transistor logic is a class of digital circuits built from bipolar junction transistors (BJT) and resistors.

VERICHIP: The VeriChip, which then became known as PositiveID, was the only Food and Drug Administration (FDA)-approved human-implantable microchip.