04.12.07

Not Everything Can Be Improved With Technology.

Posted in IT, Security at 10:12 am by Tyler Reguly

I know that's a hard statement for a lot of people to believe, but it's the truth. RFID is a prime example of this. The list of things that RFID has been used for just keeps growing.

  • Replacement of Keys
  • Embedded in Keys
  • Product Tracking (Warehouse)
  • Product Tracking (Livestock)
  • Payment Methods (Credit Cards)
  • Passports
  • Cookware
  • Ink (for RFID Tattoos)
  • Library Books
  • and the list goes on...

The latest offering in the RFID embedded products are E-Plates. That's right, a license plate with active RFID embedded inside it. These are being investigated and rolled out for testing in the UK, or I probably never would have heard of them (link found via Thoughts of a Technocrat).

Given the demonstrations we've seen lately of the ease of which RFID can be cloned and replayed. I find this to be a dangerous place to put RFID.  Hell, instructions on building an RFID cloner can be easily obtained. RFID is also susceptible to viruses.

I contacted the manufacture of E-Plates with a series of questions covering concerns I had on the subject.

These questions included:

  • How susceptible to wear and tear are the E-Plates?
  • If you watch the marketing video provided by E-Plates you'll notice a scene where they discuss how secure the E-Plates are physically. Any attempt to to remove the E-Plate results in the outside separating from the inside. To demonstrate this a person in the video grabs the E-Plate, and with apparent ease, separates the two pieces. You also have to factor in that this is active RFID, meaning that a battery is required to power it... a battery that, as advertised, is designed to last a maximum of 10 years.
  • Possible Sources of "wear and tear"
  • Pulling/backing into a parking space and bumping a curb
  • Minor accidents that would leave a traditional license plate with only a dent
  • Vandals, who can easily render your license plate useless by pulling it apart
  • The battery dies, meaning guaranteed license plate replacement every 10 years.
  • RFID devices have are susceptible to cloning and replay attacks. What is to stop someone from performing this with E-Plates?
  • I'm going back to the video for this next one. The video, in obvious marketing, attempts describes how the device can be mounted anywhere and could easily be run of solar power, meaning no new messy installations, no wires to run, just a small device mounted on a pole over a 4-lane highway. This same video explains that information from these RFID readers passes over the Internet to a master server.
    • How do these devices communicate with the Internet? Are they wifi capable? Will these devices that don't require messy installs need a CAT-5 cable run up every pole they are mounted on? What happens in remote locations?
    • How secure is their communication across the internet? Can they be the subject of data interception, manipulation and theft? Could criminals intercept the data and replay altered data to hide the location of a stolen car? Is this protection to ensure that malicious individuals cannot use the information to perform their own tracking.
  • What about privacy concerns? According to the marketing video, handheld readers will be available for these E-Plates. That means that a corrupt government could easily show up at a gathering of members of an opposition political party and quickly sweep the parking lot. They now know who is attending that meeting. This would also mean that the government would have a rough idea of where you are at all times. E-Plates makes it clear that this isn't GPS, but given enough readers in various locations, you could have a fairly good idea of where a car is. Suddenly it's like your every move is being watched. Prisoners wear RFID tracking bracelets, suddenly the innocent are being tracked as well.
  • The marketing video, and I apologize for using it again but it's really all the literature they provide, also states that short of removing the E-Plate they are tamper proof. While I question this, I'm wondering about painting the E-Plate with RFID blocking paint... Would that be enough to stop the active RFID from being read?
  • Lastly, I wondered if the company was willing to make demo E-Plates available to independent, third-party security researchers for an external audit.

    • To ensure that I don't miss anything, I'd like to provide the companies complete response here:

    Thank you for your enquiry. We have no comment to make.

    That's all, and that's a direct copy and paste from the email.

    This concept scares me. With the introduction of this, several things can happen:

    • The government can track me. (More efficiently, easily and at a larger scale than they currently could.)
    • Thieves can clone my license plate and make it appear as though I took part in a crime. (After all the manufacturer claims that these are completely secure and "uncloneable" (Like we haven't heard that before.))
    • Thieves could use misdirection after committing a crime. Masking their RFID and having a clone of it appear across town, or perhaps swapping their RFID with another car.

    I really think we need to sit back and think before we use technology in every little thing. At this point I'm waiting for the day when I sign a lease on an apartment and instead of handing me a set of keys, they pull out a needle and say, "Bend Over."