Chipping away at security

Radio frequency chips and antennae, which typically transmit small amounts of data in quick exchanges with reader devices, are used in E-Z Pass systems on highways. Consumers who tap their MasterCard PayPass bank cards on wireless readers are also using RFID technology.

But as radio frequency chips evolve to store more data and to transmit signals over greater distances, the devices can also be coaxed into giving up personal information, specialists say.

Nicole Ozer, technology and civil liberties policy director at the American Civil Liberties Union of Northern California, is among the privacy advocates worried about RFID security. Ozer said an RFID-enabled passport card issued by the Department of Homeland Security and the State Department, called US Passport Card, is vulnerable to wireless attacks.

US citizens can use the Passport Card, instead of a passport, to enter the country from Mexico and Canada by land or from the Caribbean and Bermuda by sea. The card's RFID chip contains a number that corresponds to the bearer's photo and other personal information in a government database.

"The new tags have extreme read ranges," Ozer said. "They can be read up to 30 feet away, and copied and cloned, without people ever knowing."

Radio frequency technologies first got a bad rap among privacy advocates in the late 1990s, when companies, led by Wal-Mart Stores Inc. and Procter & Gamble, along with computer scientists at the Massachusetts Institute of Technology, began developing an RFID tag standard, called the Electronic Product Code.

Consumer and privacy advocates feared governments and marketers might use the EPC-RFID on purchased goods to secretly track shoppers - and their buying habits - by using fixed and hand-held wireless reader devices.

Since then, radio frequency technologies have only grown more powerful and sophisticated.

For instance, Tego Inc., based in Waltham, is developing tags that can hold as much data as a suitcase-size PC did in the 1980s. This summer, Tego plans to introduce a 64KB RFID tag that could be used to do such things as store all of an airplane part's installation and repair history.

Tego's tag will help prevent the troubling use of "counterfeit parts in the airline industry," said Timothy Butler, its chief executive. Much like the earliest so-called passive RFID tags, Tego's device does not require a battery. It gets the juice it needs from radio waves emitted by the reader device trying to connect to it.

Radio frequency devices, coupled with biological sensors, can also act as sentries against disease. MicroStrain Inc., of Williston, Vt., is promoting its EmbedSense wireless sensors to monitor the functioning of joints and tissues throughout the body.

But with each new legitimate application, potential abuses are multiplying - especially the risk of hackers accessing private information on tags in the same way they break into computers.

"It's a bit of an arms race," said Kevin Fu, who is investigating RFID attacks and countermeasures at the RFID Consortium for Security and Privacy, or CUSP, at the University of Massachusetts at Amherst. "The adversary doesn't get any dumber."

So far, however, the "enemy" appears to consist largely of Fu, and cryptography specialists such as Ari Juels, director of RSA Laboratories in Bedford, who has developed ways to hack into RFID payment devices such as MasterCard's PayPass.

Fu recently demonstrated a potentially lethal threat, which might come from a rogue reader device: an attack against the wireless components inside an implantable cardiac defibrillator. For their experiment, Fu and his colleagues at the Medical Device Security Center - a partnership between UMass, Beth Israel Deaconess Medical Center in Boston, and the University of Washington - used a defibrillator that included a radio frequency chip and transponder to allow doctors to read and record patient information, and to reprogram the device.

The Secure Medicine team was able to glean the equivalent of personal medical records from the defibrillator by using an ad-hoc, unauthorized device. The researchers also managed to take control of the defibrillator, to create shocks that would be life-threatening to a patient.

"It's an extreme example of a lack of protection," Fu said.

But he believes there is a solution - using sophisticated radio frequency devices to foil attackers.

The Secure Medicine team is developing a radio frequency gadget called WISPer, which sounds an audible alarm and vibrates when it detects unauthorized attempts to reprogram an implanted device. To test it, researchers packed the WISPer prototype into a simulated human torso, made of beef and bacon. It worked.

The list of CUSP's backers, including Cambridge-based RFID device maker ThingMagic Inc., Intel Research, and RSA Security (home to Ari Juels' RSA Laboratories), suggests the RFID industry is committed to guarding its souped-up technologies from interference.

Butler, the Tego CEO, noted that the additional storage capacity on his company's tag leaves room for the use of security software. Also, Juels and Fu said, not all applications for radio frequency technology bear the same risks.

Besides, some risks might be worth taking.

"If you need a life-saving device, the [intrusion] might be less of an issue for you," Fu said.

Still, other RFID applications have proved less successful.

For example, Juels said, the VeriChip - an implantable RFID chip marketed as a tracking device for people at risk of abduction - "was an example of poorly implemented security."

"People quickly realized that kidnappers were likely to separate their victims from their limbs, to get rid of the tracking device," he said.