Study: Consumers Misunderstand RFID and Its Security

By Admin

Consumers don't realize RFID cards and documents can be read without their knowledge or from more than a few inches away, according to a small study conducted by researchers at the University of California, Berkeley. The study suggests consumers can't adequately assess the risks associated with RFID.

This article was originally published by RFID Update.

April 22, 2008—Consumers have misunderstandings about how RFID works and the security issues related to the technology, according to a new paper from researchers at the University of California, Berkeley. The report, "Where's The Beep?: Security, Privacy, and User Misunderstandings of RFID," says most users of RFID-enabled passports, transit passes, and credit cards do not realize these items can be read without their knowledge or from more than a few inches away. Users also tend to think RFID cards and documents contain more personal information than is actually encoded.

The study was undertaken to gain insight as to how well users of common RFID cards and documents understand how the technology works, and how the knowledge level impacts user comprehension of the privacy and security risks associated with RFID. Researchers Jennifer King and Andrew McDiarmid interviewed nine users of RFID-enabled fare cards, credit cards, and passports after identifying them through a written survey. The research was sponsored by Team for Research in Ubiquitous Secure Technology (TRUST), an organization focused on cyber security science and technology issues. The authors plan to conduct a follow-up study with more participants. They plan to drop transit cards from the follow-up because the cards do not carry personal information.

Major findings of this study included:

  • Most subjects thought direct line-of-sight was necessary for an RFID reader to access data on a chip.
  • All subjects were accustomed to getting visible or audio feedback that their card or document had been read.
  • Most subjects were unaware that RFID chips could be read without providing feedback.
  • Most subjects were unaware that RFID chips could be read without their consent or knowledge.
  • The subjects used RFID systems in which the chips were encoded with only a unique ID number that serves as a reference for information held in secure databases. However, many of them thought their name, Social Security number, and other personal information were encoded in the chip.
  • Issuing organizations provide little information about the security provisions of cards or passports or the risks associated with using them.

The report makes no recommendations and has no formal conclusions section, but does include some statements about the implications of the findings. One of the strongest passages reads: "...of particular concern is the reliance of a mental model based upon optical line-of-sight technology; failing to understand the omnidirectionality of RF communication may lead users to miscalculate their level of risk..."

The report also criticizes e-passport issuers for not adequately communicating how the documents work and their potential security risks. It will likely be cited in the ongoing debate on electronic passports and in RFID legislative efforts.