Blog

RFID Surveillance Less Threat than Perception

While the technology can identify and track objects, its use to monitor humans has proven to be rare and cumbersome, despite persistent concerns from a few.

Dec 13, 2022 Does radio frequency identification (RFID) technology come with inherent security or surveillance risks? That's been a question raised periodically by members of the public and some legislators. In fact, the technology comes with some built-in security, but how that security is used could have a variety of impacts. In most cases, RFID security is a question not so much about what the technology is intended for and how it is being used, but rather what is it capable of in the hands of a bad actor or an oppressive government. Wifi Uhf Rfid Reader

RFID Surveillance Less Threat than Perception

So far, the very non-sexy answer has been "not much." The fact is, various forms of RFID have been used for decades for supply chain management, access control and enabling Internet of Things (IoT) systems, wirelessly transferring sensor data about conditions to a server. On the other hand, a more speculative concept of RFID, used as implants, has received an outsized share of attention in the press.

Some RFID tags are intended to be implanted, but not necessarily in humans. LF RFID chips transmitting at 125 kHz are often embedded in pets to enable veterinarians to identify them in the event that they are found without their owner. Cattle and other animals often wear LF or UHF RFID chips in the form of external ear tags, so they can be identified as they move through facilities and receive vaccinations or feed, or when they are slaughtered. These tags are not embedded in livestock the same way they are in pets, partly because those reading the tags would be unable to be in the immediate proximity of the animals, the way veterinarians would with pets in their office.

Companies have also used RFID tags attached to packages of meat, providing visibility linked to each piece of meat sold at a store. During the past few decades, a few businesses have prototyped or sold LF or 13.56 MHz HF (Near Field Communication [NFC]) RFID chips that could be injected into humans, though only a handful of companies and individuals have had tags embedded. Sensational stories about RFID threats may sell RFID-shielding wallets but often do a disservice to the facts around RFID technology.

Still, some members of the public remain concerned. The Bulletin of the Atomic Scientists approached Ahmed Banafa, a member of the San Francisco Bay University engineering school faculty, to request an in-depth study about surveillance threats from implanted technologies (see Microchips in humans: consumer-friendly app, or new frontier in surveillance?). "The way I look at this kind of technology," Banafa says, "is 'How close is technology to us?'" People carry smartphones in their pockets and wear earbuds in their ears, for example, so he muses, "Now we start to see the next move: is technology going to get inside us?"

Some of the stories bringing RFID into the mainstream have covered topics around technology implantation. For instance, Walletmor offers a payment-based implant using HF RFID (see Technology Startup Offers NFC Payment Implant). In 2017, Wisconsin's Three Square Market deployed an RFID system using Biohax technology (see Wisconsin Company Plans NFC Chip Implant Party) and encouraged some of its employees to have an RFID chip injected between their thumb and forefinger, enabling them to access offices and copy machines.

This has raised concerns for some members of the public, as well as for a few researchers like Banafa. His greatest fears are that the technology could be leveraged by a foreign or bad actor to track humans, that RFID transmissions could be hacked, or that those transmissions could pose health risks. "One big concern raised by many privacy advocates is the creation of a surveillance state tracking individual using this technology," he explains. Understanding whether an RFID tag could be used as a surveillance method requires knowledge of the types of RFID systems currently in use, as well as the physics of what the technology can do.

LF technology is a low-power, low-frequency band system typically used for access control and animal implants. The chip has an ID number linked to data regarding the animal, which is stored in a server or reader and typically requires a secure ID to access. The tag can be read by a handheld reader at a range of approximately 10 centimeters (3.9 inches). However, if the reader lacks access to the encryption key or password, it will not unlock the data. Therefore, the user will be able to view only a series of numbers.

HF RFID and NFC both transmit at 13.56 MHz, but with ISO standard 1445693 for the former and 13334 for the latter. Both have a short range and can be read within centimeters rather than feet—in both cases, surreptitiously reading the tag ID from a distance of more than a foot or two would be unlikely. The implanted RFID tags covered in the press typically employ NFC transmissions, the same frequency used for Apple Pay on a smartphone. UHF RFID tags are used in the billions, attached to apparel and high-value products that include electronics and automotive parts, for the purpose of supply chain tracking.

UHF RFID offers a much longer read range than LF and HF tags, but like LF and HF it does not require a battery. Instead, it responds to interrogations by a reader. Without a reader, such tags remain dormant. However, UHF is not being implanted in animals, in part because it does not transmit well through skin and tissue, which contain liquids that pose an obstacle to UHF transmissions. Other RFID systems with long-range transmissions require a battery, significantly increasing the size of a tag, and if they could be implanted in a living body, the tag would only operate until the battery died.

For RFID, Banafa questions whether hacking might take place during a transmission between an implanted chip and a receiver. He argues that hackers could simply intercept that communication and grab information. Sandeep Unni, Gartner's senior director analyst, disagrees. "You could conceivably pay or gain doorway entry," Unni explains, "or get on a subway ride by waving your hand, but you would need to be pretty close to the reader in such scenarios." Such constraints of RFID transmission limit the potential for RFID to track people, Unni notes, or to be a threat related to hackers.

Image: the Bulletin of the Atomic Scientists

Image: the Bulletin of the Atomic Scientists

When it comes to interrogating HF and LF tags that might be implanted, Unni says, "Most applications use a contactless approach where the reader is in close proximity with your chip" and cannot be read at a distance. Thus, while a security hack is not impossible, the hacker would need to be in close physical range, and thus would be noticeable. Additionally, the amount of information encoded in the tags and, therefore, susceptible to such a breach is limited. Just as frequency ranges and associated technologies differ, Unni says, so do security needs. For example, an NFC tag containing payment information would need to be inherently more secure than a UHF tag carrying a serialized Electronic Product Code.

For most common use cases for UHF RFID, such as inventory management and asset tracking, the main security concerns tend to involve data integrity and reliability, as well as the potential for information to end up in the hands of bad actors who might then use it for malicious intent. That is why, depending on the application, security features are typically in place so that data on a tag is locked from reading and writing unless authorized with a password, or by encrypting sensitive data. "Ultimately," Unni says, "the security risks need to be evaluated upfront as part of the security assessment of the overall system deployment, not just the tags."

California is among a few states that have signed bills into law banning the use of RFID implants, despite the fact that there are no reports of such implants being introduced by any companies in that state. There may be some other wireless technology ahead that could bear watching, though.

Neuralink, for instance, is testing an implantable device with threads linked to specific parts of the brain, which comes with a rechargeable battery and a potential Bluetooth connection to send data that is controlled in an app. The company's founder, Elon Musk, says he has a vision of linking human minds with artificial intelligence using such technology. So far, though, it is only being tested in chimpanzees. In any case, this is a far cry from standard RFID technology and its identification of goods or animals via ID numbers.

In the long term, Banafa may be prescient in raising concerns about the impact of a foreign body being implanted in people, as well as how it could be used. "We have no idea about what impact [there is] on the body of people who have those kind of chips," he states. "It's the medical consequences of having a foreign body inside us or under our skins that I would worry about. It's the permanence of an implant."

RFID Surveillance Less Threat than Perception

Financial Card You must be logged in as a registered user to access. Not a registered user? Sign up for basic membership for free here.