Smarter RFID

Many of you are probably familiar with the RFID tags which are used for diverse purposes: as a replacement for barcodes in product labeling, as identification mechanisms in payment systems (such as the EZ-Pass highway toll system), as an additional feature in personal identification credentials; and, recently, as an addition to US passports.   One of the security concerns about these devices is that they can be read, using readily-available technology, from a distance.  Unlike so-called “smart card” technology, these RFID devices are only able to re-play stored data; they have no computational capacity.

According to an article from the New Scientist, work is underway to add processing capability to RFID tags::

Today’s RFID tags can only broadcast fixed data back to a reader device, whether that’s details of your passport or of an endangered bird. Researchers are now working to add brains to the tags in the form of microcomputers, opening the way for much smarter applications.

One of the main challenges to doing this is that the tags generally do not contain a power source (such as a battery); they get the energy to operate from the radio-frequency transmission of the reader device.   This means that the capacity of the tags is limited:

Intel’s smarter tags use a 16-bit microcontroller and can store programs up to 32 kilobytes in size. They can also store small amounts of electricity picked up from a reader for short periods in a capacitor.

The article goes on to mention that the developers sometimes look at computer algorithms from as far back as (gasp!) the 1970s for inspiration.  That provoked a wry smile here; I remember when a default memory region of 90 KB would suffice for a fairly considerable program on an IBM System/360 mainframe.

Curmudgeonly carping aside, however, this is an interesting development.  There has been real concern, as I’ve noted in some previous posts, about the use of RFID tags in sensitive applications, such as passports.  Tags that had some computational capacity could help a lot in this area.  It is possible to imagine, for example, that a cryptographic protocol between the tag and the reader (somewhat along the lines of the SSL protocol between the browser and Web server, used to secure Internet transactions) could make documents like passports and identification credentials much more secure.