So, good evening, you guys, thanks for coming. I think I'm going to get started now; it's about 9 o'clock. Can you hear me? Can you hear me in the back? All right, good deal. So my talk today is about RFID spoofing and emulation. Now I'm actually going to start with something slightly unrelated, but it's sort of a "dog ate my homework" story. It says in the abstract that I'm going to be giving a live demo tonight. Let me tell you a little story about this. Yesterday I was at Black Hat. I had given a talk. It was not about spoofing and jamming; it was actually about RFID malware, which is one of the other research topics that I worked on in the last year. So I get out of the talk, and basically there are a couple of people from the press corps that pounced on me. They were all really friendly. So I'm speaking with them. One of them is speaking on a pay phone, and I'm just standing there waiting for her in the lobby. And there was this table there, and a circle of chairs lined around this table. So I'm standing there holding the RFID Guardian, which is what I'm going to be talking about today. It's a spoofing and emulation device. It's in this little cardboard box. And I don't even notice, but apparently I'm standing right behind this guy in this chair. And he asks me, "What's in the box?" And I was going to explain, "Well, this is actually something I'm doing for my PhD. It's about RFID." He's like, "No, really, what's in the box?" I said I was going to explain it. He grabs the box. I basically grab it back, guard it for dear life. Turns out he thought I was trying to sniff his password. So he starts yelling at me. I say, "I'm not sniffing your password, this is actually RFID equipment." And then finally he runs off and says he's going to tell the feds.
So he runs over to the feds and he tells them that there was this really belligerent young woman who was trying to sniff his password. And apparently the feds told him, "There are about 200 people here trying to do that. What do you want from me?" But basically right after that, I tried it later that night, and unfortunately, through a little bit of the rough and tumble, it wasn't working completely. So instead of the live demo, what I'm going to do is show a video that I made back when I was still in Amsterdam. Y'all are still going to see the video, which shows exactly what I would have shown here with the demo, so y'all can still see it. I've also got lots of photographs, so y'all won't miss out on any of the details. And with that, I'll get started.

So, RFID. I'm just really curious: how many people here in the audience think that they know something reasonably about RFID? Can you raise your hand? Okay, that's about half. So I'm going to start with some material just talking about what RFID is, what it's used for, why it's controversial, and why it's interesting. One of the first things is that it's a computer chip. It can sometimes be the size of a grain of rice. It can be tiny. They have little millimeter ones, ones that could almost fit on the head of a pin. And the point is you put this little antenna around it, and you have a reading device that sends out radio waves. It powers it up. It basically makes something called an inductive coupling. It actually depends what kind of RFID you're using, but in the particular kind my spoofing and jamming device works with, this makes an inductive coupling. There's something called a load modulation resistor, but essentially what it is, is a little resistor that turns on and off in time to send back bits. It can't send back too many of them at once, because of course this is very limited power, because you're powering it remotely.
But the idea is that remotely you can, I mean, they're data carriers, but they're also, in a way, like the computer of the future. If you think about it, where RFID actually came from is a whole lot like those little theft-control tags. So if you go to a department store, generally one of those tags might be on your clothing. Usually you go to the cashier, you pay for your goods, it deactivates the tag, you walk out, and it goes beep, beep, beep anyway. RFID is a whole lot like that. It's powered by its reading device. But the deal is, instead of just having one bit that says whether this item has been paid for or not, it has more bits. Because Moore's law, I mean, it's made computers so phenomenally faster over the last decade or two. The exact same thing has also happened with computers on the really small scale. And RFID is actually a really old technology. It's been around since World War II. The first implementations of it were actually identification-friend-or-foe systems. Believe it or not, what the Germans used to do is they would roll their airplanes to make sort of special signals when they were using radar, to be able to identify that those planes belonged to the Germans. All RFID was at that time is they came up with a little device that, instead of having to roll the airplane, basically just did the rolling for them. And that was the very first kind of act of RFID. But of course, since the 50s, computers have evolved a lot, and it's evolved now into what is modern RFID. And the reason why it's really picked up so much in the last few years, among other things related to Moore's law, is also just because in the last couple of years all the original patents (I think they last about 40 years) have for the first time worn off, much to the chagrin of some of the pioneers of RFID technology.
But in either case, in the last decade it's really been taking off, getting a new life of its own, and also creating quite a stir recently. What the stir is about is not so much the tags themselves, but what the tags are used for. There are all kinds of RFID applications. One of the biggest ones that they're really pushing for is supply chain management. Walmart has this grand vision. Of course, they want to make their products really cheap, and they're going to optimize probably both in how they handle their personnel and in how they track their products. And they've made this mandate, making sure that their top suppliers (first it was their top 100, then I think it moved up to their top 300) are all using this RFID technology. But what is it used for? It basically optimizes processes. It couples the physical world with the digital world, and that gives you a whole lot of power. Because if you know at any given moment where, for example, a particular raw material is, or what step it is at in the assembly line, you can figure out where bottlenecks are. You can optimize your processes, and companies love nothing more than return on investment. This is what all the execs and all the people in the industry keep shouting about. So Walmart's a big pusher for that. Also the Department of Defense. If you think about the operations going on right now in Iraq, it's just tremendous scale: all of these supplies, the food, the ammunition, need to be in the same place as the soldiers. And they're using, among other things, active RFID transponders for this. But they also want to use it for other things. They want to use it for anti-counterfeiting purposes. There were rumors for a while that they were putting them into money; the European Central Bank was talking about putting them into Euro bills.
There are actually videos floating around of people that have microwaved their dollar bills. And I'm not quite sure how they doctored it up; there was actually one picture showing all this little black charred surface, and another video floating around where you just put the thing in the microwave and hit the button; it's kind of satisfying. But yeah, they're also using it, for example, with World Cup soccer tickets, that kind of stuff. They also use it for payment. I mean, what's more convenient? Well, IBM made this really great video, and there's this guy in the supermarket. He's running through the supermarket grabbing things off the shelves, stuffing them under his jacket; you sort of see him covertly running towards the door. And when he gets to the door, there's a security guard, and he's like, "Thank you, Mr. Jones," and gives him his receipt. And that's their vision of what they want to do with this technology, with automatic payment. It's supposed to make people's lives easy. It's supposed to let us just relax and worry about the things we need to, where all these processes can just go on automatically. But also, the companies love it because it's a way to save money. Another use of it, for example, is actually in animals. They're using them in dogs and they're using them in cats. For example, if your pet runs away and somebody else picks up your pet, the idea is just that you can scan your pet and eventually it can get returned to you. Oh, really?
And they're using it for livestock, because if you have things like hoof-and-mouth, the foot-and-mouth disease, and also other things, perhaps like avian flu, if you can track your animals, then if you have any source of contaminated meat, you can figure out where it came from, and hopefully then you can quarantine whatever other animals were involved and prevent other people from getting sick. This is really noble stuff. So once you're actually tagging animals, then you figure, well, what's the next step? Maybe we should be tagging people. Of course, part of the way that you can tag people is by giving them things they have to carry, like their new passports. Another thing they do is tag infants in hospitals to make sure that they won't get stolen, or I guess maybe if they do get stolen, they can be detected on their way out the door or something like that. And my personal favorite is, well, there's a club. Actually, it's in Rotterdam; there's also one in Barcelona. It's called the Baja Beach Club, and this place is about 20 minutes from where I live. I have to say, I've actually visited there one time. Actually, the drinks were free; I had a good time. But essentially what they do there is they have this VIP lounge, sort of a swanky place. You can get VIP access by, well, first you have to fill out some forms, the usual indemnity stuff, sign your life away, and we don't have to worry about it. And then what happens is you can go to your doctor and he will give you an injection. There are these subdermal chips called VeriChips. They're about the size of a grain of rice. They're just these little antennas wound around little ferrite cores. They're in a little glass casing, and they just shoot it in your arm.
It's, in fact, almost exactly the same chip as what they're using in animals like the dogs and the cats and the ferrets and all that. It's FDA, not FDA, it's approved by, yeah, it was approved by the FDA. So they know there are no nasty side effects. And once you have this thing implanted, then you're cool, and you can get into the VIP area. And I'm telling you, they've got this little boat where they have all these bartenders dressed up as sailors. I'm not joking. Something called the, I'm trying to love sailors. It's called the Princess Marmica Deck. I thought you'd like to know that. And what happens is, when you actually want to get into this deck, they just scan your arm, and voila, you are now a number in their system. And you can see it now on this barcode reader, this VeriChip reader. And then when you actually want to pay for your drink, because that's what they do, they put drink money on these things, the bartender can look at the screen, and the number that was just read from the arm of that woman is now on the screen. Her account gets debited, she has her drink, and now she can get pretty much as wasted as she wants without having to carry a wallet. And so, who wouldn't love that? All right, so it sort of leads to a few questions about little inconvenient things like security. And one time a reporter decided to go to the horse's mouth, to the CEO of a company called Applied Digital that makes these chips. And to quote him: Applied Digital's implantable chips do not employ cryptography as of yet, but the system is nevertheless safe because its chips can only be read by the company's proprietary scanners. And the especially brilliant thing is, a couple of months ago there was this guy named Jonathan Westhues, and he actually managed to build a device.
It's actually a bit similar to our device, works a little differently, but he actually succeeded in cloning it. So, so much for the marketing talk. Oh, I have to say, I think our device was rushed, so. All right, but it's not the only security problem out there. There are a few others. Unauthorized tag reading, this is just an obvious one. If you have an RFID reader, these little tags are usually so stupid and power-limited that they can't manage their own access control. So the deal is anybody with a compatible reader can go up and scan your arm and get this information. I mean, certain more expensive kinds of tags, like contactless smart cards, some of you might swipe them, not swipe them, but use them at the door to your buildings to get into your offices perhaps. Those are also RFID, but generally you have to hold them closer to the reader because they use a lot more power, and also they tend to be a lot more expensive. So it's usually not going to be used in things like supply chain management, but still, unauthorized tag reading is a problem. Eavesdropping: you can also eavesdrop on the communications between RFID readers and RFID tags. The RFID tag is only supposed to talk about 10 centimeters. However, the RFID reader itself is going to talk probably up to a meter. And this is just for really short-range RFID; if you're talking about higher frequencies that use backscatter and things like that, if you eavesdrop on the reader communications, you can listen to this stuff from really far away. Tracking: sometimes that's useful, maybe even in the context of people, like the infant I was telling you about, but of course other times you don't want that, so it's a problem. Tag cloning, that's what I'm going to be talking about today, at least somewhat.
And denial of service, and that also partially comes into the jamming I was telling you about before, although there are also other ways you can do denial of service, namely just wrapping it in some tinfoil or something like that, and you can usually prevent tags from working. Oh, and one other one is RFID malware, and I gave a talk on that yesterday at Black Hat, and that's essentially just saying you can launch things like traditional hacking attacks, traditional exploits, buffer overflows, SQL injection attacks; you can actually launch all of that from an RFID tag. And anybody who actually wants to know more about my work on that should go to www.rfidvirus.org. All right, but now I'm going to talk a bit about the spoofing and jamming. So we've built a device, and I'm going to tell you just really generally what's in it for the hackers. What can we do with such a device? What features does this offer? Here are a few possibilities. You can do false positives. You can make multiple tags appear that don't exist. The way that it works is that this particular kind of tag that we're using uses an anti-collision algorithm called slotted Aloha. It uses 16 time slots. So if you do one single inventory query, it can spoof up to 16 tags at one time. If it's repeatedly polling, you can spoof an unlimited number of tags. And of course, since most of the time they're not really going to be sure where a tag is at any given time, they're probably going to be polling. Another thing is false negatives. You can actually make one or more existing tags disappear. And it's not just that you're randomly sending out some kind of jamming signal that's going to interfere with all RFID traffic, because of course, besides being inconvenient, that's probably also illegal. What you actually do is you have an access control list, just like a packet filter, and you put in the ID of the tag that you want to block.
You might even give it some information about when you would like it blocked. What winds up happening is the RFID reader does a query to the tag. The tag does a response back. This is all dictated by particular timing, and it knows exactly when the response is going to come back. So it sends out a really brief, very brief jamming signal, so it only blocks that one tag. It's a bit of a simplification; I'm going to go into a little bit more detail about how that jamming works on one of my later slides, but that's the general idea. So in such a way, if you have, let's say, three tags there, you can just make one of them disappear while the other two are still perfectly readable. Another thing that you can do, and this is also kind of fun, is you can also just craft invalid RFID packets. And I have to say, using our RFID Guardian, using our device, by just sending it enough things where the CRC check fails and sending it stuff that doesn't check out, actually one of the Philips applications that I was using, right out of the box (I don't have the source for this thing), basically crashed. So, us being good hackers, we know what we can do then with these kinds of possibilities. Once again, I refer back to RFIDvirus.org for more details on that. And also malware injection, because when you're talking about things like these buffer overflows, if you have some kind of a tag-emulating device, then you can really send the reader more data than it's expecting to receive. So this is the part where I would have given the demo, but instead I'm going to show you the video. I made it a couple of months ago. It's actually using the old prototype that I made. We actually have version one and version two. I'm going to talk mostly about version two, but in this video it's showing you version one. So when the video's over, I'll explain the differences between the two versions. But here's the video.

My name is Melanie Rieback.
And my name is Ruth Geofman. And we're from the Vrije Universiteit Amsterdam. This film today is going to tell you a bit about the RFID Guardian. That's a handheld device that people can use to control their security and privacy in a world full of RFID tags. Since we're going to be discussing RFID security and privacy today, first I'm going to give a quick primer on RFID technology, specifically the setup that we're using. This here is an RFID reader. It's produced by Philips. It's a MIFARE/I-CODE RFID reader. It works with MIFARE contactless smart cards and I-CODE RFID tags. These here are I-CODE SLI RFID tags. These are high-frequency tags. They work at the frequency of 13.56 megahertz, and they work with the ISO 15693 standard. These are fairly standard tags in applications like supply chain management and access control. Now that I've explained a bit about our RFID equipment, let's see it in action. We've taken the RFID reader and we've attached it to the computer, as you can see here. Here is its user interface. It's polling right now, doing something called inventory queries. It's not registering any RFID tags because they're too far away from the reader to be picked up. If you take the three RFID tags and you place them within the reading range of the reader, as you would expect, the three RFID tags show up on the user interface. Now I'm going to tell you a little bit about the RFID Guardian. This is the project that we're building at my university. Right now, we're showing it in the rapid prototyping phase of our project. So we've done most of our development using a prototyping board and a Triton development kit. At a certain point, we're planning on replacing this with a printed circuit board. But for now, I'll give you a little tour of the pieces, just so you can see generally how it is put together. The first component is the Triton development kit.
It consists of an XScale processor, the PXA270, and it functions as the central nervous system of our RFID Guardian. It has the microprocessor, it has all of the memory and the flash memory, and basically it holds the entire system together. The rest of the RFID Guardian consists of a lot of electronics. There are two most important parts that we're going to demonstrate today. Combined, these two parts, the tag transmitter and the tag receiver, allow our RFID Guardian to act like an RFID tag. This here is the tag transmitter. This produces sidebands that are used to spoof RFID tags. And this here is the tag receiver; the tag receiver simply picks up the signal of an RFID reader and decodes it so we can understand what it means. It's also useful to keep in mind that the tag transmitter and the tag receiver both have their own unique antennas. So now this is the interesting part. It's time to see the RFID Guardian in action. Just as a preliminary setup for our experiments, we've taken the RFID reader and set it up down here, probably about half a meter away from the RFID Guardian. If you look at the user interface, you can see that it is constantly in polling mode, and that it's picking up three RFID tags that I've located right now directly on top of the reader. The RFID Guardian is controlled by a serial interface that leads to a computer that's being controlled by Ruth over here. In our upcoming experiments, the RFID Guardian is going to be turned on and off at various times by Ruth. Now we're going to demonstrate spoofing. As I mentioned before, the RFID reader is in polling mode, and you can see that there are three RFID tags currently found. Now if Ruth starts up the RFID Guardian, as you can see on the screen, these three tags are now picked up as four tags, and it's still in constant polling mode, so you can see that this is reliably looking like four tags.
We're now going to demonstrate the RFID Guardian's tag jamming abilities. It's not just any kind of jamming, it's selective jamming, and we've configured the RFID Guardian to take one out of the three RFID tags and make it completely unreadable to the reader that's trying to find out what tags are available. Now if you take a look at the screen, once again it's polling, and you can see three RFID tags within the range of the reader. Now if Ruth activates the RFID Guardian, you can see that it's gone from three RFID tags down to two. So, as we've seen in this demonstration, tag spoofing and tag jamming are important features of the RFID Guardian, but they're not the only features. There are actually more high-level RFID security and privacy features that I haven't discussed. They consist of authentication, key management, access control, and auditing. For more information on these other functions, which I'm not going to discuss now, please surf over to www.rfidguardian.org, where you can find more information as well as some academic papers concerning the subject.

All right, so that was version one. Since then we've created version two, because as you saw, version one was, well, a labor of love, so it's also not very portable. So we wanted to try and create something that's a bit more usable, for either the hackers or the well-meaning people of the world who want to protect themselves. So here's one picture, actually a picture of the top side of it, and what you see now is we no longer have a separate tag receiver and tag transmitter; all of that analog circuitry is now integrated into one board. Another thing that we added that we didn't have in version one is we're trying to put all the logic in a CPLD. It's like an FPGA.
So we're essentially trying to turn as much of the analog circuitry as we can into something that we can represent with VHDL. It provides us more flexibility; a few more things will break. It also gives us a lot more options for doing things like supporting new modes of operation later on. And that's one thing we've changed. Another thing you can also see, let me see if I can get a cursor here on my laptop so I can point to it: this little chip right here is also an RFID reader, actually a reader on a chip, produced by Melexis. So another thing this particular device can do is act like an RFID reader. Having such a mode of operation allows it to also do things like relay attacks, which makes it more interesting for a hacker. But also for, as I say, the more well-meaning people, they might also want to use our device just to help them in managing the tags that happen to be around them. But this is also still sort of an intermediate effort in what we're building. We're actually already working on version three. Our plan with that is, version two still requires a serial cable, so you still have to have it tethered to the laptop. With version three we're putting a touch screen on it. And version three is also going to be professionally made. I mean, we have no immediate plans to mass-produce these things, but our intention really is that with version three it should be a device that you can use, that's handy, that's reliable, and that's really our idea. We're working on it right now, and we're hoping that in about the next six months we can have something. Oh yeah, and that's the other thing.
Once we have all of this finished, we are releasing both the hardware schematics and all of the software code as open source. So here's a look at the back end of the Guardian. What you can see, besides some of the power circuitry, is what we actually took from the Triton development board. There's something called the Triton module. Here's a bit more of a close-up on it. And once again, this is that XScale processor, the PXA270. In our current version, we did it this way so that you could just unplug this little Triton module from the development kit we were using before and use a connector to connect the whole thing directly to our prototype. The reason we're doing that is because the XScale is something called a ball grid array. And essentially if you want to produce a PCB for it, it has layers and layers and layers of pins, so it's really expensive to make and solder these kinds of things. So that's why we just took the entire development module and transplanted it. It's our solution for now. I also have to say we made a really conscious choice in using the XScale, for a couple of reasons. One, because it's just a beast, it's a workhorse. It's a full-fledged computer, and what we've found is that we need it. We need the horsepower, because I know some other people who have been working on similar projects, but they've been using things like PICs or Atmels, and they've been running into limitations. So in hindsight, it's a really good thing, because we don't really have to worry too much about time constraints. In December, I'm releasing an academic paper that gives lots and lots of details about how we built this. It'll be published in December at USENIX LISA, which is, what is it?
The Large Installation System Administration conference. So when that's published, you guys can also get a whole lot of the details about how some of this stuff works. It won't have schematics though; it's still an academic paper. Plus we're still changing them.

All right, so tag spoofing. I'm going to go a little bit more now into how that works. First I'm going to explain a little bit what a real RFID tag response looks like. This picture was taken out of the RFID Handbook. Essentially what you're looking at is one really big peak in the middle, that's the carrier signal, and about 90 decibels lower you have two little sidebands on either side of the carrier signal. Now, this big peak in the middle is what the RFID reader sends. And these two little sidebands, these two tiny peaks, are what the RFID tag generates. And it's because there's such a large difference in volume between these two signals that it's so difficult to keep RFID tags powered and be able to read them from long distances, because it's weak. Now, these little sidebands, these two little peaks, are what actually transmit the bits back. So what we're doing is sending those little sidebands with the correct timing as dictated by the standard. That's essentially how you spoof an RFID tag. You just need to produce those two little frequencies on either side of the carrier signal and do it with the correct timing. It's as simple as that, and believe it or not, the actual circuitry you need to do that is very simple. So here's a scope trace showing what we do. You're going to notice that this picture looks a bit different. You still have that carrier signal in the middle, but now take a look at the sidebands. Now we're artificially producing them.
We have a transmitter that right now is powered by something plugged into the wall, which basically means that if an RFID reader operates at only about 10 centimeters, then our device has absolutely no problem operating, for example, a meter away, spoofing a tag. In fact, before I left Amsterdam, we measured it with our latest prototype being a meter away. All right, I'm going to also talk a little bit more about the jamming and how that actually works. Essentially, the actual jamming signal itself is randomly produced noise. All we're trying to do is generate that noise at the right time so that it disrupts the signal-to-noise ratio, so that the reader can't get the signal of the tag back. Now, one thing that I need to explain is how we actually block one tag and leave the rest of them alone. At least with the particular kinds of tags that we're working with, it's fairly easy, partly because of the protocol, because of this anti-collision protocol. Slotted Aloha has 16 time slots, and this is illustrated in this picture here. The way that it works is that tags calculate deterministically what time slot they're going to respond in. What they wind up doing is, in each round of anti-collision, they XOR their tag IDs with some kind of mask value, an anti-collision mask value that's changed in each round of anti-collision. You can almost think of it as pseudo-random, because that's basically what the final result is. It's almost like each tag pseudo-randomly picks a time slot that it's going to speak in. And then as it advances to the next round, it's going to speak again, but in that also pre-calculated time slot. But of course, remembering that if the tag is able to calculate that, we know how it works, so we're able to calculate it as well.
So if you take a look at the picture, let's say we have four tags present. One of them is going to transmit in round one in time slot two. Let's say tags one and four are going to transmit in time slot five. And tag two wants to transmit in time slot nine. Now, let's say we would like tag three to be able to speak. We also perhaps want to leave tags one and four alone, but the one we're after, the one we want to block, is tag two. So what winds up happening is this: tag three transmits in time slot two. There's nothing else transmitting at the time, so it's able to get its message back. Tags one and four in this case are transmitting in the same time slot, so they interfere with each other. But of course, as you advance to the next round of anti-collision, there's probably a high chance that they'll pick different time slots for the next round, so hopefully those tags can get their signal through. But tag number two might be a tag we don't want other people to be able to read. It could be our passport, for example. During each round of anti-collision, we know when it's going to speak. So in this case, in time slot nine, we know that tag two is going to speak, and we just make a really short jamming signal in just that time slot. Then you go to the next round of anti-collision, we calculate it again, and we jam just that one time slot. We go through all 16 rounds of anti-collision and the reader gives up. Sometimes it reports a CRC error, sometimes it doesn't even notice. I haven't quite figured out what we need to do to control which is which. But that's exactly how it works in the demo video, too.

So I was talking a little bit about malicious uses for RFID spoofing and jamming, but there are probably also other uses for it.
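The slot-selective jamming just described, as a worked simulation added here (it is not code from the talk or from the RFID Guardian project). The slot rule is a simplified stand-in for the anti-collision mask scheme: in each round a public mask changes, and a tag answers in the slot given by one nibble of (UID XOR mask). That rule, the mask schedule and the four tag UIDs are assumptions of this example, not the exact rule of any standard; the UIDs are constructed so that the first round reproduces the picture from the talk (tag 3 alone in slot 2, tags 1 and 4 colliding in slot 5, tag 2 in slot 9).

```python
"""Slot-selective jamming of a 16-slot slotted-ALOHA inventory.

Added simulation; the slot rule is an assumption of this example, not the
exact rule of any RFID standard: in round r each tag answers in the slot
given by nibble (r mod 4) of (uid XOR mask_r), where mask_r is a public
per-round anti-collision mask. A jammer that knows the target UID and the
mask schedule computes the same slot and emits noise only there.
"""
from dataclasses import dataclass, field

SLOTS = 16
ROUNDS = 16


def round_mask(r: int) -> int:
    """Public per-round mask (assumed schedule: 0x0000, 0x1111, 0x2222, ...)."""
    return (r * 0x1111) & 0xFFFF


def response_slot(uid: int, r: int) -> int:
    """Deterministic slot choice a tag makes in round r (assumed rule)."""
    return ((uid ^ round_mask(r)) >> (4 * (r % 4))) & 0xF


@dataclass
class Jammer:
    """Guardian side: it knows the target UID, so it knows the target's slot."""
    target_uid: int
    jammed: list = field(default_factory=list)   # (round, slot) transmissions

    def slot_to_jam(self, r: int) -> int:
        s = response_slot(self.target_uid, r)
        self.jammed.append((r, s))
        return s


def inventory(uids, jammer=None, rounds=ROUNDS):
    """Reader's view of the inventory. Returns (UIDs read, event log).

    A tag that has been read stays quiet in later rounds; two tags in one
    slot collide; a slot filled with jamming noise yields nothing usable."""
    read, log = set(), []
    for r in range(rounds):
        pending = [u for u in uids if u not in read]
        if not pending:
            break
        jam_slot = jammer.slot_to_jam(r) if jammer else None
        by_slot = {}
        for u in pending:
            by_slot.setdefault(response_slot(u, r), []).append(u)
        for slot in range(SLOTS):
            responders = by_slot.get(slot, [])
            if slot == jam_slot:
                log.append((r, slot, "jammed"))      # noise drowns the sidebands
            elif len(responders) > 1:
                log.append((r, slot, "collision"))
            elif responders:
                read.add(responders[0])
                log.append((r, slot, "read"))
    return read, log


# Constructed UIDs chosen so round 0 matches the picture from the talk:
# tag 3 alone in slot 2, tags 1 and 4 colliding in slot 5, tag 2 in slot 9.
TAG1, TAG2, TAG3, TAG4 = 0x1235, 0x2E19, 0x3102, 0x4A75
ALL_TAGS = [TAG1, TAG2, TAG3, TAG4]


def protect(target_uid: int, uids=ALL_TAGS):
    """Run one inventory with the target jammed; returns (read, log, jammer)."""
    j = Jammer(target_uid)
    read, log = inventory(uids, j)
    return read, log, j


if __name__ == "__main__":
    read, log, j = protect(TAG2)
    for entry in log:
        print("round %2d slot %2d %s" % entry)
    print("read:", [hex(u) for u in sorted(read)], "jammed slots:", len(j.jammed))
```

Running the file prints the reader's per-round log. The thing to notice is that the jammer never transmits outside the one slot it computed, so the collision between tags 1 and 4 resolves itself in the next round while the target stays hidden for all 16 rounds; what the reader reports afterwards (a CRC error, or nothing at all) is reader-specific and is not modelled.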
Just for people who aren't necessarily hackers, but who want to be able to protect their own civil liberties, to protect their own privacy. We're also sort of in the academic community, because when I'm not speaking at hacker conferences I'm actually attempting to do a PhD right now. At least for the academic community, I sort of have to pitch this as something that can also help people. Well, they're funding me, so I do my best. So what we're also billing the Guardian as is something that can either protect people or protect fixed locations. The idea is that if you, for example, know what tags you have with you and know what tags belong to you, you might want to protect just those tags, and if there are other RFID systems around, you want to be able to protect just your tags while leaving all the other tags alone.

The way we're advertising this is as kind of an RFID firewall. Just like a packet filter, you have an access control list. You say, okay, this is where the query is coming from (I'll explain a little later how we determine that); this is where the query is going to, so these are the tags it's targeting; this is the actual query it's trying to do; and perhaps even extra context information that can also help you make the decision. And then we would either like to block it or allow it. Essentially, just using a rule set, just like with a packet filter, you can determine your security policy, and in that way you can manage who can read your tags and when and how. And I think that's kind of a novel thing. The only inconvenient thing about it is that it's limited by the range of the Guardian.
So if the Guardian only works, for example, at a range of one meter, it can only protect tags that are within one meter of you. So if you have this thing clipped to your belt, you'll probably have maybe a meter of protection in this direction, a meter of protection in this direction. But if you leave that zone, you're on your own. So this device does have limitations. Of course, how big the zone of protection is depends on the frequencies used by the RFID. But that's the basic idea.

The main functions are, one of which is auditing. FoeBuD in Germany produced one of these RFID detectors: they have a little bracelet that lights up if an RFID query comes in. It's pretty cool. What the Guardian can do, because it can actually decode RFID queries, is log this stuff for you. So you can do auditing. Just like you would audit your traffic on the network, you can audit your RFID traffic. And that could be useful, because let's say they pass a law saying that you have to signpost when you're using RFID, just to protect consumers. If it turns out that they don't signpost it but they're querying your tags anyway, you can log it. And that would give the consumer some way of having legal recourse, to be able to go to the Chamber of Commerce and say, hey, that store isn't playing by the rules.

Another way that might be useful is in logging RFID tags that are around you. Let's say I have a bag with me and somebody drops a tag into my bag. If you just do RFID queries on a periodic basis and correlate them across time, you could also figure out when an RFID tag has been added to you. Maybe it's a tag you don't want. But of course you can't remove an RFID tag unless you know about it.
And right now consumers, I mean, we're being foisted into this world where these tags are around us, but we actually have no idea when they're around us. We don't know when the tags are there and we don't know when the readers are there. By giving people the ability to do some kind of auditing, you're really putting the choice, the decision, back into their own hands.

Key management is another possible use for it. They're talking about putting some kinds of security features on our RFID tags. For example, EPCglobal has a kill feature, sort of a password-protected kill feature, on their tags. But the question is, first of all, how do you get these keys? How do you store them? How do you use them? Are you going to rely on some kind of kiosk by the door to do it for you? There's a group called CASPIAN that went to the Metro Future Store in Rheinberg, Germany. They had a killing station there. Apparently it didn't even work: it zeroed out the data memory, but the tag ID was perfectly fine and intact. So the tag wasn't even deactivated when the store said that it was. Isn't it better if you can deactivate your tags yourself? Isn't it better, for example, if the tags have things like sleep and wake modes, which the companies are also working on, and you can determine for yourself, and have the tool present yourself, to be able to turn them on and off in different situations and when you want? We think that something like the Guardian is really useful for that.

Access control. This is what I was talking about before, it being a firewall. Essentially you want to be able to make those decisions, to make a centralized security policy. The other problem with things like, well, there's something called the RFID blocker tag. I think it's a wonderful idea. It's by a guy named Ari Juels from RSA Security. He's really a brilliant guy.
In fact, his work partially inspired me to start working on RFID. He was working on this thing called the blocker tag, and his idea was that you would have this RFID tag with its own security policy. And then essentially by spoofing, well, not spoofing so much, because it was actually a tag, it would disrupt a different anti-collision algorithm, called the tree-walking algorithm. You could cause the reader to traverse the entire namespace when it's doing inventory queries looking for tags. It's a great idea. But the problem is that you have a security policy on a single tag. All the network administrators and system administrators out there: what would it be like if you have all these devices and you want to update your policy? That's a nightmare. So what the Guardian lets you do is have a centralized security policy. You only have to make one change to your policy, which is then reflected in how all of your tags are treated. And I think that's one thing that's also really quite handy.

And authentication. Now, generally you can't tell where an RFID query is coming from, because there's no room in the protocol for it. This is actually one of my pet peeves, because it would be a very easy thing to add. But the standards committees do not want to add it, and the reason is that there are a lot of, let's just say, dedicated RFID companies that are part of these committees. And if they make a change to the standard, they obsolete their whole product line. So just because a feature is technologically a no-brainer to add, and just because it does something useful like improving privacy, doesn't always mean that this change will be added. So the problem is that there's no room in the protocol for authentication information. There's no room for challenges and responses.
There's no room for anything like authentication, like cryptographic receipts that indicate that this particular query is actually coming from a particular source. Now, the idea we have with the Guardian is that since it's basically a computer that can talk directly with an RFID reader without requiring extra infrastructure, it can also do security protocols directly with the reader. Which means that if you pre-distribute secret keys to the RFID readers, they can then authenticate themselves. And the way you would do this is just using the usual read and write operations: read data block, write data block. All you have to do is put meta-information in the data blocks that you're sending that is recognizable to at least the Guardian and some kind of Guardian-aware reader. And in that way you can identify the reader that's sending this particular query. That gives you the basis that allows you to make your access control decision. So this is basically our vision for the Guardian. We're continuing to work on it, and I think in six months we're going to be a lot further with it.

And that's basically it. Any questions? Oh, how did that get in there? Any questions? Yes.

No, not really. I mean, it's just because... Oh, he was saying that the RFID reader, or sorry, the RFID Guardian, is plugged into the wall and is able to achieve an operational range of one meter. Do I think that when we convert the RFID Guardian to being powered by batteries we're going to have problems achieving the same read distance? My answer is no, I don't think that's going to be a problem, because it's not so much that we're even transmitting with that much power. We're certainly staying well within regulatory limitations. But essentially it's just a very short amount of time that we're transmitting.
So it doesn't even use that much power. We were actually doing some back-of-the-envelope calculations with the batteries we're planning on using, rechargeable batteries, in the next version. And we think you can probably go about a day having the thing be reasonably active in transmitting. So yeah, I don't think that's going to be a problem. Are there any others? Yes.

Actually, his question was: contactless smart cards may work differently than the cheaper RFID tags. Do I believe that the Guardian will also work with contactless smart cards, and more specifically with the new passports? My answer is yes. They're different, but there's actually more of a difference, I think, well, especially the different frequencies, that's the biggest problem, and that has nothing to do with contactless smart card versus tag. But we're actually working right now, we're about halfway done with implementing an ISO 14443 stack, which is the standard that the passports use. So basically our intention, hopefully once we get the demo fixed, one of the first things we would like to be able to show is that we can jam or spoof a passport reply. So, okay, well, thank you guys.
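The reader authentication and access-control decision described for the Guardian earlier in the talk (readers authenticating with pre-distributed keys through ordinary read and write data-block operations, then a packet-filter-like rule set deciding block or allow), as an added example that is not the RFID Guardian's own protocol or code. Assumed here: a reader announces itself by writing a marked data block, reads back a fresh nonce from a second block, and then writes an HMAC-SHA256 over nonce and query under its pre-distributed key; the block numbers, the MAGIC marker, the reader names, keys, tag UIDs and the rule set are all constructed for the example, and "first match wins, anything unmatched or unauthenticated is blocked" is also this example's choice.

```python
"""Guardian-style RFID firewall: reader authentication carried in ordinary
read/write-block traffic, then a packet-filter-like rule set.

Added illustration with assumed message formats (MAGIC marker, block numbers,
HMAC-SHA256 over nonce||query); not the RFID Guardian's own protocol or code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAGIC = b"GRDN"          # assumed marker that makes a data block "Guardian-aware"
AUTH_BLOCK = 0xFE        # assumed: reader writes its identity here
CHALLENGE_BLOCK = 0xFF   # assumed: Guardian serves its nonce from here


@dataclass(frozen=True)
class Query:
    op: str        # "inventory", "read", "write", "kill"
    tag: str       # target tag UID
    context: str   # extra context the Guardian knows, e.g. where it is


@dataclass(frozen=True)
class Rule:
    reader: str    # reader id, "*" for any, or "unauth" for unauthenticated
    tag: str       # tag UID or "*"
    op: str        # operation or "*"
    context: str   # context or "*"
    action: str    # "allow" or "block"


def encode_query(q: Query) -> bytes:
    return f"{q.op}|{q.tag}|{q.context}".encode()


def reader_prove(key: bytes, nonce: bytes, q: Query) -> bytes:
    """Reader side: proof = HMAC(key, nonce || query). Binding the query in
    stops a captured proof from being reused for a different operation."""
    return hmac.new(key, nonce + encode_query(q), hashlib.sha256).digest()


class Guardian:
    def __init__(self, reader_keys: dict, rules: list):
        self.keys = dict(reader_keys)    # reader id -> pre-distributed key
        self.rules = list(rules)
        self.nonces = {}                 # reader id -> outstanding nonce

    # -- authentication carried in data-block traffic --
    def on_write_block(self, block: int, data: bytes) -> bool:
        """Step 1: reader writes MAGIC||reader_id into AUTH_BLOCK."""
        if block != AUTH_BLOCK or not data.startswith(MAGIC):
            return False                 # ordinary write; not part of the handshake
        rid = data[len(MAGIC):].decode()
        if rid not in self.keys:
            return False
        self.nonces[rid] = os.urandom(16)
        return True

    def on_read_block(self, block: int, rid: str) -> Optional[bytes]:
        """Step 2: reader reads CHALLENGE_BLOCK and gets its fresh nonce."""
        if block != CHALLENGE_BLOCK:
            return None
        return self.nonces.get(rid)

    def authenticate(self, rid: str, q: Query, proof: bytes) -> bool:
        """Step 3: the proof sent with the query is checked against the
        single-use nonce; a replayed proof finds no nonce and fails."""
        key = self.keys.get(rid)
        nonce = self.nonces.pop(rid, None)
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(proof, reader_prove(key, nonce, q))

    # -- the firewall decision --
    def decide(self, q: Query, rid: Optional[str] = None,
               proof: Optional[bytes] = None) -> tuple:
        """Returns (action, index of matched rule or None, identity used)."""
        identity = "unauth"
        if rid is not None and proof is not None and self.authenticate(rid, q, proof):
            identity = rid
        for i, r in enumerate(self.rules):
            if all(want in ("*", got) for want, got in
                   ((r.reader, identity), (r.tag, q.tag), (r.op, q.op), (r.context, q.context))):
                return r.action, i, identity
        return "block", None, identity      # default deny (this example's choice)


# Constructed sample policy: the passport is off limits to everyone, the
# store's checkout reader may read anything else and kill only at the exit.
PASSPORT = "E200-PASSPORT-01"
CHECKOUT_KEY = bytes(range(32))          # constructed pre-distributed key
POLICY = [
    Rule("*", PASSPORT, "*", "*", "block"),
    Rule("checkout-7", "*", "read", "*", "allow"),
    Rule("checkout-7", "*", "kill", "store-exit", "allow"),
]


def handshake_and_decide(g: Guardian, rid: str, key: bytes, q: Query) -> str:
    """Full exchange from the reader's side, returning the Guardian's verdict."""
    g.on_write_block(AUTH_BLOCK, MAGIC + rid.encode())
    nonce = g.on_read_block(CHALLENGE_BLOCK, rid)
    if nonce is None:
        return g.decide(q)[0]            # unknown reader: treated as "unauth"
    return g.decide(q, rid, reader_prove(key, nonce, q))[0]


if __name__ == "__main__":
    g = Guardian({"checkout-7": CHECKOUT_KEY}, POLICY)
    q = Query("read", "tag-A", "store-exit")
    print("unauthenticated read:", g.decide(q))
    print("authenticated read:  ", handshake_and_decide(g, "checkout-7", CHECKOUT_KEY, q))
    print("passport read:       ", handshake_and_decide(g, "checkout-7", CHECKOUT_KEY,
                                                     Query("read", PASSPORT, "store-exit")))
```

The nonce is consumed on the first verification attempt, so a captured proof cannot be replayed, and because the query text is inside the MAC a proof issued for a read cannot be reused to authorise a kill. An unknown reader never gets a nonce and falls through to the "unauth" identity, which the sample policy does not allow anything.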