7 Reasons Why RFID Guardian, the “RFID firewall”, is Not Enough to Protect Your Privacy

RFID technologies threaten to undermine your privacy by leaking who you are, where you are, what you have, and other personal information. Wouldn’t it be nice if you could carry a device that put you back in the driver’s seat? Ars Technica has published an article about RFID Guardian, a prototype “firewall” for RFID tags that proposes to give you such control. Basically it acts as a selective radio signal jammer—it monitors nearby RFID tags and readers, determining in real time which transactions to allow and which to jam. You get to specify which readers have access to which tags.

This sounds like a neat bit of equipment, and I’m grateful for the efforts of Melanie Rieback and the RFID Guardian Project team. I hope we’ll eventually see something like this on the market. Even so, RFID Guardian strikes me as rather flimsy protection that should only be used as the last resort in a multi-layer defense.

The weaknesses of RFID Guardian and selective jamming

A cool gadget like this makes it really tempting to think that the RFID privacy problem is all but solved. I know the researchers are well aware of its limitations, but less sophisticated users will tend to think that they can satisfy their privacy needs by just buying this high-tech product. Unfortunately, it will lure them into a false sense of security. Here’s why:

• You’re exposed if the least little thing goes wrong. The RFID readers are still there, probing for nearby tags. The tags are still there, responding to the readers’ inquiries. RFID Guardian has to jump in at just the right time to drown out the tags’ responses. This is a really precarious state of affairs.
• It’s a complicated device with many possible things to go wrong. RFID Guardian is essentially a dedicated computer with its own operating system and application software. What happens if it crashes or locks up? What if bugs in the software accidentally allow tags to be read when they shouldn’t be? What if a malicious RFID reader exploits a bug and quietly disables the jamming? How will temperature extremes affect it? Will it still protect you correctly after you drop it? And what will you do about your RFID tags when you’re on the go and your RFID Guardian’s batteries run down?
• You can’t tell if it’s actually working. RFID transactions use invisible radio waves and take place in milliseconds, so it’s not as if you can keep an eye on what happens. RFID Guardian may tell you everything is OK, but you would need special equipment to record the RFID transactions and verify that they were correctly jammed. Even then, you couldn’t be sure that the RFID reader wasn’t sophisticated enough to tease out your tags’ signals anyway. Ultimately, only the reader (that belongs to someone else) knows for sure whether the jamming works.
• It only works for certain kinds of tags. RFID tags come in many forms, use different protocols, and operate in several radio frequency ranges. Right now RFID Guardian only handles passive 13.56 MHz tags following the ISO-15693 standard. While its makers can extend it to support other kinds of tags, the variety of tags will continue expanding in the coming years. It won’t be feasible for RFID Guardian to protect all conceivable tags, and adding support for more types will just increase the complexity of the system.
• It doesn’t jam reader signals that can sometimes modify tags. RFID Guardian only jams tags’ responses. It doesn’t jam the readers’ signals that can modify tag data—or even kill tags—in some cases.
• It may not be allowed in certain places. Would you be able to carry a gizmo like this onto an airplane? Even if you got past security without a hassle, the airline might prohibit this radio jammer for fear of interference with the plane’s systems. And it doesn’t take much imagination to think of other places you might not be able to take your RFID privacy protection: courthouses, schools, retail stores.
• It may be regulated or completely outlawed. RFID jammers may run afoul of existing laws against shoplifting gear if stores use RFID to ring up your merchandise or prevent you from leaving without paying. In time, new laws may restrict jammers to licensed professionals as is the case with lock picks in some jurisdictions.

So where can RFID Guardian fit in?

Given RFID Guardian’s complicated, limited, and unverifiable nature, I wouldn’t recommend using it as your sole RFID defense. I do think it can be useful as a last-resort outer layer, however. Here’s how I would structure RFID defenses:

1. Avoid having any RFID tags on your person. The best defense is simply to not carry around radio beacons. Ask for credit cards without RFID (or don’t even use credit cards). Pass on Speedpass. Seek and destroy any tags in products you purchase. Just say no whenever possible.
2. If you must have RFID tags (in a passport, for example), put them in a Faraday cage. This is a reliable, low-tech defense that needs no batteries. You can simply use aluminum foil or buy anti-RFID wallets and passport holders.
3. Use RFID Guardian when you have to remove tags from their shielding. Suppose, for example, that your workplace ID badge has an RFID tag that you must use to enter the building. You have to remove the badge from its Faraday cage to use it, but you can use RFID Guardian to ensure that only the door’s reader has access to it. Since the tag would otherwise be completely exposed, RFID Guardian’s protection is gravy, and its limitations don’t matter.

One flawed technology patching another

Technology is seductive. It offers us big gains in productivity, efficiency, and convenience, not to mention blinking lights and shiny gadgets. It also brings drawbacks and complications that we must not overlook, however, as both RFID and RFID Guardian illustrate. RFID makes purchases quick and convenient but leaks information like a sieve. RFID Guardian intelligently stems the info leakage but does so in a fragile, unverifiable way that may inspire false confidence. When we consider using any technology, we need to take an honest look at all the implications to make sure it’s right for the job. Sometimes low-tech approaches such as bar codes and shielded wallets turn out to be better solutions.