Gillette Buys Half a Billion RFID Tags

prostoalex writes "Gillette announced its intent to purchase 500,000,000 RFID tags from startup Alien Technology. The company expects to introduce RFID tags into its pallets and cases, according to the article. Alien Technology was the first company to introduce an RFID tag with price lower than 10 cents, even though some people claimed it could not be done."

What some people thought they could not do

Was to get first time working silicon ... not what you suggested.

Damnit!

I have to wear my tinfoil hat while shaving too??

It's been said before...

But when posting an acronym that is not that common / RFID? why not put up the translation for those not in the know?

Re:It's been said before...

RFID = Radio Frequency ID

RFID [everything2.org]

HERE IS THE COMPLETE FAQ...

posted as AC for karma rasonZ

What Is Automatic Identification?
Automatic identification, or auto ID for short, is the broad term given to a host of technologies that are used to help machines identify objects. Auto identification is often coupled with automatic data capture. That is, companies want to identify items, capture information about them and somehow get the data into a computer without having employees type it in. The aim of most auto-ID systems is to increase efficiency, reduce data entry errors, and free up staff to perform more value-added functions. There are a host of technologies that fall under the auto-ID umbrella. These include bar codes, smart cards, voice recognition, some biometric technologies (retinal scans, for instance), optical character recognition, radio frequency identification (RFID) and others. Back to Top

What is RFID?
Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to automatically identify individual items. There are several methods of identifying objects using RFID, but the most common is to store a serial number that identifies a product, and perhaps other information, on a microchip that is attached to an antenna (the chip and the antenna together are called an RFID transponder or an RFID tag). The antenna enables the chip to transmit the identification information to a reader. The reader converts the radio waves returned from the RFID tag into a form that can then be passed on to computers that can make use of it. Back to Top

How does an RFID system work?
The system consists of a tag, which is made up of a microchip with a coiled antenna, and an interrogator or reader with an antenna. The reader sends out electromagnetic waves that form a magnetic field when they "couple" with the antenna on the RFID tag. A passive RFID tag draws power from this magnetic field and uses it to power the microchip's circuits. The chip then modulates the waves that the tag sends back to the reader and the reader converts the new waves into digital data. Back to Top

Is there any health risks associated with RFID and radio waves?
RFID uses the low-end of the electromagnetic spectrum. The waves coming from readers are no more dangerous than the waves coming to your car radio. Back to Top

Why is RFID better than using bar codes?
RFID is not necessarily "better" than bar codes. The two are different technologies and have different applications, which sometimes overlap. The big difference between the two is bar codes are line-of-sight technology. That is, a scanner has to "see" the bar code to read it, which means people usually have to orient the bar code towards a scanner for it to be read. Radio frequency identification, by contrast, doesn't require line of sight. RFID tags can be read as long as they are within range of a reader. Bar codes have other shortcomings as well. If a label is ripped, soiled or falls off, there is no way to scan the item. And standard bar codes identify only the manufacturer and product, not the unique item. The bar code on one milk carton is the same as every other, making it impossible to identify which one might pass its expiration date first. Back to Top

Will RFID replace bar codes?
Probably not. Bar codes are inexpensive and effective for certain tasks. It is likely that RFID and bar codes will coexist for many years. Back to Top

Is RFID new?
RFID is a proven technology that's been around since the Second World War. Up to now, it's been too expensive and too limited to be practical for many commercial applications. But if tags can be made cheaply enough, they can solve many of the problems associated with bar codes. Radio waves travel through most non-metallic materials, so they can be embedded in packaging or encased in protective plastic for weather-proofing and greater durability. And tags have microchips that can store a unique serial number for every product manufactured around the world. Back to Top

If RFID has been around so long and is so great, why aren't all companies using it?
Many companies have invested in RFID systems to get the advantages they offer. These investments are usually made in closed-loop systems - that is, when a company is tracking goods that never leave its own control. That's because all existing RFID systems use proprietary technology, which means that if company A puts an RFID tag on a product, it can't be read by Company B unless they both use the same RFID system from the same vendor. But most companies don't have closed-loop systems, and many of the benefits of tracking items come from tracking them as they move from one company to another and even one country to another. Back to Top

Is the lack of standards the only thing that has prevented RFID from being more widely used?
Another problem is cost. RFID readers typically cost $1,000 or more. Companies would need thousands of readers to cover all their factories, warehouses and stores. RFID tags are also fairly expensive - 50 cents or more - which makes them impractical for identifying millions of items that cost only a few dollars (see below). Back to Top

How much do RFID tags costs?
They can cost as little as 30 cents or as much as $50 depending on the type of tag and the application. Generally speaking, finished smart labels that can be applied top products typically cost 50 cents or more. Active tags - those with a battery - can cost far more. And if you bundle in a sophisticated sensor, the cost can rise to more than $100. Back to Top

What is the difference between low-, high-, and ultra-high frequencies?
Just as your radio tunes in to different frequency to hear different channels, RFID tags and readers have to be tuned to the same frequency to communicate. RFID systems use many different frequencies, but generally the most common are low- (around 125 KHz), high- (13.56 MHz) and ultra-high frequency, or UHF (850-900 MHz). Microwave (2.45 GHz) is also used in some applications. Radio waves behave differently at different frequency, so you have to choose the right frequency for the right application. Back to Top

How do I know which frequency is right for my application?
Different frequencies have different characteristics that make them more useful for different applications. For instance, low-frequency tags are cheaper than ultra high frequency (UHF) tags, use less power and are better able to penetrate non-metallic substances. They are ideal for scanning objects with high-water content, such as fruit, at close range. UHF frequencies typically offer better range and can transfer data faster. But they use more power and are less likely to pass through materials. And because they tend to be more "directed," they require a clear path between the tag and reader. UHF tags might be better for scanning boxes of goods as they pass through a bay door into a warehouse. It is probably best to work with a consultant, integrator or vendor that can help you choose the right frequency for your application. Back to Top

Do all countries use the same frequencies?
No. Europe uses 868 MHz for UHF and the U.S. uses 915 MHz. Japan currently does not allow any use of the UHF spectrum for RFID. Government's also regulate the power of the readers to limit interference with other devices. Some groups, such as the Global Commerce Initiative, are trying to encourage governments to agree on frequencies and output. Tag and reader makers are also trying to develop systems that can work at more than one frequency, to get around the problem. Back to Top

I've heard that RFID doesn't work around metal and water. Does that mean I can't use it to track cans or liquid products?
No. Radio waves bounce off metal and are absorbed by water at higher frequencies. That makes tracking metal products or those with high water content problematic, but good system design and engineering can overcome this shortcoming. In fact, there are applications in which RFID tags are actually embedded in metal auto parts to track them. Back to Top

What's the difference between passive and active tags?
Active RFID tags have a battery, which is used to run the microchip's circuitry and to broadcast a signal to a reader (the way a cell phone transmits signals to a base station). Passive tags have no battery. Instead, they draw power from the reader, which sends out electromagnetic waves that induce a current in the tag's antenna. Semi-passive tags use a battery to run the chip's circuitry, but communicate by drawing power from the reader. Active and semi-passive tags are useful for tracking high-value goods that need to be scanned over long ranges, such as railway cars on a track, but they cost a dollar or more, making them too expensive to put on low-cost items. The Auto-ID Center is focusing on passive tags, which cost under a dollar today. Their read range isn't as far - less than ten feet vs. 100 feet or more for active tags - but they are far less expensive than active tags and require no maintenance. Back to Top

How much information can the tag store?
It depends on the vendor and the application, but typically a tag would carry no more than 2KB of data - enough to store some basic information about the item it is on. Back to Top

What's the difference between read-only and read/write tags?
Chips in RF tags can be read-write or read-only. With read-write chips, you can add information to the tag or write over existing information when the tag is within range of a reader, or interrogator. Read-write tags are useful in some specialized applications, but since they are more expensive than read-only chips, they are impractical for tracking inexpensive items. Some read-only microchips have information stored on them during the manufacturing process. The information on such chips can never been changed. A more flexible option is to use something called electrically erasable programmable read-only memory, or EEPROM. With EEPROM, the data can be overwritten using a special electronic process. Back to Top

What is reader collision?
One problem encountered with RFID is the signal from one reader can interfere with the signal from another where coverage overlaps. This is called reader collision. One way to avoid the problem is to use a technique called time division multiple access, or TDMA. In simple terms, the readers are instructed to read at different times, rather than both trying to read at the same time. This ensures that they don't interfere with each other. But it means any RFID tag in an area where two readers overlap will be read twice. So the system has to be set up so that if one reader reads a tag another reader does not read it again. Back to Top

What is tag collision?
Another problem readers have is reading a lot of chips in the same field. Tag collision occurs when more than one chip reflects back a signal at the same time, confusing the reader. Different vendors have developed different systems for having the tags respond to the reader one at a time. Since they can be read in milliseconds, it appears that all the tags are being read simultaneously. Back to Top

What is the read range for a typical RFID tag?
The read range of passive tags depends on many factors: the frequency of operation, the power of the reader, interference from metal objects or other RF devices. In general, low-frequency tags are read from a foot or less. High frequency tags are read from about three feet and UHF tags are read from 10 to 20 feet. Where longer ranges are needed, such as for tracking railway cars, active tags use batteries to boost read ranges to 300 feet or more. Back to Top

Are there any standards for RFID?
Yes. International standards have been adopted for some very specific applications, such as tracking animals. Many other standards initiatives are under way. To see a list of standards initiatives prepared by AMR Research, click here. The most interesting efforts involve GTag, which is promoted by EAN and UCC as a way to communicate with UHF tags; ISO 18000-6, which is an international effort that forms the foundation for the GTag standard; and the Auto-ID Center's electronic product code. The EPC and the technology surrounding it is not a standard in any formal way, but the Auto-ID Center hopes that it will be widely adopted and become the de facto standard. Back to Top

Who are the leading RFID vendors?
There are many different RFID vendors with different areas of expertise. We have compiled a director of vendors around the world. Click here to locate the type of vendor you are looking for. Back to Top

What are some of the most common applications for RFID?
RFID is used for everything from tracking cows and pets to triggering equipment down oil wells. It may sound trite, but the applications are limited only by people's imagination. The most common applications are tracking goods in the supply chain, tracking assets, tracking parts moving to a manufacturing facility, security and paymant systems that let customers pay for items without using cash. Back to Top

I've heard RFID can be used with sensors. Is that true?
Yes. Some companies are combining RFID tags with radiation sensors. One day, the same tags used to track items moving through the supply chain may also alert staff if they are not stored at the right temperature, if meat has gone bad, or even if someone has injected a biological agent into food. To learn more, read Low-Cost RFID Sensors: From Battlefield Intelligence To Consumer Protection. Back to Top

What are intelligent software agents and how do they fit into RFID?
Software agents are basically autonomous applications that automate decision making by establishing a set of rules. For instance, if X happens, do Y. They are important to RFID because humans will be overwhelmed by the amount of data coming from RFID tags and the speed at which it comes (real-time in many cases). So agents will likely be used to automate routine decisions and alert employees when a situation requires their attention. SAP and a company called BiosGroup are working on an automated replenishment system in which software agents would make decisions when trends indicate a product will be out of stock. See BiosGroup's Intelligent Agents Could Hold the Key to RFID-Driven Supply Chains. Back to Top

What is "energy harvesting"?
Most passive RFID tags simply reflect back waves from the reader. Energy harvesting is a technique in which energy from the reader is gathered by the tagged, stored momentarily and transmitted back at a different frequency. This method may improve the performance of passive RFID tags dramatically. See Is Energy Harvesting the Breakthrough that Jumpstarts RFID Adoption?. Back to Top

Where can I learn more about the Auto-ID Center and its technology?
We have created a separate page of Frequently Asked Questions about the Center and how its

Re:It's been said before...

"Read the F***ing ID"?

who are these people...?

And why do they have a "journal?" I guess I just don't get it. I was expecting a news story, but instead there was a press-release about how cool it was that Gillette was doing this.

Re:who are these people...?

The "journal" is probably completely "sponsored" by the groups actively creating and pushing this. If you read the article you'll notice that Gillette has "sponsored the development of" Alien's RFID technology, so it sounds like Gillette is a major investor, and probably one of the "sponsors" of this "journal". That would also explain the "Gillette is so cool" angle.

The "independent" journal has probably been created to help market the concept to retailers and other customers, but naturally biased towards the sponsors of the journal. In other words, the journal is advertising material disguised as independent reporting. I can't imagine what independent group would be creating a journal like this.

Judging by their FAQ, it sounds like this area has been quite competitive for a while, in terms of different companies trying to come up with low-cost RFID tags, and different companies creating different standards. But the world is going to pretty much need ONE standard for this to work. And naturally, the company that gets their standard in place is set to make incredibly huge truckloads of $$$ further down the line, once this is implemented on a large scale. Thus it makes sense for investors like Gillette, who appear to want to be in on the deal, to sponsor such a journal. I am of course speculating, but it makes a lot of sense to me.

They even mention on the page an alliance with a group working with SAP to integrate this technology with SAP software, which would then just extend this automation of supply chain management even further. The system would be able to do things like automatically "alert staff" if buying trends indicate that a retailer is running out of stock of a particular item.

Essentially, the gist of all this is that managers realise that most of the jobs in a retail store can be automated, and that all you really need is a few managers using the right software and hardware tools. You don't need human cashiers when the customer can just put his trolley of goods under a scanner that tallies his entire shopping cart in under a second and automatically bills his credit card. What this is probably going to mean, 10 or 20 years from now, is that HUGE numbers of people in retail and distributing are going to lose their jobs to these little tags.

The biggest joke of all is how they seem to avoid mentioning this issue in the "journal". To quote the FAQ: "The aim of most auto-ID systems is to increase efficiency, reduce data entry errors, and free up staff to perform more value-added functions". Yeah right, more like "free up staff to perform more value-added functions, like collecting unemployment".

This technology is probably inevitable though. As technology improves, more and more people can have their jobs replaced by computers. I know somebody is going to reply by saying "but it just shifts the jobs to somewhere else, e.g. the people who create these tags and create and maintain the software". Sure, to a degree, but if you follow the trends to their logical conclusion, you get to a point where millions of low-paying jobs are getting lost and being replaced by maybe a couple thousand higher paying jobs. At some point, something will have to give .. all those people who end up losing their jobs will be the retailers customers themselves, so their business drops.

Reminds me of this despair.com poster: http://www.despair.com/motivation.html [despair.com]

Re:who are these people...?

Interesting, because me and at least one other post to the parent of the one I'm replying to disagree.

I'd rather go through the self-serve thing, personally. The actual help is less than astounding at most places, and so by the end of my shopping trips I'm usually put out after being told to go from one end of the store to the other for peroxide or something cross-categorically capable, even was told to look in the liquor department for the rubbing alchohol. It wasn't there.

I respect the need for the stupid to make money and live and eat, but I'd really not have to deal with them as much as possible.

Of course, maybe they're having a bad day, etc.etc. We all do stupid things, so . . . with this outlook I'm usually pretty tolerant, but I'd rather not push my luck.

The few times i've used the auto-checkout things there hasn't been any trouble, so, maybe it's a percentage thing. I'm sure as well that as these things become more ubiquitous that the bugs will creep out of the systems . . . come to think of it, one time the machines couldn't accept the new 5 dollar (us) bill. Of course, I've gotten my share of dumb people for my small stash of 2 dollar bills. Even had a clerk and manager at Best Buy try and take a 100 bill of mine because it didn't have a plastic strip and they thought it was counterfeit. It took explaining that I had got it that morning for my work: a bank.

The date on the bill was 1954.

Re:who are these people...?

... What this is probably going to mean, 10 or 20 years from now, is that HUGE numbers of people in retail and distributing are going to lose their jobs to these little tags. ...

This technology is probably inevitable though. As technology improves, more and more people can have their jobs replaced by computers. I know somebody is going to reply by saying "but it just shifts the jobs to somewhere else, e.g. the people who create these tags and create and maintain the software". Sure, to a degree, but if you follow the trends to their logical conclusion, you get to a point where millions of low-paying jobs are getting lost and being replaced by maybe a couple thousand higher paying jobs. At some point, something will have to give .. all those people who end up losing their jobs will be the retailers customers themselves, so their business drops.


Social progress (measured as GDP increase, or something like that) has largely been driven by technological innovations. RFID, if (or when) deployed large-scale, will decrease the workforce needed in retail and distribution. Of course, as you say, all those same people will not get jobs developing RFID hardware & software. If that were the case, there would be no point in RFID, since there would be no net efficiency gain! What will happen is that workforce will be freed to do new tasks, which noone has come up with yet. Look at things from a longer time scale, and to think of the economy has a whole rather than just the retail part.

As an example, say about 200 years ago a significant fraction of the population (about 80%) were directly involved in agriculture (i.e. they were farmers). Today, thanks to technological innovations farming productivity has increased about 100-fold, and as a consequence a quite small part of the population are farmers (4-5% in western europe and presumably smaller in the USA as farms are bigger there). This has allowed a lot of people to do other things than plowing the ground. We don't have a ~70% unemployment rate (i.e. 80%-5%-overhead of producing and developing farming machinery), as your line of reasoning suggests.

The same goes for RFID tags (or say, the introduction of automation, robots and such, in industry). So yes, in the short term and on a personal level, it might be unpleasant. I.e. aunt Tilly working as a cashier gets the boot and as she has little education she has a hard time getting a new job. But for society as a whole on a slightly longer timescale, the efficiency improvement made possible by RFID will be beneficial.

"who didn’t want to be identified"

Quote from the article:[snip] "People couldn't stop talking about it over lunch," says one person present, who didn't want to be identified. [/snip]

he was later scanned, and identified as RFT number 167434343

Re:"who didn’t want to be identified"

he was later scanned, and identified as RFT number 167434343

It was determined that he was actually carrying his wife's razor. Gilette officials declined to comment.

Quantity has its own problems

According to the article, the larges prior order was for 30 million tags. It doesn't give a time frame other than delivery starts in March, so I wonder how well the company can absorb such an order. One assumes this order is not a complete suprise to the upper management. People may think huge orders are always great but if production capacity is exceeded, it can be a serious curse in disguise.

What's really sweet about this is...

that it bears out everything Slashdot, the Million Book Project, Kahle and so on have been saying about the benefits of freeing IP, how this does *not* hurt large companies, and how it lets everybody do more.

The Auto-ID Centre, who developed the standard and technology are 'a not-for-profit group established by MIT to develop a system for using the Internet to identify goods anywhere in the world...It is funded by large companies who want to use RFID to track goods and who believe an open standard is critical..just as the world uses one network to share information -- the Internet -- it may be possible to use that same network to share information stored initially on an RFID tag...Strictly speaking, the intellectual property belongs to the universities where the research is being conducted. However, the intellectual property will be freely available to any company that wants to use it...the Auto-ID Center may be the first time in history that companies from different industries and different regions of the world have come together to develop technology they feel would benefit their businesses - and their competitors' businesses.' (quotes from http://www.rfidjournal.com/FAQ2.html)

These guys get it, and as they've convinced companies of the size of Gillette, Cocoa-Cola, Pepsi, P&G, Johnson & Johnson, Unilever, Wal-Mart and others to sponsor this, maybe that's a sign that these companies are, or will, getting it too. There's hope yet.

Re:You have got to be kidding?

Its more invasive than that. I work in a grocery wharehouse. There are electronic tags to monitor temperature, vibration and shock, humidity, air quality, time of travel, GPS, and all sorts of violations of privacy. What does this mean to you as a consumer? Your food is guaranteed to be fresh and not subject to conditions that would make it unsafe.

These sensors are everywhere. They help improve failures in distribution that costs shippers and consumers alike money.

Just be afraid when a bill is passed to push that national ID card as an injectable tag behind your neck. That's when you will find FAQ's on the internet how to build tin foil hats.

Cleanse me of my ignorance

The article read like a company press release and doesn't really cater to the uninitiated so, to those of you in the "know":

What exactly is an RFID tag and why would Gillette want so many of them?

RFID?

RFID = Read the Fucking Identification?

RFID.org home of Radio Frequency Identification

http://www.rfid.org/

yes, I am karma whoring!

Crap!

Now they'll be able to tell if I'm shaving in the car, by tracking me with the RFID tags! Er... wait, oh, they're putting them in the shipping palettes. You had me worried there. Uh... wait, why is this on the front page then? I'm confused, better go get my tinfoil hat.

Aluminum Foil Deflector Beanie: Amazing

"A small, but vocal, contingent even argues that tin is superior, but they are held by most to be the lunatic fringe of Foil Deflector Beanie science. I would advise people wishing to build a Deflector Beanie to stick with aluminum whenever possible since it is a proven technology."

Aluminum Foil Deflector Beanie: An Effective, Low-Cost Solution To Combating Mind-Control [zapatopi.net].

That is an amazing link! Someone who is a good writer has put a huge amount of time into documenting nonsense. And it says that the site is rated Cranky by Crank.net [crank.net]

The internet is an amazing virtual place where every comedian can be heard: Zapato Productions intradimensional -- "Serving the Paranoid Since 1997" [zapatopi.net]. It says this web site is a member of the (no doubt prestigious) "Yes, there really IS a VAST Right Wing Conspiracy!" web ring.

hmmm

...an average product label, say on the back of a TV or computer monitor, costs approx. 10 cents right now.

I can see RFID taking off, but I can also see issues, such as Japan not allowing this technology at this time, and later, some countries charging a fee to dump this little ditty into a land fill, as part of the original product.

If they can BlueTooth the output, and the cost of read/write comes down, I've got a ton of uses for these things today...

How long before....

They plant these things in the scalps of newborns? Talk about big brother!

progress

Well it looks like this is the start... Anyone got a guess as to how long it will take from today (where they are planning to put them in shipping cases) till the day my refridgerator can tell whats inside and do my shopping for me?

Does it bother anyone...

...that the name of the company is ALIEN technology. Oh my god it's starting! Quick! somebody get Mel Gibson and a glass of water.

RFID is...

Yes, this is a tad redundant since quite a few people have given links to FAQs which thoroughly give this information. Mod kindly.

That said, RFID = Radio Frequency IDentification. Narrowing our vision to current practical uses, RFID tags are embeded in something one wishes to scan, identify, or track. The idea with low cost RFID tags like Gillette is buying is that they are passive. Readers for the chips emit a signal which actually supplies the power for the chip. For those who haven't had physics, this is akin to how a crystal radio works (with no battery at all). Low-cost, passive chips like this have a range of only about 10 ft, however, so don't go too 1984.

RFID Security Is Problematic (At Least For Badges)

Interesting. I just started doing some preliminary research on the security of RFID badge readers, based off of hazy memories that somebody had shown they were absolutely trivial to capture and replay.

Haven't been able to find that paper yet, but I can tell you what I've seen ain't great. Here's the story:

RFID stands for Radio Frequency Identification, and is essentially a Tesla-esque hack to allow contactless, bidirectional storage of small amounts of data on trivial circuits powered by the reader infrastructure itself. It's most commonly deployed nowadays as a replacement for magnetic-swipe oriented systems, as the lack of an exposed data surface and the absence of contact during scanning make RFID astonishingly reliable. The functionality is quite compelling, as Gilette's mass purchase shows -- what if you never needed to do inventory? What if you could just have a few sensors throughout your warehouse do a "mass ping" and acquire from the mass of replies precisely what needs to be restocked?

And it would only take a few sensors, too. Badge readers may only provide a few inches range, but there was a pretty big fuss a while back about RFID becoming functional at nine meters. At that point, you're quite a bit beyond the forklift knowing precisely what it's carrying. It's pretty clear that Gilette will make its $50M back within a year.

Oddly enough, Inventory Tracking is much, much better use of RFID than as a badging technology, even though the latter remains much more common than the former. Badging, like all trust management systems, attempts to differentiate the few who are trusted from the many that aren't.

The problem is, the many that aren't trusted aren't trusted for a reason -- they'll spy, they'll steal, they'll break stuff. Against that backdrop, mounting an attack against the security system isn't particularly unimaginable -- and here's where things get problematic.

You see, RFID tags make 802.11 look like Alcatraz.

Passive RFID systems are powered by the outside world -- the evil demon of Cartesian yore is handing over the battery. Given a cooperative RF field, the chip spews the same bits, over and over and over again.

When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and 13.56Mhz sniffer in his briefcase...well, I guarantee you that briefcase ain't going to beep "Thank you for your access credentials, I'll be you now." All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door -- there's no way for anyone to know the badge wasn't the source of the RFID transmissions!

Just because your badge reader only works from a few inches away doesn't mean anyone's reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby "waiting for someone" as your CEO strolls by, you don't actually have a security system. You just have doors :-)

Now, I've got my suspicions of whether magnetic strips can be read at a distance, but to be honest, I'm more than willing to concede that it's a longshot at best (and a hilariously laughable descent into paranoia at worst). But RFID is not the kind of technology people should be carrying around with them at all times, assuming that as long as they still have their card, they still have the value the card represents.

To be fair, it's an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial -- they're *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip's power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.

Security hasn't been left completely unaddressed by the RFID industry; they're well aware of the problems and have attempted some manuevers to compensate. As mentioned, some RFID systems can be both read and written to. This would be perfect for creating a "universal badge" that could spoof any identity without even a separate transmission system that could be examined and recognized. So what some companies have done is create a 64 bit region that cannot be modified and remains unique to the badge itself. So you use those 64 bits as a badge identifier that authenticates the rest of the data, and trust that your vendor will never release a badge that either a) repeats identifiers (unlikely, 2^64 is a very large number) or b) can have its identifier changed.

Of course, they can't do anything about c) somebody hacks together their own badge that doesn't play by the same arbitrary restrictions.

Now, I could get up and say "Oh my god! You just can't do this, it's horrifyingly insecure, just use IPSec/SSH er wait wrong wireless technology..."

But that wouldn't be useful. Maybe this might be:

There are some techniques that can minimize the exposure from insecure RFID badge authentication systems. Exploiting the Read/Write capacity is moderately elegant and requires only a badging infrastructure that supports RW. Essentially, every time somebody attempts to enter the secure facility and provides a valid bitstream from their badge, upload a new unique bitstream and verify the badge accepted it. This reduces the window of opportunity for an attacker and significantly increases their risk of discovery, since now the bits they steal today will stop working the moment the legitimate employee uses their badge next. Furthermore, if the attacker does manage to get to a badge reader before the employee returns for another update cycle, he has two major problems: First, his equipment must be minorly more complex, because it must inform the system that it has completed updating its internal RAM with the new (possibly cryptographically signed) bitstream. This is only a minor deterrent; having the equipment to spoof the badge reader means you likely have the equipment to read from one too. Second, and more importantly, because the interloper cannot control the bitstream submitted by the reader and expected upon next examination, the legitimate card will possess an out-of-date bitstream, allowing Security to discover the unauthorized entry.

That works OK. Not great -- especially if badge access translates into an ability to hack the central authentication server to accept whatever bits the legitimate card originally had -- but OK. Really, once the attacker gets access to the card's bitstream, it's game over.

So, lets prevent that. RFID may be contactless but that doesn't mean the badges themselves are -- they're attached to a living, breathing, thinking human being. One with fingers. Fingers that, for the last hundred thousand years or so, have had the ability to pinch two things together, like contacts inside a card. "Pinch here to activate badge", if you will. Just embed a cheap "squeeze sensor" into the card such that two contacts need to be forced together for the card to respond to the RF power source. It's cheap, it's easy, and it can be designed to fail towards functionality or security (i.e. the contacts either can't be separated or can't be attached).

I did see some mention of work to embed cryptographic constructs into Passive RFID systems; one paper pointed out that hash algorithms can be made using very little silicon, so having the card read some value from the badge reader and return a that value hashed with a shared secret can be a valid solution. As I pointed out earlier, these things are *so* vulnerable to power assult that any shared secret inside of them wouldn't last for long. (It's the kind of thing where you run some data through and you look at which gates are glowing -- thus you see which memory blocks are 1 and which are 0.) But this type of analysis usually requires physical access to the security card much greater than simply walking past the mark, so there's a definite win. Plus the system is inherently immune to replay attack because the output of the card is dependant upon the particular input of a given badge reading. Excellent -- if it works(and the hash is cryptographically secure, not CRC-32!).

Of course, this is all mildly off topic. Gilette's security posture is vastly different; they're more worried about five finger discounts and overly optimistic projections than they are about a rogue batch of razor blades sneaking in the back door! But since we're only a precious little amount of time away from the definitive displays of RFID remote compromise, I thought it worthwhile to go into some depth about the security concerns of RFID.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Update: Alien != Badging, but = Cordless Freqs

Small update.

Alien is using 915mhz/2.45ghz. I assumed they were using the tech described here:

13.56 MHz Frequently Asked Questions [ti.com]

There's no shortage of equipment that can capture and transmit on these frequencies; cordless phones do analog work in this domain all the time. But, again -- Alien is not trying to do badging, they're trying to do inventory control.

Very, very different problems. Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:RFID Security Is Problematic (At Least For Badg

Good questions.

The Auto-ID system that Alien Technology is implementing supports 96 bits of data, apparently read only. They are attempting to deploy the next generation of UPC Barcodes, something they're calling ePC. Some good information about the tech can be found here:

Introduction to Auto-ID [autoidcenter.org].

The 13.56mhz spec that appears to be used for badge reading supports 2048 bits, with 64 being read-only. It's irrelevant to encrypt this data, not because the space is small (encryption does not necessarily expand the size of your data) but because you don't need to understand what you're replaying in order to replay it.

I walk next to you on a train, spit out power, sniff some bits, and spit out the bits when I'm nearby your badge reader. Poof. I win.

Again, I need to emphasize that while this use of RFID -- inventory control -- does have some creepy personal and corporate privacy issues, it's nothing at all like the situation with badges.

There is the Legitimate Counterfeit issue, though. Large US currency now contains a magnetic strip to authenticate its validity. People were talking about using that strip to detect whether or not a bill was real. Well, there's a problem -- the strip is almost invisible to the naked eye, but can be easily removed without rendering the actual bill in any way, shape, or form visibly molested. So you've got this disturbing corner case where an attacker can strip the value from a twenty, attach it to a counterfeit bill, and still have a completely legitimate looking original on his hands. So, end result has been that as far as I know nobody uses the strip as a final arbiter of whether currency is real or not.

The equivalent problem with ePC is that you can tell when a UPC has been rendered inoperable, because it's just a visual series of stripes on paper. We're good at seeing stripes -- we're *not* good, however, at seeing RF bitstreams. At the end of the day, people are buying goods, not codes -- but the issue of the two being separated can be problematic.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Badges: an example of pseudo-security

While I can't match the parent for length and information, I can provide an example of a real-world application of security that is so insecure as to be ridiculous. Unfortunately, it's at the company I work for.

Somebody went and told our clients that "security" for information systems was a problem. The clients demanded "security", so we obligingly delivered. On the software side, it meant making the login process onerous, ensuring that multiple passwords will be written on paper and taped to every client's monitor. Wow, how secure! But the suits like it.

But the clients wanted physical security for the servers, too, and that's where the RFID badges came in. For after-hours access, we already had a system where the badge was placed on a plate (I think it read a metallic signature on the card), so they replaced that with an RFID "wave the card" receiver with a keypad. Now, we were required to wave the card *and* enter a 5-digit number -- which we all immediately wrote on the card. A message came down from data (in)security: "Don't write your number on your card!" The message was universally ignored.

But the "security" gets even better. To promote the idea that we've implemented a real security system, the company installed "optical turnstiles" at the public entrances. When you walk in the lobby, you pass between hip-high black boxes with an RFID/keypad unit. If you don't wave your card *and* enter the PIN (which you wrote on the card), you'll trip an infrared beam and the unit will sound an alarm. The purpose of this alarm is to wake up the receptionist so that she can make you pick up a visitor badge. No, that's not fair... she's not always asleep; sometimes she's on the phone gossiping. Or playing Solitaire.

The first day the unit was installed, I just jumped over the IR beams. This resulted in a well-deserved nastygram from (in)Security. After that, I just made sure to enter the wrong PIN several times... and found out that the last digit can be any one of three values! Hmmm...

And one more tidbit: a co-worker's badge quit working, and when she got a new one, she had to learn a new PIN. It looks like the badge readers aren't cross-referencing the data at all... any bozo who types in the number that his badge transmitted can probably defeat the system... though surely they've done something better for the after-hours system. (Please let me believe that...)

*Laughs* Silly.

You need to get a bit more cynical, Mr. Pony. Ever actually *deployed* a security system?

Broken policies create noncompliance. Only two ways to define a broken policy -- a) the trusted refuse to participate, or b) the untrusted don't need to. You have to understand, it's not the job of your authorized users to spend all their time dealing with your security system. Since that's not their job, don't be surprised if they're not particularly willing to go along with arbitrary rules.

All security creates a cost for the legitimate user; the goal is to keep the cost heavily asymmetrical. In other words, those you trust are hurt a little, whereas those you distrust are utterly wiped out. A locked door still requires the legitimate user to wait while he pulls out a key, after all. Lock or not, that guy should be able to walk on in.

Turns out the best way to get people to use a security system is to install a new door -- some new functionality they've never seen -- but, oh yeah, it has this security limitation, but look! New door! New functionality!

I enjoyed your comment about security having reasons you don't grasp -- you don't seem to grasp how quantifiable noncompliance really is with various degrees of onerousness. Don't believe the hype :-)

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Target and Walmart within 5 years

You put your loot in the cart. You walk up to the scanner. You swipe your credit card. You leave. No cashier to deal with. No lines. No need to even remove the items from the cart.

I love technology.

Re:Target and Walmart within 5 years

You put your loot in the cart. You walk up to the scanner. You swipe your credit card. You leave. No cashier to deal with. No lines. No need to even remove the items from the cart.

Great geek value, no question about that! Then, when you get to your car, you get to put all your stuff in the trunk, and don't have to worry about those meddling plastic bags. And when that soccer mom cuts you off in the Expedition and you have to take evasive manuvers, you get the really fun part when you get home! Collecting all your stuff from wherever it was!

Once nice thing about the system as it stands right now is that it's tuned for a major convenience, bagging, at the time of payment. No payment, no bags. This, I believe, will have an impact on the non-geek-value customer. Even the most convenient package to carry, the two liter bottle, is difficult to carry more than three at a time for 100 yards (any apartment people want to say how far it is up 3 flights of stairs?). Now my local store is only offering coke bottles in 3 liter -- heavier and bigger than my wifes hands can wrap around. (Also, incidentally, more expensive per liter than 2 liter if you do the math.)

Bags make groceries go 'round. That's why the store throws them in for free, and usually tries to put someone there who can supply the service of stuffing them. In the RFID method, I suppose, you could be handed a wad of bags as you walk in and just stuff as you go, but that involves planning and rework -- if you pick up bread or eggs first, now you have to shuffle to get those to end up on top.

What else will be tagged?

The tagging of books has been discussed (the tag is part of the book, not the pallet) with the current 'owner' being encoded in the RFID tag's memory.

Another interesting one is hand guns. If a hand gun can be tagged and the owner recorded on the tag, then it becomes very easy to verify firearms ownership, i.e., that AK47 has a tag claiming it is a small smith and wesson revolver with the owner named Mr. Bin Laden. I guess that will go down like a lead balloon with the NRA.

RTFA

Everyone! Please realise that this is not some sort of spyware attempt by gilette. Most RFID tags can't transmit further than 30cm without special antennas, so its not like they're tracking you or anything.

Gilette are using this technology, presumably to make tracking their shipments much easier and automated better. (the article is a bit light on details).

I wonder how long until they'll be able to get a RFID that will hold enough data to be able to store a Public or Private encryption key on it. RFIDs are used in some credit card sized swipe-cards, maybe one day we'll have our public keys embedded in our business cards? That'd be handy, especially once we need to have 2048 byte keys! :)

Insert-standard-comments-here about this not being News That Matters, but I think this is a relevant article because we'll be seeing lots of this sort of technology in the future.

I'm worried

Reading the Auto-ID Centre website [autoidcenter.org], they show a soda can [autoidcenter.org] with an RF tag attached. It seems the ultimate plan is to track individual items. Presumably everyday items such a clothes will be carrying RFID tags, which will be so small the consumer may not be aware of their presence? Does this leave the possibility open for tracking individuals without their knowledge? Surely a large antenna array, with high performance receivers, could track an RFID tag from much further away that its designed distance? Perhaps as far away as low earth orbit?

Expensive razors + RFID = Profit - Shoplifting

I think this is just an attempt at getting all those Mach 3 razor packs back out in front of shoppers. It must make it hard to sell them when they are locked up with the cigarettes all the time.

This way, they can promote impulse shopping and avoid getting those damn things lifted by nimble-fingered, course-bearded hoodlums like me. I mean, c'mon! Who wants to pay $12 for four damn razors? Gimme a break! Now I'll have to line my pockets with aluminum foil or something...

RFID

I think RFID = Radio Frequency Identification.

Please, people, define your terms when you submit an article.

Motives for purchase

I happened to be operating the AV for the meeting of the Australian Packaging Organisation, and they were discussing RFID's, and their applications, and the interest from razor manufacturers.

Basically, razors are regarded as the most expensive small item avaliable in a store. Closed research showed that on average for one location, about 2 packs of razors per hour were sold. By introducing RFID's, the the base station notices that morethan the average of razors are removed, then there is the possiblity of theft.

Apparently, investment in this tech. would significantly reduce the costs of theft.

But why would...

Penn Jillette [sincity.com] want to track Teller? [sincity.com]

Oh, the irony...

Half a billion tags is probably close to the total number of RFID tags in use today. "People couldn't stop talking about it over lunch," says one person present, who didn't want to be identified.

Do those two sentences right next to each other strike anyone as unbelievably funny?

Why Gillette - bit of insight

A bit of background information on why Gillette specifically might be interested in implementing this quickly. I worked in retail security until just recently and one the trade magazines had an article on the Mach3 razors and how, worldwide, they are one of the most stolen items; Gillette didn't officially give an estimate, but I think the theft was placed at upwards of 20%. At most flea markets you can find at least one stall selling Mach3's at ridiculously low prices, and suprisingly enough they don't like questions about where their stock comes from.
Point being, a great big portion of the stolen razors are taken before the razors make it to the stores, obviously with this new level of tracking available they can find out where the bleeding is.
Ideally, this would mean you (the smooth faced consumer) will get a price break with less theft, but let's be realistic, it just means more profit for the companies.

RFID has been in Denmark for a long time

When Gilette pushed hard for Mach 3 in advertising, many supermarket chains actually made a loss on selling Gilette due to large amount of theft. So on top af having Gilette re-imbursing them, Gilette also started putting RFID tags on most of their products priced at at $3-$4 and up.

SO now that they have experience, they are pushing it towards the US as well.

I wonder...

1) Eventually higher performance chips could replace owner's manuals. Buy an item, get it home & set it down next to your RFID-enabled computer monitor & start digging into the manual

2) Could the battery on an active chip be replaced with a photovoltaic? I could then see them being used to prevent theft of street signs. Don't laugh--replacing stolen street signs is a costly problem for small & rural communities to deal with. Just one replacement sign; not including the pole; typically costs the community $25-$30. Add in public works dept. labor, transportation & any applicable taxes & now you're talking $50 to $100 per sign.

--------

This is amazing technology that I believe will transform our world in ways we can barely imagine.

Obvious alien conspiracy!

"Alien Technology" is not even trying to hide their involvement with aliens. And look at the photo [rfidjournal.com] of the Gilette VP! Clearly an Andorian [stenterprise.nu] who has had his antennae surgically hidden. Soon they will know where all my razor blades are. Think of the children!

slashdot technophobes

I can't beleive there are some replies that are actually up in arms about this. What will they tag next?!?! When will these be implanted in people?!?! WONT SOMEBODY PLEASE THINK OF THE CHILDREN?!

Who would have thought that so many /. readers were luddites. Do they get someone to chisel the stories into clay tablets for them to read?

Another use

These little puppies have been sought after for airport baggage tracking for a long time. Getting the cost low enough has been the hold up. My bet is this will be the eventual prime consumer of this technology. Think about how many pieces of luggage move through all the airports every day. The ability to replace the optical barcode tags with RFID will improve the baggage system quite a bit.
Also, you would not believe the cost and panic associated with every single abandond piece of luggage in an airport. The ability to know it's grandma's will save $millions, as well as give some bomb squad dogs a rest.

Cost

Gillette? The Razor people? Scrud! Alien Technology should sell them the receiver units real cheap and then charge $5.00 for those $.10 tags! I sure wish those Mach 3 Ultras weren't so expensive, everything else seems like broken glass bits on the end of a stick now :( ~Zilch

HBA Leads the way?

I think it is worth noting that the HBA (Health & Beauty Aids) industry seems to be the most cutting-edge when it comes to inventory tech in the retail market. I can't think of any other type of products in a grocery store that have 2D barcodes, and now they will be adding RFID to their cases and pallets? Amazing! One would think that things like this would find their way into high-end expensive products first, but fact is stranger than fiction...

Smart staples

I read in Frontline that one of the holy grails is to get "smart staples" that you would attach to printed documents (even one page documents) that would allow tracking of paper documents -- the price target for that application is $0.02 per tag.

zerg

I tend not to shave but my mom called me up and told me that I wouldn't be allowed in the house for Thanksgiving if I had hair on my face so I went out to get a razor. Where the shaving supplies were was a little card saying, "Mach 3 razors are available behind the counter." Which is funny because condoms and pornos are available at the front desk but the razors are behind the counter w/ the cigarettes and blunts? Wacky...

I want some of these!

Attach them to your important personal objects

Have a scanner

Find the objects in your messy room

Seriously, I'd love to find my Palm m505 if it was in a drawer. If they can count it now, a triangulator cannot be very far away.

Hot, cold revisited.

Does anyone else...

...find it somewhat disturbing that the company making these tags is called "Alien Technology"? Tracking packages is just the first step toward their goal of total dominion over the planet Earth!

Don't say I didn't warn you!

Allaying worries in RFID

For the mostpost, RFID readers is quite limited in range. Ideas that RFID's will have them tracking you by hidden tags on your pants, etc, is not really a legit worry. They *may* be able to track you when you walk through a doorway with a reader, but it's not likely that they'll be able to find you in your car in the middle of an interstate.

The last place I worked used RFID tags in their product. The readers weren't cheap, but even they had to be fairly well calibrated to get a consistent read. Large long-range RFID readers would be really expensive, and probably large. You won't be seeing any helicopters over your car shouting "citizen #3849932919, we have identified you, please come peacefully."

On the flipside, this could be a biatch for advertising. If they tag clothes,etc then they may be able to track you in malls and know your purchasing trends... which would be annoying

Last Post!

Winny and I lived in a house that ran on static electricity...
If you wanted to run the blender, you had to rub balloons on your
head... if you wanted to cook, you had to pull off a sweater real quick...
-- Steven Wright

- this post brought to you by the Automated Last Post Generator...

Re:WTF? Gillette buying RFID?

You might want to read the article. Or even the paragraph that was submitted with the story.

They're using them to identify pallets and shipping cases. Presumably, so they can be most efficient mofos that ever shipped anything anywhere. Imagine shipping inventory that tells *you* where it is, where it was last, what's on it, where it was seen last, tied directly into the ERP system, so you know where it was manufactured, the product numbers, what the TCO is involved...

Suddenly, FedEx becomes nothing more than a transport company (one of hundreds), and Gillete can manage thier own JIT inventory, track "spoilage" (theft), do on-the-spot inventory recounts without tying up personnel...

Re:WTF? Gillette buying RFID?

This will almost certainly be attach to the product. In the warehouses today, ppl move product around and handle order fulfillment. In the near future, I would bet that it will be roboticisized. This will lower the need for ppl (read low-end employees), but will increase the need for higher-end maintence ppl.

Re:Gillette

I shave with a straight razor. My annual shaving costs are $3, for a new bar of shaving soap.

Find an old barber to teach you how to use it. Once you get the hang of it, it's no harder than a safety razor, and it shaves just as well.

Re:WTF? Gillette buying RFID?

In the short term, they will, as other people have said, be attached to palettes and be used for warehouse and back-of-store inventory control. But the proponents hope that soon *everything* in your supermarket trolley will have one of these babies (good term, in view of its size) attached to it. At that point, you don't have to unpack your trolley at the checkout and have it scanned by some bored hosewife. You just wheel it past a checkout point which scans the whole trolley, works out the total and prints your bill. Swipe your credit card, maybe input a PIN or some form of biometric ID, and walk out. Saving for you - the checkout queue and the whole nauseating checkout routine. Saving for the store - all the checkout operators; one problem solver can supervise three or four checkout queues, each of which can probably handle two to three shoppers a minute. Its a *big* store that needs more than one such. Cost - perhaps 3-5% on the gross bill, but you have already saved some money in the warehouse, now more at the checkout. Better security - the goods you shoved in your pocket or under your hat get billed as if they were in the trolley.

NVWS

Just wanted to put the bookmark here.