RFID is one of those things that seem cool until you start playing with it and then it turns out that the only uses for it are really boring. Like, you can't use it to locate stuff because the range is too short; you can't rely on stuff to have chips (food, or clothes or whatever) and it's a major time sink if you'd have to start tagging stuff yourself; it's cumbersome to install readers everywhere and not being able to rely on half lives measured in decades instead of months, etc.
I used to have an rfid chip implanted in my hand. I had all these ideas of what I was going to do with it - log on to my computer by putting an rfid reader in my keyboard, build a magic 'touch the wall and music starts playing' thing etc. All of them turned out to be very boring and useless in practice. Logging into my machine - meh, turns out that it takes longer for monitors to come back on than to type the password. Building (useful) user interfaces based on rfid is very hard and doesn't add anything over a regular proximity sensor.
The only idea I have left is that in my current house, I have a place where I could put an rfid reader so that if I'd get a chip implanted in my gluteus maximus (my butt, essentially) I could activate an automatic door opener by bumping into it when I have my hands full. I just can't motivate myself to set this up and discovering again that it's a dud in real life.
This library lets visitors rearrange the books organically (if you pull out multiple books on a topic, you're encouraged to put them back on the shelf together instead of finding their old homes). The books are tracked with RFID so that they remain easy to find individually.
I'm a frequent library user, and this may be fine for certain types of collections (where you look for very specific books) but is terrible for general use, as you are removing the ability to search by topic.
It could certainly slow searching by topic (since patrons are remixing the books based on whatever way they're using them). It does seem to demand quite a bit of infrastructure, adding RFID scanners to every shelf (and keeping them working). If it truly would allow every book in the collection to be pinpointed in realtime, that would be a plus, many times the catalog can only tell you that the title you're looking for should be on the shelf, not where it has ended up.
right, and then you get listed the locations of 20 books on 20 shelves scattered around the library. Extremely fatiguing and time consuming if you want to skim a couple.
If you carry a proximity card in your rear pocket, that's pretty much the same thing except that there's no surgery and it's easy to swap out or discard when no longer useful.
Source: the door-opening sensors at my college, many years ago, were all located at the right height for a key in the back pocket to activate them. I referred to it as the "buttprint identification system".
But it is of critical importance to have the sensors located at the right height!
At my school, I had to jump up quite a bit (and I am 6' tall) to get them to read the card.
In many installations of both hardware and software, the actual usage of the system is quite different from what was imagined by the designers. Prox card installers imagine people holding up cards on lanyards. They mandate it not be carried in a wallet, because "the magnetic fields of a credit card can erase it" and it might break if it's bent. In real life, only freshmen carry lanyards, credit cards use high-coercivity stripes and aren't damaged by the prox readers or cards, and wallets with IDs and credit cards are stiff enough.
Talk to your users about how they use your product and what they need! You will learn something!
They also have longer-range solutions now and things that use Bluetooth instead of rfid for this. Works from a few feet away. I'm guessing that it's using some combination of Bluetooth MAC + signal strength.
I think you could basically switch "RFID" with "smart home device" and this comment would be just as accurate. It seems finding a problem to solve is much harder than finding a solution.
Couldn't you just put a push button switch there with the same effect? Something like the large square handicap accessible switches for powered doors in public buildings.
Slight quibble: the token is just authentication. The authorization is done by the pad. Granted, the current scheme grants the access authorization to any authenticated tag, but that could change if butt-thentication took off.
He could also leave his stuff on the ground and open the door in most if not all cases, I think. Why create problems to solutions that come with their own problems (installation, maintenance...)?
Not much to it, really. It became feasible around 2007-2008 ish or so, when you could buy glass ampules with rfid tags in them and simple readers retail online (my timing might be a few years off). There were several forums about it at the time, most of them gone now it seems; I suspect because people found out the same thing I did, that it's just not that useful and that the novelty wears off after the first 5 times you wave your hand over a reader and have a led go on or a dialog pop up on a screen.
I went to a piercing study, girl stamped a hole in the upper layers of my skin, made a small cut to open it up a bit further, slid in the ampule (which had been autoclaved first of course). Band aid on it, done. It was strange being in a studio with a bunch of people with facial tattoos and horn implants and discs the size of my wrist in their ears - and them looking at me like I was a freak from out of space. I do have to say though that I had to search around a bit to find someone willing to do it. There are plenty of places that will take your money to suspend you from their ceiling with flesh hooks in your back, but that won't stick a glass pill under your skin. Go figure.
You can also buy kits online if you want to DIY - basically big needle guns that are used to tag cattle which you just jam into your hand and pull the trigger on, literally. That would've been a bit too hard core for me, tbh.
Compared to using a biometric such as a fingerprint it makes some sense. Fingerprints can in theory be stolen and reproduced, and you can't change them if that happens. You could replace an implanted RFID tag if that were ever to become necessary, but otherwise it's something you always have like your fingerprint.
They do it for most pets now too. They're useful for identifying runaway pets wherever they end up, and for stuff like https://www.sureflap.com/en-us . I have a few of the sureflap doors and they work well for keeping my cats on their own diets (controlling access to a combination of crates + auto-feeders).
It's the same (exact?) thing as far as I'm aware; rice-sized glass bit with a tiny RFID chip inside.
More interesting, in my opinion, is "surgically" inserting a little magnet into the tip of one of your fingers, which then vibrates in magnetic fields such that your nerves can feel it.
This gives you a sixth sense - you can sense magnetic fields.
> I could activate an automatic door opener by bumping into it when I have my hands full.
My co-worker solves by unlocking the front door when the home server sees his phone's (and his wife's phone's) MAC address on the home wi-fi network. (But only during "waking hours" so the server doesn't leave the door unlocked when everyone is sleeping.)
Solitude, Brighton and Snowbird also use the same tech. I know Solitude has had contactless lift ticket swiping in place for well over the past decade.
Also Squaw Valley in Tahoe. Ski passes are a great use for RFID! Their season passes are prox cards with a photo ID on them. Edit: they also work from 1-2 feet away. You just leave it in your pocket and walk through the gate.
I'm prototyping an IoT system that will use RFID tags to track inventory as it moves around an area. The system will provide live updates on location. Imagine knowing exactly where things are at all times through a simple dashboard. Nothing super amazing, but not boring. :)
Yes, but the simple website is very scarce in details. The project is in pre-alpha. I was just writing code for the API like an hour ago. I dont want to publicize it here at the moment, but if you send me an email (check profile) I will gladly talk to you about it.
Btw, I went to the demo of enerscore (which looks pretty interesting) and it wasn't working for me. I'm on Firefox last build and OSX if that helps. :)
Firefox has been pretty finnicky for some reason, but we're actually processing a giant data dump at the moment. Was the address unsupported or did the property just never load?
Sure, there are plenty of actual uses for RFID, what I meant is that most of the 'that'd be cool to play with' uses are impossible, and what is possible aren't the things you'd play with (I mean I don't have a warehouse, and for tracking stuff in my pantry it's impractical because of the reasons I mentioned earlier).
What I want is RFID tags on all of my pieces of kit for when I go kayaking. Before I leave the house I scan my bag and see if I have missed anything. I was going to write a phone app to do it when I got a phone that had NFC, then I read up and found out the range was way too short.
It's naturally a volume solution. RFID makes close-range identification just a little faster & easier for a lot of hassle. So it's been worthwhile anywhere you need to identify a lot of things at close range. Ski passes, cows, library books, boxes in a warehouse... and anything volume tends not to be very "the future!" exciting.
As someone who frequently goes skiing, the recent deployment of RFID scanners at larger resorts is nothing short of amazing:
You can reload the passes online, the lift attendants can check everyone's pass just by waving a scanner across a crowd (no more having to precisely line up a barcode), you get online stats and achievements at the end of the day, and if you have photos taken on the hill they automatically show up in your online account.
So ya, definitely some really cool stuff you can do with them. :)
Just skied for the first time in years and the resort didn't even have attendants checking passes. You just put your pass in your left pocket and when you got to the front of the line a turnstile would admit you.
And a huge improvement over the magnetic strip passes. I have a pair of ski pants with magnets to hold the pocket closed, which is an incredibly dumb design, and they kept wiping my ski pass
The butt-chip. It's like the punchline of a joke. Still... Put a reader in your chair so that when you sit down somewhere, things turn on and log in? Butt-thentication, if you will.
This story doesn't quite make sense. I believe that his RSA pass was clonable and that his towel also had an RFID chip embedded in it. What I find hard to believe is that the towel had a writable RFID tag.
My main experience with RFID is cloning tags onto T5557 chips, and I don't think I've ever come across a writable tag in the wild. It doesn't seem to make economic sense to spend an extra penny or two on every towel to put in a tag you are never going to change.
The tags have to be writable at the factory to set the serial number. Presumably it's supposed to be write-once but is actually a small EEPROM, and he has an exploit that lets him overwrite it (see the "details withheld").
Mifare Ultralight C cards have 3DES-based security, cloning protection and read-only locking [1]. So I don't see how copying the RSA card to the towel would work unless the RSA conference totally messed up their use of RFID or the author has some super-hacker key extraction technique. Am I missing something?
I recently was at a Panera Bread, and when I put my Android phone (with NFC) onto the table, it immediately helpfully popped open tagwriter.
Turns out they didnt lock the tables' tags, so you could write urls and when people placed their phones down, had those urls open. (they used the tags for their food pager system)
A couple of weeks ago. It did take some work, it seems like there's a "sweet spot" that I had to hit, and some experimentation that required rotating the phone on the surface, but I was able to write google.com and then pop it open on my tablet.
OK, the RSA conference failed here. They're supposed to be a security conference, yet they didn't use an RFID tag that's challenge/encrypt/response, so you can't clone it by passive listening. RSA itself used to make such things.
That tag is about the right level of security for towel inventory. The big win in this is managing outsourced laundry costs. Knowing how many items went to the laundry, and how many came back, rather than just counting linen carts, matters a lot. ABS Laundry Solutions overview (with ominous music) [1]
Having designed the RFID tag system for a conference before, there's a real cost difference between crypto-capable NFC tags and ordinary ones, once you factor in the number of badges you need to print.
Then consider that (a) the conference probably has very little budget for an RFID implementation, and (b) the NFC tag isn't used for anything that's security-sensitive -- mostly checking in at vendor booths, attendance tracking, etc.
Given that, I can totally understand why RSA didn't use something more secure.
The BIG fail here is that the towel manufacturers didn't toggle the read-only fuse in the tags, which allows them to be overwritten by anyone with an Android smartphone.
A customer checks in and is given a towel with a customer specific RFID attached. If at the point the customer checks out and the towel is not in the room, it is assumed to be missing or stolen.
Er, no. Have you been to a hotel? They don't normally give you a single towel for your entire stay. The hotel changes the towels every day. Bulk RFID scanning during laundry lets them keep track of how many towels have gone wandering and individually track how many times specific towels have been laundered, which is probably useful information for managing towel quantities in bulk. I don't think tracking down and identifying individual towel thiefs is generally the idea, though I guess you can detect towels in places they are not meant to be (such as in their suitcases on the way out of the lobby).
Engadget had a basic article from a few years ago. I'm not sure how the alarm works as even the distance from the floor to your suitcase might be too far for RFID:
The local Gold's Gym has a theft prevention style detector around the front door which will complain if you try and leave with a towel. The towels themselves have an obvious bump in one corner, about the size of a jellybean.
NFC is a specific kind of RFID which uses the ISO 18000-3 band for communication over short distances. There are many other types of RFID, which can have much longer ranges.
Within reason, I think hotels expect a certain level of loss. They are probably not going to want to make a big scene in the lobby as a guest is departing and demand that they return the towel they are taking out.
On the other hand, theft by employees is something they are probably much more concerned about. Before this technology, you have to wonder how many hotel housekeepers had fully furnished their own homes with towels and bed linens at the expense of their employer.
The hotel probably uses a commercial laundry service. All the dirty towels go into a bin, and every few days a van from the laundry service delivers a pile of clean towels and takes away the bin of dirty towels. The bedsheets, pillow cases and duvet covers probably get the same treatment.
You can get similar services for mechanics' overalls, door mats, chef's uniforms, and things like that. They'll even put the right uniform in the right employee's locker, if you like [1].
Often there will be different pools for different hotels, as well as different pools for different items and sizes. Good inventory management helps you get the customers' orders right; you don't want to deliver a Holiday Inn towel to a Hilton, or have a tablecloth in a delivery of bedsheets, or deliver 99 bedsheets when you promised 100. Also, if things are getting damaged or going missing you need to know where things are going, and when you need to order replacements.
Of course, bar codes are also in use [2] but in hotels particularly they like the markings to be subtle.
This reminds me of the ubiquity of insecure MIFARE Classic chips.
My previous workplace (an international organization that shall remain anonymous) had vending machines where you could "buy" an RFID key that acted sort of like a "wallet". You could refill it by putting it inside the vending machine and then inserting coins, or you could use it to buy goods from the machines. It used MIFARE Classic and was trivial to break, and the cash amount was stored as cents in a short integer. Fun stuff, you could even buy deodorant and panties.
Then, several towns in my country use RFID cards for public transportation payment. Guess what? Even systems implanted AFTER these cards were deemed highly insecure are using them.
One place I worked at while in college had a similar thing with smart cards. The vending of the product and debiting of the card wasn't an atomic operation, so if you removed the card at the right time you'd still get the product but not be charged.
They must have changed that. At a cafeteria that uses MIFARE cards the operation is still not atomic, but the customer loses: If you remove the card at the wrong time, the card is debited but the transaction does not show up on the cashier's terminal, leading to heated arguments. The transaction does show up in the central database, so after spending 20 min writing a complaint you get your money back after a few days.
In Santiago, Chile, the public transportation system uses Mifare Classic cards, and few apps that (ilegally) refilled the cards appeared a while ago.
The solution given by the government was to block the cards that were used with fraudulent refills on a weekly basis, but there is always the possibility of changing the ID or purchasing blank cards.
Of course the system was chosen years after the vulnerabilities were discovered, too.
My guess is that the only way to stop this is to replace all the scanners, which will be far more expensive than losing a few thousand paying customers per day.
I was a CTO strategy consultant for an RFID MIST startup back in 2008 - that is RFID chips on documents, id badges, and any item of value within an organization. The MIST is a series of wireless sensors & network placed throughout the organization, enabling 3D location of any RFID marked object within range of the MIST network. The system could track who, when, and where of any person or item of interest simply by following the RFID through the series of sensors. However, there was zero plan for security of the RFID signals nor the MIST network itself, they were planning on security by obscurity. As I made more and more noise that security was their entire mission, and by not having any themselves they were setting themselves up for massive hacking. Thankfully, their main inventor was more interested in surfing than working, and their investor got deported for tax fraud.
RFID is one of those things that seem cool until you start playing with it and then it turns out that the only uses for it are really boring. Like, you can't use it to locate stuff because the range is too short; you can't rely on stuff to have chips (food, or clothes or whatever) and it's a major time sink if you'd have to start tagging stuff yourself; it's cumbersome to install readers everywhere and not being able to rely on half lives measured in decades instead of months, etc.
I used to have an rfid chip implanted in my hand. I had all these ideas of what I was going to do with it - log on to my computer by putting an rfid reader in my keyboard, build a magic 'touch the wall and music starts playing' thing etc. All of them turned out to be very boring and useless in practice. Logging into my machine - meh, turns out that it takes longer for monitors to come back on than to type the password. Building (useful) user interfaces based on rfid is very hard and doesn't add anything over a regular proximity sensor.
The only idea I have left is that in my current house, I have a place where I could put an rfid reader so that if I'd get a chip implanted in my gluteus maximus (my butt, essentially) I could activate an automatic door opener by bumping into it when I have my hands full. I just can't motivate myself to set this up and discovering again that it's a dud in real life.
One interesting use:
https://vimeo.com/157990864
This library lets visitors rearrange the books organically (if you pull out multiple books on a topic, you're encouraged to put them back on the shelf together instead of finding their old homes). The books are tracked with RFID so that they remain easy to find individually.
That's very cool! I thought it deserved its own post:
https://news.ycombinator.com/item?id=11266334
yes indeed, 1 up
I'm a frequent library user, and this may be fine for certain types of collections (where you look for very specific books) but is terrible for general use, as you are removing the ability to search by topic.
I guess the idea is that books naturally fall next to other similar books, a kind of "People who read this also read..." system.
I can understand the experiment, the dewey-decimal system doesn't have to be the ultimate in organisation.
It could certainly slow searching by topic (since patrons are remixing the books based on whatever way they're using them). It does seem to demand quite a bit of infrastructure, adding RFID scanners to every shelf (and keeping them working). If it truly would allow every book in the collection to be pinpointed in realtime, that would be a plus, many times the catalog can only tell you that the title you're looking for should be on the shelf, not where it has ended up.
How? One of the search terms could easily be topic...
right, and then you get listed the locations of 20 books on 20 shelves scattered around the library. Extremely fatiguing and time consuming if you want to skim a couple.
sadly, this one very interesting aspect is buried down the spiffy but hardly useful table scanner.
If you carry a proximity card in your rear pocket, that's pretty much the same thing except that there's no surgery and it's easy to swap out or discard when no longer useful.
Source: the door-opening sensors at my college, many years ago, were all located at the right height for a key in the back pocket to activate them. I referred to it as the "buttprint identification system".
But it is of critical importance to have the sensors located at the right height!
At my school, I had to jump up quite a bit (and I am 6' tall) to get them to read the card.
In many installations of both hardware and software, the actual usage of the system is quite different from what was imagined by the designers. Prox card installers imagine people holding up cards on lanyards. They mandate it not be carried in a wallet, because "the magnetic fields of a credit card can erase it" and it might break if it's bent. In real life, only freshmen carry lanyards, credit cards use high-coercivity stripes and aren't damaged by the prox readers or cards, and wallets with IDs and credit cards are stiff enough.
Talk to your users about how they use your product and what they need! You will learn something!
The height's probably specified by building code re: disabled people, whether or not it's compliant
They also have longer-range solutions now and things that use Bluetooth instead of rfid for this. Works from a few feet away. I'm guessing that it's using some combination of Bluetooth MAC + signal strength.
I think you could basically switch "RFID" with "smart home device" and this comment would be just as accurate. It seems finding a problem to solve is much harder than finding a solution.
Yeah, that's right. I have a house full of such stuff but when push comes to shove, most of it is 'meh'.
Couldn't you just put a push button switch there with the same effect? Something like the large square handicap accessible switches for powered doors in public buildings.
The rfid tag also acts as an authentication/authorization token. Not a very good one, but not worse than a key either.
Slight quibble: the token is just authentication. The authorization is done by the pad. Granted, the current scheme grants the access authorization to any authenticated tag, but that could change if butt-thentication took off.
I would probably hold off on the butt chip. Why not get an optical viewer and train it to understand when you need help with the door?
A button at floor level that you can press with your foot is probably more practical.
I think we already solved this issue ages ago... https://en.wikipedia.org/wiki/Sliding_door_operator#Triggeri... :)
He could also leave his stuff on the ground and open the door in most if not all cases, I think. Why create problems to solutions that come with their own problems (installation, maintenance...)?
Wait, sorry... what?! You had an RFID chip implanted in your hand???
I think that story deserves a little elaboration.
EDIT: Wow, this is apparently a thing. [0]
[0] https://en.wikipedia.org/wiki/Microchip_implant_(human)#Hobb...
Seemed like a normal hacker thing to do to me.
It shows real commitment to the tech. And also, it looks cool when you can make machines do stuff with just a wave of your hand. Sorcery!
Not much to it, really. It became feasible around 2007-2008 ish or so, when you could buy glass ampules with rfid tags in them and simple readers retail online (my timing might be a few years off). There were several forums about it at the time, most of them gone now it seems; I suspect because people found out the same thing I did, that it's just not that useful and that the novelty wears off after the first 5 times you wave your hand over a reader and have a led go on or a dialog pop up on a screen.
I went to a piercing study, girl stamped a hole in the upper layers of my skin, made a small cut to open it up a bit further, slid in the ampule (which had been autoclaved first of course). Band aid on it, done. It was strange being in a studio with a bunch of people with facial tattoos and horn implants and discs the size of my wrist in their ears - and them looking at me like I was a freak from out of space. I do have to say though that I had to search around a bit to find someone willing to do it. There are plenty of places that will take your money to suspend you from their ceiling with flesh hooks in your back, but that won't stick a glass pill under your skin. Go figure.
You can also buy kits online if you want to DIY - basically big needle guns that are used to tag cattle which you just jam into your hand and pull the trigger on, literally. That would've been a bit too hard core for me, tbh.
Compared to using a biometric such as a fingerprint it makes some sense. Fingerprints can in theory be stolen and reproduced, and you can't change them if that happens. You could replace an implanted RFID tag if that were ever to become necessary, but otherwise it's something you always have like your fingerprint.
They do it for most pets now too. They're useful for identifying runaway pets wherever they end up, and for stuff like https://www.sureflap.com/en-us . I have a few of the sureflap doors and they work well for keeping my cats on their own diets (controlling access to a combination of crates + auto-feeders).
It's the same (exact?) thing as far as I'm aware; rice-sized glass bit with a tiny RFID chip inside.
"EDIT: Wow, this is apparently a thing."
More interesting, in my opinion, is "surgically" inserting a little magnet into the tip of one of your fingers, which then vibrates in magnetic fields such that your nerves can feel it.
This gives you a sixth sense - you can sense magnetic fields.
http://io9.gizmodo.com/what-you-need-to-know-about-getting-m...
> I could activate an automatic door opener by bumping into it when I have my hands full.
My co-worker solves by unlocking the front door when the home server sees his phone's (and his wife's phone's) MAC address on the home wi-fi network. (But only during "waking hours" so the server doesn't leave the door unlocked when everyone is sleeping.)
Yeah but he's missing out on surgically inserting electronics into his butt! Sad!
alta ski area uses rfid intelligently -- embedded in lift tickets to forego scanning bottlenecks.
Solitude, Brighton and Snowbird also use the same tech. I know Solitude has had contactless lift ticket swiping in place for well over the past decade.
Also Squaw Valley in Tahoe. Ski passes are a great use for RFID! Their season passes are prox cards with a photo ID on them. Edit: they also work from 1-2 feet away. You just leave it in your pocket and walk through the gate.
I'm prototyping an IoT system that will use RFID tags to track inventory as it moves around an area. The system will provide live updates on location. Imagine knowing exactly where things are at all times through a simple dashboard. Nothing super amazing, but not boring. :)
Hey man, I'm fascinated with the RFID space and would love to learn more about what you're building. Got a website?
Yes, but the simple website is very scarce in details. The project is in pre-alpha. I was just writing code for the API like an hour ago. I dont want to publicize it here at the moment, but if you send me an email (check profile) I will gladly talk to you about it.
Btw, I went to the demo of enerscore (which looks pretty interesting) and it wasn't working for me. I'm on Firefox last build and OSX if that helps. :)
Firefox has been pretty finnicky for some reason, but we're actually processing a giant data dump at the moment. Was the address unsupported or did the property just never load?
It did not load. I did not check the console so debugging data from that request is unavailable. I could try it out again if you want. :)
Walmart uses RFID to track inventory. http://www.usanfranonline.com/resources/supply-chain-managem...
Sure, there are plenty of actual uses for RFID, what I meant is that most of the 'that'd be cool to play with' uses are impossible, and what is possible aren't the things you'd play with (I mean I don't have a warehouse, and for tracking stuff in my pantry it's impractical because of the reasons I mentioned earlier).
So does just about every other large supply chain. There's lots of practical use cases for RFID, they're just all pretty boring.
What I want is RFID tags on all of my pieces of kit for when I go kayaking. Before I leave the house I scan my bag and see if I have missed anything. I was going to write a phone app to do it when I got a phone that had NFC, then I read up and found out the range was way too short.
Kayaker here too. The logistics pains of tour kayaking have too long gone unsolved, if you ever start working on this - give me a shout.
It's naturally a volume solution. RFID makes close-range identification just a little faster & easier for a lot of hassle. So it's been worthwhile anywhere you need to identify a lot of things at close range. Ski passes, cows, library books, boxes in a warehouse... and anything volume tends not to be very "the future!" exciting.
As someone who frequently goes skiing, the recent deployment of RFID scanners at larger resorts is nothing short of amazing:
You can reload the passes online, the lift attendants can check everyone's pass just by waving a scanner across a crowd (no more having to precisely line up a barcode), you get online stats and achievements at the end of the day, and if you have photos taken on the hill they automatically show up in your online account.
So ya, definitely some really cool stuff you can do with them. :)
Just skied for the first time in years and the resort didn't even have attendants checking passes. You just put your pass in your left pocket and when you got to the front of the line a turnstile would admit you.
And a huge improvement over the magnetic strip passes. I have a pair of ski pants with magnets to hold the pocket closed, which is an incredibly dumb design, and they kept wiping my ski pass
The butt-chip. It's like the punchline of a joke. Still... Put a reader in your chair so that when you sit down somewhere, things turn on and log in? Butt-thentication, if you will.
Might be cool in a car.
...maybe that's how the batmobile works.
> RFID is one of those things that seem cool until you start playing with it and then it turns out that the only uses for it are really boring.
Well, boring for users perhaps. For people who like to track you, it is certainly not boring. It is more like fingerprint heaven!
I posted this in part because I love the idea and because today is the anniversary of the birth of Douglas Adams.
Edit: said death meant birth.
It's actually his birthday. He died on 11 May 2001.
It's March :)
This story doesn't quite make sense. I believe that his RSA pass was clonable and that his towel also had an RFID chip embedded in it. What I find hard to believe is that the towel had a writable RFID tag.
My main experience with RFID is cloning tags onto T5557 chips, and I don't think I've ever come across a writable tag in the wild. It doesn't seem to make economic sense to spend an extra penny or two on every towel to put in a tag you are never going to change.
The tags have to be writable at the factory to set the serial number. Presumably it's supposed to be write-once but is actually a small EEPROM, and he has an exploit that lets him overwrite it (see the "details withheld").
Mifare Ultralight C cards have 3DES-based security, cloning protection and read-only locking [1]. So I don't see how copying the RSA card to the towel would work unless the RSA conference totally messed up their use of RFID or the author has some super-hacker key extraction technique. Am I missing something?
[1] http://www.nxp.com/documents/data_sheet/MF0ICU2.pdf
I recently was at a Panera Bread, and when I put my Android phone (with NFC) onto the table, it immediately helpfully popped open tagwriter.
Turns out they didnt lock the tables' tags, so you could write urls and when people placed their phones down, had those urls open. (they used the tags for their food pager system)
The ones at the Panera I used to work at weren't writable (I know this because I saw people trying more than once). How long ago was this?
A couple of weeks ago. It did take some work, it seems like there's a "sweet spot" that I had to hit, and some experimentation that required rotating the phone on the surface, but I was able to write google.com and then pop it open on my tablet.
OK, the RSA conference failed here. They're supposed to be a security conference, yet they didn't use an RFID tag that's challenge/encrypt/response, so you can't clone it by passive listening. RSA itself used to make such things.
That tag is about the right level of security for towel inventory. The big win in this is managing outsourced laundry costs. Knowing how many items went to the laundry, and how many came back, rather than just counting linen carts, matters a lot. ABS Laundry Solutions overview (with ominous music) [1]
[1] http://www.abslbs.com/
That might not have been an oversight.
Having designed the RFID tag system for a conference before, there's a real cost difference between crypto-capable NFC tags and ordinary ones, once you factor in the number of badges you need to print.
Then consider that (a) the conference probably has very little budget for an RFID implementation, and (b) the NFC tag isn't used for anything that's security-sensitive -- mostly checking in at vendor booths, attendance tracking, etc.
Given that, I can totally understand why RSA didn't use something more secure.
The BIG fail here is that the towel manufacturers didn't toggle the read-only fuse in the tags, which allows them to be overwritten by anyone with an Android smartphone.
Reminds me of how someone embedded the chip from their Oyster card (London travel card) in a magic wand :)
I also immediately thought about this! :) https://41.media.tumblr.com/tumblr_m3i9ic6qKJ1qg9f5xo1_400.j...
Wait, towels have RFID tags?! Never heard of that before.
Hotel towels, to prevent theft.
How do they prevent theft, exactly?
A customer checks in and is given a towel with a customer specific RFID attached. If at the point the customer checks out and the towel is not in the room, it is assumed to be missing or stolen.
Which is the same as if a non RFID'd towel is missing from the room.
Er, no. Have you been to a hotel? They don't normally give you a single towel for your entire stay. The hotel changes the towels every day. Bulk RFID scanning during laundry lets them keep track of how many towels have gone wandering and individually track how many times specific towels have been laundered, which is probably useful information for managing towel quantities in bulk. I don't think tracking down and identifying individual towel thiefs is generally the idea, though I guess you can detect towels in places they are not meant to be (such as in their suitcases on the way out of the lobby).
This doesn't prevent someone from just taking a pool towel to their room and then putting it in their suitcase.
No idea - the article says "to help with inventory control" which doesn't help matters much.
Engadget had a basic article from a few years ago. I'm not sure how the alarm works as even the distance from the floor to your suitcase might be too far for RFID:
http://www.engadget.com/2011/04/20/that-hotel-towel-youre-st...
Inventory control does not necessarily have anything to do with theft. "Inventory management" would probably be a better term.
The local Gold's Gym has a theft prevention style detector around the front door which will complain if you try and leave with a towel. The towels themselves have an obvious bump in one corner, about the size of a jellybean.
And they are using NFC for that?
RFID!=NFC
NFC is a specific kind of RFID which uses the ISO 18000-3 band for communication over short distances. There are many other types of RFID, which can have much longer ranges.
Yeah, no one would just cut the label out, right?
It is sewn into the corner of the towel itself, not the label.
More accurately, to detect theft/misplacement (is it theft if I leave it on the beach?)
I think you'd still get charged for it.
Million dollar startup idea: Luggage with a faraday cage built into the lining.
How niche is this product?
Within reason, I think hotels expect a certain level of loss. They are probably not going to want to make a big scene in the lobby as a guest is departing and demand that they return the towel they are taking out.
On the other hand, theft by employees is something they are probably much more concerned about. Before this technology, you have to wonder how many hotel housekeepers had fully furnished their own homes with towels and bed linens at the expense of their employer.
The hotel probably uses a commercial laundry service. All the dirty towels go into a bin, and every few days a van from the laundry service delivers a pile of clean towels and takes away the bin of dirty towels. The bedsheets, pillow cases and duvet covers probably get the same treatment.
You can get similar services for mechanics' overalls, door mats, chef's uniforms, and things like that. They'll even put the right uniform in the right employee's locker, if you like [1].
Often there will be different pools for different hotels, as well as different pools for different items and sizes. Good inventory management helps you get the customers' orders right; you don't want to deliver a Holiday Inn towel to a Hilton, or have a tablecloth in a delivery of bedsheets, or deliver 99 bedsheets when you promised 100. Also, if things are getting damaged or going missing you need to know where things are going, and when you need to order replacements.
Of course, bar codes are also in use [2] but in hotels particularly they like the markings to be subtle.
[1] https://www.phs.co.uk/our-services/managed-workwear/locker-s... [2] http://www.giltbrookworkwear.co.uk/operation/laundry-facilit...
That makes a lot of sense! Thanks.
It's also a lot easier to scan a bin of 100 RFID tags than it is to try to line up all of their barcodes :)
There's a frood who really knows where his towel is.
Discussed thrice already. Kinda, never caught up.
https://news.ycombinator.com/item?id=11212357 https://news.ycombinator.com/item?id=11207155 https://news.ycombinator.com/item?id=11217681
Interesting. Where I can find more information about reading RFID chips?
https://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Clas... seems to be a good start.
This reminds me of the ubiquity of insecure MIFARE Classic chips.
My previous workplace (an international organization that shall remain anonymous) had vending machines where you could "buy" an RFID key that acted sort of like a "wallet". You could refill it by putting it inside the vending machine and then inserting coins, or you could use it to buy goods from the machines. It used MIFARE Classic and was trivial to break, and the cash amount was stored as cents in a short integer. Fun stuff, you could even buy deodorant and panties.
Then, several towns in my country use RFID cards for public transportation payment. Guess what? Even systems implanted AFTER these cards were deemed highly insecure are using them.
One place I worked at while in college had a similar thing with smart cards. The vending of the product and debiting of the card wasn't an atomic operation, so if you removed the card at the right time you'd still get the product but not be charged.
They must have changed that. At a cafeteria that uses MIFARE cards the operation is still not atomic, but the customer loses: If you remove the card at the wrong time, the card is debited but the transaction does not show up on the cashier's terminal, leading to heated arguments. The transaction does show up in the central database, so after spending 20 min writing a complaint you get your money back after a few days.
I guess this is called progress.
In Santiago, Chile, the public transportation system uses Mifare Classic cards, and few apps that (ilegally) refilled the cards appeared a while ago.
The solution given by the government was to block the cards that were used with fraudulent refills on a weekly basis, but there is always the possibility of changing the ID or purchasing blank cards.
Of course the system was chosen years after the vulnerabilities were discovered, too.
My guess is that the only way to stop this is to replace all the scanners, which will be far more expensive than losing a few thousand paying customers per day.
NXP has SDKs and mobile apps for it: https://www.mifare.net/en/products/tools/
There's also different kinds, for environments with high security demands you're not supposed to use DESfire cards, not Ultralight: https://www.mifare.net/en/products/chip-card-ics/
I was a CTO strategy consultant for an RFID MIST startup back in 2008 - that is RFID chips on documents, id badges, and any item of value within an organization. The MIST is a series of wireless sensors & network placed throughout the organization, enabling 3D location of any RFID marked object within range of the MIST network. The system could track who, when, and where of any person or item of interest simply by following the RFID through the series of sensors. However, there was zero plan for security of the RFID signals nor the MIST network itself, they were planning on security by obscurity. As I made more and more noise that security was their entire mission, and by not having any themselves they were setting themselves up for massive hacking. Thankfully, their main inventor was more interested in surfing than working, and their investor got deported for tax fraud.
This article succeeds with just a few words and well chosen pictures.
The Proxmark is a great tool... there is a nice forum here: http://proxmark.org/forum
RFID is definitely one of the cooler things that exist on the practical/futuristic feeling matrix. Really wish I had some need for one
Could this be done using a phone with NFC? Thats pretty much RFID tech isn't it?
Yes, it was a Mifare Ultralight C, which most Android phones can talk to.
Disney has a pretty neat use for RFID that was featured in a previous HN post. https://news.ycombinator.com/item?id=9177105
I'm kind of wondering what sort of towel hacks can be done now to truly create a hitchhiker's kind of towel
Oh, what a hoopy frood.
Is proxmark3 still the device to get?