Apple Seeking To Make Wireless Network Setup Easier

[longofest]

There is very little value in this. The same can be done via the wireless or bluetooth with the exception that you have to power the device.

We already have way too many RFID tags in the environment. Your shoes, your clothes, your belt, your computer, your passport, your credit card, your gas pass, etc. These devices are not secured and can be read from a distance. People can track you and your habits.

Just because you dont see the tags, does not mean they are not there. I highly suggest you fry them if you do not need them. See this http://globalguerrillas.typepad.com/globalguerrillas/2006/01/weapons_the_rfi.html

BTW I am a securuty consultant, I highly sugest you start zapping them if you do not need them.

For the ones you must carry like the credit cards you may want to use something like this, but I have not tested them so not sure how effective they are: http://www.rpi-polymath.com/ducttape/RFIDWallet.php

You complain about the tracking abilities of RFID, yet you don't worry about the tracking ability of mobile phones? Mobile phones can be pinpointed and tracked over a far greater distance than RFID can. Same thing with GPS devices.

It really perturbs me that there is such a vocal minority spreading FUD about RFID without considering the entire picture. If you are some sort of conspiracy theorist, there are much worse evils out there to get scared about than RFID.

 

[Peace]

You complain about the tracking abilities of RFID, yet you don't worry about the tracking ability of mobile phones? Mobile phones can be pinpointed and tracked over a far greater distance than RFID can. Same thing with GPS devices.

It really perturbs me that there is such a vocal minority spreading FUD about RFID without considering the entire picture. If you are some sort of conspiracy theorist, there are much worse evils out there to get scared about than RFID.

While I agree with you to an extent.One can turn off a mobile phone and/or GPS device.It appears the AEBS using RFID would be on regardless of whether or not the airport was on.
Please correct me if I'm wrong.

[edit] perhaps this topic deserves a poll concerning RFID in future Apple products [/edit]

 

[EagerDragon]

You complain about the tracking abilities of RFID, yet you don't worry about the tracking ability of mobile phones? Mobile phones can be pinpointed and tracked over a far greater distance than RFID can. Same thing with GPS devices.

It really perturbs me that there is such a vocal minority spreading FUD about RFID without considering the entire picture. If you are some sort of conspiracy theorist, there are much worse evils out there to get scared about than RFID.

Correct, however this thread is about RFID so I stick to that. there are a lot of areas related to security we could cover, but I am not writting a book and not every one is interested.

 

[EagerDragon]

You complain about the tracking abilities of RFID, yet you don't worry about the tracking ability of mobile phones? Mobile phones can be pinpointed and tracked over a far greater distance than RFID can. Same thing with GPS devices.

It really perturbs me that there is such a vocal minority spreading FUD about RFID without considering the entire picture. If you are some sort of conspiracy theorist, there are much worse evils out there to get scared about than RFID.

I am not complaing, I am passing information, you can ignore it or take the advice, your choice, makes zero difference to me.

As to FUD.... When you were told to look both ways before crossing the street, did you consider that as FUD? Well it is the same here, if you look both ways you become aware of your surroundings, the dangers (if any) and you have an opportunity to digest the information and decide to cross at a moment where you personnaly can deal with the level of risk. I guess most people did consider it FUD since a lot of people do not look both ways before crossing.

As a security consultant I analyze the risk and inform, if people do not take the advice they are now aware of the risk and it was their choice to act or not.

Some people are paranoid, some want to be aware and make their own decisions, and some like to cover their ears and not listen.
Decide which one you want to be.
Makes no difference to me.

 

[longofest]

I am not complaing, I am passing information, you can ignore it or take the advice, your choice, makes zero difference to me.

As to FUD.... When you were told to look both ways before crossing the street, did you consider that as FUD? Well it is the same here, if you look both ways you become aware of your surroundings, the dangers (if any) and you have an opportunity to digest the information and decide to cross at a moment where you personnaly can deal with the level of risk. I guess most people did consider it FUD since a lot of people do not look both ways before crossing.

Sorry to respond so quick with the FUD comment, but I've heard the arguments so many times before, and I largely regard most of them (not all, however) as baseless.

You seem to be concerned regarding tracking abilities of RFID. I believe the conspiracy theories and "security risks" regarding tracking abilities of RFID are extremely over-blown.

First, lets make an assumption we're talking about passive RFID. In response to Peace's comment, yes, RFID could be read even when not powered on, however this is mitigated by the fact that you can place some RF-interferance material over the chip and it would no longer respond. There are other techniques that can be employed as well in newer generations of RFID (tags can be programmed to only respond to certain readers, etc).

However, the main point that I would make is that you have to be in relative close proximity to an RFID tag to read it. Therefore, you'd have to have a network of readers to track someone. While this kind of scenario does occur in supply-chain management (networks of readers in a warehouse and along highways to track trucks, for instance), the potential to do it otherwise isn't that huge.

Now, back to your original point. Why is apple using RFID instead of Bluetooth or something else? Well, BlueTooth requires pairing, so its doubtful that they'd use that specific technology, but still, they could use a different technology, and I don't know why they aren't. To be honest, it sounds like they would save themselves from some headaches by not using RFID but using a similar principle to what they are suggesting, minus the RFID.

 

[EagerDragon]

Sorry to respond so quick with the FUD comment, but I've heard the arguments so many times before, and I largely regard most of them (not all, however) as baseless.

You seem to be concerned regarding tracking abilities of RFID. I believe the conspiracy theories and "security risks" regarding tracking abilities of RFID are extremely over-blown.

First, lets make an assumption we're talking about passive RFID. In response to Peace's comment, yes, RFID could be read even when not powered on, however this is mitigated by the fact that you can place some RF-interferance material over the chip and it would no longer respond. There are other techniques that can be employed as well in newer generations of RFID (tags can be programmed to only respond to certain readers, etc).

However, the main point that I would make is that you have to be in relative close proximity to an RFID tag to read it. Therefore, you'd have to have a network of readers to track someone. While this kind of scenario does occur in supply-chain management (networks of readers in a warehouse and along highways to track trucks, for instance), the potential to do it otherwise isn't that huge.

Now, back to your original point. Why is apple using RFID instead of Bluetooth or something else? Well, BlueTooth requires pairing, so its doubtful that they'd use that specific technology, but still, they could use a different technology, and I don't know why they aren't. To be honest, it sounds like they would save themselves from some headaches by not using RFID but using a similar principle to what they are suggesting, minus the RFID.

All very good points, besides not everyone is out to get everyone else. We are talking about potential uses of perfectly great technologies for purposes other than the original intend. Some people will be affected by these issues and some wont. However once my pair of shoes is purchased and is taken home, there is not reason to not fry the RFID chip. I rather take a moment to do so than leave the door open, regardless of how unklikely.

We will have to see how secured Apple implements the chip and the level of information they store. Assuming for a moment that they don't go all the way, an individual could read the chip and either get the full set of information on how your network is setup, or at least some of the setup, making it easier to listen in.

Hope they do the right thing. Convenience is #2 enemy of security.

 

[alec]

It's always nice to have Apple improve something it hasn't improved on before! By the way, I got a Windows Vista ad on this site ::bleggghhhhhhhhh::

 

[Peace]

It's always nice to have Apple improve something it hasn't improved on before! By the way, I got a Windows Vista ad on this site ::bleggghhhhhhhhh::

[ plug for arn's great site ]

One can always contribute and the get ad-free site

[ /end plug for arn's great site ]

 

[FleurDuMal]

Could it get any easier?!

 

[Analog Kid]

Apple didn't talk much about the exact implementation of their RFID system. They didn't even mention which frequency they'd be using (LF, HF, UHF (EPC Gen2?)). Its most definitely would be a passive system though.

Basically, the RFID tag is being used to store basic network information. I'm assuming SSID. If they are smart, they may also store a public key.

Then, the RFID portion is done, and the devices will connect using wireless to communicate the rest of their settings. This is why I said it would be good of Apple to have included a public key in the RFID tag. this would enable the devices to talk relatively securely even over an unencrypted channel to exchange WPA keys. Then, the full wireless security framework would be set up.

The biggest problem I see in the proposed solution by Apple is that an attacker in close proximity could get the connecting device to look at the attacker's RFID instead of the intended device. This would basically make the user's device connect automatically to the attacker's device. Oops! However, this would require an attacker in relative close proximity, and if they are further away than the user's connecting device, then they would need a higher gain output to try to trick the device. Its just one of the security implications Apple would need to work to prevent from happening in the field.

Thanks longofest. Sounds about right to me. I think the objective here is to provide security on a wireless signal by ensuring that the individual using the wireless link has physical access to the base station. This could be further enhanced by adding a button to the base station to minimize the chance of the high-gain remote attack. A hacker might be able to collect the credentials remotely if they're listening when the button is pressed, but they couldn't trigger an authentication remotely.

Passive RFID would make the most sense from a cost standpoint-- put the expense of the reader into the base station and each device has pennies of incremental cost.

You complain about the tracking abilities of RFID, yet you don't worry about the tracking ability of mobile phones? Mobile phones can be pinpointed and tracked over a far greater distance than RFID can. Same thing with GPS devices.

Just to extend the battle against FUD on all fronts, there is nothing about GPS that allows anyone to track you. GPS is passive only-- the satellites transmit but the user only receives. Remember this was a military technology and they aren't very keen on their soldiers broadcasting their position. GPS can only track someone if they transmit their position over a separate transmitter.

Cellphones, on the other hand, are quite powerful transmitters and are easy to track and triangulate to.

You seem to be concerned regarding tracking abilities of RFID. I believe the conspiracy theories and "security risks" regarding tracking abilities of RFID are extremely over-blown.

First, lets make an assumption we're talking about passive RFID. In response to Peace's comment, yes, RFID could be read even when not powered on, however this is mitigated by the fact that you can place some RF-interferance material over the chip and it would no longer respond. There are other techniques that can be employed as well in newer generations of RFID (tags can be programmed to only respond to certain readers, etc).

However, the main point that I would make is that you have to be in relative close proximity to an RFID tag to read it. Therefore, you'd have to have a network of readers to track someone. While this kind of scenario does occur in supply-chain management (networks of readers in a warehouse and along highways to track trucks, for instance), the potential to do it otherwise isn't that huge.

Now, back to your original point. Why is apple using RFID instead of Bluetooth or something else? Well, BlueTooth requires pairing, so its doubtful that they'd use that specific technology, but still, they could use a different technology, and I don't know why they aren't. To be honest, it sounds like they would save themselves from some headaches by not using RFID but using a similar principle to what they are suggesting, minus the RFID.

I should probably be responding to EagerDragon here but your post better covers both sides of the issue... The danger in RFID as a privacy/security threat is two fold but it's always tied to the information that the RFID provides.

The threat that EagerDragon raises is the ability to follow you around town which is theoretically possible, but as you point out that is rather impractical for very short range devices. Wallmart can track you around the store if they choose, but following you home would require a grid of tag readers spaced every few feet across an entire city. This is roughly the equivalent of the Nike Jogger Stalking threat that got a lot of attention with their iPod integration.

Wrapping the device in foil helps reduce range but only mitigates the threat, it doesn't eliminate it. As the British will tell you, the foil cover on their RFID passports doesn't prevent them from being scanned by the sufficiently motivated. The problem in that case is different though, and it points to the other danger of RFID:

The problem with the British passports is that the data transmitted contains real information not just a meaningless identification number. This is bad implementation. If RFID is broadcasting an identifier that is is divorced from other information, it allows you to track the device, but not to learn anything about the person carrying it. If the RFID carries useful information in itself, as it does with the passports, then you have a real privacy/security concern-- as with the ability to know the contents of and clone a passport without ever having held it.

Wallmart may know the ID for your shoes, and they may have even linked that ID to your credit card data so they know more about you which is spooky in itself, but for that threat to spread they'd need to share that information with others. If the RFID is spitting out your name and address, then it is poorly implemented and you've got the same problem that the passports have.

The way I see this fitting in with the Apple application is this: I don't care much if my iPod or remote control spits out a meaningless ID when polled. Maybe I'd feel differently if I was in a position where someone might want to activate a device only when I'm next to it, but there aren't many people with that concern and it's easier to accomplish the same goal with a pair of binoculars and a remote control anyway. What I don't want is anything on me to be spitting out anything that is useful in itself and this doesn't seem to do that on the device side-- only on the base station side (and this is easy enough to plug as I mentioned above).

Overall, it's a question of whether this is a net positive for security or a net negative. Despite what people are saying here on the forum, I know for a fact that there are a large number of people who aren't able to secure their networks properly and as the ubiquity of wireless links grows, the problem is only going to get worse. The threat of someone following my RFID tag around is much smaller than the threat of someone listening in to all of my WiFi transmissions-- because those transmission carry useful data.

The one remaining attack point that I'd be worried about is not rogue devices connecting to my base station, but rogue base stations linking to my device. If the device is dumb enough to connect to any base station it's close to then someone could set up a base station under a bus seat and harvest information by establishing secure links with any device that goes by then polling it for more useful data. A simple button press might be sufficient to mitigate this one as well...

 

[Aeolius]

All I want is for Apple to release an "Airport Extreme XXL" (Airport Wambo?), which will transmit up to a 3,000' radius, like some of the hotspot transmitters. Then couple that with support for outdoor network cameras, or release a standalone iSight Extreme, for color video during the day and b&w w/ IR transmiters at night. Oh, and add an optional harness to strap them on to an alpaca... then I'm set.

 

[MrCrowbar]

All I want is for Apple to release an "Airport Extreme XXL" (Airport Wambo?), which will transmit up to a 3,000' radius, like some of the hotspot transmitters. Then couple that with support for outdoor network cameras, or release a standalone iSight Extreme, for color video during the day and b&w w/ IR transmiters at night. Oh, and add an optional harness to strap them on to an alpaca... then I'm set.

Or better, a motor driven directional antenna that always points to your location or looks for a reflecting surface to get you the best signal. This way, you could have your own wireless network across your hometown...

I still like those mini-USB-sattelite-dishes that give you high speed, low latency internet access so you can get high-def video calls from the agent above you.

 

[twoodcc]

seems interesting. not sure if it effects me, but i guess we'll see

 

[Analog Kid]

All I want is for Apple to release an "Airport Extreme XXL" (Airport Wambo?), which will transmit up to a 3,000' radius, like some of the hotspot transmitters. Then couple that with support for outdoor network cameras, or release a standalone iSight Extreme, for color video during the day and b&w w/ IR transmiters at night. Oh, and add an optional harness to strap them on to an alpaca... then I'm set.

I've been waiting for alpaca mount peripherals for ages, but I'm close to giving up. I'm thinking I'll just put mine on Ebay and try to pick up a used armadillo. Now that is the wave of the future. I'm sure of it.

 

[Henri Gaudier]

I'm with EagerDragon

... if everybody harping at him wants them so bad - fine - have them. But those of us who don't want them get them too. RFID is going to be worse than CCTV. The conspiracy theory line was moronic too. Why is it that if you don't want what is prescribed for you by big business you're a crank?

 

[Aeolius]

I'm thinking I'll just put mine on Ebay and try to pick up a used armadillo. Now that is the wave of the future. I'm sure of it.

Mind you, these already work on a WiFi network and have built-in webcams:

 

[krieghoff123]

easier

It all ready pretty easy Just got an airport express yesterday and took me about 30 second to set it up. I find it even harder to belive it could become easier

 

[longofest]

The problem with the British passports is that the data transmitted contains real information not just a meaningless identification number. This is bad implementation. If RFID is broadcasting an identifier that is is divorced from other information, it allows you to track the device, but not to learn anything about the person carrying it. If the RFID carries useful information in itself, as it does with the passports, then you have a real privacy/security concern-- as with the ability to know the contents of and clone a passport without ever having held it.

Wallmart may know the ID for your shoes, and they may have even linked that ID to your credit card data so they know more about you which is spooky in itself, but for that threat to spread they'd need to share that information with others. If the RFID is spitting out your name and address, then it is poorly implemented and you've got the same problem that the passports have.

The way I see this fitting in with the Apple application is this: I don't care much if my iPod or remote control spits out a meaningless ID when polled. Maybe I'd feel differently if I was in a position where someone might want to activate a device only when I'm next to it, but there aren't many people with that concern and it's easier to accomplish the same goal with a pair of binoculars and a remote control anyway. What I don't want is anything on me to be spitting out anything that is useful in itself and this doesn't seem to do that on the device side-- only on the base station side (and this is easy enough to plug as I mentioned above).

Overall, it's a question of whether this is a net positive for security or a net negative. Despite what people are saying here on the forum, I know for a fact that there are a large number of people who aren't able to secure their networks properly and as the ubiquity of wireless links grows, the problem is only going to get worse. The threat of someone following my RFID tag around is much smaller than the threat of someone listening in to all of my WiFi transmissions-- because those transmission carry useful data.

The one remaining attack point that I'd be worried about is not rogue devices connecting to my base station, but rogue base stations linking to my device. If the device is dumb enough to connect to any base station it's close to then someone could set up a base station under a bus seat and harvest information by establishing secure links with any device that goes by then polling it for more useful data. A simple button press might be sufficient to mitigate this one as well...

The point of placing extraneous info on the tag is always one that I do not argue against. I have had extreme reservations in the way various countries are implementing their e-passports due to this exact reason.

However, if Apple wants to put an SSID on there, its nothing that you can't find over the airwaves anyways, so no big deal.

 

[longofest]

... if everybody harping at him wants them so bad - fine - have them. But those of us who don't want them get them too. RFID is going to be worse than CCTV. The conspiracy theory line was moronic too. Why is it that if you don't want what is prescribed for you by big business you're a crank?

The thought that people are going to use RFID to track your every movement is what I was getting at for the term "conspiracy theory". Being dilligent in making sure RFID isn't abused isn't a problem. However, I also have problems when people harp on RFID and ignore other more sinister things out there, as I have said before in previous posts.

 

[Henri Gaudier]

Unfortunately everything is abused. We're being hemmed in by successive governments and no one from the "political class" has the nerve to confront it. From Echelon to traffic flow cameras, SatNav in your car to the phone in your pocket. Everything is being co-opted by law enforcement to spy on people. Or you could argue the reason for cameras isn't for traffic management etc it is to spy under the auspices of "safety" etc. Face recognition and car plate reading cameras aren't about safety, they're about the government wanting to know what everyone is up to and where they're going. RFID will be sold as a security feature - police cars will be kitted out with RFID radars to aid in the detection of stolen goods - the media will jump on the bandwagon etc. Insurance premiums ill go up if you don't have them etc etc. 10 years sown the line - subcutaneous ID/credit/debit/card.

 

[Rocketman]

The thought that people are going to use RFID to track your every movement is what I was getting at for the term "conspiracy theory". Being dilligent in making sure RFID isn't abused isn't a problem. However, I also have problems when people harp on RFID and ignore other more sinister things out there, as I have said before in previous posts.

Once you identify a particular RFID (edit: or cellular GPS or GPS or IP address) with a particular person (even the public key can do that) as the government or a large retailer has the capacity to do for vast numbers of people, each and every time "your" device passes an RFID transceiver your whereabouts are known. Given the sheer number of activities that are already illegal and more being added every day, and the rapid advance of big brother to identify each and every small breach, it becomes practical for any "targeted" person to be shown voilating something, then be tracked and arrested.

At least for the past 100 years if you made a mistake you had to do it in front of a cop or a witness inclined to call the police. Now any of millions of machines can prove you committing a crime, even if you are not aware of it, and the perfection of proving it and arresting you is improving by the month to the point where lazy police can sit in front of computer terminals and pick and choose who to "pick off that day".

Selective enforcement perfected.

Someone should come up with a constitution and a bill of rights or something.

Rocketman

 

[EagerDragon]

... if everybody harping at him wants them so bad - fine - have them. But those of us who don't want them get them too. RFID is going to be worse than CCTV. The conspiracy theory line was moronic too. Why is it that if you don't want what is prescribed for you by big business you're a crank?

Specialy when the message is "If you are concerned ZAP the ones you don't need, protect the ones you do". If one is not concerned then do nothing, live happy.

 

[EagerDragon]

Once you identify a particular RFID with a particular person (even the public key can do that) as the government or a large retailer has the capacity to do for vast numbers of people, each and every time "your" device passes an RFID transceiver your whereabouts are known. Given the sheer number of activities that are already illegal and more being added every day, and the rapid advance of big brother to identify each and every small breach, it becomes practical for any "targeted" person to be shown voilating something, then be tracked and arrested.

At least for the past 100 years if you made a mistake you had to do it in front of a cop or a witness inclined to call the police. Now any of millions of machines can prove you committing a crime, even if you are not aware of it, and the perfection of proving it and arresting you is improving by the month to the point where lazy police can sit in front of computer terminals and pick and choose who to "pick off that day".

Selective enforcement perfected.

Someone should come up with a constitution and a bill of rights or something.

Rocketman

Very well said

 

[e-coli]

Could be for connecting iPods... sort of like what the Zune can do.

Exactly what I was thinking. Instant proximity connection.

 

[Analog Kid]

... if everybody harping at him wants them so bad - fine - have them. But those of us who don't want them get them too. RFID is going to be worse than CCTV. The conspiracy theory line was moronic too. Why is it that if you don't want what is prescribed for you by big business you're a crank?

I count myself among the more paranoid of the world, and I don't like anything that makes it easier for either businesses or the government to track me and my habits. Not because I have anything to hide, but because I'm a believer in the slippery slope. I'll hold of expounding on that further because it probably belongs in a different thread.

To function in the world, and reap its benefits you have to keep an eye on technology and use what makes life better while avoiding technologies that undermine our personal freedoms and privacy.

To do that, we need to be educated in how things work and where the threats are. There is nothing about RFID that inherently makes any more dangerous than Bluetooth, WiFi, cell phones or credit cards. In fact it is probably less so. RFID, because it has gotten so much attention, has come to encompass a broad range or technologies, but in the general sense, RFID emits a meaningless number when it is polled. There is nothing useful there. If it's embedded in an iPhone with WiFi and cellular, it's the least of your concerns.

I have to agree with longofest on this point-- the paranoia developing around RFID is only serving to obscure other threats to privacy and security that are much more grave.

If you're microwaving your shoes but calling your spouse while handing over your credit card, club card and drivers license at the grocery store every time you make a purchase then that looks a little misguided...

Once you identify a particular RFID (edit: or cellular GPS or GPS or IP address) with a particular person (even the public key can do that) as the government or a large retailer has the capacity to do for vast numbers of people, each and every time "your" device passes an RFID transceiver your whereabouts are known. Given the sheer number of activities that are already illegal and more being added every day, and the rapid advance of big brother to identify each and every small breach, it becomes practical for any "targeted" person to be shown voilating something, then be tracked and arrested.

At least for the past 100 years if you made a mistake you had to do it in front of a cop or a witness inclined to call the police. Now any of millions of machines can prove you committing a crime, even if you are not aware of it, and the perfection of proving it and arresting you is improving by the month to the point where lazy police can sit in front of computer terminals and pick and choose who to "pick off that day".

Selective enforcement perfected.

Someone should come up with a constitution and a bill of rights or something.

Rocketman

Again, there is nothing about GPS that can be tracked. Period. If you connect it to your cellphone and transmit your position that's a different problem, but the truth is your cellphone can be located nearly as well by triangulating the cellular signal.

I share your concern about states and businesses tracking people, but the truth is that your phone and your credit card are much more effective for this purpose than an RFID tag in your shoe with 3ft of range and a meaningless product code.

It's becoming increasingly true however that none of these methods are required for selective enforcement-- they merely have to say that they have information that you don't but their methods must be concealed for security reasons. Again, a topic for another thread.