This week, California became the second state to pass a law making it illegal to steal data from RFID (radio frequency identification) cards.
The law sets a penalty that includes a maximum fine of US$1,500 and up to a year in prison for someone convicted of surreptitiously reading information from an RFID card.
RFID chips, used in a growing variety of applications worldwide, store small amounts of information that a nearby device can read. Among other things, the chips can be used to store customer data on a credit card or allow authorized people to open locked office doors or car doors in “keyless” entry systems.
The California bill makes exceptions for certain emergency situations, such as permitting a health care worker to scan someone’s RFID-enabled health card in order to help the person. Also, police officers would be allowed to view information on an RFID card with a warrant.
The bill was first introduced by California State Senator Joe Simitian in 2006, and the final version was signed into law on Wednesday. It was backed by a wide variety of groups ranging from the American Civil Liberties Union to the Gun Owners of California.
Earlier this year, Washington became the first state to pass a law against theft of RFID data. Washington makes it a class C felony to steal data from an RFID card specifically for the purpose of fraud, identity theft or other illegal purposes. That means that if convicted, a criminal could receive a penalty of as much as a $10,000 fine and five years in prison.
While there are security mechanisms that issuers of RFID cards can employ to make it harder for someone to steal the data stored on them, many issuers don’t use them, or use them poorly, so these laws could help serve as a deterrent against would-be hackers.
A paper recently published by the Stanford Law Review detailed some alarming examples of security researchers hacking into RFID systems. In one instance, researchers at Johns Hopkins University cracked the encryption code on Texas Instruments chips used in Exxon Mobil gas cards. Armed with that code, a laptop and a simple RFID device, they were able to fill up their tanks with gas for free.
The Stanford paper also cites work done by computer security researchers at IOActive showing how easily they could clone the information stored on building entry cards. In another example described in the paper, researchers from the University of Massachusetts spent $150 to build an RFID reader and found they could read information such as names and other data stored on RFID-enabled credit cards. They found that the data was stored on the commercially used cards unencrypted, in plain text.
California’s governor this week vetoed another related bill also introduced by Simitian. That bill would have required schools to obtain written consent from parents before issuing RFID cards to students that could be used for recording attendance or tracking the students’ whereabouts. The bill, drafted after controversy erupted at one California school that issued RFID cards to students, would also have required schools to take certain steps to protect students’ privacy.