
Please scan my towel - jgrahamc
http://jerrygamblin.com/2016/03/01/please-scan-my-towel/
======
roel_v
RFID is one of those things that seem cool until you start playing with it and
then it turns out that the only uses for it are really boring. Like, you can't
use it to locate stuff because the range is too short; you can't rely on stuff
to have chips (food, or clothes or whatever) and it's a major time sink if
you'd have to start tagging stuff yourself; it's cumbersome to install readers
everywhere and not being able to rely on half lives measured in decades
instead of months, etc.

I used to have an rfid chip implanted in my hand. I had all these ideas of
what I was going to do with it - log on to my computer by putting an rfid
reader in my keyboard, build a magic 'touch the wall and music starts playing'
thing etc. All of them turned out to be very boring and useless in practice.
Logging into my machine - meh, turns out that it takes longer for monitors to
come back on than to type the password. Building (useful) user interfaces
based on rfid is very hard and doesn't add anything over a regular proximity
sensor.

The only idea I have left is that in my current house, I have a place where I
could put an rfid reader so that if I'd get a chip implanted in my gluteus
maximus (my butt, essentially) I could activate an automatic door opener by
bumping into it when I have my hands full. I just can't motivate myself to set
this up and discover again that it's a dud in real life.

~~~
chatmasta
Wait, sorry... what?! You had an RFID chip implanted in your hand???

I think that story deserves a little elaboration.

EDIT: Wow, this is apparently a thing. [0]

[0]
[https://en.wikipedia.org/wiki/Microchip_implant_(human)#Hobbyists](https://en.wikipedia.org/wiki/Microchip_implant_\(human\)#Hobbyists)

~~~
roel_v
Not much to it, really. It became feasible around 2007-2008 ish or so, when
you could buy glass ampules with rfid tags in them and simple readers retail
online (my timing might be a few years off). There were several forums about
it at the time, most of them gone now it seems; I suspect because people found
out the same thing I did, that it's just not that useful and that the novelty
wears off after the first 5 times you wave your hand over a reader and have a
led go on or a dialog pop up on a screen.

I went to a piercing studio, girl stamped a hole in the upper layers of my
skin, made a small cut to open it up a bit further, slid in the ampule (which
had been autoclaved first of course). Band aid on it, done. It was strange
being in a studio with a bunch of people with facial tattoos and horn implants
and discs the size of my wrist in their ears - and _them_ looking at _me_ like
I was a freak from out of space. I do have to say though that I had to search
around a bit to find someone willing to do it. There are plenty of places that
will take your money to suspend you from their ceiling with flesh hooks in
your back, but that won't stick a glass pill under your skin. Go figure.

You can also buy kits online if you want to DIY - basically big needle guns
that are used to tag cattle which you just jam into your hand and pull the
trigger on, literally. That would've been a bit too hard core for me, tbh.

~~~
ams6110
Compared to using a biometric such as a fingerprint it makes some sense.
Fingerprints can in theory be stolen and reproduced, and you can't change them
if that happens. You could replace an implanted RFID tag if that were ever to
become necessary, but otherwise it's something you always have like your
fingerprint.

------
jgrahamc
I posted this in part because I love the idea and because today is the
anniversary of the birth of Douglas Adams.

Edit: said death meant birth.

~~~
oneeyedpigeon
It's actually his birthday. He died on 11 May 2001.

~~~
bpchaps
It's March :)

------
helper
This story doesn't quite make sense. I believe that his RSA pass was clonable
and that his towel also had an RFID chip embedded in it. What I find hard to
believe is that the towel had a _writable_ RFID tag.

My main experience with RFID is cloning tags onto T5557 chips, and I don't
think I've ever come across a writable tag in the wild. It doesn't seem to
make economic sense to spend an extra penny or two on every towel to put in a
tag you are never going to change.

~~~
tekklloneer
I recently was at a Panera Bread, and when I put my Android phone (with NFC)
onto the table, it immediately helpfully popped open tagwriter.

Turns out they didn't lock the tables' tags, so you could write urls and when
people placed their phones down, had those urls open. (they used the tags for
their food pager system)

~~~
chipperyman573
The ones at the Panera I used to work at weren't writable (I know this because
I saw people trying more than once). How long ago was this?

~~~
tekklloneer
A couple of weeks ago. It did take some work, it seems like there's a "sweet
spot" that I had to hit, and some experimentation that required rotating the
phone on the surface, but I was able to write google.com and then pop it open
on my tablet.

------
Animats
OK, the RSA conference failed here. They're supposed to be a security
conference, yet they didn't use an RFID tag that's challenge/encrypt/response,
so you can't clone it by passive listening. RSA itself used to make such
things.

That tag is about the right level of security for towel inventory. The big win
in this is managing outsourced laundry costs. Knowing how many items went to
the laundry, and how many came back, rather than just counting linen carts,
matters a lot. ABS Laundry Solutions overview (with ominous music) [1]

[1] [http://www.abslbs.com/](http://www.abslbs.com/)

~~~
tjohns
That might not have been an oversight.

Having designed the RFID tag system for a conference before, there's a real
cost difference between crypto-capable NFC tags and ordinary ones, once you
factor in the number of badges you need to print.

Then consider that (a) the conference probably has very little budget for an
RFID implementation, and (b) the NFC tag isn't used for anything that's
security-sensitive -- mostly checking in at vendor booths, attendance
tracking, etc.

Given that, I can totally understand why RSA didn't use something more secure.

The BIG fail here is that the towel manufacturers didn't toggle the read-only
fuse in the tags, which allows them to be overwritten by anyone with an
Android smartphone.
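
Added example, not part of the thread: a check a deployer could run over a tag memory dump to confirm that the read-only lock bits described above are actually set. It assumes the MIFARE Ultralight static lock-byte layout (page 2, bytes 2-3, covering pages 3-15); the extra lock bytes that Ultralight C has for higher pages are not covered, and the helper names and dumps are constructed for illustration.

```python
# Added example: audit the static lock bytes in a MIFARE Ultralight-family dump.
# Assumed layout: 4-byte pages; page 2 byte 2 = lock byte 0, byte 3 = lock byte 1.
PAGE_SIZE = 4

def parse_static_locks(dump: bytes) -> dict:
    """Return per-page read-only state for pages 3..15 and the block-lock state."""
    if len(dump) < 16 * PAGE_SIZE:
        raise ValueError("need at least 16 pages (64 bytes) of tag memory")
    lock0, lock1 = dump[2 * PAGE_SIZE + 2], dump[2 * PAGE_SIZE + 3]
    locked = {3: bool(lock0 & 0x08)}             # bit 3 locks the OTP page
    for page in range(4, 8):                     # lock0 bits 4..7 -> pages 4..7
        locked[page] = bool(lock0 & (1 << page))
    for page in range(8, 16):                    # lock1 bits 0..7 -> pages 8..15
        locked[page] = bool(lock1 & (1 << (page - 8)))
    frozen = {                                   # block-locking bits freeze the
        "otp": bool(lock0 & 0x01),               # lock bits of their page range
        "pages_4_9": bool(lock0 & 0x02),
        "pages_10_15": bool(lock0 & 0x04),
    }
    return {"locked": locked, "frozen": frozen}

def audit(dump: bytes) -> list:
    """List user pages (4..15) that any writer-capable phone could still overwrite."""
    state = parse_static_locks(dump)
    return [page for page in range(4, 16) if not state["locked"][page]]

def make_dump(lock0: int, lock1: int) -> bytes:
    """Build a constructed 16-page dump with the given lock bytes (sample data)."""
    pages = bytearray(16 * PAGE_SIZE)
    pages[0:3] = b"\x04\xaa\xbb"                 # placeholder UID bytes
    pages[2 * PAGE_SIZE + 2] = lock0
    pages[2 * PAGE_SIZE + 3] = lock1
    return bytes(pages)

UNLOCKED_TAG = make_dump(0x00, 0x00)   # factory state: every user page writable
PARTIAL_TAG = make_dump(0xF0, 0x0F)    # pages 4..11 locked, 12..15 still writable
LOCKED_TAG = make_dump(0xFF, 0xFF)     # all pages locked, lock bits frozen

if __name__ == "__main__":
    for name, dump in [("unlocked", UNLOCKED_TAG), ("partial", PARTIAL_TAG),
                       ("locked", LOCKED_TAG)]:
        writable = audit(dump)
        print(f"{name}: {'OK' if not writable else 'writable pages ' + str(writable)}")
```

Lock bits are one-time programmable, so a page reported as locked stays read-only; an empty result from `audit` is the state a tag should be in before it leaves the deployer's hands.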

------
anarchitect
Reminds me of how someone embedded the chip from their Oyster card (London
travel card) in a magic wand :)

~~~
mino
I also immediately thought about this! :)
[https://41.media.tumblr.com/tumblr_m3i9ic6qKJ1qg9f5xo1_400.jpg](https://41.media.tumblr.com/tumblr_m3i9ic6qKJ1qg9f5xo1_400.jpg)

------
lucb1e
Wait, towels have RFID tags?! Never heard of that before.

~~~
aylons
Hotel towels, to prevent theft.

~~~
krzrak
How do they prevent theft, exactly?

~~~
rc55
A customer checks in and is given a towel with a customer specific RFID
attached. If at the point the customer checks out and the towel is not in the
room, it is assumed to be missing or stolen.

~~~
jameshart
Er, no. Have you been to a hotel? They don't normally give you a single towel
for your entire stay. The hotel changes the towels every day. Bulk RFID
scanning during laundry lets them keep track of how many towels have gone
wandering and individually track how many times specific towels have been
laundered, which is probably useful information for managing towel quantities
in bulk. I don't think tracking down and identifying individual towel thieves
is generally the idea, though I guess you can detect towels in places they are
not meant to be (such as in their suitcases on the way out of the lobby).

------
gargravarr
There's a frood who really knows where his towel is.

------
DominikD
Discussed thrice already. Kinda, never caught up.

[https://news.ycombinator.com/item?id=11212357](https://news.ycombinator.com/item?id=11212357)
[https://news.ycombinator.com/item?id=11207155](https://news.ycombinator.com/item?id=11207155)
[https://news.ycombinator.com/item?id=11217681](https://news.ycombinator.com/item?id=11217681)

------
marvel_boy
Interesting. Where can I find more information about reading RFID chips?

~~~
Rafert
[https://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_MIFARE_DESFire_and_MIFARE_Ultralight](https://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_MIFARE_DESFire_and_MIFARE_Ultralight)
seems to be a good start.

~~~
glastra
This reminds me of the ubiquity of insecure MIFARE Classic chips.

My previous workplace (an international organization that shall remain
anonymous) had vending machines where you could "buy" an RFID key that acted
sort of like a "wallet". You could refill it by putting it inside the vending
machine and then inserting coins, or you could use it to buy goods from the
machines. It used MIFARE Classic and was trivial to break, and the cash amount
was stored as cents in a short integer. Fun stuff, you could even buy
deodorant and panties.

Then, several towns in my country use RFID cards for public transportation
payment. Guess what? Even systems implanted AFTER these cards were deemed
highly insecure are using them.

~~~
lucaspiller
One place I worked at while in college had a similar thing with smart cards.
The vending of the product and debiting of the card wasn't an atomic
operation, so if you removed the card at the right time you'd still get the
product but not be charged.

~~~
throw91283
They must have changed that. At a cafeteria that uses MIFARE cards the
operation is still not atomic, but the customer loses: If you remove the card
at the wrong time, the card is debited but the transaction does not show up on
the cashier's terminal, leading to heated arguments. The transaction _does_
show up in the central database, so after spending 20 min writing a complaint
you get your money back after a few days.

I guess this is called progress.

------
bsenftner
I was a CTO strategy consultant for an RFID MIST startup back in 2008 - that
is RFID chips on documents, id badges, and any item of value within an
organization. The MIST is a series of wireless sensors & network placed
throughout the organization, enabling 3D location of any RFID marked object
within range of the MIST network. The system could track who, when, and where
of any person or item of interest simply by following the RFID through the
series of sensors. However, there was zero plan for security of the RFID
signals nor the MIST network itself, they were planning on security by
obscurity. As I made more and more noise that security was their entire
mission, and by not having any themselves they were setting themselves up for
massive hacking. Thankfully, their main inventor was more interested in
surfing than working, and their investor got deported for tax fraud.

------
HillaryBriss
This article succeeds with just a few words and well chosen pictures.

------
spants
The Proxmark is a great tool... there is a nice forum here:
[http://proxmark.org/forum](http://proxmark.org/forum)

------
rtpg
RFID is definitely one of the cooler things that exist on the
practical/futuristic feeling matrix. Really wish I had some need for one

------
collyw
Could this be done using a phone with NFC? That's pretty much RFID tech isn't
it?

~~~
tjohns
Yes, it was a Mifare Ultralight C, which most Android phones can talk to.

------
RoseO
Disney has a pretty neat use for RFID that was featured in a previous HN post.
[https://news.ycombinator.com/item?id=9177105](https://news.ycombinator.com/item?id=9177105)

------
bpicolo
I'm kind of wondering what sort of towel hacks can be done now to truly create
a hitchhiker's kind of towel

------
poppingtonic
Oh, what a hoopy frood.

------
apaz
Is proxmark3 still the device to get?

