Monday, June 18, 2012

Baby's First Hack

Maternity hospitals put these security bracelets on your baby. The thing is, because the baby loses so much weight and generally changes so much after birth, the bracelets keep falling off. The nurses get annoyed by them because they fall off so often, but they generally seem not to mind them too much. My video below shows how easy they are to remove.

And that is without trying to cut off the tag or shield it from the radio receiver in some way. Schneier has a good post on how these tags, even though they don't actually reduce the risk of harm much, are still valuable. I'll quote it at length because it is so good.

'While visiting some friends and their new baby in the hospital last week, I noticed an interesting bit of security. To prevent infant abduction, all babies had RFID tags attached to their ankles by a bracelet. There are sensors on the doors to the maternity ward, and if a baby passes through, an alarm goes off.

Infant abduction is rare, but still a risk. In the last 22 years, about 233 such abductions have occurred in the United States. About 4 million babies are born each year, which means that a baby has a 1-in-375,000 chance of being abducted. Compare this with the infant mortality rate in the U.S. -- one in 145 -- and it becomes clear where the real risks are.

And the 1-in-375,000 chance is not today's risk. Infant abduction rates have plummeted in recent years, mostly due to education programs at hospitals. So why are hospitals bothering with RFID bracelets? I think they're primarily to reassure the mothers. Many times during my friends' stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.

Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.

The RFID bracelets are what I've come to call security theater: security primarily designed to make you feel more secure. I've regularly maligned security theater as a waste, but it's not always, and not entirely, so.'

In Praise of Security Theater

I agree with his description. The tags, from a rational, measurable security point of view, are silly; everyone, if they think about it, can tell they're silly. But they reassure new parents about a non-rational but still present fear. And that means the tags probably are not silly.
