[Dave Birch] I ran a workshop on mobile proximity security day, and one of the things we touched on in the group is the EU’s publication of their recommendations on the “identity of stuff” last week. They’ve published a 14-point action plan.

The European Commission has announced plans for Europe to play a leading part in developing and managing interconnected networks formed from everyday objects with radio frequency identity (RFID) tags embedded in them – the so-called “internet of things”.

[From EU lays out plans for the “internet of things” – V3.co.uk – formerly vnunet.com]

These are real issues, and although I’m not making any comment on the value or otherwise of the specific recommendations, there’s no doubt that the subject deserves more attention. There’s an “identity of things” problem that came up (again) in a meeting I was in last week that I think is worth sharing. It comes from the world of NFC, where the problem revolves around contactless stickers, tags, posters and that kind of thing. It’s the same problem that we looked at before, and it’s worth reviewing because there’s been no industry progress toward a solution.

A little background. The NFC Forum have announced their “N mark” which is a standard symbol to be applied to adverts, magazines, posters and such like. The idea is to show consumers (none of whom have ever even heard of NFC, let alone seen an NFC phone) where they can “tap” their phones to get some kind of service.

The NFC Forum has developed the “N-Mark” trademark so that consumers can easily identify where their NFC-enabled devices can be used. It is a stylized “N” and indicates the spot where an NFC-enabled device can read an NFC tag to establish the connection.

[From NFC Forum : N-Mark]

If you haven’t seen it, it looks like this. A simple ecosystem in the offing: you put the N-mark on things, consumers come along and touch them with other things.

So what’s the problem? Well, how does the customer (and the customer’s phone) know that the tag is “real”? How can I be sure that the “get your bus timetable” tag doesn’t link a porn site? When I touch my phone to the poster to find out more about The Glastonbury Festival (this is hypothetical: I stopped going in 1983 on the grounds that it was getting to big and too commercial) how do I know that I will be connected to the Glastonbury Festival ticket line (or whatever) and not a premium-rate call to Nigerian scammers who will play me “please hold, your call is important to us” followed by snatches of Vivaldi until Vodafone cut you off when your bill passes $10,000? It would be nice to have some kind of setting in the NFC preferences to say something like “ignore all tags except for the phones with a digital signature, signed by a key that resolves through a certificate chain to a root known to my mobile phone operator”. But I see at least two problems with this:

  1. Consumers, and more importantly, mobile phone company marketing types, don’t have the slightest idea what this means and there is no possibility of explaining it to them, and
  2. Even if it was turned on, most consumers confronted by a dialogue box on their mobile phone saying something like “warning, this tag is unrecognised and could lead to you being ripped off big time or embarrassed in public” would just hit “OK”. We know this, but that’s what they do on the web.

The NFC specifications don’t include a security layer. It’s not good enough for them to say that service providers should implement their own security layers, because we need something interoperable: a digital identity infrastructure, if you will. Therefore, it seems to me, we need the industry to assemble a group that combines technologists, security specialists, psychologists and UI designers to come up with a way of dealing with it in an intelligent way. There’s a great business somewhere here.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
Verified by MonsterInsights