WarCloning, the New WarDriving?

ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."

RFID on identification scares me

[sempiterna (1463657)]

I'm very much afraid of government implementing rfid on a widespread level. I have to admit that if I was government, I'd probably push to do the same thing.

Having Big Brother being able to know who I am by walking into a door of the court house, or if a police officer pulls you over and 'scans your arm', really scares me.

The potential for abuse is tremendous.

Why?

[EmbeddedJanitor (597831)]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

The potential for abuse is already there and has been for a long time.

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Re:Why?

[faloi (738831)]

With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Yeah, you also apparently need a couple of hundred bucks worth of stuff. And the added "advantage" to RFID is that most people will probably actually believe it's secure and take the scan at face value, making it easier than ever to pass off fake ID most places.

Re:

[NonUniqueNickname (1459477)]

your car has license plates on it which can be scanned from far further than RFID

Very few people carry their car's license plates in their wallet or purses. For most of us, having RFID on our driver's license is akin to having RFID implanted in our skull.

Re:Why?

[icebraining (1313345)]

Yeah, but I bet it's easier to make a RFID protected wallet [instructables.com] than extracting it from your skull.

Tin Foil Hat!!

[corsec67 (627446)]

I think that is a VERY legitimate use of a tinfoil hat... /Couldn't resist.

Re:

[physicsphairy (720718)]

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand, which is a lot more than this guy is paying to copy RFID. And this way gives minimum exposure vs. needing to have physical access to something to copy it.

But, you know, there is not much defense against someone who waits to mug you in a lonely alleyway either. Maybe instead of focusing on preventing these sort of thin

Re:Why?

[commodore64_love (1445365)]

>>>Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Perhaps in other countries, but not the U.S. The Supreme Court decided (v. Prouse) that a discretionary, suspicionless stop for a spot check of a motorist's driver's license and vehicle registration was invalid. The officer's conduct in that case was unconstitutional primarily on account of his exercise of "standardless and unconstrained discretion." A generalized roadblock that stopped all drivers would be allowed, but only in cases of border security or sobriety checks, not other tasks such as narcotics search.

Re:

[by Anonymous Coward]

The U.S. you refer to has ceased to exist: http://epic.org/privacy/hiibel/ [epic.org]. The officer still has to have "suspicion" but who isn't suspicious to a cop?

Re:Why?

[RiotingPacifist (1228016)]

I suspect your laws are similar to what we have in the UK, in theory to pull you over / search you they need reasonable suspicion, in practice they can just make shit up.

Re:

[davester666 (731373)]

Using RFID isn't that big a leap for the police, as they already have access to all the information that it transmits, only with RFID, they may be able to retrieve the information without having to ask you (if you keep your DL,passport,whatever unshielded).

Using RFID IS a big leap for everybody else. Suddenly, anybody who has the inclination can find out your name, address, SIN, your digitized picture and fingerprints. Without your knowledge or permission.

With license plates, they do uniquely identify you

Re:Why?

[_Sprocket_ (42527)]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

Asking to see the license still requires asking. It also requires driving for one to be (legally) provided. RFID allows for scanning a crowd and (potentially) getting a crowd of identities in less than a second.

OCR on license plates are very doable if you control the conditions. Make sure the vehicle is going the desired location and mount the camera in the perfect position. Back that up with occasional human to try and work out those cases where OCR fails. With RFID you put up antennas in a few strategic locations and you cover blocks of traffic without worrying about angles, lighting, and other bothersome conditions.

The potential for abuse is already there. RFID makes it more efficient.

Re:

[mckinnsb (984522)]

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Not in every state of the US.

Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has. Connecticut's licenses in particular have layers of holographs and foil that overlap each other. A printer that can print on plastic combin

Re:

[mckinnsb (984522)]

Fair question, a la the recent XKCD-put motif of "A human target is almost always weaker than the tech". Although I don't think you are looking for an answer, I'll bite, mostly because I'm bored and sick. It depends on your DMV, and your DMV worker.

First, all DMV's I've been to (NY/CT/MA) have CCTV cameras all over the place - so convincing a DMV employee to create a fake ID during work time is probably somewhat difficult. I would not be surprised if the machines used to produce licenses were set to shut

Re:

[steelcaress (1389111)]

I always thought they should do more. I'm not particularly scared of it, but I always thought that since there's a massive amount of information available on you anyway, why not implement this in a useful way?

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic

Re:RFID on identification scares me

[ushering05401 (1086795)]

Who knows what your prospective employer etc would see in your file?

Who knows if it would be true?

Oh wait.. there could be some sort of efficient appeals process to get improper notations removed from your file just as easy as fixing your credit history after getting ID jacked...

Boy, my grade school teachers didn't know how right they were when they threatened me with screwing up my 'permanent record.'

Re:

[Jurily (900488)]

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.

Enlist in the military, they'd need things for that, including competencies, education, etc.

Likely this would result in employers having your medical record, the military having your CV, and hospitals your supervisor comments.

Where would you store all that data? Who would authorize accesses? Why not just give them a CD containing the needed info?

Also, the paperwork has one important aspect not covered by computers: the paper trail. Logs can be tampered with, a piece of paper signed by your doctor/employer/whatever in your safe can not.

In the land of CYA it can be important.

Re:RFID on identification scares me

[commodore64_love (1445365)]

Go to a concentration camp; they could have a name, phone numbers, next of kin, final will and testament, etc already on file. No more wasted paper or wasted time filling out the same info on different forms. Just send them straight to the "showers" for processing.

Go to a job interview; they could have a genetic workup, list of potential diseases, previous health expenditures, current debt accumulation, etc already on file. No more hiring of people who are sickly & likely to aste company resources, or are deep in debt and potential thieves. They can be weeded out immediately.

Point:

Having information so easily available is dangerous. It's loss of power by the citizen & a gaining of power by the politicians and the corporations.

Don't be scared

[by Anonymous Coward]

We're safe. Cloning RFIDs is illegal.

Re:

[Neanderthal Ninny (1153369)]

No kidding.
Any form of transmittable broadcast information can be cloned and hacked, so like you, don't trust them. I have an FasTrak on my car but it is stored in a metal case to prevent it from being cloned or tracked for no good reason.
All companies that sell RFID and government agencies claim that their "technology" is safe, unhackable and unclonable but they haven't allow the real world (at least the hackers world) to have at it and truly prove they are safe, unhackable and unclonable. However, over ti

Re:

[LingNoi (1066278)]

As usual XKCD has an answer to your "security" and it just came out today too. http://xkcd.com/538/ [xkcd.com]

... neat stuff, and a teensy bit scary ...

[ninjagin (631183)]

Saw a video linked at gizmodo. Neat stuff, Chris, if a bit scary.

My hat ain't enough

[sls1j (580823)]

Looks like I'll be getting a matching tin foil wallet to go with the hat.

Re:My hat ain't enough

[Gojira Shipi-Taro (465802)]

Interestingly enough, when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...

Re:

[complexmath (449417)]

I got a new Passport Card and plain old Passport at the same time, and the card had a sleeve while the Passport did not. I wondered whether the jacket of the Passport was lined and could only be scanned when open, but haven't bothered to investigate.

Re:

[kaatochacha (651922)]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

Re:My hat ain't enough

[Jherek Carnelian (831679)]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

It is true and it is not. Building a faraday cage into the cover was one of the "concessions" they made in response to all the complaints about privacy issues. But... it only really works if the covers are tightly pressed together. Leaving it open a quarter inch or so may be enough to prevent official readers from picking up the RFID, but not enough to protect against someone with a reader with more juice - like anyone who is up to no good will certainly have.

WarCloning?

[spyder913 (448266)]

WarDriving = Driving around finding open APs.
"WarCloning" = Driving around cloning RFID stuff.

Shouldn't it be "CloneDriving" or something else? Though I suppose all of them are equally dumb. So nevermind...

Re:

[spacerog (692065)]

No. I know your being funny, or at least modded that way, but the correct prefix is 'war' as in WarDialing, as in War Games (the movie), which is were the term comes from. "WarCloning" is a perfectly acceptable term.

- SR

Re:

[Ron_Fitzgerald (1101005)]

"...what do freedom fighters fight?"

~ The late, great George Carlin

Good for crime fighting, scary for potential abuse

[hwyhobo (1420503)]

Take a lesson from London video cameras and spread the RFID readers at each intersection, and now you can track everyone in the city remotely.

Re:

[internerdj (1319281)]

Ooops...
http://www.thinkgeek.com/gadgets/security/8cdd/ [thinkgeek.com]

Re:

[hwyhobo (1420503)]

In a brave new world of the future those will probably be outlawed...

Re:

[internerdj (1319281)]

As scary to the government as it could be, wire mesh will never be outlawed where I live...http://en.wikipedia.org/wiki/Chicken_wire [wikipedia.org]

Re:

[icebraining (1313345)]

What, will they outlaw aluminum sheets? Those bastards!

There are plenty of threats to our freedom right now, no need to be paranoid about the "scary new technologies".

Protection

[riceboy50 (631755)]

The first thing I did after receiving my RFID-embedded passport was to pick up one of these [travelonbags.com].

Re:Protection

[chill (34294)]

Really? The first thing I did was pick up one of these [about.com], which I already had on hand at the house. Mine is *guaranteed* effective. :-)

Re:

[pluther (647209)]

The first thing I did was to put it in the microwave.

We are still supposed to do that to all our mail, right? To protect against anthrax? (Are we still living in fear of that? It's hard to keep up sometimes.)

Surely Homeland Security can't be upset at us for doing what they told us to do!

Re:

[chill (34294)]

Just out of curiosity, have you tested the effectiveness of that shielding wallet? If so, how?

Re:

[chill (34294)]

I do believe the magnetron in the microwave is a tad more energetic than your average RFID reader. Well, I hope it is anyway. If not, we're going to have some seriously upset -- and sterile -- border control agents.

Thanks for the input, though.

Where are the FUNCTIONAL RF-blocking covers?

[dltaylor (7510)]

I would like to get both passport and driver's license covers.

A google has so much noise that I cannot find the signal.

Any links to to something other than mumetal by the sheet?

Re:Where are the FUNCTIONAL RF-blocking covers?

[by Anonymous Coward]

For your driver's license, just use what I have for many years: an "Altoids" tin (or similar item). Perfectly sized for drivers licenses, credit cards, and other such things, and completely impervious to RF scanning technologies. I use one for my "wallet".

For a passport, well, they *did* have those jumbo tins a while back... ;)

Re:

[PayPaI (733999)]

I've got one of these [idstronghold.com] for a passport, and it looks like they have card size sleeves as well.

Good

[El_Muerte_TDS (592157)]

I hope they do a lot of damage so that they scare enough people so that they finally start protesting against those terrible plans.

tracking abuse..

[Adult film producer (866485)]

Are rfid tags available for the consumer right now? As another person pointed out the city of london is creating a grid of tracking stations so anybody can be located and followed remotely.. but if these tags can be cloned then why not buy up a million or two rfid tags, program the buggers and distribute them throughout big cities (inside car bumpers? tractor trailers? covertly inject them in food if their small enough..) This should really cause headaches for the people tracking..

RFID Gathering

[CaptCovert (868609)]

What worries me about all of this is not that the RFIDs can be picked up while driving around. A little consumer education (you are supposed to worry about who you give your SSN to, and you don't just leave your other PII laying around in plain sight usually) in the form of RF-blocking wallet linings will fix that. What I'm worried about is what happens in 5 years, when advances in RF technology (it is the new form of governmental ID, after all. Technology WILL follow suit) allow for hardware that I can hide on my person (antenna down the back of a coat lining, wired to a recorder in my pocket, or hell, dropped in the lining somewhere). At that point, all it takes is one man sitting in a train station or airport. You pull your ID out for scanning, and I harvest it. You may as well walk around with your SSN printed on your shirt.

I saw the video and it is inaccurate at best

[anand78 (832850)]

The XR400 used in the drive through was a UHF reader. Reading a UHF tag is not as easy as the author described. All you have to do is put it against your body, and the salt water attenuates the signal, thus making the tag unreadable. Making such broad statements as scrap the whole real ID or national id, will be valid, if the author showed some substance.

exaggerated description

[SethJohnson (112166)]

This fellow doesn't demonstrate cloning anything. He's just reading RFID codes in the video.

Seth

I have an even better solution

[Miseph (979059)]

We should make RFID highly controlled instead. Once we make RFID ownership illegal then only criminals will have RFID, and they'll be a whole lot easier to find.

Hey, it works for guns, right?

Airport Demonstrations

[LuYu (519260)]

I thought about this when I first heard the news about RFIDs being included in passports -- and money. Now that there is a practical implementation, it is time for a bunch of privacy advocates to get a marquee style display and go to an international airport. They could stand outside of the arrivals customs area and scan and display people's personal information in order to demonstrate how completely these tags violate the passengers' Fourth Amendment rights.

The sign might look something like this:

Hello John Doe!
Your passport number is #########
Your SSN is ####-##-###
You are carrying two MasterCards, one Visa card, and one Diner's Club card.
You are carrying seven 100 dollar bills and ten 20 dollar bills. Say hello to Ben and Andy for us!
This information has all been made publicly available courtesy of Uncle Sam and your banks.
If you are offended by this sign, please contact your Congressmen as soon as possible.
If you would like further information, ask one of our friendly volunteers for an explanatory pamphlet!!

Have a Nice Day!

That should get people's attention. And it should be quite entertaining until the airport authorities figure it out. When they do, it would also be nice to point out that Freedom of Assembly is also an inalienable right!