WarCloning, the New WarDriving? 154
ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."
Re:RFID on identification scares me (Score:3, Interesting)
I always thought they should do more. I'm not particularly scared of it, but I always thought that since there's a massive amount of information available on you anyway, why not implement this in a useful way?
Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.
Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.
Enlist in the military, they'd need things for that, including competencies, education, etc.
Insurance companies, well, unfortunately would have limited medical access.
The uses for a big pool of info, with limited access, would be massive. The best thing is that it wouldn't be available online -- it would be available on a data crystal or some other media capable of storing massive amounts of information. You could even have a retina scan or a galvanic skin sensor to make sure the right person has the medium, rather than a crook who ran off with your wallet or an identity thief. RFID doesn't scare me. I think it could be a step in the right direction. As a man who's tired of answering questions and filling out forms, I think this could be a boon, not a bane.
Good for crime fighting, scary for potential abuse (Score:5, Interesting)
Protection (Score:5, Interesting)
Re:Why? (Score:5, Interesting)
Yeah, but I bet it's easier to make a RFID protected wallet [instructables.com] than extracting it from your skull.
Re:My hat ain't enough (Score:5, Interesting)
Interestingly enough, when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...
Re:RFID on identification scares me (Score:2, Interesting)
No kidding.
Any form of transmittable broadcast information can be cloned and hacked, so like you, don't trust them. I have an FasTrak on my car but it is stored in a metal case to prevent it from being cloned or tracked for no good reason.
All companies that sell RFID and government agencies claim that their "technology" is safe, unhackable and unclonable but they haven't allow the real world (at least the hackers world) to have at it and truly prove they are safe, unhackable and unclonable. However, over time any encryption technology can be cracked with better and faster computers so any RFID can be cracked.
tracking abuse.. (Score:2, Interesting)
Re:RFID Gathering (Score:1, Interesting)
Stand in a airport with a suitcase.
What is wied about that?
Well in that you can have an antenna and battary, and computer.
And you know that there will be a lot of passports around you.
And what else that are using RFID.
Now get a group of your frinds to getter.
And now you are are standing along the path that normal persons will use.
When you all log a lot of data.
When you get home you will look at what ID you that poped up togetter at all of your.
And that way you can see what set of RFID that is belonging to the same person.
Re:RFID on identification scares me (Score:3, Interesting)
As usual XKCD has an answer to your "security" and it just came out today too. http://xkcd.com/538/ [xkcd.com]
Re:Why? (Score:3, Interesting)
Not in every state of the US.
Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has. Connecticut's licenses in particular have layers of holographs and foil that overlap each other. A printer that can print on plastic combined with a laminator simply wouldn't produce anything even remotely close to the real thing. Anyone familiar with a Connecticut license - even an extremely drunk frat boy - would be able to spot the fake instantly.
Now lets talk passports. I don't think I have to get into this too much , but US passports are incredibly difficult to copy or reproduce. The majority of the time (from what I am told), passports are stolen and modified, not forged from scratch.
For your average scammer, acquiring the equipment to produce either is both expensive and extremely difficult. I'd guess that the companies who develop the machines that are capable of producing licenses or passports probably sign a contract with the state or federal government stating that they won't sell the equipment to unauthorized persons; so your only real alternative is to either get it through the black market or a contact at the company.
Now here is the problem illustrated by this experiment:
Chris Paget only spent 250 dollars on creating a device that can steal RFID's while moving. One of the primary motivating factors leading to the inclusion of the RFID in identification documents was the desire to obtain information about travellers without having to ask them to take their license or passport out of their pocket. Here is the important part: A passport or license that has to be taken out of the pocket is one that will be subject to visual scrutiny. A stolen RFID is not subject to visual scrutiny.
If this is true and reproducible, not only do RFID's present a security risk for their bearers, because I don't even have to see your license to copy its relevant information, but RFID's are not effective in achieving their original goal. If you cannot rely on the information given by RFID's , because someone could 'steal' one with only $250 of equipment, then you have to check each and every travelers' passport or license, then why do you have an RFID system in the first place?
Airport Demonstrations (Score:5, Interesting)
I thought about this when I first heard the news about RFIDs being included in passports -- and money. Now that there is a practical implementation, it is time for a bunch of privacy advocates to get a marquee style display and go to an international airport. They could stand outside of the arrivals customs area and scan and display people's personal information in order to demonstrate how completely these tags violate the passengers' Fourth Amendment rights.
The sign might look something like this:
That should get people's attention. And it should be quite entertaining until the airport authorities figure it out. When they do, it would also be nice to point out that Freedom of Assembly is also an inalienable right!