Feds At DefCon Alarmed After RFIDs Scanned
FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"
Re:What do you bet... (Score:2, Interesting)
Is it possible to remove the RFID device?
The Congressional mandate for RFIDs is similar to the stupidity that gave us a bunch of computer-controlled voting booths (which are easily hacked, or prone to errors). The politicians don't understand technology. To them it's just "magic" that will cure everything, therefore they mandate this stuff without putting any thought into it, basing their decision upon faith rather than reason. They don't realize this "magic" has serious flaws that make it less desirable than the old paper-based methods.
Re:What do you bet... (Score:5, Interesting)
Re:What do you bet... (Score:2, Interesting)
Silly Feds (Score:5, Interesting)
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
Re:What do you bet... (Score:4, Interesting)
My New York EDL came with a foil-lined protective sleeve.
I don't wear a tinfoil hat, but ... (Score:5, Interesting)
Re:duh? (Score:3, Interesting)
"pencil-pushing bureaucrats" do not belong in attendance at DefCon, period.
It is precisely these kinds of people (those who use, but completely lack the understanding of, the underlying technology) that cause the proliferation of malware, spam and other methodologies of subterfuge.
Send your best people to DefCon, and even they won't be good enough, but if you send pencil-pushing bureaucrats, you deserve to be scanned and have your personal information made public.
Hrmph!
The Federal Agents weren't Pwnd (Score:2, Interesting)
I know that some think this is some kind of critical failure, especially on slashdot. But it isn't.
1. Agents don't know or understand what's on the card(s). They probably fell into the same false belief the scanner operators have just because they don't know any better.
2. There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew! you got me there. There's a particularly obsessive set of slashdotters that watch too much television and come to believe something can be done with this information. The hurdles are so many the odds of winning the lottery are better than doing something useful with the unique ID.
3. If this were a crypto-capable chip and they got the secrets off the chip with a passive scan, they'd still have a unique ID. It would be a minor accomplishment, but no one cares.
Move along.
Re:What do you bet... (Score:4, Interesting)
I seem to recall that putting it in a microwave on the "defrost" setting for a minute or so had the same effect, without destroying the passport itself.
Think again. I tried this with a RFID'ed credit card just to see what would happen and the results were rather spectacular. The RFID chip was destroyed in under a second but generated a shower of sparks that melted a large portion of the credit card and rendered it completely unusable. Of course that was the point -- I'd made the credit card company send me a card without a chip in it -- but I'm guessing you don't want to try and use a scorched and carbonized passport.......
Finding this Slashdot article in your browser cache, and you being in possession of a disabled RFID passport might be enough probable cause to dig deeper and find more. And more.
It would take a bit more than a disabled RFID chip to get probable cause to search your computer. That said, I wouldn't try the hammer or the microwave with my passport. I'd be surprised if there isn't a law on the books about mutilating those types of documents. It's easy enough to keep the thing in a foil pouch until you need to use it -- and if I'm not traveling out of the country my passport lives in a safe deposit box anyway.
Re:bar-codes (Score:5, Interesting)
Re:What do you bet... (Score:3, Interesting)
The passport is still valid even if the RFID is disabled, right?
Re:The Federal Agents weren't Pwnd (Score:5, Interesting)
Paget announced during his DefCon talk that his security consulting company, H4rdw4re, will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips -- the kind embedded in employee access cards -- trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner's key, decrypt the data and open the car. He told Threat Level they're aiming to achieve a reading range of 12 to 18 inches with the kit.
Just wait until someone creates a small RFID reader and hooks it up to an iPhone in their pocket (a combo that would be virtually undetectable) and starts walking through the subway collecting info. We can already pick up the credit card owner's name, credit card number, expiration date, etc. right off of the RFID tags present in AMEX cards.
Re:What do you bet... (Score:3, Interesting)
Re:bar-codes (Score:3, Interesting)
Not everyone. A couple years ago I worked at a place that used barcoded cards as entrance badges. Swipe the card through the scanner and you're in. It looked like a mag stripe -- the barcode was printed black-on-black, with inks that reflected differently in the infrared. But it was just a 1-D barcode. And yes, it was trivial to use an ordinary flatbed scanner and crank up the contrast in Photoshop to view the barcode. Print it out on a laser printer and the copy would work just as well as the original.
Granted, this was at a place that made barcode printers, including badge printers, and it was a matter of eating our own dog food. But although we made the printers, the overall badge-scanning system was made by an outside vendor and we weren't their only customer. So obviously someone could be convinced it was a good idea.
And actually it's not much worse than an ordinary metal key. If you have physical access to an ordinary key you can photocopy it, and create a workable duplicate from the photocopy. It just takes equipment not normally found in every office and public library in the country.
Re:What do you bet... (Score:5, Interesting)
Re:The Federal Agents weren't Pwnd (Score:1, Interesting)
"The hurdles are so many the odds of winning the lottery are better than doing something useful with the unique ID."
You're missing the point. If a unique RFID can be cloned, then the most fundamental bit of information that it represents -- i.e. that it is unique -- has been defeated. The first step of that process is to find some valid RFIDs by reading them remotely. If you can't trust the uniqueness of the numbers, then you can't trust that number for anything important, which kind of defeats the point of using it in any security application. Stocktaking in a warehouse? Fine. That's an okay application, as long as you keep the limitations in mind. Passports or other types of personal identification that are meant to be secure? Bad idea. That is the essence of the problem: people *are* applying RFID to secure identification documents such as passports and drivers licenses. They shouldn't be.
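Added example, not part of the original comment or thread: a small Python model of the argument above, contrasting a reader that trusts a static identifier with one that requires a keyed response to a fresh challenge. The class names, function names and the sample UID are constructed for illustration and do not describe any real card or passport protocol.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Tag that answers every reader with the same identifier."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return self.uid  # the challenge is ignored

class KeyedTag:
    """Tag holding a secret key; answers HMAC-SHA256(key, challenge)."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class RecordedCopy:
    """Copy that knows only one previously observed response."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def static_reader_accepts(tag, enrolled_uid):
    # The identifier itself is the credential: anyone who has read it passes.
    return hmac.compare_digest(tag.respond(b""), enrolled_uid)

def keyed_reader_accepts(tag, enrolled_key):
    # A fresh random challenge makes an old response useless.
    challenge = secrets.token_bytes(16)
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)

def demo():
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    key = secrets.token_bytes(32)          # constructed per-tag secret
    static_tag, keyed_tag = StaticTag(uid), KeyedTag(key)
    # One exchange as seen by a third-party reader.
    seen_static = static_tag.respond(secrets.token_bytes(16))
    seen_keyed = keyed_tag.respond(secrets.token_bytes(16))
    return {
        "static_genuine": static_reader_accepts(static_tag, uid),
        "static_copy": static_reader_accepts(RecordedCopy(seen_static), uid),
        "keyed_genuine": keyed_reader_accepts(keyed_tag, key),
        "keyed_copy": keyed_reader_accepts(RecordedCopy(seen_keyed), key),
    }
```

With a static identifier the reader cannot tell the genuine tag from the copy; with the keyed exchange only the holder of the key answers a new challenge correctly.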
Re:What do you bet... (Score:3, Interesting)
do you think criminals CARE if they are breaking the law?
Depends on the criminal. Statistics that I found with a quick Google indicate that 50-55% of violent crimes in the USA are crimes of passion (i.e. not premeditated or planned). That means that they are perpetrated by people who are not what you would typically call criminals until they actually commit the act. These people are, for most of their lives, law-abiding citizens and are unlikely to carry an illegal weapon.
Re:Missing the point. (Score:2, Interesting)
You can buy these systems now. I did the 3d tracking interface for this. Low cost phased array antenna with a really long read range. http://www.rfctrls.com/ [rfctrls.com] If they had this at the conference they could have done realtime 3d tracking of everybody there and had the cameras follow people.
Re:What do you bet... (Score:3, Interesting)
but I know that you carry a gun, that may dissuade me from assaulting you. I'm not going to say with 100% certainty that it will - that would be hyperbole. I will, however, assert that it would change a lot of people's minds.
If the knowledge that I have the gun doesn't dissuade you then the 230 grain .45 caliber slugs entering your body at 800 feet per second probably will.
"God created man, Sam Colt made them equal." A friend of mine was nearly raped several years ago. The attempted rapist had more than 12 inches and 150 pounds on her. She stood absolutely no chance at overpowering him or successfully running away. So why was it an attempted rape and not an actual rape? She had a .38 special with her.
Re:What do you bet... (Score:2, Interesting)
No brainer (Score:4, Interesting)