
Feds At DefCon Alarmed After RFIDs Scanned

Posted by CmdrTaco
from the oh-sure-now-you're-alarmed dept.
FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"

  • What do you bet... (Score:5, Insightful)

    by thisnamestoolong (1584383) on Thursday August 06, 2009 @09:44AM (#28971251)
    ...the Feds try to ban the tech to read the RFIDs instead of urging credit card manufacturers/the state department to back off on putting RFID chips into everything?
    • by commodore64_love (1445365) on Thursday August 06, 2009 @09:53AM (#28971369) Journal

      It's easier to outlaw gadgets than to admit you're wrong.

      That's why, thanks to recent laws, only criminals carry guns. Pretty soon only criminals will have webcameras or RFID sniffers.

    • by Kartoffel (30238)

      If they ban RFID readers, only criminals will read RFID's. Sort of makes the legal use of RFID's a little awkward, ya think?

    • by multisync (218450) on Thursday August 06, 2009 @10:01AM (#28971479) Journal

      I found this part really interesting:

      It's not known if any Feds were caught by the reader. The group that set it up never looked closely at the captured data before it was destroyed. Priest told Threat Level that one person caught by the camera resembled a Fed he knew, but he couldn't positively identify him.

      "But it was enough for me to be concerned," he said. "There were people here who were not supposed to be identified for what they were doing ... I was [concerned] that people who didn't want to be photographed were photographed."

      Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected.

      Nice to see that - after they made their point - the organizers and attendees at "one of the most hostile hacker environments in the country" did the right thing and destroyed the data. I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.

      • by siloko (1133863) on Thursday August 06, 2009 @10:12AM (#28971629)

        I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.

        Ha ha very good! The sad thing is they would keep the data while telling the media they didn't, then justify keeping it when their lies are exposed, then mock outrage when it gets stolen, then bungled legislation when the peasants revolt. It's written in my tea leaves - which at least will be destroyed on MY say so!

  • duh? (Score:5, Informative)

    by Kartoffel (30238) on Thursday August 06, 2009 @09:44AM (#28971257)

    Why would they be surprised? This has been common knowledge for years.

    If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.

    • This is completely beyond my comprehension that the Feds are surprised by this. I just assumed that they were doing this on purpose to achieve some grander goal. It's either that, or they are retarded. In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"
      • Re:duh? (Score:4, Insightful)

        by ShieldW0lf (601553) on Thursday August 06, 2009 @10:01AM (#28971487) Journal
        This is completely beyond my comprehension that the Feds are surprised by this. I just assumed that they were doing this on purpose to achieve some grander goal. It's either that, or they are retarded. In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"

        They're faithfully participating in a system which is intentionally insane. It's not that hard to understand...
        • Re: (Score:3, Funny)

          by JosKarith (757063)

          They're faithfully participating in a system which is institutionally insane

          There, fixed that for ya.

      • by jmauro (32523)

        Usually it's on purpose, but not for nefarious reasons. More likely it's because some RFID contractor\vendor got to the government person in the upper levels of charge and convinced them they need this feature in their IDs whether it's a good idea or not (it does help the previous vendor\contractor's bottom line which is all that matters really). It then gets implemented regardless of any security concerns.

  • RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes.

    It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.

    • Re:bar-codes (Score:5, Insightful)

      by ari_j (90255) on Thursday August 06, 2009 @09:47AM (#28971299)
      People can't surreptitiously read personal identifying information from a bar code that's in your pocket.
      • Re:bar-codes (Score:5, Insightful)

        by Kartoffel (30238) on Thursday August 06, 2009 @09:55AM (#28971391)

        Right, but they sure can read whatever your RFID has to say. The problem is twofold:

        1) Ignorant implementers put sensitive data on RFID's in plaintext.
        2) Users are unaware of what data is actually *in* their RFID items.

        RFID tags are dumb, low powered, even passive devices. If you can't afford active RFID's with public key encryption, don't put sensitive data on the damn things!

    • Re:bar-codes (Score:5, Insightful)

      by multisync (218450) on Thursday August 06, 2009 @09:49AM (#28971325) Journal

      It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.

      There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.

      • by Atzanteol (99067)
        There's a bar code on my license. And are you telling me you don't have a magnetic strip on your credit card (that's similar to a bar code)?
      • by eht (8912)

        Just as a note, New York has bar codes on their driver licenses.
        http://www.instructables.com/id/Decode-Your-License/ [instructables.com]

        You're still quite correct in that they can't be read in your wallet, but that's what RFID blocking wallets are for anyway.

        • Which is great until you take the card or passport out of the RFID blocking wallet. Then a RFID reader nearby can pick up the information from a distance away. On the other hand, I think I'd notice someone leaning in real close to me with a barcode scanner trying to read my card.

      • Are you kidding? There already are bar-codes on things like driver's licenses. And they can be photographed and decoded by the person sitting next to you at the bar. Where is the outrage? "very dangerous" indeed.

        • Re: (Score:3, Insightful)

          by Teun (17872)
          It's worse, virtually any type of ID has this other code on the outside, it's purposely done in a contrasting colour so it's easy to copy and photograph and is called Alphabet.

          That's scary!

        • Re:bar-codes (Score:5, Interesting)

          by TooMuchToDo (882796) on Thursday August 06, 2009 @10:48AM (#28972143)
          What worries me is the black hat demo where their RFID detector detected US passports within range of a garbage can and detonated an explosive in said garbage can. No barcode/magstrip can be read remotely to determine your country of origin and action taken based on that.
      • by Kartoffel (30238)

        Your credit card has a magnetic "bar code". I don't know where your driver's license is from, but many licenses come with both magnetic strips *and* a 1-D or 2-D bar code. I can take a cell phone picture of my license's 2-D code and within seconds, pull out my full name, date of birth, endorsements/restrictions, address and license number.

        Don't be afraid of the technology - just be afraid of leaking sensitive information.

    • "RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes."

      Doesn't this suggest that RFID is a much less secure tech? A barcode or magnetic strip is safe in your wallet in your back pocket, RFID is not. That is like saying that because your windows can still be broken, it is not a security risk to leave your front door open when you leave the house.

    • Except the problem is that RFID is being used in a manner that barcodes are not being used. Everyone knows it is utterly stupid to rely on a barcode as an access code for a company, build, or secured facility. Too bad they did not make the same jump in conclusion with RFID. And because they can store more information in RFID, it is being used to hold personal identification data, not just a number (which is what barcodes encode).
      • I'll grant you that. But this is not a problem with RFID. It's a problem with some misapplications of it. RFID itself is a fantastic technology.

      • Re: (Score:3, Interesting)

        by Chelloveck (14643)

        Everyone knows it is utterly stupid to rely on a barcode as an access code for a company, build, or secured facility.

        Not everyone. A couple years ago I worked at a place that used barcoded cards as entrance badges. Swipe the card through the scanner and you're in. It looked like a mag stripe -- the barcode was printed black-on-black, with inks that reflected differently in the infrared. But it was just a 1-D barcode. And yes, it was trivial to use an ordinary flatbed scanner and crank up the contrast in Ph

        • Re: (Score:3, Insightful)

          by Fallen Kell (165468)
          Yes you can take a photocopy of the key and make a duplicate, but not without raising suspicions from the guys making the duplicate keys (possibly with a phone call to local or state police) or you have to have the equipment yourself and it isn't cheap. With the barcode, you just have to go to the nearest copy machine, and poof, you are in. RFIDs are not quite as easy as the barcode in that sense, but it doesn't cost more than a couple Benjamins to do it.

          Again, RFID is a great technology for inventory, NOT
    • by krou (1027572)

      "RFID is a slightly-longer-range bar-code that doesn't require line-of-sight."

      RFID is not just like another barcode, because it uniquely identifies an individual product (or person). The numbering scheme for RFID is estimated to be able to uniquely number every product and person on the planet for the next several hundred years.

      Also, talking about it being "remotely readable" obscures the fact that you don't require line of sight to read an RFID chip, as it can be read through clothes, or bags. Combine t

  • wait a minute (Score:3, Informative)

    by DragonTHC (208439) <Dragon.gamerslastwill@com> on Thursday August 06, 2009 @09:47AM (#28971291) Homepage Journal

    They're attending a security convention with id cards that can be read from their pockets.

    It's a good thing they didn't have rfid credit cards.

    If it can be done, it will be done.

  • Cops (Score:3, Insightful)

    by Jaysyn (203771) <jaysyn+slashdot@gm a i l . c om> on Thursday August 06, 2009 @09:47AM (#28971303) Homepage Journal

    So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.

  • Surprising? (Score:2, Insightful)

    by Noam.of.Doom (934040)
    How could they be surprised by this? Were they not aware of the demographic group that attends Defcon? They probably just forgot to wear their tin-foil hats
  • So, do we have picture of the federal agents that were there? Is this not supposed to be a criminal offense? And who is (legally) to blame on this one? Poor procedures? Decision to use RFID in a situation where it should not be used? Are they going to say that this is entirely hackers' fault?
  • by sifi (170630) on Thursday August 06, 2009 @09:51AM (#28971353)

    Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...

    erm... not quite what the Wired Article says:

    But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned

    Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...

  • by doug141 (863552) on Thursday August 06, 2009 @09:56AM (#28971403)

    "Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."

    • Re: (Score:2, Funny)

      by Anonymous Coward
      The Feds are later seen picking up the pieces of the smashed SD card for 'forensic analysis'.
  • by Anonymous Coward on Thursday August 06, 2009 @10:06AM (#28971543)

    ...they have nothing to fear. Let's see how they like that argument used against _them_!

  • Silly Feds (Score:5, Interesting)

    by Andy Dodd (701) <atd7&cornell,edu> on Thursday August 06, 2009 @10:07AM (#28971565) Homepage

    They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.

    I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.

    That's right - the government is providing tinfoil hats for your RFIDs already.

    • Re:Silly Feds (Score:4, Insightful)

      by aynoknman (1071612) on Thursday August 06, 2009 @10:32AM (#28971907)

      I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.

      That's right - the government is providing tinfoil hats for your RFIDs already.

      As asinine as possible. The advantage of RFID is convenience. Let's use it and then make it less convenient to use.

      General lesson: Convenient or secure. That's an XOR.

  • Missing the point. (Score:5, Insightful)

    by BlueKitties (1541613) <bluekitties616@gmail.com> on Thursday August 06, 2009 @10:09AM (#28971583)
    I was charged with writing POS software where I work. After looking into using scanners, I came across RFID. As it turns out, instead of needing to scan your crap, you can just have a magic wand magically take inventory for you. In fact, after looking into it, I realized I could rig sensors in our storage room to automatically re-take inventory periodically.

    I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.

    I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool').
    • by TooMuchToDo (882796) on Thursday August 06, 2009 @10:50AM (#28972187)
      RFID tracking inventory/rail cars/etc. = OK
      RFID tracking people = NOT OK
    • by Evil Shabazz (937088) on Thursday August 06, 2009 @11:18AM (#28972669)
      I love acronyms. :) My mind read your first sentence as, "I was charged with writing [Piece of Shit] software where I work." "Point of Sale" is only a secondary parsing of that acronym for my language framework. ;)
  • by Charles Dodgeson (248492) <jeffrey@goldmark.org> on Thursday August 06, 2009 @10:13AM (#28971649) Homepage Journal
    ... my passport certainly does. I got mine at ThinkGeek [thinkgeek.com].
  • by geekmux (1040042) on Thursday August 06, 2009 @11:49AM (#28973323)

    Um, hello? They were selling nice (and very effective) RFID blocking wallets and passport holders there for $20. If you're flying Feds halfway across the country to attend DEFCON, I'm pretty sure you can afford 20 fucking dollars to give yourself some peace of mind.

    Of course, some idiot in Gov will propose a 3 billion dollar project called Protect-A-Fed that will invest thousands of man-hours to devise such a device that could prevent RFID tags from being captured...and 4-billion dollars later you'll have a "new and improved" Government-issue $20 RFID wallet.
