WarCloning, the New WarDriving? 154
ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."
RFID on identification scares me (Score:5, Insightful)
Having Big Brother being able to know who I am by walking into a door of the court house, or if a police officer pulls you over and 'scans your arm', really scares me.
The potential for abuse is tremendous.
Why? (Score:4, Insightful)
And while you're driving around your car has license plates on it which can be scanned from far further than RFID.
The potential for abuse is already there and has been for a long time.
One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.
Re:Why? (Score:5, Insightful)
Yeah, you also apparently need a couple of hundred bucks worth of stuff. And the added "advantage" to RFID is that most people will probably actually believe it's secure and take the scan at face value, making it easier than ever to pass off fake ID most places.
Re: (Score:3, Insightful)
your car has license plates on it which can be scanned from far further than RFID
Very few people carry their car's license plates in their wallet or purses. For most of us, having RFID on our driver's license is akin to having RFID implanted in our skull.
Re:Why? (Score:5, Interesting)
Yeah, but I bet it's easier to make a RFID protected wallet [instructables.com] than extracting it from your skull.
Tin Foil Hat!! (Score:4, Funny)
I think that is a VERY legitimate use of a tinfoil hat... /Couldn't resist.
Re: (Score:2)
Or a balaclava and goggles.
Re: (Score:2)
One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.
I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand, which is a lot more than this guy is paying to copy RFID. And this way gives minimum exposure vs. needing to have physical access to something to copy it.
But, you know, there is not much defense against someone who waits to mug you in a lonely alleyway either. Maybe instead of focusing on preventing these sort of thin
Re: (Score:2, Informative)
I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand
Just for the sake of argument, I think a consumer CD printer (e.g. Epson R240) can be modified to print onto a piece of rectangle. With the careful use of glossy ink, the end result may fool casual glances.
The only problem, of course, is getting a stack of blank cards that are inkjet printable and looks professional.
Re:Why? (Score:5, Informative)
>>>Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.
Perhaps in other countries, but not the U.S. The Supreme Court decided (v. Prouse) that a discretionary, suspicionless stop for a spot check of a motorist's driver's license and vehicle registration was invalid. The officer's conduct in that case was unconstitutional primarily on account of his exercise of "standardless and unconstrained discretion." A generalized roadblock that stopped all drivers would be allowed, but only in cases of border security or sobriety checks, not other tasks such as narcotics search.
Re: (Score:3, Informative)
The U.S. you refer to has ceased to exist: http://epic.org/privacy/hiibel/ [epic.org]. The officer still has to have "suspicion" but who isn't suspicious to a cop?
Re:Why? (Score:4, Informative)
I suspect your laws are similar to what we have in the UK, in theory to pull you over / search you they need reasonable suspicion, in practice they can just make shit up.
Re: (Score:2)
Re: (Score:2)
Actually, in the UK the police can stop any driver with *no* reason. They don't need reasonable suspicion of anything.
On the plus side, you don't need to carry your licence with you.
Re: (Score:2)
They don't need much in the way of suspicion. Did you really believe seat-belt and cell phone/driving laws were about saving lives?
So once they pull you over, if you don't show your id, you'll be hit with something along the lines of interference with an investigation, obstruction of justice, or resi
Re: (Score:2)
Good luck with that. If you start quoting court decisions you will likely see the hot end of a tazor really quick. And then you will be arresting on charges of resisting arrest, fighting with an officer, and several other charges that struck the officer's fancy while he watched you squirm on the ground in agony.
I have several police officers in the family. This happens all the time.
Re: (Score:2)
Um, they do random license checkpoints in this state all the time, its how they get around the 'no drunk driver checkpoint' rulings. Something about if they take a classified ad out people who want to avoid it can. (Because of course, everyone reads the classified section of the dead tree newspaper).
Of course, the courts here are also convinced that visiting a grocery store is reasonable suspicion of drunk driving.
Re: (Score:2)
Re: (Score:2, Insightful)
Using RFID isn't that big a leap for the police, as they already have access to all the information that it transmits, only with RFID, they may be able to retrieve the information without having to ask you (if you keep your DL,passport,whatever unshielded).
Using RFID IS a big leap for everybody else. Suddenly, anybody who has the inclination can find out your name, address, SIN, your digitized picture and fingerprints. Without your knowledge or permission.
With license plates, they do uniquely identify you
Re:Why? (Score:5, Informative)
Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.
And while you're driving around your car has license plates on it which can be scanned from far further than RFID.
Asking to see the license still requires asking. It also requires driving for one to be (legally) provided. RFID allows for scanning a crowd and (potentially) getting a crowd of identities in less than a second.
OCR on license plates are very doable if you control the conditions. Make sure the vehicle is going the desired location and mount the camera in the perfect position. Back that up with occasional human to try and work out those cases where OCR fails. With RFID you put up antennas in a few strategic locations and you cover blocks of traffic without worrying about angles, lighting, and other bothersome conditions.
The potential for abuse is already there. RFID makes it more efficient.
Re: (Score:2)
"OCR on license plates are very doable"
Already done. The British call it ANPR, automated number plate recognition. It is very good. Its used on speed cameras all over the UK. The technology was developed as an antiterrorism system originally. British intelligence wanted to be able identify vehicles used by IRA bombers.
Re: (Score:2)
Sure. And I see it used daily at the local county's tollroad. Works pretty well. But the toll lanes create a reasonably controlled environment and it still requires an occasional human to manually read a percentage of images. I'd be curious as to how ANPR handles things - I couldn't imagine the technology to be that different.
Re: (Score:2)
Interesting point. Of course, in my state the text is pretty high contrast (dark blue on white). Hmmm. Now that I'm thinking about it, I wonder if I can find out what the OCR error rate is for the tollroads; I have inside connections.
Re: (Score:2)
Reminds me of the movie Gattaca, though. "Who looks at photographs anymore?" The problem with your statement is that people would likely start relying on a technology that doesn't really establish identity. It only establishes the authenticity of the document.
Re: (Score:2)
Yes, but if the bar is raised, for some stupid reason, the trust in such technology seems to increase.
What this means is that when the "scammers" actually do succeed in defeating protections, their fakes have just that much more "believability".
Think "Its so hard to duplicate, it must be real".
Just more of the same "security theatre" we've seen in the past, but with the potential for serious repercussions, IF we put our trust in the system. Which, quite frankly, I do not.
Re: (Score:3, Interesting)
Not in every state of the US.
Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has. Connecticut's licenses in particular have layers of holographs and foil that overlap each other. A printer that can print on plastic combin
Re: (Score:2)
Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has.
So how hard would it be to scam/bribe a DMV worker?
Re: (Score:3, Informative)
First, all DMV's I've been to (NY/CT/MA) have CCTV cameras all over the place - so convincing a DMV employee to create a fake ID during work time is probably somewhat difficult. I would not be surprised if the machines used to produce licenses were set to shut
Re: (Score:2)
Are human rights to be restricted to those who have the mark ? How can you be anonymous if you can be scanned from a distance ?
I can't think of anything primarily done for the sake of convenience, that has turned out without having nasty side effects. Personal motor cars, cheap mortgages, credit cards, fast food, plastic packaging, party line voting, etc.
RFID is fine for bus tickets, or other temporary privileges but not for permanent personal ID.
Re: (Score:2)
Re: (Score:2)
Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.
Only if you've been witnessed driving without it. If you're a passenger or otherwise not driving, you can be compelled to truthfully identify yourself, but you don't need corroborating documentation.
This doesn't mean the authority involved won't overstep his bounds and arrest you anyway for failure to comply with (IAOO -- In the Armed Officer's Opinion) a lawful order and/or interfering in police business.
Re: (Score:2)
That's because of the flash. License plates are made to be reflective so the flash worked on it even though the plate was far away. Other plates were probably at a wrong angle. The blur is caused by a slow shutter speed, which means the scene was relatively poorly lit. The flash strobe is very fast, so it wasn't affected by the camera shake much.
Re: (Score:2)
Is there any evidence that they were worse?
Re: (Score:3, Interesting)
I always thought they should do more. I'm not particularly scared of it, but I always thought that since there's a massive amount of information available on you anyway, why not implement this in a useful way?
Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.
Go to a hospital, they could already have the meds you're on, anything you're allergic
Re:RFID on identification scares me (Score:5, Insightful)
Who knows what your prospective employer etc would see in your file?
Who knows if it would be true?
Oh wait.. there could be some sort of efficient appeals process to get improper notations removed from your file just as easy as fixing your credit history after getting ID jacked...
Boy, my grade school teachers didn't know how right they were when they threatened me with screwing up my 'permanent record.'
Re: (Score:3)
Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.
Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.
Enlist in the military, they'd need things for that, including competencies, education, etc.
Likely this would result in employers having your medical record, the military having your CV, and hospitals your supervisor comments.
Where would you store all that data? Who would authorize accesses? Why not just give them a CD containing the needed info?
Also, the paperwork has one important aspect not covered by computers: the paper trail. Logs can be tampered with, a piece of paper signed by your doctor/employer/whatever in your safe can not.
In the land of CYA it can be important.
Re:RFID on identification scares me (Score:5, Insightful)
Go to a concentration camp; they could have a name, phone numbers, next of kin, final will and testament, etc already on file. No more wasted paper or wasted time filling out the same info on different forms. Just send them straight to the "showers" for processing.
Go to a job interview; they could have a genetic workup, list of potential diseases, previous health expenditures, current debt accumulation, etc already on file. No more hiring of people who are sickly & likely to aste company resources, or are deep in debt and potential thieves. They can be weeded out immediately.
Point:
Having information so easily available is dangerous. It's loss of power by the citizen & a gaining of power by the politicians and the corporations.
Re: (Score:2)
Don't be scared (Score:3, Insightful)
We're safe. Cloning RFIDs is illegal.
Re: (Score:2, Interesting)
No kidding.
Any form of transmittable broadcast information can be cloned and hacked, so like you, don't trust them. I have an FasTrak on my car but it is stored in a metal case to prevent it from being cloned or tracked for no good reason.
All companies that sell RFID and government agencies claim that their "technology" is safe, unhackable and unclonable but they haven't allow the real world (at least the hackers world) to have at it and truly prove they are safe, unhackable and unclonable. However, over ti
Re: (Score:2)
This is a common misconception. Modern encryption algorithms are strong enough that "better and faster computers" won't help break them; a classical computer powerful enough to brute force 256-bit AES is physically impossible. Even quantum computers will just mean that some specific techniques need larger keys to be secure.
Encryption algorithms do occasionally get broken through mathematical trickery, but from a use
Re: (Score:2)
This is a common misconception. Modern encryption algorithms are strong enough that "better and faster computers" won't help break them; a classical computer powerful enough to brute force 256-bit AES is physically impossible.
Do these RFID cards really use 256 bit AES encryption? Do they even use encryption? I assume they can't be super strong, given their limited size and the amount of power available to them, but I hope they at least reply differently given a replayed request?
Re: (Score:3, Interesting)
As usual XKCD has an answer to your "security" and it just came out today too. http://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
No. Not in any useful sense of the word "possible". No one will ever luck into guessing a randomly generated 256 bit key on the first try.
Re: (Score:2)
You certainly don't want it to be like in the olden days, where people in the town would recognize you as soon as you walked in, including all of your reputation, simply by your face.
Re: (Score:2)
... neat stuff, and a teensy bit scary ... (Score:2)
My hat ain't enough (Score:5, Funny)
Re:My hat ain't enough (Score:5, Interesting)
Interestingly enough, when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...
Re: (Score:2)
I got a new Passport Card and plain old Passport at the same time, and the card had a sleeve while the Passport did not. I wondered whether the jacket of the Passport was lined and could only be scanned when open, but haven't bothered to investigate.
Re: (Score:3, Informative)
Re:My hat ain't enough (Score:5, Informative)
I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.
It is true and it is not. Building a faraday cage into the cover was one of the "concessions" they made in response to all the complaints about privacy issues. But... it only really works if the covers are tightly pressed together. Leaving it open a quarter inch or so may be enough to prevent official readers from picking up the RFID, but not enough to protect against someone with a reader with more juice - like anyone who is up to no good will certainly have.
Re: (Score:1)
A couple of years ago I invested $10 in a metal travel wallet [retro51.com] that functions as a de facto Faraday Cage. Or you could spend 8x that on a microwoven stainless steel version [wired.com]...
Re: (Score:2)
Shoulda got it a long time ago... Its not like we didn't all see this coming. Anyone with half a brain knows that when you add technology to something simple and relatively secure, you then allow it to become complex and easily exploited.
E-voting?
WarCloning? (Score:5, Funny)
WarDriving = Driving around finding open APs.
"WarCloning" = Driving around cloning RFID stuff.
Shouldn't it be "CloneDriving" or something else? Though I suppose all of them are equally dumb. So nevermind...
Re: (Score:2, Informative)
- SR
Re: (Score:2)
No. I know your being funny, or at least modded that way, but the correct prefix is 'war' as in WarDialing, as in War Games (the movie), which is were the term comes from. "WarCloning" is a perfectly acceptable term.
Are you sure?
I was given the impression, way back when, that WARdriving was a semi-acronym for "wireless access reconnaissance" driving.
Re: (Score:2)
~ The late, great George Carlin
Re: (Score:2)
Good for crime fighting, scary for potential abuse (Score:5, Interesting)
Re: (Score:3, Informative)
http://www.thinkgeek.com/gadgets/security/8cdd/ [thinkgeek.com]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What, will they outlaw aluminum sheets? Those bastards!
There are plenty of threats to our freedom right now, no need to be paranoid about the "scary new technologies".
Re: (Score:2)
No. They will probably outlaw that particular application of aluminium foil. Plenty of such examples today. I'm sure it will have a smart sounding clause, something about impeding lawful functioning of RFID locators, or somesuch.
Protection (Score:5, Interesting)
Re:Protection (Score:5, Funny)
Really? The first thing I did was pick up one of these [about.com], which I already had on hand at the house. Mine is *guaranteed* effective. :-)
Re: (Score:1)
Re: (Score:3, Insightful)
The first thing I did was to put it in the microwave.
We are still supposed to do that to all our mail, right? To protect against anthrax? (Are we still living in fear of that? It's hard to keep up sometimes.)
Surely Homeland Security can't be upset at us for doing what they told us to do!
Re: (Score:2)
Re: (Score:2)
Just out of curiosity, have you tested the effectiveness of that shielding wallet? If so, how?
Re: (Score:2)
Re: (Score:2)
The shield that comes with the passport card is effective, at least as far as my research so far has suggested. It's worth mentioning though that according UW / RSA, the shields supplied with the electronic drivers license in Washington are ineffective at preventing reads (although they do reduce range somewhat) - http://www.rsa.com/rsalabs/node.asp?id=3557
Re: (Score:2)
It didn't seem to help protect the passport when I put the passport in the sleeve, then the sleeve & passport together in the microwave...
Re: (Score:3, Funny)
I do believe the magnetron in the microwave is a tad more energetic than your average RFID reader. Well, I hope it is anyway. If not, we're going to have some seriously upset -- and sterile -- border control agents.
Thanks for the input, though.
Re: (Score:2)
Where are the FUNCTIONAL RF-blocking covers? (Score:2)
I would like to get both passport and driver's license covers.
A google has so much noise that I cannot find the signal.
Any links to to something other than mumetal by the sheet?
Re:Where are the FUNCTIONAL RF-blocking covers? (Score:4, Informative)
For your driver's license, just use what I have for many years: an "Altoids" tin (or similar item). Perfectly sized for drivers licenses, credit cards, and other such things, and completely impervious to RF scanning technologies. I use one for my "wallet".
For a passport, well, they *did* have those jumbo tins a while back... ;)
Re: (Score:2)
Re: (Score:2)
Unless you use your passport a lot (as in weekly) you can make your own and it will last for a couple of years. Take a sufficiently large sheet of metal foil and lay it flat. Cover it with duct tape. Fold and tape, and add a Velcro (or clone) fastener to keep it closed. I've had an RFID passport for about four years now and my second homemade wallet is still going strong, even though I fly internationally every few weeks.
The trickier one is how to shield cards which you want to use more frequently than that
Good (Score:2)
I hope they do a lot of damage so that they scare enough people so that they finally start protesting against those terrible plans.
tracking abuse.. (Score:2, Interesting)
Copyrights and Serial Numbers r/o ? (Score:2)
I'm afraid you can't just copy the rfid tag of a passport or a visa card because the serial number is r/o while some parts are r/w (if I'm not wrong);
Also there is the law of Copyright, which protects passports, travelling documents and even money...
although you might be able to stuff those databases with "known test cards" ...
It's quite freightening, soon as rfid can be cloned perfectly, I hope it'd cause the world again to swap to alternative more controlled technologies again.
RFID Gathering (Score:5, Informative)
I saw the video and it is inaccurate at best (Score:3, Informative)
Re: (Score:2)
"All you have to do is put it against your body, and the salt water attenuates the signal, thus making the tag unreadable. "
The old "prison wallet" looks better and better.
Reading Passport RFID Cloning Passport RFID... (Score:1)
exaggerated description (Score:3, Informative)
This fellow doesn't demonstrate cloning anything. He's just reading RFID codes in the video.
Seth
How far do you trust that unknown with a scanner? (Score:2)
Whatever can be done, will be done ...
Its a lie (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
There are R/W tags out there. The one I was working with, I was able to make emulate another read-only tag that we used.
I have an even better solution (Score:3, Funny)
We should make RFID highly controlled instead. Once we make RFID ownership illegal then only criminals will have RFID, and they'll be a whole lot easier to find.
Hey, it works for guns, right?
Re: (Score:2)
Same as recording license plate numbers? (Score:2)
If the RFID is nothing but an ID number and the actual data is in a database somewhere, how would this be worse than, say, writing down the license plate numbers of the cars you see?
Airport Demonstrations (Score:5, Interesting)
I thought about this when I first heard the news about RFIDs being included in passports -- and money. Now that there is a practical implementation, it is time for a bunch of privacy advocates to get a marquee style display and go to an international airport. They could stand outside of the arrivals customs area and scan and display people's personal information in order to demonstrate how completely these tags violate the passengers' Fourth Amendment rights.
The sign might look something like this:
That should get people's attention. And it should be quite entertaining until the airport authorities figure it out. When they do, it would also be nice to point out that Freedom of Assembly is also an inalienable right!
Re: (Score:2)
That is so fake and unrealistic.
Nobody has a Diners Club card. :)
Reality Isn't A Photograph (Score:2)
It seems that quite a few people missed the fact that TFA refers only to "proof of concept".
First of all, the odds that this technology will stand still are zero. Second, anybody who wanted to get really nasty would find a way to access the remote databases and do a little creative matchmaking. After all, it's not like anybody's ever managed to walk off with a few million tax records and credit card numbers and stuff like that before, is it? I seem to recall DB breaches were getting so common it was n
His reader shows... (Score:2)
Losing your edge (Score:2)