Feds At DefCon Alarmed After RFIDs Scanned
FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"
What do you bet... (Score:5, Insightful)
Re:What do you bet... (Score:5, Insightful)
It's easier to outlaw gadgets than to admit you're wrong.
That's why, thanks to recent laws, only criminals carry guns. Pretty soon only criminals will have webcameras or RFID sniffers.
Re:What do you bet... (Score:4, Funny)
The only way that happens is if you are rich and have political connections.
That's not entirely true - if you're a bodyguard of a rich (important) person, you can legally protect them too.
Re: (Score:3, Insightful)
Um no... the gun totin trigger happy people aren't the problem...
Do you think criminals CARE if they are breaking the law? Do you think having a nationwide concealed carry law would make all gang members and others suddenly stop carrying until they got a permit?
If you do you are sadly mistaken... the ones who are regulated and don't carry are the law abiding people... Typically not the people you need to be worrying about. Typically.
Re: (Score:3, Interesting)
do you think criminals CARE if they are breaking the law?
Depends on the criminal. Statistics that I found with a quick Google indicate that 50-55% of violent crimes in the USA are crimes of passion (i.e. not premeditated or planned). That means that they are perpetrated by people who are not what you would typically call criminals until they actually commit the act. These people are, for most of their lives, law-abiding citizens and are unlikely to carry an illegal weapon.
Re:What do you bet... (Score:4, Insightful)
In fact, I'd say gun ownership does more to prevent crime than it does to encourage it. If I'm a big guy and I figure that I could throttle you pretty easily, but I know that you carry a gun, that may dissuade me from assaulting you. I'm not going to say with 100% certainty that it will - that would be hyperbole. I will, however, assert that it would change a lot of people's minds.
No brainer (Score:4, Interesting)
Re: (Score:3, Informative)
Professional soldiers who have trained extensively with firearms tend to average a couple thousand rounds per kill.
That's because of two things: suppressive fire, which just keeps the target's head down, and training, which burns through tons of ammo without killing anyone. Snipers, who have trained extensively in accuracy against designated targets, average about 1.3 rounds per kill.
Look at an example of a worst case scenario such as the Columbine killings, where two heavily armed kids were in a target-dense environment with no serious concern over defense and yet "only" killed 12 and wounded 24
Harris and Klebold weren't planning to shoot everyone - guns were for mop up. Their original plan was to blow the place up with propane bombs and shoot the survivors. For an example of how that might play out, check the 'bath school disast
Re: (Score:3)
Don't bring a sniper rifle to a knife fight, eh? Both examples are significantly different than a bar-fight-gone-wrong. However, pray-and-spray is much closer to how it would go in a bar fight than prepared sniper vs. unaware target.
Guns are plenty scary against one or many targets. But give your average joe who doesn't handle guns a 9mm and ask him to hit a running/dodging person at 50ft on one clip? Fat chance. A trained soldier or cop? Different story but it's still nowhere near one-shot, one-kill
Re: (Score:3, Funny)
Actually it's because the same rules apply to them as apply to the rest of us.
Ha ha ha ha. Very funny.
Re:What do you bet... (Score:4, Insightful)
If they weren't out there publicly trying to get our rights taken away, they wouldn't attract crazy people, therefore they wouldn't need the armed security.
Until then keep your deadly weapons and wild west "justice" out of my community.
So, move to LA, San Francisco, New York City, Chicago, etc. and the terrible worry about peacefully minded citizens taking legal means to protect themselves from assault, rape, robbery, etc. will never again burden you.
Re:What do you bet... (Score:4, Insightful)
I am so reminded of a line from The Chronicle [wikipedia.org] along the lines of "How very twentieth century of you", as the character whips out a taser and stuns the miscreant.
There are nonlethal means of defending one's self, these days. While most may only work at arm's reach, that's also the range you're most likely to be at, in a situation you'd want to use a gun defensively. ... and have any realistic chance of it being effective, anyway.
If they weren't out there publicly trying to get our rights taken away, they wouldn't attract crazy people, therefore they wouldn't need the armed security.
Y'know, I wouldn't take that bet. Crazy people are considered crazy in no small part because they use skewed logic, or no logic at all. And "taking away our rights" doesn't really top the agenda of people who need bodyguards. Nor, I expect, the rationale for most assaults upon people who feel a need for bodyguards.
Re:What do you bet... (Score:5, Insightful)
The government has done its best for decades to convince the people that militias are full of homicidal maniacs. And no, the National Guard is not a militia. It is a standing army under the control of the FEDERAL government-- and it has to be, because states are forbidden from having standing armies in the Constitution.
Compared with... what? "Putting up your dukes," as one ignoramus once snorted on slashdot? Would you ask your 80 year-old grandma to "put up her dukes"? I bet she could handle a small pistol, though.
Thanks to the 10th Amendment, we do have the right to use hunting rifles. However, the general right to KEEP AND BEAR ARMS is EXPLICITLY mentioned in the 2nd. The "militia" part is not a condition of that.
Re:What do you bet... (Score:4, Informative)
Every able-bodied man between 18 and 45 is automatically in the militia.
Re:What do you bet... (Score:5, Informative)
for those who will demand the citation
10 usc 311
(a) The militia of the United States consists of all able-bodied males at least 17 years of age and, except as provided in section 313 of title 32, under 45 years of age who are, or who have made a declaration of intention to become, citizens of the United States and of female citizens of the United States who are members of the National Guard.
(b) The classes of the militia are--
(1) the organized militia, which consists of the National Guard and the Naval Militia; and
(2) the unorganized militia, which consists of the members of the militia who are not members of the National Guard or the Naval Militia.
it should be noted that well-regulated != organized
Re:What do you bet... (Score:5, Funny)
I find it peculiar that they were willing to participate in criminal activity but could not bring themselves to spell the word "FUCKING".
Re:What do you bet... (Score:4, Funny)
Ah, nice. ESR is the perfect argument against an armed citizenry.
Every time some 12 year old posts "IMA KIL U U FAT FCK I AMA IRANYAN NINJA U NEVAR C ME CUMING!!!!1!!" on his blog, he craps his pants, buys another .45 extension for his shrinking penis, and gets another entry in his FBI "whackjob time waster" file.
Personally I think the entire "ESR" persona is the intartube's longest running piece of performance art, but it appears that some of his followers:
1) Actually believe that he's real and someone to be emulated...
2) Are armed.
Which is quite a worrying combination.
Re: (Score:3, Insightful)
- Just, merely state that as a Danish citizen I'm happy with the strict gun policy and never regardless of the arguments you may bring up going to find nonrestrictive gun policies sane.
And I am even happier to live in a part of the USA where they don't have to keep guns away from people to keep them from killing each other. I feel very sorry that at some point, your society reached a low point that it was no longer safe to trust fellow citizens with an otherwise useful tool, because they can't be trusted to have sufficient self control over their own actions. (I am not saying gun violence doesn't happen here, I am just saying removing guns would make an insignificant or even negative chang
Re: (Score:3)
I agree in places where society has broken down, and people can't control themselves may need Gun control if the true causes can't be addressed first.
Don't you think society has broken down when so many people feel the need to carry guns?
Even in the US it is stupid to kill someone with a gun, they leave too much of a trace, and are so accurate it is very difficult to claim it as anything but intent.
Why on earth would you be thinking about ways to kill someone? Surely you can discuss differences through speaking to one another? Work out differences without resorting to violence?
By allowing a simple solution, it is easier to catch/get rid of those criminals lazy/crazy enough that they used a gun anyway.
So now, you are advocating allowing loads of people to carry guns so that it's easier to catch the lazy and stupid criminals?
I am even happier to live in a part of the USA where they don't have to keep guns away from people to keep them from killing each other
Probably not the way you meant to word that. Paraphrasing it
Re: (Score:2)
If they ban RFID readers, only criminals will read RFID's. Sort of makes the legal use of RFID's a little awkward, ya think?
Re:What do you bet... (Score:5, Insightful)
I found this part really interesting:
Nice to see that - after they made their point - the organizers and attendees at "one of the most hostile hacker environments in the country" did the right thing and destroyed the data. I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.
Re:What do you bet... (Score:4, Insightful)
I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.
Ha ha very good! The sad thing is they would keep the data while telling the media they didn't, then justify keeping it when their lies are exposed, then mock outrage when it gets stolen, then bungled legislation when the peasants revolt. It's written in my tea leaves - which at least will be destroyed on MY say so!
Re:What do you bet... (Score:4, Insightful)
It's one thing to expose a security flaw, quite a different thing to exploit it. You're right, the Feds shoulda oughta known better; I'm sure the security issues with RFID are being given a closer look at several alphabet agencies as I write this.
You seem to be advocating some sort of vigilante action on the part of the people doing the demonstration, but I think that is exactly the wrong approach if your goal is to raise public awareness. If the people doing the demonstration had dug their heels in and kept the information they harvested, the likely result would have been arrests and confiscation of the information and headlines reading "Hackers Steal Identities of Federal Agents." This would have been wrong as well, and cause for much bitching on Slashdot, but would have done exactly nothing to address the insecurity of RFID.
By volunteering to destroy the data collected, Priest got the best of all worlds - the dangers of RFID were exposed, as was the ignorance of the general public to these dangers (including the people who oughta know better) and he left them with no opportunity to spin this as a story of Hackers Out Of Control.
Sometimes it's better to go after the big fish, rather than eat your bait.
Re: (Score:2, Interesting)
Is it possible to remove the RFID device?
The Congressional mandate for RFIDs is similar to the stupidity that gave us a bunch of computer-controlled voting booths (which are easily hacked, or prone to errors). The politicians don't understand technology. To them it's just "magic" that will cure everything, therefore they mandate this stuff without putting any thought into it, basing their decision upon faith rather than reason. They don't realize this "magic" has serious flaws that makes it less-desirabl
Re: (Score:3, Insightful)
If politicians are that gullible, and stupid enough to take everything said by people with vested interests at face value, then they shouldn't even have the authority to run their own life, forget the country.
Re:What do you bet... (Score:5, Insightful)
Not quite as satisfying however.
Re: (Score:3, Interesting)
The passport is still valid even if the RFID is disabled, right?
Re:What do you bet... (Score:5, Informative)
It is still valid. After returning from a long trip I went to bed and my wife did all my laundry from my trip, which included my passport and ipod nano in a shirt pocket. I was traveling again shortly after and tried to find someone who could tell me if it was still valid, but had no luck. I was going from the U.S. to Mexico and just figured I'd see how it went.
The agent tried to scan the chip and when it didn't work, just treated it like an older passport. I've gone out of the country with it again since then and had the same result.
I wouldn't recommend that approach, as is mentioned above, a hammer will do the job. It took me a while to dry out my passport then I had to leave it under a huge stack of books to get the pages flat again. Knowing that people keep them for 10 years makes me think that they must go through all kinds of things like that.
The nano took longer to dry out completely but still works.
I hope events like this (the scanning of the chips) keep getting attention so that something can be done before disabling the chip becomes synonymous with invalidating the document.
Re:What do you bet... (Score:4, Interesting)
My New York EDL came with a foil-lined protective sleeve.
Re:What do you bet... (Score:5, Insightful)
You can microwave it. The RFID antenna collects too much power and fries the circuit. Should take a second or two.
While an inoperative RFID may not invalidate your passport, I suspect a big honking scorch mark in the middle of the thing just might.
Re: (Score:3, Informative)
Most RFID cards are completely unencrypted, and even the encrypted ones have only basic encryption implemented (it was quite spectacularly reverse engineered a couple of years ago) - there just isn't enough power available to do anything robust.
duh? (Score:5, Informative)
Why would they be surprised? This has been common knowledge for years.
If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.
Re:duh? (Score:4, Insightful)
They're faithfully participating in a system which is intentionally insane. It's not that hard to understand...
Re: (Score:3, Funny)
They're faithfully participating in a system which is institutionally insane
There, fixed that for ya.
Re: (Score:2)
Usually it's on purpose, but not for nefarious reasons. More likely it's because some RFID contractor\vendor got to the government person in the upper levels of charge and convinced them they need this feature in their IDs whether it's a good idea or not (it does help the previous vendor\contractor's bottom line which is all that matters really). It then gets implemented regardless of any security concerns.
Re: (Score:3, Interesting)
"pencil-pushing bureaucrats" do not belong in attendance at DefCon, period.
It is precisely these kind of people (those who use, but completely lack the understanding of the underlying technology), that cause the proliferation of malware, spam and other methodologies of subterfuge.
Send your best people to DefCon, and even they won't be good enough, but if you send pen
bar-codes (Score:2)
RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes.
It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.
Re:bar-codes (Score:5, Insightful)
Right, but they sure can read whatever your RFID has to say. The problem is twofold:
1) Ignorant implementers put sensitive data on RFID's in plaintext.
2) Users are unaware of what data is actually *in* their RFID items.
RFID tags are dumb, low powered, even passive devices. If you can't afford active RFID's with public key encryption, don't put sensitive data on the damn things!
Re:bar-codes (Score:5, Insightful)
There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.
Re: (Score:2)
Just as a note, New York has bar codes on their driver licenses.
http://www.instructables.com/id/Decode-Your-License/ [instructables.com]
You're still quite correct in that they can't be read in your wallet, but that's what RFID blocking wallets are for anyway.
Re: (Score:2)
Which is great until you take the card or passport out of the RFID blocking wallet. Then an RFID reader nearby can pick up the information from a distance away. On the other hand, I think I'd notice someone leaning in real close to me with a barcode scanner trying to read my card.
Re: (Score:2)
Are you kidding? There already are bar-codes on things like driver's licenses. And they can be photographed and decoded by the person sitting next to you at the bar. Where is the outrage? "very dangerous" indeed.
Re: (Score:3, Insightful)
That's scary!
Re: (Score:2)
Your credit card has a magnetic "bar code". I don't know where your driver's license is from, but many licenses come with both magnetic strips *and* a 1-D or 2-D bar code. I can take a cell phone picture of my license's 2-D code and within seconds, pull out my full name, date of birth, endorsements/restrictions, address and license number.
Don't be afraid of the technology - just be afraid of leaking sensitive information.
Re: (Score:2)
"RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes."
Doesn't this suggest that RFID is a much less secure tech? A barcode or magnetic strip is safe in your wallet in your back pocket, RFID is not. That is like saying that because your windows can still be broken, it is not a security risk to leave your front door open when you leave the house.
Re: (Score:2)
I'll grant you that. But this is not a problem with RFID. It's a problem with some misapplications of it. RFID itself is a fantastic technology.
Re: (Score:3, Interesting)
Not everyone. A couple years ago I worked at a place that used barcoded cards as entrance badges. Swipe the card through the scanner and you're in. It looked like a mag stripe -- the barcode was printed black-on-black, with inks that reflected differently in the infrared. But it was just a 1-D barcode. And yes, it was trivial to use an ordinary flatbed scanner and crank up the contrast in Ph
Re: (Score:3, Insightful)
Again, RFID is a great technology for inventory, NOT
Re: (Score:2)
RFID is not just like another barcode, because it uniquely identifies an individual product (or person). The numbering scheme for RFID is estimated to be able to uniquely number every product and person on the planet for the next several hundred years.
Also, talking about it being "remotely readable" obscures the fact that you don't require line of sight to read an RFID chip, as it can be read through clothes, or bags. Combine t
wait a minute (Score:3, Informative)
They're attending a security convention with id cards that can be read from their pockets.
It's a good thing they didn't have rfid credit cards.
If it can be done, it will be done.
Cops (Score:3, Insightful)
So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.
Surprising? (Score:2, Insightful)
Re: (Score:2)
Well for one thing, it was a trap, and that is the nature of traps, they surprise you.
Finally ! (Score:2)
Misleading post text... (Score:5, Informative)
Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...
erm... not quite what the Wired Article says:
But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned
Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...
The data was destroyed (Score:3, Informative)
"Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."
If they have done nothing wrong... (Score:5, Insightful)
...they have nothing to fear. Let's see how they like that argument used against _them_!
Silly Feds (Score:5, Interesting)
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
Re:Silly Feds (Score:4, Insightful)
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
As asinine as possible. The advantage of RFID is convenience. Let's use it and then make it less convenient to use.
General lesson: Convenient or secure. That's an XOR.
Missing the point. (Score:5, Insightful)
I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.
I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool').
Re:Missing the point. (Score:5, Insightful)
RFID tracking people = NOT OK
Re: (Score:3, Insightful)
Great, so now Walmart can simply tie my purchases to my credit card and know who I am as I walk in the door on subsequent visits, or walk in the door of any other store they share data with, as long as anything on my person has an RFID tag I wasn't able to find and destroy.
Oh, and anyone else with an RFID scanner who can match it to my face can make the same connection, no credit card required.
Wow, you've actually just made it sound even worse than it was.
I don't wear a tinfoil hat, but ... (Score:5, Interesting)
The Billion dollar solution is only $20. (Score:3, Insightful)
Um, hello? They were selling nice (and very effective) RFID blocking wallets and passport holders there for $20. If you're flying Feds halfway across the country to attend DEFCON, I'm pretty sure you can afford 20 fucking dollars to give yourself some peace of mind.
Of course, some idiot in Gov will propose a 3 billion dollar project called Protect-A-Fed that will invest thousands of man-hours to devise such a device that could prevent RFID tags from being captured...and 4-billion dollars later you'll have a "new and improved" Government-issue $20 RFID wallet.
Re: (Score:2)
Or just don't carry incriminating ID while undercover.
A FedSnitch? (Score:2)
Re:The Federal Agents weren't Pwnd (Score:5, Insightful)
There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew!
The problem is when you have another government computer that is counting on the Unique ID to be a UNIQUE ID, and using ONLY THAT parameter (plus other info also on the card) to identify someone - congratulations, you have just stolen someone else's identity.
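The weakness described in the comment above, shown as an added example that is not part of the original thread: a backend that treats the broadcast unique ID as the only credential accepts a replay of overheard values, while a challenge-response check with a per-card secret rejects it. The UID, key, holder name and class names are constructed for illustration, and HMAC-SHA256 stands in for whatever cipher a real token would implement.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment data: card UID -> (holder, per-card secret).
# The UID is what a passive tag broadcasts to any reader in range.
ENROLLED = {
    "04A1B2C3": ("alice", bytes.fromhex("00112233445566778899aabbccddeeff")),
}


class StaticIdBackend:
    """Weak design: the broadcast UID is the only credential."""

    def authenticate(self, uid):
        entry = ENROLLED.get(uid)
        return entry[0] if entry else None


class ChallengeResponseBackend:
    """Hardened design: the UID only selects a key; proof is a MAC over a fresh nonce."""

    def __init__(self):
        self._pending = {}  # uid -> outstanding single-use nonce

    def issue_challenge(self, uid):
        nonce = secrets.token_bytes(16)
        self._pending[uid] = nonce
        return nonce

    def authenticate(self, uid, response):
        nonce = self._pending.pop(uid, None)  # consumed even when the check fails
        entry = ENROLLED.get(uid)
        if nonce is None or entry is None:
            return None
        holder, key = entry
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return holder if hmac.compare_digest(expected, response) else None


class Card:
    """Stand-in for a token that computes a MAC with a key that never leaves it."""

    def __init__(self, uid, key):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def run_demo():
    uid, (_, key) = next(iter(ENROLLED.items()))
    card = Card(uid, key)
    weak, strong = StaticIdBackend(), ChallengeResponseBackend()

    # Legitimate use; assume everything sent over the air was overheard.
    challenge = strong.issue_challenge(card.uid)
    overheard = {"uid": card.uid, "response": card.respond(challenge)}
    legit = strong.authenticate(card.uid, overheard["response"])

    # The overheard values presented again by someone who does not hold the card.
    replay_weak = weak.authenticate(overheard["uid"])
    strong.issue_challenge(overheard["uid"])  # backend picks a new nonce
    replay_strong = strong.authenticate(overheard["uid"], overheard["response"])
    # Resending with no outstanding challenge also fails: the nonce was consumed.
    replay_no_challenge = strong.authenticate(overheard["uid"], overheard["response"])

    return {
        "legit": legit,
        "replay_weak": replay_weak,
        "replay_strong": replay_strong,
        "replay_no_challenge": replay_no_challenge,
    }


if __name__ == "__main__":
    print(run_demo())
```

The static backend returns the holder for the replayed UID; the challenge-response backend returns None for both replay attempts because the old MAC does not match a new nonce.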
Re:The Federal Agents weren't Pwnd (Score:5, Interesting)
Paget announced during his DefCon talk that his security consulting company, H4rdw4re, will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips - the kind embedded in employee access cards - trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner's key, decrypt the data and open the car. He told Threat Level they're aiming to achieve a reading range of 12 to 18 inches with the kit.
Just wait until someone creates a small RFID reader and hooks it up to an iPhone in their pocket (a combo that would be virtually undetectable) and starts walking through the subway collecting info. We can already pick up the credit card owner's name, credit card number, expiration date, etc. right off of the RFID tags present in AMEX cards.