Fed's RFIDiocy pwnd at DefCon
Summary: NSA spooks gather for a colleague's retirement party at a bar. What they don't know is that an RFID scanner is picking them out - and a wireless Bluetooth webcam is taking their picture.
Could that really happen? It already did.
The Feds got a taste of the real world risks of RFID passports and IDs at DefCon, the annual hacker conference. According to Wired:
. . . federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.
The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.
RFIDiots
The goal at DefCon was awareness, not crime. But as organized tech mobs grow it won't be long before crime - or terrorism - exploits the gaping security holes in RFID.
Chris Paget, the researcher who demo'd drive-by scanning early this year
. . . will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips — the kind embedded in employee access cards — trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner’s key, decrypt the data and open the car.
RFID Bad Day: you get fired because a bunch of office equipment went missing after someone with your ID entered the office at 1 AM. And when you go to your car, it isn't there.
Cloning on the fly
Adam Laurie, another researcher and author of the RFIDiot (RFID I/O tool), an open source Python library, said:
It takes a few milliseconds to read [a chip] and, depending on what equipment I’ve got, doing the cloning can take a minute. I could literally do it on the fly.
Mr. Paget even demo'd a wired doorframe that collects RFID data as people walk through it. Handy, eh?
The Storage Bits take
Perhaps now that federal security gurus have been pwnd the RFID threat will get some serious attention. Like, maybe this isn't such a great idea, attention.
Maybe that will be enough to start the wheels turning, but with hundreds of millions of dollars already spent on this stupidity, I'm afraid that someone, somewhere, will have to die before citizens figure out that this is a real, increasing and unnecessary risk.
The technology for reading, hacking and cloning RFID tags will only get better. The mass production machinery behind the tags can't keep up with the security threats.
The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.
Comments welcome, of course.
Talkback
Do you even read your own stuff?
". . . will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips - the kind embedded in [b]employee access cards[/b] - trivial." (emphasis added)
And yet you go and say that this is a risk for RFID passports instead. I think before you go and then engage in juvenile writing using words like 'pwned' you should at least make sure that you're talking about equivalent items.
It'd certainly be interesting to see what actual information they got from this setup and how useful it actually is but please stop trying to use this to stir up a panic about passports until you have an actual tie-in.
@Robert Crocker
I can agree that the specific data retrieved should be made known so that we can evaluate the validity of the threat.
But your argument makes it seem like you believe that changes should only be implemented when a serious occurrence actually happens in the wild.
Not at all
I'm not saying that we have to wait for a serious occurrence, I'm just tired of people using juvenile phrases like "pwned" and then not even being able to back it up with the information that they present.
Pwned
Do you really believe passports will get proven security?
What security do they need?
"The U.S. Electronic Passport (e-passport) is the same as a regular passport with the addition of a small contactless integrated circuit (computer chip) embedded in the back cover. The chip securely stores the same data visually displayed on the photo page of the passport, and additionally includes a digital photograph. The inclusion of the digital photograph enables biometric comparison, through the use of facial recognition technology, at international borders."
(http://travel.state.gov/passport/eppt/eppt_2498.html)
There's a discussion of some of the security implications in their FAQ (http://travel.state.gov/passport/eppt/eppt_2788.html#Twelve)
Finally, the idea is that this isn't supposed to be the only thing used for security as there is a human element involved in border crossings.
Is it perfect? Probably not but it's also not in any danger of being "pwned" either. (Yes, I've seen the Elvis passport link too.)
What Security Do They Need?
See Robin's other story:
http://blogs.zdnet.com/storage/?p=540
for a possible scenario. Or Google "RFID Passport Danger" for other possibilities.
I've lived overseas and had a friend killed by a car bomb; nothing personal, the terrorists just wanted to kill a US citizen. Now we've made it even easier for them to find us. Your tax dollars at work!
It's especially annoying that none of this needs to be a problem. Using a non-broadcast technology to store the same information would increase the physical security of the passport carrier. But I guess that wasn't a "cool" enough solution.
alan
$50 Kit
Do You Honestly Think...
Criminal and Terrorist organizations can send people to school and hire people with the skills they need. Even if this was never published or talked about, they could have the information on their own.
At least this way people can be aware of the problem and test to see what their vulnerability is.
alan
You didn't make your point, on the other hand:
What risks did he show?
This would be like me saying that since one version of a dead-bolt lock is no good then all dead-bolt locks need to be thrown out as a bad idea.
These people were sniffing RFID-embedded Access Badges, things that are specifically designed to be accessed at a distance.
Any technology . . .
If personally identifiable information (read: ID theft) can be scanned passively by walking up to a table or walking through (what appears to be) a normal doorway, or in another way that the owner doesn't know about - it's a MAJOR risk!
Protecting something like a 3d barcode is easy - put it in a case and it can't be scanned until it is taken out. If they can't SEE it, they can't SCAN it.
RFID is risky because humans cannot sense the signals that read it. As was demonstrated here, RFID can be read without the owner's knowledge.
The demonstration was a CONCEPT - designed to show the conference attendees what COULD happen.
And if you think that things that AREN'T "specifically designed to be accessed at a distance" COULDN'T be accessed, think again!
If a $50 kit can read the badges at a distance, you can be certain that something that costs more can read more. IT'S WORTH IT to the thieves, so the technology is available. Bet on it.
Or, just be happy. Stick your head in the sand. Let criminals read your ID information. Then have fun straightening everything out AFTER you're the victim of identity theft.
You're missing the point
My complaint was that the story used scanning of employee badges to try to discredit the e-Passports which is a different technology.
I'm not sticking my head in the sand, I'm just refusing to instantly drop into the paralyzed fear state that this blog was trying to invoke based on bad and/or incomplete information.
Enlighten me please
If you say it's the level of data and encryption, I'll tell you that matters not, as any terrorist, spy, etc. that is serious about cloning the data (in which case, it can be copied verbatim), modifying it for their own use (i.e. the Elvis e-passport people don't want to be reminded of any more, or to fake a security clearance to some top secret data), or what-not, they'll find a workaround as fast as it comes out... case in point: Draconian DRM, as fast as it comes out with new ways, someone has cracked it wide open.
No one is saying to panic, just saying "hey, this RFID thing is a BAD idea, rethink it completely." It was a bad idea to put a gas tank in a Pinto without a real shield between it and the interior of the car, it's a bad idea to trust RFID tech or any other transmitted (active or passive) identification will remain unusable to anyone outside the system it was designed to be used in.
As far as the extra additive of the human factor double checking this e-passport or security badge info, people can be bribed, people can infiltrate the checking positions, people can be lazy... you can count on this verification as much as you can count on current older tech verifications.
Ok, a $5.00 shield might protect the RFID data from being snooped out by a $50.00 snoop kit, what about a $5,000.00 snoop kit, or a $50,000.00 kit?
Please educate me how the two uses, security ID badge and e-passport, are different enough that a failure in keeping data private in one, can't be used on the other.
Kinds?
A couple of those in use in my world....
Let's call them type 1, 2 and 3.
Type 1: Contains a pointer that when read links to specific record(s) in a database file somewhere and the relevant information is read from the table(s).
Type 2: Contains all the relevant information to allow a reading program to fill in a form, create or update records.
Type 3: Contains a key that does all kinds of useful things like allowing me access to my car or paying at the cash register.
All can be used to trigger additional functionality.
I have to say this gives me pause if we as the public have to wait for a major occurrence before someone really looks at this...
Let's hope this is not the case...
RE: Fed's RFIDiocy pwnd at DefCon
We might as well just take out the security doors and invite the thieves in!
RE: Fed's RFIDiocy pwnd at DefCon
I foresee a Magnetic Ink stained to a person's skin, that is also invisible. As usual, your article is right-on. This form of technology won't work in the long-run. Soon, they will be able to scan the back of your hand for your personal ID. Don't anyone fool themselves. It won't be something we'll want then either.
Magnetic Ink tattoos?
I'd like to
Re tattoos