WSIS Physical Security Cracked

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

Re:[RFID] Late night on slashdot and the nightmare

What is it that makes you think RFID technology suddenly enables this?

Lemme clue you in, there's this wild and crazy technology that puts a unique identifier on every automobile driving on public roads. It's linked to your name in state databases and it's required by LAW. It's called a license plate, you dumb shit.

And amazingly, if you get caught by an officer speeding in a school zone or blowing a red light, they will run your license plate in their little laptop to see if you have any warrants out, like for being a deadbeat dad.

And your car insurance company has the ability to look up your driving record to see any tickets or accidents within the past few years.

I'd assume that most anyone has this ability, an assumption based on the fact that if you get a speeding ticket, within 2 days you'll receive about 150,000 postcards in the mail from ticket attorneys and driving schools.

Get a clue you dumb piece of shit.

RTFA

[lurker412]

The World Summit on the Information Society is not a security conference. It is concerned with much broader issues of society and technology. You can find more info here

Re:[RFID] Late night on slashdot and the nightmare

[narratorDan]

Simple way of taking care of the RFID tags in this tin hat situation;

Pay cash, (until the gov stops printing it, they must accept it) give them a fake name and phone number (the phone book is full of them), buy or make a RFID reader and locate the tag in the tire and cut that section of the tire out and put it in a microwave for about 30 seconds. DING! The RFID tag is fried, now replace the cutout in the tire and freely run down kids in school crosswalks with the red lights.

Hmm, just read the rest of your post. You're screwed.

NarratorDan

Re:[RFID] Late night on slashdot and the nightmare

[Grue]

RFID technology automates all this, no need for the cop anymore. No need for visually checking license plates. Suddenly everyone and anyone is tracked.

That is the big difference. The fact that this information will be entered into several hundred databases automatically.

Two comments

I'm a delegate to WSIS, so I've been here for going on three days...

First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.

Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would kaie it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...

Just my two cents (CHF)...

Re:[RFID] Late night on slashdot and the nightmare

[clickety6]

Isn't the UK already thinking of taxing every car "seen" on key roads once a day, every day they show up?


Noppe, not thinking of it - in the "congestion zone" of London they are already DOING this!

Better case is made by the "pictures" page

[Halo-]

I have to admit the main link was a bit of a let-down, but after following the link to the pictures page, I start see why this is a big deal. A few things happened which aren't well expressed in the main link:

1. Participants were sent credentials which were supposed to serve as a second form of ID. The activists circumvented this second ID by simply claiming to be someone else and showing a generic fake ID. The list of participants was available beforehand, which was a mistake. Think of it like if an airport published lists of all the passengers on a plane and allowed "ticketless" travel using any form of ID. (instead of governement issued photo ID) You just need to say you're "John Smith" and present a fake anything (library card, etc...)
   
2. Notice all the cameras in the photos? That's sorta creepy. My bank doesn't have that many.
   
3. There are pictures of RFID scanners, which means the whole "they are gonna track participants movements" bit isn't entirely tinfoil-hat paranoia. The presence of the sensors implies they plan to track.
   
4. There were metal detectors and X-Ray machines maned by the Swiss Army (insert knife joke here) at the entrances, but they didn't get placed until very later. The "safety" this buys the participants is marginal unless the entire conference center was sweep very, very carefully after the gates were put up. Most people with the motive to blow up an international conference don't do it as a spur of the moment thing. When a head of state visits somewhere, an advance team sweeps the room/route/etc and seals it as they go.
   
5. Privacy and data security are totally lacking. The organizers failed to inform participants about what information was to be collected, and more severely, couldn't produce a detailed accounting when asked. The data collected was visible on monitors to casual observers, which completely negates most of the value and allows for theft.
   

In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.

The illusion of security is worse than no security at all.