Slashdot Mirror

← Back to Stories (view on slashdot.org)

WSIS Physical Security Cracked

Posted by CowboyNeal on from the watching-the-watchmen dept.

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

3 of 196 comments (clear)

  1. RTFA by lurker412 · · Score: 4, Informative

    The World Summit on the Information Society is not a security conference. It is concerned with much broader issues of society and technology. You can find more info here

  2. Two comments by Anonymous Coward · · Score: 4, Informative

    I'm a delegate to WSIS, so I've been here for going on three days...

    First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.

    Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would kaie it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...

    Just my two cents (CHF)...

  3. Better case is made by the "pictures" page by Halo- · · Score: 4, Informative
    I have to admit the main link was a bit of a let-down, but after following the link to the pictures page, I start see why this is a big deal. A few things happened which aren't well expressed in the main link:
    1. Participants were sent credentials which were supposed to serve as a second form of ID. The activists circumvented this second ID by simply claiming to be someone else and showing a generic fake ID. The list of participants was available beforehand, which was a mistake. Think of it like if an airport published lists of all the passengers on a plane and allowed "ticketless" travel using any form of ID. (instead of governement issued photo ID) You just need to say you're "John Smith" and present a fake anything (library card, etc...)
    2. Notice all the cameras in the photos? That's sorta creepy. My bank doesn't have that many.
    3. There are pictures of RFID scanners, which means the whole "they are gonna track participants movements" bit isn't entirely tinfoil-hat paranoia. The presence of the sensors implies they plan to track.
    4. There were metal detectors and X-Ray machines maned by the Swiss Army (insert knife joke here) at the entrances, but they didn't get placed until very later. The "safety" this buys the participants is marginal unless the entire conference center was sweep very, very carefully after the gates were put up. Most people with the motive to blow up an international conference don't do it as a spur of the moment thing. When a head of state visits somewhere, an advance team sweeps the room/route/etc and seals it as they go.
    5. Privacy and data security are totally lacking. The organizers failed to inform participants about what information was to be collected, and more severely, couldn't produce a detailed accounting when asked. The data collected was visible on monitors to casual observers, which completely negates most of the value and allows for theft.

    In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.

    The illusion of security is worse than no security at all.