Slashdot Mirror

← Back to Stories (view on slashdot.org)

WSIS Physical Security Cracked

Posted by CowboyNeal on from the watching-the-watchmen dept.

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

28 of 196 comments (clear)

  1. Feels good by Hi_2k · · Score: 5, Funny

    These people are looking to be put in charge of my Packets, yet they cant even keep a couple of geeks out of a confrence room? I'm sure we'll all feel REALLY safe ordering online with them in charge.

    --
    When life gives you crap, Make Crapade.
    Sluggy Freelance.
    1. Re:Feels good by DataPath · · Score: 4, Insightful

      It's even better than that.

      The security at the conference is weak, and they're collecting personal data while they navigate the conference.

      I think they've pretty much proven they're the wrong people for the job.

      --
      Inconceivable!
    2. Re:Feels good by cduffy · · Score: 4, Interesting
      It's a security conference. There's a reasonable expectation is that security experts:
      1. Are innately concerned about avoiding unnecessary exposure of personal data (say, by displaying it in such a way that 3rd parties could observe or record personal information about other attendants).
      2. Will be able to use access control which is not circumvented by such a blatantly trivial mechanism as a fake ID.
      3. Will not permit other physical security measures (such as the use of metal sensors) to be trivially circumvented (as by smuggling in items which would not be permitted to be taken in during the conference itself beforehand).

      And so forth. The issue is not necessarily so much that the organizers are hostile as that they're incompetant in the very matter they're holding a conference about.
  2. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 5, Insightful

    activism PPronunciation Key(kt-vzm)
    n.

    The use of direct, often confrontational action, such as a demonstration or strike, **in opposition to** or support of a cause

    Nope, activist sounds right to me.

  3. Re:'Activist' is such a misnomer by glpierce · · Score: 5, Insightful

    I believe the word you're looking for is conservative.

    --
    G
  4. huh? by junkymailbox · · Score: 4, Funny
    Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

    sidenote: all them kids in the clubs must be great crackers .. I see them "cracked" and "bypassed physical security" all the time ..
    oh wait .. this is slashdot .. no one goes to clubs here ..
    then they disect the card that were given to them to find out that they have RFID chips but no one seems to know what it does. .. Wait .. how's this different than any other place that asks for your information .. like Police and Lawyers Love E-ZPass?

    1. Re:huh? by sholden · · Score: 5, Insightful

      You can't see the difference between this and a club?

      One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?

      One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harrassed and bombs being planted.

    2. Re:huh? by segfault7375 · · Score: 5, Funny

      Yeah, but I bet you would feel differently about it if you were proven innocent because you were buying hand lotion and copy of Maxim when the crime was being committed.

  5. Well. . . by Anonymous Coward · · Score: 5, Funny

    Days before the Summit no physical security was available. Anyone could bring anything inside the conference

    Yep, it was fairly easy to sneak my tin foil hat in.

  6. so this is like 'hacking' by Anonymous Coward · · Score: 5, Funny

    except they were walking around and stuff.... neato.

  7. "Bypassed security" by JohnGrahamCumming · · Score: 5, Insightful

    Huh? If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.

    Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.

    They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.

    So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?

    John.

    1. Re:"Bypassed security" by irokitt · · Score: 5, Insightful

      Nobody is saying the "crackers" were clever. We're saying the "Safety Experts" were stupid. They should have taken precautions in both the physical and electronic realms.

      --
      If my answers frighten you, stop asking scary questions.
    2. Re:"Bypassed security" by DataPath · · Score: 4, Insightful

      I don't think the purpose of the writeup is to give m4d pr0pz to the 133t m34tsp4c3 haxxorz. It seems to me that the points they were trying to get across were:

      1) These people have little concern for security, seeing as how they didn't even comply with the multiple applicable laws governing that sort of conference
      2) These people have little concern for privacy, again, as they didn't comply with multiple applicable laws on the matter
      3) Their ineptitude could possibly be opening these people for extortion or blackmail, or even endangering their lives.
      4) These are the people who are deciding how the internet is going to be governed

      --
      Inconceivable!
    3. Re:"Bypassed security" by ShaunC · · Score: 4, Interesting
      If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
      You'll also find that they should have been required to produce their letter of invitation and a registration number. They had neither, but got in anyway. Perhaps not so much clever as scary, this place is hopping with "important people" and anybody can walk right in with no invite and a fake ID.

      The security at freaking MacWorld was better (or worse, depending on your perspective) than this the last time I went! Unless you got your badge via mail, you had to produce not only your ID but also the credit card that you used to register. Not infallible, but at least a challenge - and Javits wasn't full of diplomats, either.
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    4. Re:"Bypassed security" by Trigun · · Score: 4, Insightful

      Or they could have just sent out invitations by registered mail. If you wanted to get fancy, you could put the RFID in the invite, or *gasp* number them!

  8. Further proof (as if any was needed) by Anonymous Coward · · Score: 4, Funny

    that geeks are merely terrorists under another name!

  9. Tracking locations? by fred911 · · Score: 4, Interesting

    In order to track locations to see who's close to who, you need many, many rfid transceivers. Probably so many, so close there'd be other issues (rf issues).

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  10. Nothing is safe. by irokitt · · Score: 5, Insightful

    The fact that the security was breached is not the most alarming thing about this. Nothing programmed by man is ever completely safe. The scary thing is that people professing to be security concious were bested because of something so simple, and which could have been prevented or easily stopped.

    --
    If my answers frighten you, stop asking scary questions.
  11. Re:'Activist' is such a misnomer by anagama · · Score: 4, Interesting
    What's this WSIS about? It seems you sneer at activists when in fact, they might just be protecting your freedom.
    • It doesn't help that there are several topics of great import but huge controversy. The chief among these is Internet governance. In short: who gets to run the Internet?
      ***
      The United States, Europe and English-speaking partners such as Australia favour the existing private-company organisation, ICANN. Whereas developing nations, China, India, Brazil, South Africa and others all want a recognised international body to run the show, ITU.
    Follow the links back a bit.

    And for posters below who seem unimpressed that a quasi governmental agency can monitor who it is you mingle with, or go to private areas for private discussion - you deserve what you'll get. The internet so far has been a model of a borderless world. But many countries are terrified by this concept - you really want them collecting data, manipulating who the attendees will be to prevent certain individuals from blocking their plans? That's nuts.

    --
    What changed under Obama? Nothing Good
  12. Still Important by digitalvengeance · · Score: 4, Insightful

    Though many have criticized this article as not really representing cracking or bypassing security in any impressive manner, I think there is a deeper issue here.

    What information of use could be gleaned at future meetings or other UN events? The same people very likely do event security for this and other conferences, and the type of information that could be gleaned or the damage that could be done at other events is something to be taken seriously.

    Personally, I despise the UN - but they (through US) are a force in the world and a breach of their security is nothing to laugh at too quickly.

    --
    How many roads must a man walk down? 42.
  13. Historical parallel.. by irokitt · · Score: 5, Insightful

    The problem here was one of physical security-all these guys really needed to get started was a name. During the 80's/early 90's, one of the concerns in the security field was also physical security-a hacker posing as a janitor and accessing unsecured systems, or dumpster diving, or using personal connections to get at employees and talk something valuable out of them. I would think that people would have learned by now that it takes more than simple electronic measures to stop "hacking". This could have been prevented if the powers-that-are had made the ID process a little harder.

    --
    If my answers frighten you, stop asking scary questions.
  14. [RFID] Late night on slashdot and the nightmare... by the+man+with+the+pla · · Score: 5, Insightful

    begins.

    They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.

    One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.

    You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end the trail for your rfid number.

    It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad that the wherabouts of are unknown. Simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist and indexes your location. If you drive on the same street on a regular basis they will know where to find you.

    You're not a deadbeatdad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cashed-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsquently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.

    You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if the police can't scan you as you drive past his cruiser he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".

    Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.

    --
    The linux hacker
  15. Re:'Activist' is such a misnomer by Orne · · Score: 4, Interesting

    No, Reactionary is one tick stronger on the scale

    Political Leaning - "Left" to "Right"
    Revolutionary - Liberal - Status Quo - Conservative - Reactionary

    Government Intervention - "Weak" to "Strong"
    Anarchist - Libertarian - Status Quo - Authoritarian

  16. RTFA by lurker412 · · Score: 4, Informative

    The World Summit on the Information Society is not a security conference. It is concerned with much broader issues of society and technology. You can find more info here

  17. More than just Physical Security Issues by MojoReisen · · Score: 4, Insightful

    This is probably another case of "You get what you pay for", but the issues here go beyond simply using a fake ID to breach physical security. The fact that the data needed to fake the ID was culled from the attendee list on the website speaks volumes as to how much thought actually went into the security architecture for this event. I mean, really, someone should of thought of that possibility. Why didn't they verify or vet this identification in some way ?
    Another frightening fact is that these jokers' security processes, if you consider the RFIDs as 'security',are violating the laws of both the host country and the EU. This is the biggest issue, IMHO. "Security" also means adhering to all applicable laws and regulations, in order to limit your liability, and the liability of your employer.
    And what about these guys walking around snapping photos of the screener's monitors ? Whats up with that ?
    The bottom line is that these "security experts" at SportAccess, or wherever, are incompetent. Their security model was ill-conceived, poorly executed, needlessly intrusive and (obviously) completely ineffective.

    --
    "Nothing is impossible for the man who refuses to listen to reason"
  18. Two comments by Anonymous Coward · · Score: 4, Informative

    I'm a delegate to WSIS, so I've been here for going on three days...

    First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.

    Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would kaie it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...

    Just my two cents (CHF)...

  19. Security by salesgeek · · Score: 5, Insightful

    When I was in the US Navy, I got to learn a few things that most security experts get to learn the hard and embarrasing way:

    1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that proceedures will be followed and absolute trust that when the proceedures don't work, don't apply or are circumvented that the individual will make the right decisions.

    2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveilance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.

    3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.

    4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.

    Sounds like WSIS violated three of four of these rules.

    --
    -- $G
  20. Better case is made by the "pictures" page by Halo- · · Score: 4, Informative
    I have to admit the main link was a bit of a let-down, but after following the link to the pictures page, I start see why this is a big deal. A few things happened which aren't well expressed in the main link:
    1. Participants were sent credentials which were supposed to serve as a second form of ID. The activists circumvented this second ID by simply claiming to be someone else and showing a generic fake ID. The list of participants was available beforehand, which was a mistake. Think of it like if an airport published lists of all the passengers on a plane and allowed "ticketless" travel using any form of ID. (instead of governement issued photo ID) You just need to say you're "John Smith" and present a fake anything (library card, etc...)
    2. Notice all the cameras in the photos? That's sorta creepy. My bank doesn't have that many.
    3. There are pictures of RFID scanners, which means the whole "they are gonna track participants movements" bit isn't entirely tinfoil-hat paranoia. The presence of the sensors implies they plan to track.
    4. There were metal detectors and X-Ray machines maned by the Swiss Army (insert knife joke here) at the entrances, but they didn't get placed until very later. The "safety" this buys the participants is marginal unless the entire conference center was sweep very, very carefully after the gates were put up. Most people with the motive to blow up an international conference don't do it as a spur of the moment thing. When a head of state visits somewhere, an advance team sweeps the room/route/etc and seals it as they go.
    5. Privacy and data security are totally lacking. The organizers failed to inform participants about what information was to be collected, and more severely, couldn't produce a detailed accounting when asked. The data collected was visible on monitors to casual observers, which completely negates most of the value and allows for theft.

    In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.

    The illusion of security is worse than no security at all.