WarCloning, the New WarDriving?

ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."

RFID on identification scares me

[sempiterna]

I'm very much afraid of government implementing rfid on a widespread level. I have to admit that if I was government, I'd probably push to do the same thing.

Having Big Brother being able to know who I am by walking into a door of the court house, or if a police officer pulls you over and 'scans your arm', really scares me.

The potential for abuse is tremendous.

Re:RFID on identification scares me

[steelcaress]

I always thought they should do more. I'm not particularly scared of it, but I always thought that since there's a massive amount of information available on you anyway, why not implement this in a useful way?

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.

Enlist in the military, they'd need things for that, including competencies, education, etc.

Insurance companies, well, unfortunately would have limited medical access.

The uses for a big pool of info, with limited access, would be massive. The best thing is that it wouldn't be available online -- it would be available on a data crystal or some other media capable of storing massive amounts of information. You could even have a retina scan or a galvanic skin sensor to make sure the right person has the medium, rather than a crook who ran off with your wallet or an identity thief. RFID doesn't scare me. I think it could be a step in the right direction. As a man who's tired of answering questions and filling out forms, I think this could be a boon, not a bane.

Re:RFID on identification scares me

[ushering05401]

Who knows what your prospective employer etc would see in your file?

Who knows if it would be true?

Oh wait.. there could be some sort of efficient appeals process to get improper notations removed from your file just as easy as fixing your credit history after getting ID jacked...

Boy, my grade school teachers didn't know how right they were when they threatened me with screwing up my 'permanent record.'

Re:RFID on identification scares me

[Neanderthal+Ninny]

No kidding.
Any form of transmittable broadcast information can be cloned and hacked, so like you, don't trust them. I have an FasTrak on my car but it is stored in a metal case to prevent it from being cloned or tracked for no good reason.
All companies that sell RFID and government agencies claim that their "technology" is safe, unhackable and unclonable but they haven't allow the real world (at least the hackers world) to have at it and truly prove they are safe, unhackable and unclonable. However, over time any encryption technology can be cracked with better and faster computers so any RFID can be cracked.

Re:RFID on identification scares me

[Jurily]

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.

Enlist in the military, they'd need things for that, including competencies, education, etc.

Likely this would result in employers having your medical record, the military having your CV, and hospitals your supervisor comments.

Where would you store all that data? Who would authorize accesses? Why not just give them a CD containing the needed info?

Also, the paperwork has one important aspect not covered by computers: the paper trail. Logs can be tampered with, a piece of paper signed by your doctor/employer/whatever in your safe can not.

In the land of CYA it can be important.

Re:RFID on identification scares me

[commodore64_love]

Go to a concentration camp; they could have a name, phone numbers, next of kin, final will and testament, etc already on file. No more wasted paper or wasted time filling out the same info on different forms. Just send them straight to the "showers" for processing.

Go to a job interview; they could have a genetic workup, list of potential diseases, previous health expenditures, current debt accumulation, etc already on file. No more hiring of people who are sickly & likely to aste company resources, or are deep in debt and potential thieves. They can be weeded out immediately.

Point:

Having information so easily available is dangerous. It's loss of power by the citizen & a gaining of power by the politicians and the corporations.

Re:RFID on identification scares me

[Chandon+Seldon]

However, over time any encryption technology can be cracked with better and faster computers

This is a common misconception. Modern encryption algorithms are strong enough that "better and faster computers" won't help break them; a classical computer powerful enough to brute force 256-bit AES is physically impossible. Even quantum computers will just mean that some specific techniques need larger keys to be secure.

Encryption algorithms do occasionally get broken through mathematical trickery, but from a user perspective the most likely security issue related to encryption is some sort of design oversight in the practical system that you use. Examples include the fact that your password is on a sticky note on your monitor, or the fact that DRAM doesn't clear immediately when a computer is powered off.

Re:RFID on identification scares me

This is a common misconception. Modern encryption algorithms are strong enough that "better and faster computers" won't help break them; a classical computer powerful enough to brute force 256-bit AES is physically impossible

And it is equally possible to get the correct key on the FIRST pass.

And no, 256-bit AES is not "physically impossible" to break in many situations, just in most of the useful ones.

Re:RFID on identification scares me

[I+cant+believe+its+n]

However, over time any encryption technology can be cracked with better and faster computers

This is a common misconception. Modern encryption algorithms are strong enough that "better and faster computers" won't help break them; a classical computer powerful enough to brute force 256-bit AES is physically impossible.

Do these RFID cards really use 256 bit AES encryption? Do they even use encryption? I assume they can't be super strong, given their limited size and the amount of power available to them, but I hope they at least reply differently given a replayed request?

Re:RFID on identification scares me

[LingNoi]

As usual XKCD has an answer to your "security" and it just came out today too. http://xkcd.com/538/

Re:RFID on identification scares me

[mugnyte]

You certainly don't want it to be like in the olden days, where people in the town would recognize you as soon as you walked in, including all of your reputation, simply by your face.

Re:RFID on identification scares me

Maybe Comcast could learn something from that:

Comcast: "Please enter your phone number" /me punches in phone number /me waits for an Account Executive

Person on phone: "What's your phone number?"

AAAAAAAAAAAARGH!

Re:RFID on identification scares me

[Have+Brain+Will+Rent]

mod parent up past 5... what? 5 is the limit? I don't give rat's ass mod him up past 5 anyway!

Re:RFID on identification scares me

[Chandon+Seldon]

And it is equally possible to get the correct key on the FIRST pass.

No. Not in any useful sense of the word "possible". No one will ever luck into guessing a randomly generated 256 bit key on the first try.

Re:RFID on identification scares me

[DoubleReed]

My understanding is RFID is intended to only encode a small amount of data.

But, that doesn't matter. There are many hardware mechanisms for keeping data with you (just carry a USB flash in your pocket).

The challenge for what you describe would be having universal data formats for each of these things. Everyone would need to have the infrastructure in place so that, for example, every time you went to a job interview they were set up to process the same format of input file.

XML? JSON? Something new?

It is probably inevitable that true open, extensible, simple data formats will become universal. I agree with you 100% that this will have a huge impact on society.

Just, I think RFID is a separate issue.

Re:RFID on identification scares me

[Fulcrum+of+Evil]

In the olden days, you could move to a new town and start over if you screwed up bad enough. Nowadays, you have to leave the country.

Re:RFID on identification scares me

I was government, I'd probably push to do the same thing

Because it would pull more revenue through your hands? Or because it expands your power over the people and sets a precedent for your next expansion of power and revenue?

Are you honestly saying that you don't blame them for putting self-interest over freedom and human rights? Because I sure do.

Re:RFID on identification scares me

[noidentity]

RFID doesn't scare me. I think it could be a step in the right direction. As a man who's tired of answering questions and filling out forms, I think this could be a boon, not a bane.

Agreed; convenience is where it's at.

Re:RFID on identification scares me

No more hiring of people who are sickly & likely to [w]aste company resources, or are... potential thieves. They can be weeded out immediately.

Why is this a bad thing? If you can put yourself in the shoes of a business owner, are you honestly saying you'd want to hire people who were likely to miss a lot of work, slack off, or outright steal from you? Somehow, I doubt that to be the case! Although, I could certainly see a business owner wanting his competitors to have to hire people like that.

... neat stuff, and a teensy bit scary ...

[ninjagin]

Saw a video linked at gizmodo. Neat stuff, Chris, if a bit scary.

Why?

[EmbeddedJanitor]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

The potential for abuse is already there and has been for a long time.

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Re:Why?

[faloi]

With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Yeah, you also apparently need a couple of hundred bucks worth of stuff. And the added "advantage" to RFID is that most people will probably actually believe it's secure and take the scan at face value, making it easier than ever to pass off fake ID most places.

Re:Why?

[NonUniqueNickname]

your car has license plates on it which can be scanned from far further than RFID

Very few people carry their car's license plates in their wallet or purses. For most of us, having RFID on our driver's license is akin to having RFID implanted in our skull.

Re:Why?

[icebraining]

Yeah, but I bet it's easier to make a RFID protected wallet than extracting it from your skull.

Re:Why?

[physicsphairy]

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand, which is a lot more than this guy is paying to copy RFID. And this way gives minimum exposure vs. needing to have physical access to something to copy it.

But, you know, there is not much defense against someone who waits to mug you in a lonely alleyway either. Maybe instead of focusing on preventing these sort of things, the primary focus should be on making the exploitation of vulnerabilities more susceptible to post-facto detective work. (for example, if you make the RFID tags require a stronger signal, that will make this kind of setup easier to remotely detect)

Re:Why?

Yeah you need cheap easily obtainable technology. Nothing more!

Re:Why?

[commodore64_love]

>>>Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Perhaps in other countries, but not the U.S. The Supreme Court decided (v. Prouse) that a discretionary, suspicionless stop for a spot check of a motorist's driver's license and vehicle registration was invalid. The officer's conduct in that case was unconstitutional primarily on account of his exercise of "standardless and unconstrained discretion." A generalized roadblock that stopped all drivers would be allowed, but only in cases of border security or sobriety checks, not other tasks such as narcotics search.

Re:Why?

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

This sort of thing has been declared unconstitutional many times over in Texas and other states. When the law gets tossed out, the state legislatures just pass another one or add insurance or seat belt checks, which are then eventually declared unconstitutional as well as soon as someone is willing and able to fight it up to a sufficiently high enough court and the cycle begins anew. Any RFID readable without the consent of the person possessing it should be declared unconstitutional as well, as well as asking for it without just cause.

The voters need to make it clear to these politicians that such invasions of our rights is completely unacceptable, unfortunately voters too often think it's not an invasion of rights and that it won't cause them a problem even if they realize it is an invasion of rights. You should be clearly in violation of the law before they stop you and ask you for identification.

Re:Why?

[davester666]

Using RFID isn't that big a leap for the police, as they already have access to all the information that it transmits, only with RFID, they may be able to retrieve the information without having to ask you (if you keep your DL,passport,whatever unshielded).

Using RFID IS a big leap for everybody else. Suddenly, anybody who has the inclination can find out your name, address, SIN, your digitized picture and fingerprints. Without your knowledge or permission.

With license plates, they do uniquely identify your vehicle, but in a way generally keeps you as an individual anonymous to the general population. It takes a non-trivial amount of effort for someone to convert each license plate to their owner, and it must be repeated for each plate. With RFID, after the initial investment, you can acquire a large amount of very specific, private information for a large number of individuals for no significant additional costs.

And for RFID-enabled ID's, I would guess that people 'authenticating' you using them are more likely to blindly use the RFID-encoded information, and not put a lot of effort into checking that the card itself is valid.

Re:Why?

[_Sprocket_]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

Asking to see the license still requires asking. It also requires driving for one to be (legally) provided. RFID allows for scanning a crowd and (potentially) getting a crowd of identities in less than a second.

OCR on license plates are very doable if you control the conditions. Make sure the vehicle is going the desired location and mount the camera in the perfect position. Back that up with occasional human to try and work out those cases where OCR fails. With RFID you put up antennas in a few strategic locations and you cover blocks of traffic without worrying about angles, lighting, and other bothersome conditions.

The potential for abuse is already there. RFID makes it more efficient.

Re:Why?

The U.S. you refer to has ceased to exist: http://epic.org/privacy/hiibel/. The officer still has to have "suspicion" but who isn't suspicious to a cop?

Re:Why?

Right....like that's going to work in practical terms.

Re:Why?

[RiotingPacifist]

I suspect your laws are similar to what we have in the UK, in theory to pull you over / search you they need reasonable suspicion, in practice they can just make shit up.

Re:Why?

[Chabil+Ha']

Reminds me of the movie Gattaca, though. "Who looks at photographs anymore?" The problem with your statement is that people would likely start relying on a technology that doesn't really establish identity. It only establishes the authenticity of the document.

Re:Why?

[troll8901]

I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand

Just for the sake of argument, I think a consumer CD printer (e.g. Epson R240) can be modified to print onto a piece of rectangle. With the careful use of glossy ink, the end result may fool casual glances.

The only problem, of course, is getting a stack of blank cards that are inkjet printable and looks professional.

Re:Why?

[Anachragnome]

Yes, but if the bar is raised, for some stupid reason, the trust in such technology seems to increase.

What this means is that when the "scammers" actually do succeed in defeating protections, their fakes have just that much more "believability".

Think "Its so hard to duplicate, it must be real".

Just more of the same "security theatre" we've seen in the past, but with the potential for serious repercussions, IF we put our trust in the system. Which, quite frankly, I do not.

Re:Why?

uh, did you like, uh, even read the summary? dude! i could have sworn it was hinting at how easy it is to clone (i.e. steal) an identity...much worse than a fake driver's license to buy beer...

Re:Why?

[Scroatzilla]

Slightly off-topic, but I took a shaky photograph one time with a disposable film camera, in a parking lot. When I got the film developed, I was surprised to see that, in this accidental photo everything is motion blurred, upper right to lower left, except for the license plate of a particular car, which was clear and in focus with no visible motion blur.

Weeeird.

Re:Why?

Yeah, right. You go ahead and try that next time you're pulled over. You go right ahead and quote your Supreme Court decision to "Officer Friendly."

And don't drop the soap.

--
There's a good reason why I'm replying to this post as "Anonymous Coward"

Re:Why?

[Antique+Geekmeister]

The classic offense in the USA is "DWB", or "Driving While Black". That's not what they call it, but drive around the wrong neighborhood as a black man in a beat up car scanning house numbers, and you remain far more likely to be stopped by the police or local security than almost any other race or gender. There's been a lot of talk about how such discrimination can be avoided by "profiling", especially for not-very-random security checks, but try actually watching who gets pulled over for ID checks.

Re:Why?

Yeah, you also apparently need a couple of hundred bucks worth of stuff.

Meh... Any rfid hacker that can't do it with 17 cents worth of thin transformer wire and a surface mount capacitor snarfed off a dead 3.5" drive doesn't deserve a year's worth of free toll booth passage.

Re:Why?

[mckinnsb]

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Not in every state of the US.

Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has. Connecticut's licenses in particular have layers of holographs and foil that overlap each other. A printer that can print on plastic combined with a laminator simply wouldn't produce anything even remotely close to the real thing. Anyone familiar with a Connecticut license - even an extremely drunk frat boy - would be able to spot the fake instantly.

Now lets talk passports. I don't think I have to get into this too much , but US passports are incredibly difficult to copy or reproduce. The majority of the time (from what I am told), passports are stolen and modified, not forged from scratch.

For your average scammer, acquiring the equipment to produce either is both expensive and extremely difficult. I'd guess that the companies who develop the machines that are capable of producing licenses or passports probably sign a contract with the state or federal government stating that they won't sell the equipment to unauthorized persons; so your only real alternative is to either get it through the black market or a contact at the company.

Now here is the problem illustrated by this experiment:

Chris Paget only spent 250 dollars on creating a device that can steal RFID's while moving. One of the primary motivating factors leading to the inclusion of the RFID in identification documents was the desire to obtain information about travellers without having to ask them to take their license or passport out of their pocket. Here is the important part: A passport or license that has to be taken out of the pocket is one that will be subject to visual scrutiny. A stolen RFID is not subject to visual scrutiny.

If this is true and reproducible, not only do RFID's present a security risk for their bearers, because I don't even have to see your license to copy its relevant information, but RFID's are not effective in achieving their original goal. If you cannot rely on the information given by RFID's , because someone could 'steal' one with only $250 of equipment, then you have to check each and every travelers' passport or license, then why do you have an RFID system in the first place?

Re:Why?

[smoker2]

I am not a number, I am a free man.

Are human rights to be restricted to those who have the mark ? How can you be anonymous if you can be scanned from a distance ?

I can't think of anything primarily done for the sake of convenience, that has turned out without having nasty side effects. Personal motor cars, cheap mortgages, credit cards, fast food, plastic packaging, party line voting, etc.
RFID is fine for bus tickets, or other temporary privileges but not for permanent personal ID.

Re:Why?

[lena_10326]

Perhaps in other countries, but not the U.S. The Supreme Court decided (v. Prouse) that a discretionary, suspicionless stop for a spot check of a motorist's driver's license and vehicle registration was invalid

They don't need much in the way of suspicion. Did you really believe seat-belt and cell phone/driving laws were about saving lives?

So once they pull you over, if you don't show your id, you'll be hit with something along the lines of interference with an investigation, obstruction of justice, or resisting arrest.

Re:Why?

[enos]

That's because of the flash. License plates are made to be reflective so the flash worked on it even though the plate was far away. Other plates were probably at a wrong angle. The blur is caused by a slow shutter speed, which means the scene was relatively poorly lit. The flash strobe is very fast, so it wasn't affected by the camera shake much.

Re:Why?

[sumdumass]

It's not just suspicious, it's beyond reasonable suspicion.

The problem is that your constitutional rights don't say unless suspicion, it says you are protected from unreasonable searches. That means that the cop has to find you suspicious in a way that a normal person with similar training could find the suspicion too. Long hair, being black in a white neighborhood, or looking like a hobo while driving a million dollar car aren't just causes.

Re:Why?

[Fulcrum+of+Evil]

Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has.

So how hard would it be to scam/bribe a DMV worker?

Re:Why?

Harder than it would be to just get a job there.

Re:Why?

[Yvanhoe]

When police filters people who enter a building or who attend a political meeting, it is visible. The control, abnormal, is made in public for everyone to see. A RFID control, however, can be a single box the size of a case hidden behind the door. That is a huge difference in practice. A thing that we often overlook when discussing privacy issues.

Re:Why?

[noidentity]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Yeah, things were better when you could drive a vehicle without a license.

Re:Why?

[radio4fan]

Actually, in the UK the police can stop any driver with *no* reason. They don't need reasonable suspicion of anything.

On the plus side, you don't need to carry your licence with you.

Re:Why?

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Naw, I'm white. They did do an inkless finger print of my index finger.

Re:Why?

[Richy_T]

Is there any evidence that they were worse?

Re:Why?

[CompMD]

"OCR on license plates are very doable"

Already done. The British call it ANPR, automated number plate recognition. It is very good. Its used on speed cameras all over the UK. The technology was developed as an antiterrorism system originally. British intelligence wanted to be able identify vehicles used by IRA bombers.

Re:Why?

[_Sprocket_]

Sure. And I see it used daily at the local county's tollroad. Works pretty well. But the toll lanes create a reasonably controlled environment and it still requires an occasional human to manually read a percentage of images. I'd be curious as to how ANPR handles things - I couldn't imagine the technology to be that different.

Re:Why?

[alecwood]

You can buy blank cards with mag strips on the back for making key cards for mag strip operated door locks.

There's a jig available for the Epson printer CD caddy for doing the credit card sized mini-cd. I use an R200, and the jig hold the CD by its edge, doesn't use the hole in the middle, so doesn't matter of there isn't one

You'd be surprised just how convincing the output from this combination can be.

If you need one with a chip embedded, for visual effect, then there are may suppliers of printable smart cards out there. I got some lovely unprinted Atmega 163's off eBay for playing around with cable TV - they worked a treat for this purpose too.

Re:Why?

[alecwood]

The key to ANPR success in the UK, and why it would be much more difficult to achieve in the US, is contrast.

The typeface, size, letter spacing, text and background colours are rigidly defined in law. Front only black on white is permitted, rear only black on yellow.

OCR is so much easier when you don't have to read purple text on a blue background, or yellow text on a white one

Re:Why?

[hoggoth]

Good luck with that. If you start quoting court decisions you will likely see the hot end of a tazor really quick. And then you will be arresting on charges of resisting arrest, fighting with an officer, and several other charges that struck the officer's fancy while he watched you squirm on the ground in agony.

I have several police officers in the family. This happens all the time.

Re:Why?

[_Sprocket_]

Interesting point. Of course, in my state the text is pretty high contrast (dark blue on white). Hmmm. Now that I'm thinking about it, I wonder if I can find out what the OCR error rate is for the tollroads; I have inside connections.

Re:Why?

I suspect your laws are similar to what we have in the UK, in theory to pull you over / search you they need reasonable suspicion, in practice they can just make shit up.

they can just make shit up.

South-hemispherian here, I have to say ... WOW.. I knew about you northern guys having that thing with the toilet water flushing the other way round and thought -that- was kind of weird, but now this.... have to see to believe..

Re:Why?

[HTH+NE1]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Only if you've been witnessed driving without it. If you're a passenger or otherwise not driving, you can be compelled to truthfully identify yourself, but you don't need corroborating documentation.

This doesn't mean the authority involved won't overstep his bounds and arrest you anyway for failure to comply with (IAOO -- In the Armed Officer's Opinion) a lawful order and/or interfering in police business.

Re:Why?

[mckinnsb]

Fair question, a la the recent XKCD-put motif of "A human target is almost always weaker than the tech". Although I don't think you are looking for an answer, I'll bite, mostly because I'm bored and sick. It depends on your DMV, and your DMV worker.

First, all DMV's I've been to (NY/CT/MA) have CCTV cameras all over the place - so convincing a DMV employee to create a fake ID during work time is probably somewhat difficult. I would not be surprised if the machines used to produce licenses were set to shut down and start up on a time lock. Second, every one of those aforementioned DMVs had one or two resident State Troopers, monitoring those cameras and generally enforcing the law. It's not as if you would really need a plurality of civilian witnesses to bring a conviction down on someone, as one cop who is deployed to lawfully perform that specific purpose should do it, and most DMV employees would recognize that risk. Third, the penalty for doing so is a felony for both parties involved, and you cannot work for the DMV (or most government agencies AFAIK) with a felony, so the people at the DMV are probably not career criminals. Fourth, you don't really need a college education to work at the DMV (for most positions) and the DMV pays fairly decent for a HS grad job, so most DMV workers would need a hefty sum of money or a heavy arm twisting to be persuaded to create a false ID; it's a good livelihood with fairly decent job security as long as you can deal with your customers. The ones who do not have college educations would probably like to keep their job and a felony off their record, because most other high-paying HS grad jobs will not look on a felony kindly after you get kicked out of the DMV and released from jail. The ones who have college educations are probably smart enough to know that they would probably get caught, and have other options available to them if they are in need of more money that would quickly shrink in number if they were convicted of a felony.

All said and done, convincing a DMV employee to produce a fake license for you is still a lot harder than making an $250 dollar RFID ripper, which probably won't be CCTV monitored, brought to the policies attention, or land you in danger of acquiring a felony on your record.

Re:Why?

[Repossessed]

Um, they do random license checkpoints in this state all the time, its how they get around the 'no drunk driver checkpoint' rulings. Something about if they take a classified ad out people who want to avoid it can. (Because of course, everyone reads the classified section of the dead tree newspaper).

Of course, the courts here are also convinced that visiting a grocery store is reasonable suspicion of drunk driving.

Re:Why?

[shnull]

But still it's a bit hard to say have a bomb explode when a certain person walks by, just by scanning within a certain radius or maybe track you via satellite ? I think it's inhumane ... that's what makes it so human i suppose

My hat ain't enough

[sls1j]

Looks like I'll be getting a matching tin foil wallet to go with the hat.

Re:My hat ain't enough

[Gojira+Shipi-Taro]

Interestingly enough, when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...

Re:My hat ain't enough

[complexmath]

I got a new Passport Card and plain old Passport at the same time, and the card had a sleeve while the Passport did not. I wondered whether the jacket of the Passport was lined and could only be scanned when open, but haven't bothered to investigate.

Re:My hat ain't enough

[MadHats]

A couple of years ago I invested $10 in a metal travel wallet that functions as a de facto Faraday Cage. Or you could spend 8x that on a microwoven stainless steel version...

Re:My hat ain't enough

[kaatochacha]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

Re:My hat ain't enough

[joocemann]

Shoulda got it a long time ago... Its not like we didn't all see this coming. Anyone with half a brain knows that when you add technology to something simple and relatively secure, you then allow it to become complex and easily exploited.

E-voting?

Re:My hat ain't enough

[Jherek+Carnelian]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

It is true and it is not. Building a faraday cage into the cover was one of the "concessions" they made in response to all the complaints about privacy issues. But... it only really works if the covers are tightly pressed together. Leaving it open a quarter inch or so may be enough to prevent official readers from picking up the RFID, but not enough to protect against someone with a reader with more juice - like anyone who is up to no good will certainly have.

Re:My hat ain't enough

[noidentity]

when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...

Yes, unlike the old passports where you had to take them out and show them, with these new RFID-enabled passports with their Faraday sleeves, you merely have to take them out and scan them. Ain't technology great?

Re:My hat ain't enough

[waltaugust]

Identity Stronghold makes that sleeve that ships with the passport card. See this news article http://www.idstronghold.com/content/identity-strongholds-secure-sleeve-protect-us-passport-card They also have a passport book size sleeve on their website as well as badge holders.

WarCloning?

[spyder913]

WarDriving = Driving around finding open APs.
"WarCloning" = Driving around cloning RFID stuff.

Shouldn't it be "CloneDriving" or something else? Though I suppose all of them are equally dumb. So nevermind...

Re:WarCloning?

[spacerog]

No. I know your being funny, or at least modded that way, but the correct prefix is 'war' as in WarDialing, as in War Games (the movie), which is were the term comes from. "WarCloning" is a perfectly acceptable term.

- SR

Re:WarCloning?

[Ron_Fitzgerald]

"...what do freedom fighters fight?"

~ The late, great George Carlin

Re:WarCloning?

To expand on the explanation: Wardialing is the act of having a computer find phone numbers leading to computer modems by "scanning" blocks of phone numbers, i.e. dialing each number and listening for a carrier, like Mathew Broderick's character did in War Games. WarAnything is the act of actively or passively looking for something by scanning a block of candidates. WarDriving seems like an appropriate use of the war-prefix. WarCloning on the other hand is focussed on the cloning part, which is not a sensible application of the war-prefix. The act of finding suitable RFIDs to clone would fit that general definition though. An interesting thing to note is that the scanning is usually legal, while the attack on the discovered resources usually isn't, so I would prefer the name WarCloning not to stick, because it breaks that distinction.

Re:WarCloning?

[DMUTPeregrine]

CloneDriving is an activity that takes place on a golf course. It's very similar to seal clubbing, but mostly seems to involve sheep.

Re:WarCloning?

If your going with amalgamations, why not try these on for size:

DriveCloning
CloneWarring
DriveWarring

or the ever favorite:

WarWarring

Re:WarCloning?

[troll8901]

"I am Kahless... and I have returned."

~ Kahless II

Re:WarCloning?

[wootcat]

WarDriving = Driving around finding open APs. "WarCloning" = Driving around cloning RFID stuff. "WarClowning" = Driving around finding clowns to see how many you can fit in your car at one time.

Re:WarCloning?

[cellocgw]

No. I know your being funny, or at least modded that way, but the correct prefix is 'war' as in WarDialing, as in War Games (the movie), which is were the term comes from. "WarCloning" is a perfectly acceptable term.
Are you sure?
I was given the impression, way back when, that WARdriving was a semi-acronym for "wireless access reconnaissance" driving.

Good for crime fighting, scary for potential abuse

[hwyhobo]

Take a lesson from London video cameras and spread the RFID readers at each intersection, and now you can track everyone in the city remotely.

Protection

[riceboy50]

The first thing I did after receiving my RFID-embedded passport was to pick up one of these.

Re:Protection

[chill]

Really? The first thing I did was pick up one of these, which I already had on hand at the house. Mine is *guaranteed* effective. :-)

Re:Protection

You're doing it wrong. The first thing I did when I got mine was pick up one of these.

Re:Protection

[pluther]

The first thing I did was to put it in the microwave.

We are still supposed to do that to all our mail, right? To protect against anthrax? (Are we still living in fear of that? It's hard to keep up sometimes.)

Surely Homeland Security can't be upset at us for doing what they told us to do!

Re:Protection

[Garganus]

"The Hammer" ...Maybe that can be your nickname in federal pound-me-in-the-ass prison. article

Re:Protection

[chill]

Just out of curiosity, have you tested the effectiveness of that shielding wallet? If so, how?

Re:Protection

[riceboy50]

I haven't had a chance yet, but it should be easy to wave it next to an RFID reader. The ones I have encountered will beep if they are able to ping the chip, even if they don't know what to do with the information.

Re:Protection

I, for one, have. Well, not specifically that model perhaps but I have a wallet I have noticed to (at least nearly) entirely block RFID. Our tickets for public transport operate with cards that have RFID. Strong enough that they can be shown to the receivers in busses, trains, etc. even if the card is inside a wallet that is inside a handbag or something.

When I switched to my current wallet, I noticed that I no longer could get the things to notice the card from inside the wallet even if I touched the receiver with the wallet. The RFID ticket itself continues to work entirely well from outside the wallet so it's not about it...

I haven't throughly tested that it doesn't let anything through but should at least lower the distance from which a chip can be cloned by a lot.

Re:Protection

[ChrisPaget]

The shield that comes with the passport card is effective, at least as far as my research so far has suggested. It's worth mentioning though that according UW / RSA, the shields supplied with the electronic drivers license in Washington are ineffective at preventing reads (although they do reduce range somewhat) - http://www.rsa.com/rsalabs/node.asp?id=3557

Re:Protection

[rthille]

It didn't seem to help protect the passport when I put the passport in the sleeve, then the sleeve & passport together in the microwave...

Re:Protection

[chill]

I do believe the magnetron in the microwave is a tad more energetic than your average RFID reader. Well, I hope it is anyway. If not, we're going to have some seriously upset -- and sterile -- border control agents.

Thanks for the input, though.

Re:Protection

[msuarezalvarez]

Is that real? Was it ever a recommendation, to microwave mail?

Re:Protection

[Rogerborg]

You there! Hand in your geek credentials. Real nerds don't buy, they make their own.

Re:Good for crime fighting, scary for potential ab

[internerdj]

Ooops...
http://www.thinkgeek.com/gadgets/security/8cdd/

Where are the FUNCTIONAL RF-blocking covers?

[dltaylor]

I would like to get both passport and driver's license covers.

A google has so much noise that I cannot find the signal.

Any links to to something other than mumetal by the sheet?

Re:Where are the FUNCTIONAL RF-blocking covers?

For your driver's license, just use what I have for many years: an "Altoids" tin (or similar item). Perfectly sized for drivers licenses, credit cards, and other such things, and completely impervious to RF scanning technologies. I use one for my "wallet".

For a passport, well, they *did* have those jumbo tins a while back... ;)

Re:Where are the FUNCTIONAL RF-blocking covers?

[PayPaI]

I've got one of these for a passport, and it looks like they have card size sleeves as well.

Re:Where are the FUNCTIONAL RF-blocking covers?

[Shadyman]

For driver's licenses, you can go to Lowes: they have little gift card tins just big enough to fit their gift cards (which are standard credit card size)

Re:Where are the FUNCTIONAL RF-blocking covers?

[pjt33]

Unless you use your passport a lot (as in weekly) you can make your own and it will last for a couple of years. Take a sufficiently large sheet of metal foil and lay it flat. Cover it with duct tape. Fold and tape, and add a Velcro (or clone) fastener to keep it closed. I've had an RFID passport for about four years now and my second homemade wallet is still going strong, even though I fly internationally every few weeks.

The trickier one is how to shield cards which you want to use more frequently than that. The metro system in my city introduced RFID cards for reusable tickets last month, and I'm still thinking about how to carry two of those (for different zones) such that I can pull out / open at the one I want easily.

Re:Where are the FUNCTIONAL RF-blocking covers?

That's ingenious!

All this talk of tinfoil hats and aluminium wallets, and I never thought to think of a good old old-fashioned tin of travel mints!

Thank you!

Good

[El_Muerte_TDS]

I hope they do a lot of damage so that they scare enough people so that they finally start protesting against those terrible plans.

Re:Good for crime fighting, scary for potential ab

[hwyhobo]

In a brave new world of the future those will probably be outlawed...

Re:Good for crime fighting, scary for potential ab

[internerdj]

As scary to the government as it could be, wire mesh will never be outlawed where I live...http://en.wikipedia.org/wiki/Chicken_wire

Don't be scared

We're safe. Cloning RFIDs is illegal.

Re:Good for crime fighting, scary for potential ab

[icebraining]

What, will they outlaw aluminum sheets? Those bastards!

There are plenty of threats to our freedom right now, no need to be paranoid about the "scary new technologies".

tracking abuse..

[Adult+film+producer]

Are rfid tags available for the consumer right now? As another person pointed out the city of london is creating a grid of tracking stations so anybody can be located and followed remotely.. but if these tags can be cloned then why not buy up a million or two rfid tags, program the buggers and distribute them throughout big cities (inside car bumpers? tractor trailers? covertly inject them in food if their small enough..) This should really cause headaches for the people tracking..

RFID Gathering

[CaptCovert]

What worries me about all of this is not that the RFIDs can be picked up while driving around. A little consumer education (you are supposed to worry about who you give your SSN to, and you don't just leave your other PII laying around in plain sight usually) in the form of RF-blocking wallet linings will fix that. What I'm worried about is what happens in 5 years, when advances in RF technology (it is the new form of governmental ID, after all. Technology WILL follow suit) allow for hardware that I can hide on my person (antenna down the back of a coat lining, wired to a recorder in my pocket, or hell, dropped in the lining somewhere). At that point, all it takes is one man sitting in a train station or airport. You pull your ID out for scanning, and I harvest it. You may as well walk around with your SSN printed on your shirt.

Re:RFID Gathering

Stand in a airport with a suitcase.
What is wied about that?

Well in that you can have an antenna and battary, and computer.
And you know that there will be a lot of passports around you.
And what else that are using RFID.

Now get a group of your frinds to getter.
And now you are are standing along the path that normal persons will use.
When you all log a lot of data.
When you get home you will look at what ID you that poped up togetter at all of your.
And that way you can see what set of RFID that is belonging to the same person.

obligatory

Papers (rfid chip?) please...

I saw the video and it is inaccurate at best

[anand78]

The XR400 used in the drive through was a UHF reader. Reading a UHF tag is not as easy as the author described. All you have to do is put it against your body, and the salt water attenuates the signal, thus making the tag unreadable. Making such broad statements as scrap the whole real ID or national id, will be valid, if the author showed some substance.

Re:I saw the video and it is inaccurate at best

[couchslug]

"All you have to do is put it against your body, and the salt water attenuates the signal, thus making the tag unreadable. "

The old "prison wallet" looks better and better.

Re:I saw the video and it is inaccurate at best

[CrashandDie]

I have to agree I don't feel comfortable with RFID as a technology feat in identity cards or passports... Though, I wouldn't scrap electronic devices as a whole just yet.

A smartcard (the good ol' chip) is quite secure, and I yet have to find someone who can crack through the Master Keys to replace the applets on the chip (and even that wouldn't do him any good). A certificate generated on the card will never get out, if it is not marked exportable; actually, I would guess that if the solution required key escrow, you would probably generate it in an HSM and then put it on the card, but still. Most PKI certificates (more and more cards support 2048bit keys without a problem) are extremely robust.

I really love the idea of the Belgian government: give everyone a card, give everyone a certificate that is trusted by the government, so that they can sign stuff or encrypt stuff. And with PKI being what it is, other uses have been implemented leveraging the fact everyone has PKI credentials. Imagine the post guy coming round to deliver something, no signature, just put your card in, and type your PIN. Legal signature, done.

Knew this was coming

Ha ha ha. I knew this was coming. Ever since someone figured out how to use a pringles can to pick up wifi from a couple of miles away I knew no RFID for personal identification would be safe. Anybody with half a brain could have seen this coming for RFID.
If we don't learn from history, or we are arrogant enough to think we won't make the same mistakes on previously proven bad ideas, we WILL repeat history.

First thing I did, was get my passport renewed

As soon as the plans to do this was implemented, the first thing I did was have my passport renewed for another 10 years before they could put the chip inside it. researchers had already hacked them before they where released, so I thought it best to buy myself another 10 years to sort out all the problems with the technology.

Reading Passport RFID Cloning Passport RFID...

[Phizzle]

Couple of points - just because you can see a tag of the Passports RFID, doesn't mean you can do anything meaningful with that data. Having just traveled from US to London to Amsterdam and back, I got to say - good luck trying to walk through the check points with bogus data. Any nerd who thinks he can make a fake passport just because he can scan RFID is going to have his 30 year old cherry popped in real jail.

Where's the cloned passport?

[origamy]

He simply shows that he could read the RFID tag of the passport. Where's the new passport created (as in "Cloned") with it?

Sure, it's bad to be able to read the RFID information, but let's not over blow what is being done here out of proportion.

Makes it much harder at border crossings

With all those stinking hippies hanging on your back for the ride. Also makes customs more suspicious.

Stealing bandwidth is one thing, but this is going too far.

exaggerated description

[SethJohnson]

This fellow doesn't demonstrate cloning anything. He's just reading RFID codes in the video.

Seth

Tin Foil Hat!!

[corsec67]

I think that is a VERY legitimate use of a tinfoil hat... /Couldn't resist.

Re:Tin Foil Hat!!

[BiggerIsBetter]

Or a balaclava and goggles.

Lucas

WarDriving = Driving around finding open APs.
"WarCloning" = Driving around cloning RFID stuff.

Shouldn't it be "CloneDriving" or something else? Though I suppose all of them are equally dumb. So nevermind...

Someone call George Lucas (or his lawyers).

Re:Good for crime fighting, scary for potential ab

[hwyhobo]

What, will they outlaw aluminum sheets? Those bastards!

No. They will probably outlaw that particular application of aluminium foil. Plenty of such examples today. I'm sure it will have a smart sounding clause, something about impeding lawful functioning of RFID locators, or somesuch.

OT

Maybe in theory...

In reality they call/punch in your license plate, relate that to the owners drivers license....THEN pull you over for an expired license solely on that info. (the cop had already changed lanes to go elsewhere when the report came back)

Re:OT

[Bryansix]

Yes, this happened to a friend of mine. Although his license was not expired. It turns out the guy who sold him the car was wanted on an arrest warrant. In addition the change of ownership had not gone through with the DMV. So the Police thought he was their guy. However my friend is white and the arrest warrant was for a black man.

DNA CLONING

[sanman2]

Phew, I thought I was going to find an article telling me that evildoers are grabbing bits of people's DNA from hair, skin flakes, etc, and growing clones out of them.

Re:DNA CLONING

[HiThere]

And earlier today I was thinking of the Polynesian (well, specifically Hawaiian) taboos around the royal families. Any hair or finger nail clippings were ceremoniously burned. They had special privies built out over the ocean. Etc. To keep samples of their tissue from being collected by evil doers who would cast spells using them.

I was thinking more along the lines of targeted diseases...but clones are another possibility. The only problem is it takes so long to mature them. And they *so* don't want to do as they are told.

Its a lie

[dlmarti]

The Author claims you can read the SSID and reprogram another tag with this SSID. This is not true. The SSID is not a R/W field. While technically you could create an active device to pretend to be a tag with the fake SSID, it certainly is not trivial.

Re:Its a lie

[Muad'Dave]

The tags read in the video appear to be standard Class1Gen2 UHF tags encoded in EPC GDTI-96 format. Nothing would prevent you from writing that tag ID into any number of tags - I have programmed Class1Gen2 UHF tags for use with DOD CAGE codes in this exact manner.

Re:Its a lie

[Richy_T]

There are R/W tags out there. The one I was working with, I was able to make emulate another read-only tag that we used.

Re:linux fags sucking obama cock

And that is a good thing, shit for brains.

I have an even better solution

[Miseph]

We should make RFID highly controlled instead. Once we make RFID ownership illegal then only criminals will have RFID, and they'll be a whole lot easier to find.

Hey, it works for guns, right?

Re:I have an even better solution

[Fulcrum+of+Evil]

Nah, walmart would never stand for it.

HID...

My employee ID card is a HID ISOProx II card that opens the outside door to my building. I'd love to know how far away it could be picked up when it's clipped to my shirt.

no one knows AAA?

hm.....seems human are getting stupid as usual

Same as recording license plate numbers?

[John+Jorsett]

If the RFID is nothing but an ID number and the actual data is in a database somewhere, how would this be worse than, say, writing down the license plate numbers of the cars you see?

heh

[ImYourVirus]

Don't forget changing it, I assume it shouldn't be to hard to change the details...

Let me post some information about....me

Get a grip. Abuse is already running rampant. If you are truly scared of BB, get off the couch and do something about it versus just waiting around for it to happen. The government knows that people will not try to stop it because the people are too concerned with whatever is personally affecting them within their 10 sq. mi. bubble they live in.

As for the author, another person from IOA tooting his own horn. Why didn't he just wait for Shmoocon and let the journalists/reporters pick up on this?

Airport Demonstrations

[LuYu]

I thought about this when I first heard the news about RFIDs being included in passports -- and money. Now that there is a practical implementation, it is time for a bunch of privacy advocates to get a marquee style display and go to an international airport. They could stand outside of the arrivals customs area and scan and display people's personal information in order to demonstrate how completely these tags violate the passengers' Fourth Amendment rights.

The sign might look something like this:

Hello John Doe!
Your passport number is #########
Your SSN is ####-##-###
You are carrying two MasterCards, one Visa card, and one Diner's Club card.
You are carrying seven 100 dollar bills and ten 20 dollar bills. Say hello to Ben and Andy for us!
This information has all been made publicly available courtesy of Uncle Sam and your banks.
If you are offended by this sign, please contact your Congressmen as soon as possible.
If you would like further information, ask one of our friendly volunteers for an explanatory pamphlet!!

Have a Nice Day!

That should get people's attention. And it should be quite entertaining until the airport authorities figure it out. When they do, it would also be nice to point out that Freedom of Assembly is also an inalienable right!

Re:Airport Demonstrations

[CompMD]

That is so fake and unrealistic.

Nobody has a Diners Club card. :)

Reality Isn't A Photograph

[hyades1]

It seems that quite a few people missed the fact that TFA refers only to "proof of concept".

First of all, the odds that this technology will stand still are zero. Second, anybody who wanted to get really nasty would find a way to access the remote databases and do a little creative matchmaking. After all, it's not like anybody's ever managed to walk off with a few million tax records and credit card numbers and stuff like that before, is it? I seem to recall DB breaches were getting so common it was necessary to force disclosure of the fact. Third, the government has all the information by default, and the people running it are very often not your friend.

Wow

Next those nasty hackers will be driving around snarfing everyone's public PGP key, which is about as much as this amounts too.

Re:Good for crime fighting, scary for potential ab

[lamapper]

What makes you think they did not have RFID built into the cameras?

How about LCD screens too. I mean really, if you were going to put up Public LCDs, there is not anything preventing you from embedding them with whatever you want. Cameras, Infrared, RFID scanners, etc....

His reader shows...

[Muad'Dave]

...3 standard EPC tags formatted as GDTI-96's (non-PDF). The GS1 Company Prefix is 0893599002, and the Document Type is 1. The serial numbers are there as well, but I'm not going to post them.

Losing your edge

[halcyon1234]

This story's been online for hours now, and there's no Clone War jokes? Alright, everyone. Turn in your geek cards. And I know which one of you have them. (Thanks RFID!)

RFID standards

The government deliberately chose a longer-range "vicinity" RFID type for passport cards and drivers licenses, rather than the ICAO standard "proximity" RFID type used in passports and specfied by ICAO for passport cards, in order to ensure that they would be readable at longer range. This is a feature, not a bug.

Copyrights and Serial Numbers r/o ?

[freaker_TuC]

I'm afraid you can't just copy the rfid tag of a passport or a visa card because the serial number is r/o while some parts are r/w (if I'm not wrong);
Also there is the law of Copyright, which protects passports, travelling documents and even money...

although you might be able to stuff those databases with "known test cards" ...

It's quite freightening, soon as rfid can be cloned perfectly, I hope it'd cause the world again to swap to alternative more controlled technologies again.

How far do you trust that unknown with a scanner?

[freaker_TuC]

Whatever can be done, will be done ...