WarCloning, the New WarDriving?

ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."

RFID on identification scares me

[sempiterna]

I'm very much afraid of government implementing rfid on a widespread level. I have to admit that if I was government, I'd probably push to do the same thing.

Having Big Brother being able to know who I am by walking into a door of the court house, or if a police officer pulls you over and 'scans your arm', really scares me.

The potential for abuse is tremendous.

Re:RFID on identification scares me

[steelcaress]

I always thought they should do more. I'm not particularly scared of it, but I always thought that since there's a massive amount of information available on you anyway, why not implement this in a useful way?

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.

Enlist in the military, they'd need things for that, including competencies, education, etc.

Insurance companies, well, unfortunately would have limited medical access.

The uses for a big pool of info, with limited access, would be massive. The best thing is that it wouldn't be available online -- it would be available on a data crystal or some other media capable of storing massive amounts of information. You could even have a retina scan or a galvanic skin sensor to make sure the right person has the medium, rather than a crook who ran off with your wallet or an identity thief. RFID doesn't scare me. I think it could be a step in the right direction. As a man who's tired of answering questions and filling out forms, I think this could be a boon, not a bane.

Re:RFID on identification scares me

[ushering05401]

Who knows what your prospective employer etc would see in your file?

Who knows if it would be true?

Oh wait.. there could be some sort of efficient appeals process to get improper notations removed from your file just as easy as fixing your credit history after getting ID jacked...

Boy, my grade school teachers didn't know how right they were when they threatened me with screwing up my 'permanent record.'

Re:RFID on identification scares me

[Neanderthal+Ninny]

No kidding.
Any form of transmittable broadcast information can be cloned and hacked, so like you, don't trust them. I have an FasTrak on my car but it is stored in a metal case to prevent it from being cloned or tracked for no good reason.
All companies that sell RFID and government agencies claim that their "technology" is safe, unhackable and unclonable but they haven't allow the real world (at least the hackers world) to have at it and truly prove they are safe, unhackable and unclonable. However, over time any encryption technology can be cracked with better and faster computers so any RFID can be cracked.

Re:RFID on identification scares me

[Jurily]

Go to a job interview, they could have a resume, letters of recommendation, supervisor comments, phone numbers, etc already on file. No more wasted paper or wasted time filling out the same info on different forms.

Go to a hospital, they could already have the meds you're on, anything you're allergic to, and any afflictions you currently suffer from along with symptoms, last blood pressure reading, x-rays, etc -- even if you've never been there.

Enlist in the military, they'd need things for that, including competencies, education, etc.

Likely this would result in employers having your medical record, the military having your CV, and hospitals your supervisor comments.

Where would you store all that data? Who would authorize accesses? Why not just give them a CD containing the needed info?

Also, the paperwork has one important aspect not covered by computers: the paper trail. Logs can be tampered with, a piece of paper signed by your doctor/employer/whatever in your safe can not.

In the land of CYA it can be important.

Re:RFID on identification scares me

[commodore64_love]

Go to a concentration camp; they could have a name, phone numbers, next of kin, final will and testament, etc already on file. No more wasted paper or wasted time filling out the same info on different forms. Just send them straight to the "showers" for processing.

Go to a job interview; they could have a genetic workup, list of potential diseases, previous health expenditures, current debt accumulation, etc already on file. No more hiring of people who are sickly & likely to aste company resources, or are deep in debt and potential thieves. They can be weeded out immediately.

Point:

Having information so easily available is dangerous. It's loss of power by the citizen & a gaining of power by the politicians and the corporations.

Re:RFID on identification scares me

[LingNoi]

As usual XKCD has an answer to your "security" and it just came out today too. http://xkcd.com/538/

Why?

[EmbeddedJanitor]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

The potential for abuse is already there and has been for a long time.

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Re:Why?

[faloi]

With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Yeah, you also apparently need a couple of hundred bucks worth of stuff. And the added "advantage" to RFID is that most people will probably actually believe it's secure and take the scan at face value, making it easier than ever to pass off fake ID most places.

Re:Why?

[NonUniqueNickname]

your car has license plates on it which can be scanned from far further than RFID

Very few people carry their car's license plates in their wallet or purses. For most of us, having RFID on our driver's license is akin to having RFID implanted in our skull.

Re:Why?

[icebraining]

Yeah, but I bet it's easier to make a RFID protected wallet than extracting it from your skull.

Re:Why?

[commodore64_love]

>>>Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

Perhaps in other countries, but not the U.S. The Supreme Court decided (v. Prouse) that a discretionary, suspicionless stop for a spot check of a motorist's driver's license and vehicle registration was invalid. The officer's conduct in that case was unconstitutional primarily on account of his exercise of "standardless and unconstrained discretion." A generalized roadblock that stopped all drivers would be allowed, but only in cases of border security or sobriety checks, not other tasks such as narcotics search.

Re:Why?

[davester666]

Using RFID isn't that big a leap for the police, as they already have access to all the information that it transmits, only with RFID, they may be able to retrieve the information without having to ask you (if you keep your DL,passport,whatever unshielded).

Using RFID IS a big leap for everybody else. Suddenly, anybody who has the inclination can find out your name, address, SIN, your digitized picture and fingerprints. Without your knowledge or permission.

With license plates, they do uniquely identify your vehicle, but in a way generally keeps you as an individual anonymous to the general population. It takes a non-trivial amount of effort for someone to convert each license plate to their owner, and it must be repeated for each plate. With RFID, after the initial investment, you can acquire a large amount of very specific, private information for a large number of individuals for no significant additional costs.

And for RFID-enabled ID's, I would guess that people 'authenticating' you using them are more likely to blindly use the RFID-encoded information, and not put a lot of effort into checking that the card itself is valid.

Re:Why?

[_Sprocket_]

Right now the police can pull you over and ask for your license. Don't show it and you see the inside of a cell.

And while you're driving around your car has license plates on it which can be scanned from far further than RFID.

Asking to see the license still requires asking. It also requires driving for one to be (legally) provided. RFID allows for scanning a crowd and (potentially) getting a crowd of identities in less than a second.

OCR on license plates are very doable if you control the conditions. Make sure the vehicle is going the desired location and mount the camera in the perfect position. Back that up with occasional human to try and work out those cases where OCR fails. With RFID you put up antennas in a few strategic locations and you cover blocks of traffic without worrying about angles, lighting, and other bothersome conditions.

The potential for abuse is already there. RFID makes it more efficient.

Re:Why?

The U.S. you refer to has ceased to exist: http://epic.org/privacy/hiibel/. The officer still has to have "suspicion" but who isn't suspicious to a cop?

Re:Why?

[RiotingPacifist]

I suspect your laws are similar to what we have in the UK, in theory to pull you over / search you they need reasonable suspicion, in practice they can just make shit up.

Re:Why?

[troll8901]

I think in most places drivers license/government ID are now done on plastic cards (not laminated). Getting a color printer for those plastic ID cards will set you back quite a few grand

Just for the sake of argument, I think a consumer CD printer (e.g. Epson R240) can be modified to print onto a piece of rectangle. With the careful use of glossy ink, the end result may fool casual glances.

The only problem, of course, is getting a stack of blank cards that are inkjet printable and looks professional.

Re:Why?

[mckinnsb]

One cool thing with new tech is that it lifts the bar for the scammers. With RFID you need a lot more than a photocopier and laminator to make a fake drivers license.

Not in every state of the US.

Some states (see: Connecticut) have drivers licenses that are extremely difficult-if not impossible-to copy physically without having the exact same equipment that the DMV has. Connecticut's licenses in particular have layers of holographs and foil that overlap each other. A printer that can print on plastic combined with a laminator simply wouldn't produce anything even remotely close to the real thing. Anyone familiar with a Connecticut license - even an extremely drunk frat boy - would be able to spot the fake instantly.

Now lets talk passports. I don't think I have to get into this too much , but US passports are incredibly difficult to copy or reproduce. The majority of the time (from what I am told), passports are stolen and modified, not forged from scratch.

For your average scammer, acquiring the equipment to produce either is both expensive and extremely difficult. I'd guess that the companies who develop the machines that are capable of producing licenses or passports probably sign a contract with the state or federal government stating that they won't sell the equipment to unauthorized persons; so your only real alternative is to either get it through the black market or a contact at the company.

Now here is the problem illustrated by this experiment:

Chris Paget only spent 250 dollars on creating a device that can steal RFID's while moving. One of the primary motivating factors leading to the inclusion of the RFID in identification documents was the desire to obtain information about travellers without having to ask them to take their license or passport out of their pocket. Here is the important part: A passport or license that has to be taken out of the pocket is one that will be subject to visual scrutiny. A stolen RFID is not subject to visual scrutiny.

If this is true and reproducible, not only do RFID's present a security risk for their bearers, because I don't even have to see your license to copy its relevant information, but RFID's are not effective in achieving their original goal. If you cannot rely on the information given by RFID's , because someone could 'steal' one with only $250 of equipment, then you have to check each and every travelers' passport or license, then why do you have an RFID system in the first place?

Re:Why?

[mckinnsb]

Fair question, a la the recent XKCD-put motif of "A human target is almost always weaker than the tech". Although I don't think you are looking for an answer, I'll bite, mostly because I'm bored and sick. It depends on your DMV, and your DMV worker.

First, all DMV's I've been to (NY/CT/MA) have CCTV cameras all over the place - so convincing a DMV employee to create a fake ID during work time is probably somewhat difficult. I would not be surprised if the machines used to produce licenses were set to shut down and start up on a time lock. Second, every one of those aforementioned DMVs had one or two resident State Troopers, monitoring those cameras and generally enforcing the law. It's not as if you would really need a plurality of civilian witnesses to bring a conviction down on someone, as one cop who is deployed to lawfully perform that specific purpose should do it, and most DMV employees would recognize that risk. Third, the penalty for doing so is a felony for both parties involved, and you cannot work for the DMV (or most government agencies AFAIK) with a felony, so the people at the DMV are probably not career criminals. Fourth, you don't really need a college education to work at the DMV (for most positions) and the DMV pays fairly decent for a HS grad job, so most DMV workers would need a hefty sum of money or a heavy arm twisting to be persuaded to create a false ID; it's a good livelihood with fairly decent job security as long as you can deal with your customers. The ones who do not have college educations would probably like to keep their job and a felony off their record, because most other high-paying HS grad jobs will not look on a felony kindly after you get kicked out of the DMV and released from jail. The ones who have college educations are probably smart enough to know that they would probably get caught, and have other options available to them if they are in need of more money that would quickly shrink in number if they were convicted of a felony.

All said and done, convincing a DMV employee to produce a fake license for you is still a lot harder than making an $250 dollar RFID ripper, which probably won't be CCTV monitored, brought to the policies attention, or land you in danger of acquiring a felony on your record.

My hat ain't enough

[sls1j]

Looks like I'll be getting a matching tin foil wallet to go with the hat.

Re:My hat ain't enough

[Gojira+Shipi-Taro]

Interestingly enough, when I got my new Passport Card, it came with a little Faraday Cage sleeve (metalized mylar) with the instruction to put the card there when not in use. I don't remember getting anything like that when I got my (RFID carrying) Passport a while back, so maybe there's some realization of the problem on the issuing end...

Re:My hat ain't enough

[kaatochacha]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

Re:My hat ain't enough

[Jherek+Carnelian]

I just received a new US passport. The passport itself has a blurb about being shielded when closed. Don't know if this is true or not, as I haven't checked it myself, but the covers feel like there's something in them.

It is true and it is not. Building a faraday cage into the cover was one of the "concessions" they made in response to all the complaints about privacy issues. But... it only really works if the covers are tightly pressed together. Leaving it open a quarter inch or so may be enough to prevent official readers from picking up the RFID, but not enough to protect against someone with a reader with more juice - like anyone who is up to no good will certainly have.

WarCloning?

[spyder913]

WarDriving = Driving around finding open APs.
"WarCloning" = Driving around cloning RFID stuff.

Shouldn't it be "CloneDriving" or something else? Though I suppose all of them are equally dumb. So nevermind...

Good for crime fighting, scary for potential abuse

[hwyhobo]

Take a lesson from London video cameras and spread the RFID readers at each intersection, and now you can track everyone in the city remotely.

Protection

[riceboy50]

The first thing I did after receiving my RFID-embedded passport was to pick up one of these.

Re:Protection

[chill]

Really? The first thing I did was pick up one of these, which I already had on hand at the house. Mine is *guaranteed* effective. :-)

Re:Protection

[pluther]

The first thing I did was to put it in the microwave.

We are still supposed to do that to all our mail, right? To protect against anthrax? (Are we still living in fear of that? It's hard to keep up sometimes.)

Surely Homeland Security can't be upset at us for doing what they told us to do!

Re:Protection

[chill]

I do believe the magnetron in the microwave is a tad more energetic than your average RFID reader. Well, I hope it is anyway. If not, we're going to have some seriously upset -- and sterile -- border control agents.

Thanks for the input, though.

Re:Good for crime fighting, scary for potential ab

[internerdj]

Ooops...
http://www.thinkgeek.com/gadgets/security/8cdd/

Re:Where are the FUNCTIONAL RF-blocking covers?

For your driver's license, just use what I have for many years: an "Altoids" tin (or similar item). Perfectly sized for drivers licenses, credit cards, and other such things, and completely impervious to RF scanning technologies. I use one for my "wallet".

For a passport, well, they *did* have those jumbo tins a while back... ;)

Don't be scared

We're safe. Cloning RFIDs is illegal.

tracking abuse..

[Adult+film+producer]

Are rfid tags available for the consumer right now? As another person pointed out the city of london is creating a grid of tracking stations so anybody can be located and followed remotely.. but if these tags can be cloned then why not buy up a million or two rfid tags, program the buggers and distribute them throughout big cities (inside car bumpers? tractor trailers? covertly inject them in food if their small enough..) This should really cause headaches for the people tracking..

RFID Gathering

[CaptCovert]

What worries me about all of this is not that the RFIDs can be picked up while driving around. A little consumer education (you are supposed to worry about who you give your SSN to, and you don't just leave your other PII laying around in plain sight usually) in the form of RF-blocking wallet linings will fix that. What I'm worried about is what happens in 5 years, when advances in RF technology (it is the new form of governmental ID, after all. Technology WILL follow suit) allow for hardware that I can hide on my person (antenna down the back of a coat lining, wired to a recorder in my pocket, or hell, dropped in the lining somewhere). At that point, all it takes is one man sitting in a train station or airport. You pull your ID out for scanning, and I harvest it. You may as well walk around with your SSN printed on your shirt.

I saw the video and it is inaccurate at best

[anand78]

The XR400 used in the drive through was a UHF reader. Reading a UHF tag is not as easy as the author described. All you have to do is put it against your body, and the salt water attenuates the signal, thus making the tag unreadable. Making such broad statements as scrap the whole real ID or national id, will be valid, if the author showed some substance.

exaggerated description

[SethJohnson]

This fellow doesn't demonstrate cloning anything. He's just reading RFID codes in the video.

Seth

Tin Foil Hat!!

[corsec67]

I think that is a VERY legitimate use of a tinfoil hat... /Couldn't resist.

Its a lie

[dlmarti]

The Author claims you can read the SSID and reprogram another tag with this SSID. This is not true. The SSID is not a R/W field. While technically you could create an active device to pretend to be a tag with the fake SSID, it certainly is not trivial.

I have an even better solution

[Miseph]

We should make RFID highly controlled instead. Once we make RFID ownership illegal then only criminals will have RFID, and they'll be a whole lot easier to find.

Hey, it works for guns, right?

Airport Demonstrations

[LuYu]

I thought about this when I first heard the news about RFIDs being included in passports -- and money. Now that there is a practical implementation, it is time for a bunch of privacy advocates to get a marquee style display and go to an international airport. They could stand outside of the arrivals customs area and scan and display people's personal information in order to demonstrate how completely these tags violate the passengers' Fourth Amendment rights.

The sign might look something like this:

Hello John Doe!
Your passport number is #########
Your SSN is ####-##-###
You are carrying two MasterCards, one Visa card, and one Diner's Club card.
You are carrying seven 100 dollar bills and ten 20 dollar bills. Say hello to Ben and Andy for us!
This information has all been made publicly available courtesy of Uncle Sam and your banks.
If you are offended by this sign, please contact your Congressmen as soon as possible.
If you would like further information, ask one of our friendly volunteers for an explanatory pamphlet!!

Have a Nice Day!

That should get people's attention. And it should be quite entertaining until the airport authorities figure it out. When they do, it would also be nice to point out that Freedom of Assembly is also an inalienable right!