Feds At DefCon Alarmed After RFIDs Scanned
FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"
...the Feds try to ban the tech to read the RFIDs instead of urging credit card manufacturers/the state department to back off on putting RFID chips into everything?
To the haters: You can't win. If you mod me down, I shall become more powerful than you could possibly imagine
Why would they be surprised? This has been common knowledge for years.
If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.
They're attending a security convention with id cards that can be read from their pockets.
It's a good thing they didn't have rfid credit cards.
If it can be done, it will be done.
They're using their grammar skills there.
People can't surreptitiously read personal identifying information from a bar code that's in your pocket.
So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.
There is a war going on for your mind.
How could they be surprised by this? Were they not aware of the demographic group that attends Defcon? They probably just forgot to wear their tin-foil hats
It is the universe that makes fun of us all.
There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.
I don't care why you're posting AC
Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...
erm... not quite what the Wired Article says:
But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned
Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...
Right, but they sure can read whatever your RFID has to say. The problem is twofold:
1) Ignorant implementers put sensitive data on RFIDs in plaintext.
2) Users are unaware of what data is actually *in* their RFID items.
RFID tags are dumb, low powered, even passive devices. If you can't afford active RFIDs with public key encryption, don't put sensitive data on the damn things!
"Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."
...they have nothing to fear. Let's see how they like that argument used against _them_!
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
retrorocket.o not found, launch anyway?
I was charged with writing POS software where I work. After looking into using scanners, I came across RFID. As it turns out, instead of needing to scan your crap, you can just have a magic wand magically take inventory for you. In fact, after looking into it, I realized I could rig sensors in our storage room to automatically re-take inventory periodically.
I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.
I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool'.)
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
... my passport certainly does. I got mine at ThinkGeek.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
That's scary!
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
A mag strip is as similar to a barcode as a christmas tree is to a sequoia...
There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew!
The problem is when you have another government computer that is counting on the Unique ID to be a UNIQUE ID, and using ONLY THAT parameter (plus other info also on the card) to identify someone - congratulations, you have just stolen someone else's identity.
Seven puppies were harmed during the making of this post.
What worries me is the black hat demo where their RFID detector detected US passports within range of a garbage can and detonated an explosive in said garbage can. No barcode/magstrip can be read remotely to determine your country of origin and action taken based on that.
Paget announced during his DefCon talk that his security consulting company, H4rdw4re, will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips -- the kind embedded in employee access cards -- trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner's key, decrypt the data and open the car. He told Threat Level they're aiming to achieve a reading range of 12 to 18 inches with the kit.
Just wait until someone creates a small RFID reader and hooks it up to an iPhone in their pocket (a combo that would be virtually undetectable) and starts walking through the subway collecting info. We can already pick up the credit card owner's name, credit card number, expiration date, etc. right off of the RFID tags present in AMEX cards.
Not everyone. A couple years ago I worked at a place that used barcoded cards as entrance badges. Swipe the card through the scanner and you're in. It looked like a mag stripe -- the barcode was printed black-on-black, with inks that reflected differently in the infrared. But it was just a 1-D barcode. And yes, it was trivial to use an ordinary flatbed scanner and crank up the contrast in Photoshop to view the barcode. Print it out on a laser printer and the copy would work just as well as the original.
Granted, this was at a place that made barcode printers, including badge printers, and it was a matter of eating our own dog food. But although we made the printers, the overall badge-scanning system was made by an outside vendor and we weren't their only customer. So obviously someone could be convinced it was a good idea.
And actually it's not much worse than an ordinary metal key. If you have physical access to an ordinary key you can photocopy it, and create a workable duplicate from the photocopy. It just takes equipment not normally found in every office and public library in the country.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Um, hello? They were selling nice (and very effective) RFID blocking wallets and passport holders there for $20. If you're flying Feds halfway across the country to attend DEFCON, I'm pretty sure you can afford 20 fucking dollars to give yourself some peace of mind.
Of course, some idiot in Gov will propose a 3 billion dollar project called Protect-A-Fed that will invest thousands of man-hours to devise such a device that could prevent RFID tags from being captured...and 4-billion dollars later you'll have a "new and improved" Government-issue $20 RFID wallet.
That analogy was so bad I had to check your username!
God invented whiskey so the Irish would not rule the world.
There are several published surveys of criminals in prison investigating what they do, how they evaluate targets, and what conditions discourage them from operating in given localities. The risk of being shot by a victim is a major factor. Apparently even criminals are capable of minimal cost-benefit analysis.
------ The only greater hazard to your liberty than n politicians is n+1 politicians.
Morton Grove Illinois banned them, Kennesaw Georgia required them (no enforcement though, just symbolic). Crime went way up in Morton Grove and dropped in Kennesaw.
I've lived a buncha places, the area with by far the least amount of crime I have seen was Vermont, which is one of two states that have basically a pure no BS second amendment stance. It works once everyone gets used to it.
I have a RFID passport right here.
Here on page five:
This passport must not be altered or mutilated in any way. Alteration could make the passport invalid, and if willful, may subject you to prosecution (Title 18, U.S. Code, Section 1543).
Yes you can take a photocopy of the key and make a duplicate, but not without raising suspicions from the guys making the duplicate keys (possibly with a phone call to local or state police) or you have to have the equipment yourself and it isn't cheap. With the barcode, you just have to go to the nearest copy machine, and poof, you are in. RFIDs are not quite as easy as the barcode in that sense, but it doesn't cost more than a couple Benjamins to do it.
Again, RFID is a great technology for inventory, NOT access control or data storage! It was designed to be the update to barcodes for stores and warehouses to allow computer systems to keep track of the products, maybe include how old they are as well for things that have sell-by dates. Basically to better, more easily manage a warehouse full of stuff without needing an army of people running around with barcode scanners, scanning everything all the time...But it was not designed with security in mind, which is why all these companies and policies that are being pushed to use it in places which have security concerns should get smacks on the side of the head until they realise that this is NOT the product to do it with.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"