Slashdot Mirror


Germany To Roll Out ID Cards With Embedded RFID

An anonymous reader writes "The production of RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10-year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards starting from the first of November. The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities. There are some concerns that the use of RFID chips will pose a security or privacy risk, however. Early versions of the electronic passports, using RFID chips with a protocol called 'basic access control' (BAC), were successfully hacked by university researchers and security experts."

26 of 235 comments

  1. perfect bomb triggers by vinsci · · Score: 5, Interesting

    The new card allows German authorities to identify people with speed and accuracy, the government said.

    Unfortunately, they will also make perfect bomb triggers, when the target walks by.

    --

    Trusted Computing FAQ | Free Dawit Isaak!
    1. Re:perfect bomb triggers by Anonymous Coward · · Score: 5, Interesting

      Won't happen.

      The chip is based on the ISO14443-A standard and you can only communicate with it over at most 15 cm distance (about 6 inches). Under normal conditions the range goes down to roughly one inch. You have to walk very close to the bomb to set it off.

      A bomb will also have a hard time identifying you. The chip has an ID that is publicly readable, but for privacy reasons this ID is a random number that is only valid for a single transaction session.

      Also the article is wrong. The pass will not use the BAC protocol but the much improved PACE protocol. That's state of the art crypto. It's still broken by design because you can do a simple man in the middle attack over the air, but it is a lot better.

    2. Re:perfect bomb triggers by ewanm89 · · Score: 5, Informative

      Is 96ft (~29m) far enough away? That's the Defcon record. Blackhat USA 2010 has beaten it; I don't know the practical distance achieved, but the paper gives a theoretical maximum of 565ft (~172m). Want to change some of those assumptions? It's a radio; distance is based on three things: transmitter power, receiver sensitivity and atmospheric conditions. The first two can be controlled very easily.

    3. Re:perfect bomb triggers by Anonymous Coward · · Score: 3, Informative

      They just spoofed, they haven't talked to the TAG at all!

      ISO14443-A and other NFC tags simply don't work like this:

      You need a two way communication. From the reader to the tag, and from the tag to the reader. The ISO14443-A tag is not capable of actively sending out answers. Instead it loads down the magnetic field that powers it. This load is measured on the side of the reader and interpreted as answers from the tag.

      If I remember right the tag must be able to pull about 10% of energy out of the magnetic field to transmit data.

      And this puts a simple physical constraint on the range:

      You can't simply make the reader put out a stronger magnetic field. This would increase the range from the reader to the tag, but it would also make it almost impossible for the tag to answer because it can't remove that much energy anymore. If you lower the energy of the field the tag doesn't have enough power to operate.

      The 15 cm

      In the lab you can get a longer distance than 15 cm... Maybe up to half a meter or so. To do so you have to calibrate the resonant frequency of the tag and the reader so that they are almost perfectly coupled. And you have to do this in an RF shielded room because every disturbance in the RF field would interfere with the transfer.

      What the Defcon guys did was to listen to a running communication between a reader and a tag from afar. That is indeed possible up to such a range. That will not tell you anything interesting except the fact that a tag was read because the first thing the pass does is to do a Diffie-Hellman key exchange (part of the PACE protocol). Oh - you get the ID from the tag, but as I wrote earlier the ID is random ...

      Not much gained.

          http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

  2. time to buy by zerothink · · Score: 4, Informative

    It's time to buy RFID-blocking cover/wallet/bag/whatever. Or feel free to have some fun with aluminum foil - http://www.rpi-polymath.com/ducttape/RFIDWallet.php

    1. Re:time to buy by MikeyVB · · Score: 4, Informative

      For the curious, it takes approximately 4 layers of aluminum foil to block a scanner from activating the RFID signal when your Al lined wallet is point blank from a standard scanner.

      (After receiving an RFID enabled ID card here in the Netherlands last year, I tested it on our office copy/scanner RFID reader, and then simply lined my wallet with double the number of layers it took to block the signal. Works like a charm!)

    2. Re:time to buy by drewhk · · Score: 3, Interesting

      All of my IDs and cards fit nicely in a metallic business card case. It's cheap, small, looks nice and blocks radio.

  3. Re:EU passports by Anonymous Coward · · Score: 3, Informative

    On the contrary. Since the new EU passports contain fingerprint data and a digital version of the picture, much of the contention about the new passports revolved around the creation of a central database of biometric information. If the passports were just an index into the database, then that database would be inevitable.

    It is important that technology-minded users learn not to apply the usual centralist approach to everything. We are not cattle.

  4. Awesome... by Anonymous Coward · · Score: 5, Funny

    I've always wanted to be a German.

    And now I can be a bunch of them!

    1. Re:Awesome... by think_nix · · Score: 4, Informative

      True to that check this out:

      http://www.personalausweisportal.de/cln_164/DE/Neue-Moeglichkeiten/Online-Ausweisfunktion/online-ausweisfunktion_node.html

      The new online functions! If you don't understand German try Google Translate; here is a quick translation:

      Identification on the Internet and on machines can in the future be done with the new identity card. This is simple and safe as the presentation of your previous card today.
      Even without being personally present you can use the online identity function (also: eID function) authenticate everywhere (where personalized services - are consequently offered and directly tailored to the individual user). With your new personal ID and your 6-digit PIN you can prove your identity in the electronic world simple, safe and reliable.

      That is just the first paragraph, better than the Sunday comics!

  5. Re:EU passports by udippel · · Score: 5, Funny

    The first three posts in this discussion are - as of now - ACs. Though different from the normal 'First Piss Post'-category. They are spot on the topic. Still ACs. Why?
    Already fearful of being tracked? Yes, you are. Through your IP-addresses.
    Next year you can be tracked by having your Personalausweis in your pocket. Or in your bag. You need it, because you want to enter an official building; the Rathaus.
    Or doing banking business:
    "Good morning, Mrs. Müller."
    "Uh, you know me?"
    "No, but you have your ID card with you! I think you want to pay for your holiday!?"
    "How do you know that?"
    "Well, when you came in here, our security software reported that you had also just been at the travel agency."

    Oh, what a brave new world we weave ... .

  6. Re:The US started it by rolfwind · · Score: 3, Informative
  7. Re:The US started it by Jane+Q.+Public · · Score: 3, Informative

    Yes, but the law also states that if a passport's RFID malfunctions, the passport is still legal. 10 seconds in the microwave is just about right.

  8. On the BAC thing... by Wdi · · Score: 3, Interesting

    This is the standard required by US immigration for foreign biometric passports.

    And only with these you can take advantage of visa-waiver (minus ESTA, minus new tourism support fee) entry into the US.

    So either your passport supports this, or you can make an appointment weeks in advance at a select US consulate in a city only a few hundred kilometers away if you want to travel.

  9. Re:Who woulda thunk it by Urkki · · Score: 4, Interesting

    Yes, and the government is out on tracking everybody! Really if they want to track you they will no matter what. If I have to choose between a RFID chip in my ID card or a tinfoil hat and wallet. I'll take the RFID chip cause the chance of it being useful exceeds the chance of the government bothering to track everything I do.

    No, the thing is, without this kind of technology, they can choose a number of individuals they have resources to track at the same time. With this type of technology, they can track everybody at the same time. With modern storage capacities, a future government can retroactively check what you have been doing through your life.

    And it becomes a slippery slope. It starts with tracking terrorist suspects, proceeds to solving other crimes, and ends with tracking people who disagree with the current party in power and threaten their next election win, and after that all bets are off. Just hope you never visited a house where some opposition activist lived back then...

  10. Outsourced to the Netherlands by shikaisi · · Score: 3, Funny

    I find the most intriguing part of this whole thing is the decision to outsource the chips to a Dutch company. I wonder how long it will be before all the RFIDs fail and send only a message saying "Give us our bikes back".

    --
    No left turn unstoned.
  11. Re:right, before Zee Germans get there by Tom · · Score: 4, Interesting

    No, they look to the government for guidance still. It's in the character. They still don't have real freedom of speech there.

    So it is only "freedom" if it is identical to your version of freedom ?

    Please, cut down the arrogance a few notches, you'll notice the rest of the world likes you a lot better if you don't go around all the time assuming that your way is the one and only true path to whatever.

    Our freedom of speech (I'm German) is as real as yours. We just have some priorities differently. For example, we don't allow people to threaten abortion doctors with murder under the cover of "free speech". Our version of your "free speech" is called "freie Meinungsäußerung". That has three parts: Free, speech and opinion. What it means is you can freely express your opinion. If you leave the area of expressing your opinion - and "we'll kill you" isn't an opinion anymore - you may run into trouble.

    And no, we don't look for the government for guidance. In fact, our current government is such a joke, anyone who does look to them for anything except satire is retarded. However, what we do is not share the ridiculous paranoia about the government that is visible in the US. We don't think anything done by the government is automatically evil and to be mistrusted. We view the government as an entity much like many others - capable of both good and evil.

    --
    Assorted stuff I do sometimes: Lemuria.org
  12. Re:right, before Zee Germans get there by ultranova · · Score: 3, Insightful

    you'd think history would have taught them to maximize personal liberties, not to diminish them in any way?

    Second World War was generations ago. The lessons have been forgotten, so authoritarianism and militarism are once again on the rise in Europe, and will once again lead to the world burning. That will be followed by the survivors being horrified of what they have seen and done, and swearing "never again", but a few generations later things will deteriorate again. That is the cycle of human history, and it cannot be broken, since no matter what lessons you might learn, your children won't, and their children certainly won't care.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  13. Re:Barcodes don't radiate information by TheRaven64 · · Score: 5, Insightful

    You could have a card with RFID which embeds a key that unlocks data in the database. Since governments have control over the database one wouldn't have to worry much about their data being looked at by unauthorised staff and if the database was ever stolen only your physical card could unlock it.

    You obviously have a very different government to mine. If it's in a government database in the UK, the odds are that copies of it will be posted to the wrong address on unencrypted DVD-Rs, left on hard drives on trains or in taxis, leaked to the press, or used by council employees for private purposes.

    A better solution is not to store the information in either place. Store it on the passport in encrypted form and store the encryption key in the central database (or vice versa). You then need to both do a database query and scan the passport to have access to the data. If someone gets a copy of the database, it's no use to them without the passports. If someone steals a passport, they can't access the information on it.

    --
    I am TheRaven on Soylent News
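
Added example, not part of the original thread: a sketch of the split-storage scheme comment 13 describes, where the chip holds only ciphertext and the central database holds only the key. HMAC-SHA256 in counter mode stands in for a real AEAD cipher such as AES-GCM so the block runs on the standard library alone; `issue_document`, `read_document`, the document number and the holder record are all hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 counter-mode keystream XOR data.
    enc_key, out = _subkey(key, b"enc"), bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def _tag(key: bytes, doc_number: str, nonce: bytes, ciphertext: bytes) -> bytes:
    # Binding the document number stops a blob being replayed on another card.
    msg = doc_number.encode() + b"\x00" + nonce + ciphertext
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def issue_document(doc_number: str, holder_data: bytes, key_db: dict) -> bytes:
    """Return the blob written to the chip; the key goes only into key_db."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor_stream(key, nonce, holder_data)
    key_db[doc_number] = key
    return nonce + ciphertext + _tag(key, doc_number, nonce, ciphertext)

def read_document(doc_number: str, chip_blob: bytes, key_db: dict) -> bytes:
    """Needs both halves: the chip contents and a database lookup."""
    key = key_db[doc_number]  # KeyError: no database access, no data
    if len(chip_blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("chip blob too short")
    nonce = chip_blob[:NONCE_LEN]
    ciphertext, tag = chip_blob[NONCE_LEN:-TAG_LEN], chip_blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, doc_number, nonce, ciphertext)):
        raise ValueError("chip data does not verify under the database key")
    return _xor_stream(key, nonce, ciphertext)

if __name__ == "__main__":
    db = {}
    record = b"name=Erika Mustermann;dob=1964-08-12"  # constructed sample record
    blob = issue_document("T000000001", record, db)     # constructed number
    print(read_document("T000000001", blob, db) == record)
    # Neither the chip blob nor a dump of the database contains the record.
    print(record in blob, record in b"".join(db.values()))
```
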
  14. Mythbusters - RFID by object404 · · Score: 5, Interesting

    Adam Savage's talk at the 2008 Hackers on Planet Earth (HOPE) conference on why Mythbusters was forced to not do the "how easy it is to hack RFID tags" episode is very, very interesting.

  15. Re:right, before Zee Germans get there by roman_mir · · Score: 3, Informative

    You are mistaken as to what is freedom of speech in USA, nobody is allowed to make direct threats of murder for example, but one can have an opinion that abortion doctors must be killed, it's an opinion.

    Of course one person's opinion may lead to another person's action, but the correct thing to do is to hold the one who takes action as the responsible party, not the one who says he has an opinion.

    I am not American, in fact at this very moment I am in Germany, though I am Canadian, born in the former USSR.

    I hold every single thing that government says or does as suspicious, I don't trust government at all, in any single one thing ever, and I am not an American.

  16. Re:identity cards, not passports by DJRumpy · · Score: 4, Interesting

    Yes, but you have to remember that Americans have a lot fatter asses than they have in Europe.

    I wouldn't be so quick to jump on that bandwagon. Although this is an older site, I can't imagine things have changed drastically in 5 years. The page was also updated in Dec of 2009:

    http://www.malehealth.co.uk/weight/18962-now-were-fatter-americans

    Two out of three US men — 67% - are overweight or obese. Finland, Germany, Greece, Cyprus, the Czech Republic, Slovakia and Malta have now all exceeded this figure. England and Wales are not far behind.

    The EU is so worried about it that it has launched its own campaign against obesity. 'The time when obesity was thought to be a problem on the other side of the Atlantic has gone by,' said Mars Di Bartolomeo, Luxembourg's Minister of Health.

    The tubby top ten:

    Greece (78.6% of blokes are overweight or obese)
    Germany (75.4%)
    Czech Republic (73.2%)
    Cyprus (72.6%)
    Slovakia (69%)
    Malta (68%)
    Finland (67.8%)
    Slovenia (66.5%)
    Ireland (66.4%)
    England and Wales (65.4%).

    Frankly, I don't think urban sprawl has anything to do with obesity in a significant way. I think it has to do with fat/calorie content of restaurant food (especially so in the US), and the fact that 'eating out', which used to be the odd occurrence here, has become more the norm for a high percentage of homes. Way too much fast food, or even regular restaurants that don't have healthy menus. We also spend far more time isolated in our homes, on the internet, and watching TV.

    On a side note, I eat out a couple of times a week but I adapt my intake to compensate for shitty food that I might eat on occasion. I also spend 6-10 hours a week in the gym doing heavy lifting and I bicycle for 8-16 miles on the weekends. I live in the deep south where obesity is even higher than the 'norm' for the U.S.

    I sometimes feel like a stranger in my own land given the looks I get in public at times.

  17. Fry it by mwissel · · Score: 5, Informative

    What TFA forgets to mention is that the ID card remains valid when you kill the RFID chip, as it still allows a person to be identified. Also, the fingerprint is voluntary information to be stored. Most people won't know or bother and just let them store it anyway, though. For my fellow citizens: get yourself a new ID card w/o RFID just now (it is only a few Euros more expensive when you "lose" your current ID). If you have to get, for some reason, an ID card with RFID on it, just put it in the microwave oven for a minute or so. Chaos Computer Club has proven this to kill the chip reliably.

  18. Re:right, before Zee Germans get there by cpghost · · Score: 3, Interesting

    However, the fundamental liberties encoded in the German Basic Law (it's not a Constitution in the US sense) have eroded substantially in the last decades, because, unlike the U.S., which is very reluctant to amend its Constitution, Germans love to modify their Grundgesetz regularly... mostly to make it worse, i.e. take one more liberty away.

    --
    cpghost at Cordula's Web.
  19. Re:Who woulda thunk it (Idiocracy) by Skylinux · · Score: 3, Funny

    IPPA Computer: Welcome to the Identity Processing Program of Uhmerica! Please insert your forearm into the forearm receptacle!
    IPPA Computer: Thank you! Please speak your name as it appears on your current federal identity card, document G24L8!
    Pvt. Joe Bowers: I'm not sure if...
    IPPA Computer: You have entered the name "Not Sure." Is this correct, Not Sure?
    Pvt. Joe Bowers: No, it's not correct...
    IPPA Computer: Thank you! "Not" is correct. Is "Sure" correct?
    Pvt. Joe Bowers: No, it's not, my name is Joe...
    IPPA Computer: You have already confirmed your first name is "Not." Please confirm your last name, "Sure."
    Pvt. Joe Bowers: My last name is not "Sure!"
    IPPA Computer: Thank you, Not Sure!
    Pvt. Joe Bowers: No, what I mean is my name is Joe...
    IPPA Computer: Confirmation is complete. Please wait while I tattoo your new identity on your arm!

    --
    Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
  20. Re:right, before Zee Germans get there by rcamans · · Score: 3, Interesting

    It is illegal to threaten anyone in America with murder or any other form of harm. You have been reading and believing too many anti-American rags. (all rags published in Europe, for example).
    Cut down your own arrogance a few notches.

    Your government (Germany) has been maximum evil overlords more than once. Why do you have the idea that they have changed? Maybe they have learned to be less obvious about it, and not get caught?

    The American gov sucks big time, and will abuse any power that they can get their hands on, legally or illegally.
    Your gov is the same.

    The only difference is the morals and ethics of the people currently in the gov with access to these powers.
    American gov employees are low on the morals scale.
    I am sure Germans are similar. I think there is something about working for the gov, and military, that reduces morals, and attracts people with low morals, like our Bill Clinton, and a recent top gov official in Germany?

    Comparing bad to bad just wastes time and energy. They are all bad. Get over it. Stop crowing that your bad gov is not as bad as ours.

    --
    wake up and hold your nose