Slashdot Mirror


Germany To Roll Out ID Cards With Embedded RFID

An anonymous reader writes "The production of RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10-year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards starting from the first of November. The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities. There are some concerns that the use of RFID chips will pose a security or privacy risk, however. Early versions of the electronic passports, using RFID chips with a protocol called 'basic access control' (BAC), were successfully hacked by university researchers and security experts."


  1. perfect bomb triggers by vinsci · · Score: 5, Interesting

    The new card allows German authorities to identify people with speed and accuracy, the government said.

    Unfortunately, they will also make perfect bomb triggers, when the target walks by.

    --

    Trusted Computing FAQ | Free Dawit Isaak!
    1. Re:perfect bomb triggers by Anonymous Coward · · Score: 5, Interesting

      Won't happen.

      The chip is based on the ISO14443-A standard and you can only communicate with it over at most 15 cm distance (about 6 inches). Under normal conditions the range goes down to roughly one inch. You have to walk very close to the bomb to set it off.

      A bomb will also have a hard time identifying you. The chip has an ID that is publicly readable, but for privacy reasons this ID is a random number that is only valid for a single transaction session.

      Also the article is wrong. The pass will not use the BAC protocol but the much improved PACE protocol. That's state of the art crypto. It's still broken by design because you can do a simple man in the middle attack over the air, but it is a lot better.

    2. Re:perfect bomb triggers by ewanm89 · · Score: 5, Informative

      Is 96ft (~29m) far enough away? That's the Defcon record. Blackhat USA 2010 has beaten it; I don't know the practical distance achieved, but the paper gives a theoretical maximum of 565ft (~172m). Want to change some of those assumptions? It's a radio; distance is based on three things: transmitter power, receiver sensitivity and atmospheric conditions. The first 2 can be controlled very easily.

  2. Awesome... by Anonymous Coward · · Score: 5, Funny

    I've always wanted to be a German.

    And now I can be a bunch of them!

  3. Re:EU passports by udippel · · Score: 5, Funny

    The first three posts in this discussion are - as of now - ACs. Though different from the normal 'First Piss Post'-category. They are spot on the topic. Still ACs. Why?
    Already fearful of being tracked? Yes, you are. Through your IP-addresses.
    Next year you can be tracked by having your Personalausweis in your pocket. Or in your bag. You need it, because you want to enter an official building; the Rathaus.
    Or doing banking business:
    "Good morning, Mrs. Müller."
    "Uh, you know me?"
    "No, but you have your ID card with you! I assume you want to pay for your vacation!?"
    "How do you know that?"
    "Well, when you came in here, our security software reported that you had just been at the travel agency."

    Oh, what a brave new world we weave ... .

  4. Re:Barcodes don't radiate information by TheRaven64 · · Score: 5, Insightful

    You could have a card with RFID which embeds a key that unlocks data in the database. Since governments have control over the database one wouldn't have to worry much about their data being looked at by unauthorised staff and if the database was ever stolen only your physical card could unlock it.

    You obviously have a very different government to mine. If it's in a government database in the UK, the odds are that copies of it will be posted to the wrong address on unencrypted DVD-Rs, left on hard drives on trains or in taxis, leaked to the press, or used by council employees for private purposes.

    A better solution is not to store the information in either place. Store it on the passport in encrypted form and store the encryption key in the central database (or vice versa). You then need to both do a database query and scan the passport to have access to the data. If someone gets a copy of the database, it's no use to them without the passports. If someone steals a passport, they can't access the information on it.

    --
    I am TheRaven on Soylent News
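
The split described in the comment above (ciphertext on the document, key in the central database), sketched as an added example that is not part of the original thread. AES-256-GCM and the names `Card`, `KeyDB`, `Issue`, `Read` and the ID `DOC-0001` are assumptions made for illustration; binding the document ID in as associated data goes slightly beyond the comment, so that a ciphertext copied onto another document fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Card is what the chip stores (ID, nonce || AES-256-GCM ciphertext);
// KeyDB is the central database: one key per document, no personal data.
type Card struct{ ID string; Blob []byte }
type KeyDB map[string][]byte

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue encrypts record under a fresh key: key to the database, ciphertext to the card.
func Issue(db KeyDB, id string, record []byte) (Card, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Card{}, err
	}
	key, nonce := buf[:32], buf[32:]
	a, err := gcm(key)
	if err != nil {
		return Card{}, err
	}
	db[id] = key
	return Card{id, a.Seal(nonce, nonce, record, []byte(id))}, nil // ID is associated data
}

// Read needs both halves: the scanned card and the database lookup.
func Read(db KeyDB, c Card) ([]byte, error) {
	a, err := gcm(db[c.ID]) // missing key: nil slice, rejected by aes.NewCipher
	if err != nil || len(c.Blob) < 12 {
		return nil, fmt.Errorf("cannot read %q without key and card data", c.ID)
	}
	return a.Open(nil, c.Blob[:12], c.Blob[12:], []byte(c.ID))
}

func main() {
	db := KeyDB{}
	c, _ := Issue(db, "DOC-0001", []byte("constructed sample record"))
	out, err := Read(db, c)
	fmt.Printf("%s %v\n", out, err)
}
```
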
  5. Mythbusters - RFID by object404 · · Score: 5, Interesting

    Adam Savage's talk at the 2008 Hackers on Planet Earth (HOPE) conference on why Mythbusters was forced to not do the "how easy it is to hack RFID tags" episode is very, very interesting.

  6. Fry it by mwissel · · Score: 5, Informative

    What TFA forgets to mention is that the ID card remains valid when you kill the RFID chip, as it still allows a person to be identified. Also, the fingerprint is voluntary information to be stored. Most people won't know or bother and just let them store it anyway, though. For my fellow citizens: get yourself a new ID card w/o RFID just now (it is only a few Euros more expensive when you "lose" your current ID). If you have to get, for some reason, an ID card with RFID on it, just put it in the microwave oven for a minute or so. Chaos Computer Club has proven this to kill the chip reliably.