Re: Government RFID busted



In my opinion this technology was prematurely released without proper
security considerations. The Beirut scenario is quite interesting :-)
and it is indeed a possibility.

Munyaradzi


On 2/4/09, Al Rivas <ARivas@xxxxxxxxxxxxxxxxxxx> wrote:
I would say Dan's war drive was useful. And those that would clone those
documents would probably find the technique quite useful. Yes, RFID is
doing what it's supposed to but I'd put over 90% of people don't realize
that their information is available to cloning this easily. We (sec pros,
technogeeks, etc) form only a small percentage of the population. Knowing
the bear **** in the woods is only useful because it is a common frame of
reference. Unless we inform the general public that their/our information
is accessible this way, we will be the only ones that even know the bear
exists.

It would be useless to see another gov program spend billions on something
which is supposed to increase security but instead has security holes in it
then say after the fact, "but that's the way it works."

-----Original Message-----
From: Prodigi Child [mailto:prodigi.child@xxxxxxxxx]
Sent: Wednesday, February 04, 2009 1:35 AM
To: Al Rivas; pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Government RFID busted

I agree that having RFID chips in IDs is a bad idea (Imagine a terrorist in
Beirut checking his scanner "Hmm 5 Americans in the area.. let's go
hunting!") but is a 'war drive' to read the RFID tags from the passports
really useful? It's one of those "duh" things like a study trying to
determine if bears **** in the woods.

I mean, they are doing what they are supposed to do in the first place,
which is be read by RFID scanners, albeit from further away than what they
claimed was possible.




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Al Rivas
Sent: Monday, February 02, 2009 10:58 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Government RFID busted

So the U.S. government has had this idea to tag our passports, drivers
licenses etc, with RFID. Dan Goodin has created this video showing why
this is not a good idea. The problem is that technology is growing in
breadth and complexity faster than bureaucrats can wrap their minds around
it. The vast majority of the decision makers on these programs can't spell
computer and have only slight exposure to "the internets".

Someone presents them with a technology, (I'd bet the farm that the
presenter sells that particular technology), and the bureaucratic bean
counter says "Whoopee! And how much is my cut so I can vote for this?"

Everyone makes money, and America is safer, they have the PowerPoint Slides
that say so.

Here's an excerpt from the article "Using inexpensive off-the-shelf
components, an information security expert has built a mobile platform that
can clone large numbers of the unique electronic identifiers used in US
passport cards and next generation drivers licenses."

Here's Dan's excellent video showing how he did it:

http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/


Excerpt from Western Hemisphere Travel Initiative - the project injecting
RFID into government docs.
"Each day, an average of 1.1 million pedestrians and passengers enter the
United States for business or pleasure. In order to facilitate cross-border
travel for U.S. citizens while enhancing the security of our citizens and
travelers, the Department of Homeland Security (DHS) proposes to expand the
use of vicinity radio frequency identification (RFID) technology at land
border ports of entry. The use of this technology will be a key component of
the PASS System (People, Access Security Service), announced in January 2006
by Secretaries Rice and Chertoff as part of their Joint Vision -"Secure
Borders and Open Doors in the Information Age.""







