Armed Polite Society

Main Forums => The Roundtable => Topic started by: roo_ster on February 11, 2009, 11:47:18 AM

Title: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: roo_ster on February 11, 2009, 11:47:18 AM
Do please click through the link to watch the 5 minute video of the hacker explaining how it works as he harvests the passports.

RFID tags in identification documents is one of those Really Bad Ideas that gov't goons latch on to and won't let go of.



http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/

Passport RFIDs cloned wholesale by $250 eBay auction spree

Video demo shows you how

By Dan Goodin in San Francisco

Posted in Security, 2nd February 2009 06:02 GMT

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses.

The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners.

Paget's contraption builds off the work of researchers at RSA and the University of Washington, which last year found weaknesses in US passport cards and so-called EDLs, or enhanced drivers' licenses. So far, about 750,000 people have applied for the passport cards, which are credit card-sized alternatives to passports for travel between the US and Mexico, Canada, the Caribbean, and Bermuda. EDLs are currently offered by Washington and New York states.

"It's one thing to say that something can be done, it's another thing completely to actually do it," Paget said in explaining why he built the device. "It's mainly to defeat the argument that you can't do it in the real world, that there's no real-world attack here, that it's all theoretical."

Use of the cards is expected to rise as US officials continue to encourage their adoption. Civil liberties groups have criticized the cards and a travel industry association has called on the federal government to suspend their use (http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/) until the risks can be better understood.

The cards make use of the RFID equivalent of optical barcodes known as electronic product code tags, which are widely used to track cattle and merchandise as it's shipped and then stored in warehouses. Because the technology employs no encryption and can be read from distances of more than a mile, the tags are highly susceptible (PDF) (http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf) to cloning and tracking, researchers have concluded.

Paget's device consists of a Symbol XR400 RFID reader (now manufactured by Motorola), a Motorola AN400 patch antenna mounted to the side of his Volvo XC90, and a Dell 710m that's connected to the RFID reader by ethernet cable. The laptop runs a Windows application Paget developed that continuously prompts the RFID reader to look for tags and logs the serial number each time one is detected. He bought most of the gear via auctions listed on eBay.

And if you read on, we'll show you video proof that the thing actually works.

He plans to release the software's source code during a demonstration at the Shmoocon hacker convention (http://www.shmoocon.org/) to be held later this month in Washington.

Paget's device has a range of about 30 feet, making it ideal for discreetly skimming the EDL and passport card tags of people who pass by his vehicle. With modifications, Paget says his device could read RFID identifiers that are more than a mile away. The antenna was concealed by the vehicle's tinted window, and the PC and RFID reader fit well below the eye line, making it virtually undetectable by passersby.

To be sure, the RFID tags contain no personally identifiable information, but rather what amounts to a record pointer to a secure Department of Homeland Security database. But because the pointer is a unique number, the American Civil Liberties Union and other civil libertarians warn the cards are still susceptible to abuse, especially if their RFID tags can be read and captured in large numbers. Cloning the unique electronic identifier is the first step in creating fraudulent passport cards, they say.

The cards also amount to electronic license plates that could be used to conduct clandestine surveillance. Law enforcement officials could scan them at political rallies and then store them in databases. The tags could also be correlated to other signals, such as electronic toll-booth payment systems or RFID-based credit cards, to track the detailed movements of their holders.

Not that the Feds Care

Officials with the US Customs and Border Protection Department say they have no plans to overhaul the technology used in passport cards. RFID signals allow border agents to process travelers more quickly and bring an added level of security to the process, spokeswoman Kelly Ivahnenko said. The cards come with protective sleeves that prevent the RFID tags from being readable, she added, and even if they are captured, she said there is little anyone can do with the information.

"From our standpoint the privacy issues have been misrepresented and blown out of proportion," she told The Reg. "Anytime that you have a new technology and use it in a new way, there are always going to be far-out ways to use information nefariously. We want travelers to be aware of the technology and to know how it works so that they can be comfortable using it."

A spokesman from the US State Department - which processes applications for passport cards and then issues them - declined to comment.

But critics contend the risks are real, especially if RFID-enabled identification becomes universal.

"Just like a social security number, the unique identifier number on this document must be properly safeguarded," said Nicole Ozer, Technology and Civil Liberties policy director of the ACLU of Northern California. "If it falls into the wrong hands, it can be used for tracking, stalking, identity theft, and counterfeiting. If the government continues to stick its head in the sand and ignore the very real privacy and security threats that researchers, civil liberties organizations, and even industry groups have repeatedly brought to its attention, the American people will pay a very high price."
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Thor on February 11, 2009, 11:51:13 AM
I had read that wrapping one's passport in foil would work to prevent unauthorized intrusion.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: AZRedhawk44 on February 11, 2009, 11:53:59 AM
This is why you put your NewID compliant driver's license in the microwave.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Headless Thompson Gunner on February 11, 2009, 11:56:46 AM
Quote
The cards make use of the RFID equivalent of optical barcodes known as electronic product code tags, which are widely used to track cattle and merchandise as it's shipped and then stored in warehouses. Because the technology employs no encryption and can be read from distances of more than a mile, the tags are highly susceptible (PDF) (http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf) to cloning and tracking, researchers have concluded.

Reading passive RFID from a mile away?  I don't think so.

I could believe maybe reading passive RFID from a few dozen feet away in normal situations.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Headless Thompson Gunner on February 11, 2009, 11:57:10 AM
Quote
I had read that wrapping one's passport in foil would work to prevent unauthorized intrusion.

That would work.

A steel or copper mesh wallet would be pretty cool.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: MechAg94 on February 11, 2009, 12:07:47 PM
There was another link about this somewhere I saw.  I didn't see where he was able to get personal information and all that off the passport?
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Headless Thompson Gunner on February 11, 2009, 12:11:29 PM
The attack described here isn't to glean information from the RFID tags in DLs and passports, it's to simply read and mimic a tag without knowing or caring what it says.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: AZRedhawk44 on February 11, 2009, 12:32:51 PM
I work in an office that secures the doors with RFID.  I carry a badge on my belt to get in.

This means that I could clone my co-worker's badge for a paltry $250 in parts and gain access to parts of the building to which I currently have no access.

Or... someone who doesn't have ANY business in the building can sit in the parking lot with a laptop as I walk in, grab my RFID, and output it to his own card.  Walk in behind me and be "me" to all the doorpads.

Great. ;/
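
Why a tag that only returns a fixed number can be copied by anyone who hears it once, as the article and the two posts above describe, and what changes when the tag must answer a fresh challenge. This is an added example, not part of the thread or of Paget's software; the class names, the sample identifier and the HMAC challenge-response scheme are assumptions made for illustration (the article says the tags in question employ no encryption).

```python
import hashlib
import hmac
import secrets


class StaticTag:  # unauthenticated tag: every read returns the same identifier
    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, challenge):
        return self.tag_id, b""  # challenge ignored: no secret, no freshness


class AuthTag:  # hypothetical tag whose secret key never leaves the chip
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge + self.tag_id, hashlib.sha256)
        return self.tag_id, mac.digest()


class ReplayClone:  # copy built from one overheard response; holds no key
    def __init__(self, overheard):
        self.overheard = overheard

    def respond(self, challenge):
        return self.overheard


def reader_accepts(tag, enrolled):
    """enrolled maps tag_id -> key, or None when the ID alone is trusted."""
    challenge = secrets.token_bytes(16)  # fresh for every read
    tag_id, mac = tag.respond(challenge)
    if tag_id not in enrolled:
        return False
    key = enrolled[tag_id]
    if key is None:
        return True  # nothing ties this response to this particular read
    expected = hmac.new(key, challenge + tag_id, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    tag_id = bytes.fromhex("30aabbccddeeff0011223344")  # constructed 96-bit ID
    key = secrets.token_bytes(32)
    static_tag, auth_tag = StaticTag(tag_id), AuthTag(tag_id, key)
    # Each clone is built from a single captured response to some earlier read.
    static_clone = ReplayClone(static_tag.respond(secrets.token_bytes(16)))
    auth_clone = ReplayClone(auth_tag.respond(secrets.token_bytes(16)))
    return {
        "static genuine": reader_accepts(static_tag, {tag_id: None}),
        "static clone": reader_accepts(static_clone, {tag_id: None}),
        "auth genuine": reader_accepts(auth_tag, {tag_id: key}),
        "auth clone": reader_accepts(auth_clone, {tag_id: key}),
    }


if __name__ == "__main__":
    print(demo())
```

The reader cannot tell the static tag from its copy, while the replayed response from the keyed tag fails because it was computed over a different challenge.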
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: roo_ster on February 11, 2009, 12:36:38 PM
Quote
Reading passive RFID from a mile away?  I don't think so.

I could believe maybe reading passive RFID from a few dozen feet away in normal situations.

Best be ready to believe more than that.

It is a matter of antenna, power, and receiver sensitivity, simply put.

The rig in the OP had an effective range of 30'.  Get yourself a nice directional antenna and boost the power and you can sit a long ways off and glean the data.  You'll need line of sight of course.  Considering that folks have rigged Wifi hardware to communicate in excess of 50 miles 173 miles (unamplified), one mile for this application is no great stretch.

http://en.wikipedia.org/wiki/Long-range_Wi-Fi#Longest_unamplified_Wi-Fi_link

I have some knowledge in this area, having done a similar hack on my Wifi setup.  If the RFID hacker got his hands on, say, a Primestar dish antenna, he could likely point it at a choke point and clone passport RFIDs at ranges much greater than a mile.


Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: KPT on February 11, 2009, 12:39:27 PM
Beat the back cover of your passport with a hammer. Should destroy the RFID chip.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: taurusowner on February 11, 2009, 12:47:06 PM
Is there a sure way of disabling the RFID in a passport permanently without making it visible or destroying a part of the passport?  The beating it with a hammer will probably leave some clues as to what you did.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Marnoot on February 11, 2009, 12:54:27 PM
Quote
Is there a sure way of disabling the RFID in a passport permanently without making it visible or destroying a part of the passport?  The beating it with a hammer will probably leave some clues as to what you did.

Microwave it.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Manedwolf on February 11, 2009, 01:06:59 PM
Quote
I have some knowledge in this area, having done a similar hack on my Wifi setup.  If the RFID hacker got his hands on, say, a Primestar dish antenna, he could likely point it at a choke point and clone passport RFIDs at ranges much greater than a mile.

Old Primestar dishes. Is there anything they can't do?
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: S. Williamson on February 11, 2009, 01:07:10 PM
Lo, Med, Hi, thaw, defrost... which?

And for how long?
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: griz on February 11, 2009, 01:11:43 PM
Our badges at work are supposed to be coded like that.  We just went through an iteration of badge holder that was supposed to block unknown scanners from picking them up.  The holders were expensive and failed for other reasons.  But what I thought was interesting was the gate guards have you take them out of the holders so they have their hands on the badge.  Wouldn't a gate that everybody has to go through be a great place to focus a scanner?  I asked about it but they thought I was a trouble maker.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Marnoot on February 11, 2009, 01:17:28 PM
Quote
Lo, Med, Hi, thaw, defrost... which?

And for how long?

Can't imagine it would take more than a couple seconds to fry it good. Certainly no longer than it takes to nuke a CD, or get one of those bread twisty ties a-sparkin'.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Headless Thompson Gunner on February 11, 2009, 01:22:18 PM
Quote
Best be ready to believe more than that.

It is a matter of antenna, power, and receiver sensitivity, simply put.

The rig in the OP had an effective range of 30'.  Get yourself a nice directional antenna and boost the power and you can sit a long ways off and glean the data.  You'll need line of sight of course.  Considering that folks have rigged Wifi hardware to communicate in excess of 50 miles 173 miles (unamplified), one mile for this application is no great stretch.

http://en.wikipedia.org/wiki/Long-range_Wi-Fi#Longest_unamplified_Wi-Fi_link

I have some knowledge in this area, having done a similar hack on my Wifi setup.  If the RFID hacker got his hands on, say, a Primestar dish antenna, he could likely point it at a choke point and clone passport RFIDs at ranges much greater than a mile.

Having designed a passive RFID system in the past, I'm highly skeptical that passive RFIDs can capture and re-resonate signals strong enough to do that.  The amount of RF energy needed to transmit one mile and then back again is just too great for a typical RFID patch.

If passive RFID worked at one mile, there'd be little reason to ever use an active RFID.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Jim147 on February 11, 2009, 01:25:02 PM
Quote
Old Primestar dishes. Is there anything they can't do?

They don't make very good sleds. =D

Quote
Lo, Med, Hi, thaw, defrost... which?

And for how long?

Until right before it flames up.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Jamisjockey on February 11, 2009, 02:24:25 PM
Okay but if you nuke your passport, will it then be invalid when they can't read the RFID chip at customs?
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Ben on February 11, 2009, 02:59:59 PM
I've got an RFID blocker they issued me with my CAC card, but of course the thing is so blocky I never use it and keep the card in my ID wallet. There's still supposed to be other tech in CAC cards to keep them from being cloned, but I don't know what it is. Cloning them could be serious since they're supposed to have people's clearance level and stuff on them.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Regolith on February 11, 2009, 08:30:32 PM
You can get wallets that block RFIDs.  ThinkGeek.com sells em:

http://www.thinkgeek.com/gadgets/security/8cdd/
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Headless Thompson Gunner on February 11, 2009, 08:46:00 PM
Quote
Okay but if you nuke your passport, will it then be invalid when they can't read the RFID chip at customs?

Nope.  The information contained in the RFID tag is supposed to be the same information printed inside the passport.  The guy at customs will simply have to read it with his eyes and enter it into the computer using his fingers.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: erictank on February 12, 2009, 10:02:16 AM
Quote
Microwave it.

I've heard (on FlyerTalk, where the subject comes up with some regularity) that microwaving your RFID passport can result in scorch marks to the document.  An alternate suggestion was to place a block of wood over the tag in the back cover and beat on that for a bit, which prevents putting hammerhead-shaped dents in the cover.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Manedwolf on February 12, 2009, 10:15:54 AM
Quote
Okay but if you nuke your passport, will it then be invalid when they can't read the RFID chip at customs?

It just doesn't work. It's not your fault. The airport xray must have ruined it.

And yes, they'll still take it, they just have to enter the data by hand instead of swiping it past a low-power reader that was their basis for calling it "safe". They ignored the fact that someone could make a homebrew with more power to interrogate an RFID from across a room. They're passive devices, powered by the signal like an ancient crystal radio. When the pulse of energy at the right frequency hits the RFID (antenna and chip) it causes the RFID to return a weak signal containing a few bits.

It just seemed like a stupid idea all around, and there were warnings about virtual pickpocketing years ago.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Zardozimo Oprah Bannedalas on February 12, 2009, 10:36:12 AM
Would degaussing work?
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: zahc on February 12, 2009, 10:42:20 AM
Quote
I had read that wrapping one's passport in foil would work to prevent unauthorized intrusion.

Tried it on the entry key-cards at work, which have a naked range of about 6 inches. Wrapping the wallet in one layer of foil still allowed the card to trip the lock (from within the wallet) at contact range. It took two layers, of the heavy-duty foil they use for the vacuum systems too, not normal cooking foil.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Marnoot on February 12, 2009, 10:51:35 AM
Quote
You can get wallets that block RFIDs.  ThinkGeek.com sells em:

http://www.thinkgeek.com/gadgets/security/8cdd/

They also sell RFID-blocking passport holders, though they're out of stock at the moment:

http://www.thinkgeek.com/gadgets/security/910f
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: CNYCacher on February 13, 2009, 01:11:46 PM
Quote
Lo, Med, Hi, thaw, defrost... which?

And for how long?

You do it on high power for 2 seconds less than it took the first passport to burst into flames.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Thor on February 13, 2009, 01:35:23 PM
I don't know what was wrong with the bar code that is/was on passports. That seemed to be pretty efficient.
Title: Re: Man Builds and Demonstrates Passport RFID Sniffer/Cloner for $250
Post by: Waitone on February 13, 2009, 08:04:21 PM
The single biggest problem with RFID technology is it is exceedingly susceptible to static electricity.  Plans are to put these things in just about anything.  Problem is static electricity inherent in production processes kills 'em before they get planted.  The sure fire way of destroying the buggers is to zap 'em with ESD or electro-static discharge.  Draw a static arc and they will die.  I can see a business plan coming together to produce and distribute a consumer device designed to zap chips.  I can also see fed.gov writing laws to hinder attempts to establish privacy.