RE: Government RFID busted

[Al Rivas <ARivas () hyphensolutions com>]

I would say Dan's war drive was useful.  And those that would clone those documents would probably find the technique 
quite useful.  Yes, RFID is doing what it's supposed to but I'd put over 90% of people don't realize that their 
information available to cloning this easily.  We (sec pros, technogeeks, etc) form only a small percentage of the 
population.  Knowing the bear **** in the woods is only useful because it is a common frame of reference.  Unless we 
inform the general public that their/our information is accessible this way, we will be the only ones that even know 
the bear exists.

It would be useless to see another gov program spend billions on something which is supposed to increase security but 
instead has security holes in it then say after the fact, "but that's the way it works."

-----Original Message-----
From: Prodigi Child [mailto:prodigi.child () gmail com] 
Sent: Wednesday, February 04, 2009 1:35 AM
To: Al Rivas; pen-test () securityfocus com
Subject: RE: Government RFID busted

I agree that having RFID chips in IDs is a bad idea (Imagine a terrorist in
Beirut checking his scanner "Hmm 5 Americans in the area.. let's go
hunting!") but is a 'war drive' to read the RFID tags from the passports
really useful? It's one of those "duh" things like a study trying to
determine if bears **** in the woods.

I mean, they are doing what they are supposed to do in the first place,
which is be read by RFID scanners, albeit from further away than what they
claimed was possible.




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Al Rivas
Sent: Monday, February 02, 2009 10:58 AM
To: pen-test () securityfocus com
Subject: Government RFID busted

So the U.S. government has had this idea to tag our passports, drivers
licenses etc, with RFID.  Dan Goodin, has created this video showing why
this is not a good idea.  The problem is that technology is growing in
breadth and complexity faster than bureaucrats can wrap their minds around
it.  The vast majority of the decision makers on these programs can't spell
computer and have only slight exposure to . "the internets".  

Someone presents them with a technology, (I'd bet the farm that the
presenter sells that particular technology), and the bureaucratic bean
counter says "Whoopee !  And how much is my cut so I can vote for this ?"

Everyone makes money, and America is safer, they have the PowerPoint Slides
that say so.

Here's an excerpt from the article "Using inexpensive off-the-shelf
components, an information security expert has built a mobile platform that
can clone large numbers of the unique electronic identifiers used in US
passport cards and next generation drivers licenses."

Here's Dan's excellent video showing how he did it :

http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-clo
ning-rfid-passports/


Excerpt from Western Hemisphere Travel Initiative - the project injecting
RFID into government docs.
"Each day, an average of 1.1 million pedestrians and passengers enter the
United States for business or pleasure. In order to facilitate cross-border
travel for U.S. citizens while enhancing the security of our citizens and
travelers, the Department of Homeland Security (DHS) proposes to expand the
use of vicinity radio frequency identification (RFID) technology at land
border ports of entry. The use of this technology will be a key component of
the PASS System (People, Access Security Service), announced in January 2006
by Secretaries Rice and Chertoff as part of their Joint Vision -"Secure
Borders and Open Doors in the Information Age.""