RE: Government RFID busted

["Rui Pereira (WCG)" <wavefront1 () shaw ca>]

Why do these RFID passports / cards not come with an off switch and a
timeout that turns them off automatically unless the user manually activates
them? Surely one does not need the functionality these devices provide at
all time, only at a border control post or airport, say?

See
http://www.newscientist.com/article/mg19926726.300-off-switch-could-protect-
your-smartcard-secrets.html 

Or is everybody so brain-dead they miss the obvious?

Thank You
 
Rui Pereira,
Principal Consultant
WaveFront Consulting Group
 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Prodigi Child
Sent: February 5, 2009 10:50 PM
To: 'Hleihel, Mohammed [SOS]'; 'Al Rivas'; pen-test () securityfocus com
Subject: RE: Government RFID busted

Mohammed,

Actually, in the first sentence of the video he states he is working
sniffing for a passport CARD, not a passport BOOK. Passport CARDS do not
necessarily have covers, and neither does the EDL (although it purportedly
comes with an optional case/cover). I know that the passport books include
metallic elements in the cover which is supposed to block RFID traffic and
that its effectiveness is dubious.

Have a good day.

-----Original Message-----
From: Hleihel, Mohammed [SOS] [mailto:mohammed.hleihel () sos state ia us] 
Sent: Thursday, February 05, 2009 12:38 PM
To: Prodigi Child; Al Rivas; pen-test () securityfocus com
Subject: RE: Government RFID busted

Read more and investigate before making such baseless assumptions.

1- The passport covers are supposed to provide a sheet that hides the RFID
signals. Only when a passport is opened would a scanner be able to read the
stored data.
2- The Secretary of State is working with many agencies regarding securing
this project. All risks and potential security threats are being studied.
The government corporation has been satisfactory to a lot of privacy
experts.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Prodigi Child
Sent: Wednesday, February 04, 2009 1:35 AM
To: 'Al Rivas'; pen-test () securityfocus com
Subject: RE: Government RFID busted

I agree that having RFID chips in IDs is a bad idea (Imagine a terrorist in
Beirut checking his scanner "Hmm 5 Americans in the area.. let's go
hunting!") but is a 'war drive' to read the RFID tags from the passports
really useful? It's one of those "duh" things like a study trying to
determine if bears **** in the woods.

I mean, they are doing what they are supposed to do in the first place,
which is be read by RFID scanners, albeit from further away than what they
claimed was possible.




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Al Rivas
Sent: Monday, February 02, 2009 10:58 AM
To: pen-test () securityfocus com
Subject: Government RFID busted

So the U.S. government has had this idea to tag our passports, drivers
licenses etc, with RFID.  Dan Goodin, has created this video showing why
this is not a good idea.  The problem is that technology is growing in
breadth and complexity faster than bureaucrats can wrap their minds around
it.  The vast majority of the decision makers on these programs can't spell
computer and have only slight exposure to . "the internets".  

Someone presents them with a technology, (I'd bet the farm that the
presenter sells that particular technology), and the bureaucratic bean
counter says "Whoopee !  And how much is my cut so I can vote for this ?"

Everyone makes money, and America is safer, they have the PowerPoint Slides
that say so.

Here's an excerpt from the article "Using inexpensive off-the-shelf
components, an information security expert has built a mobile platform that
can clone large numbers of the unique electronic identifiers used in US
passport cards and next generation drivers licenses."

Here's Dan's excellent video showing how he did it :

http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-clo
ning-rfid-passports/


Excerpt from Western Hemisphere Travel Initiative - the project injecting
RFID into government docs.
"Each day, an average of 1.1 million pedestrians and passengers enter the
United States for business or pleasure. In order to facilitate cross-border
travel for U.S. citizens while enhancing the security of our citizens and
travelers, the Department of Homeland Security (DHS) proposes to expand the
use of vicinity radio frequency identification (RFID) technology at land
border ports of entry. The use of this technology will be a key component of
the PASS System (People, Access Security Service), announced in January 2006
by Secretaries Rice and Chertoff as part of their Joint Vision -"Secure
Borders and Open Doors in the Information Age.""






No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 8.0.233 / Virus Database: 270.10.20/1943 - Release Date: 02/09/09
17:40:00