RE: Government RFID busted

[<securityfocus () joepete com>]

I think a more obvious question is why choose RFID as a medium to begin
with? A contact smartcard makes far more sense for passports.

It's not like anyone will be crossing borders simply by waving a card within
proximity of a reader. There will be actual people looking at these
passports, matching picture to faces, asking questions, etc. Right? So why
not use a contact smartcard, which can store more data, provide better
encryption and most important, reduce a huge opportunity for data leak to
anyone with a strong enough antenna?


--
JoePete



> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Hleihel, Mohammed [SOS]
> Sent: Wednesday, February 11, 2009 12:06 PM
> To: Prodigi Child pen-test () securityfocus com; 
> Subject: RE: Government RFID busted
>
> Good point. Which makes it impossible for a terrorist in Beirut to
> detonate a bomb once an American is in sight because passport CARDS can
> only be used to travel to (Mexico, Canada and the Caribbean countries?)
>
> Again, I am not defending the government on EDLs. But based on what I read
> and saw, international passports have been better equipped. The State
> Department has worked with security experts, and many changes have been
> implemented.
>
> -Mohammed Hleihel
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Prodigi Child
> Sent: Friday, February 06, 2009 12:50 AM
> To: Hleihel, Mohammed [SOS]; 'Al Rivas'; pen-test () securityfocus com
> Subject: RE: Government RFID busted
>
> Mohammed,
>
> Actually, in the first sentence of the video he states he is working
> sniffing for a passport CARD, not a passport BOOK. Passport CARDS do not
> necessarily have covers, and neither does the EDL (although it purportedly
> comes with an optional case/cover). I know that the passport books include
> metallic elements in the cover which is supposed to block RFID traffic and
> that its effectiveness is dubious.
>
> Have a good day.
>
> -----Original Message-----
> From: Hleihel, Mohammed [SOS] [mailto:mohammed.hleihel () sos state ia us]
> Sent: Thursday, February 05, 2009 12:38 PM
> To: Prodigi Child; Al Rivas; pen-test () securityfocus com
> Subject: RE: Government RFID busted
>
> Read more and investigate before making such baseless assumptions.
>
> 1- The passport covers are supposed to provide a sheet that hides the RFID
> signals. Only when a passport is opened would a scanner be able to read
> the
> stored data.
> 2- The Secretary of State is working with many agencies regarding securing
> this project. All risks and potential security threats are being studied.
> The government corporation has been satisfactory to a lot of privacy
> experts.
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On
> Behalf Of Prodigi Child
> Sent: Wednesday, February 04, 2009 1:35 AM
> To: 'Al Rivas'; pen-test () securityfocus com
> Subject: RE: Government RFID busted
>
> I agree that having RFID chips in IDs is a bad idea (Imagine a terrorist
> in
> Beirut checking his scanner "Hmm 5 Americans in the area.. let's go
> hunting!") but is a 'war drive' to read the RFID tags from the passports
> really useful? It's one of those "duh" things like a study trying to
> determine if bears **** in the woods.
>
> I mean, they are doing what they are supposed to do in the first place,
> which is be read by RFID scanners, albeit from further away than what they
> claimed was possible.
>
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On
> Behalf Of Al Rivas
> Sent: Monday, February 02, 2009 10:58 AM
> To: pen-test () securityfocus com
> Subject: Government RFID busted
>
> So the U.S. government has had this idea to tag our passports, drivers
> licenses etc, with RFID.  Dan Goodin, has created this video showing why
> this is not a good idea.  The problem is that technology is growing in
> breadth and complexity faster than bureaucrats can wrap their minds around
> it.  The vast majority of the decision makers on these programs can't
> spell
> computer and have only slight exposure to . "the internets".
>
> Someone presents them with a technology, (I'd bet the farm that the
> presenter sells that particular technology), and the bureaucratic bean
> counter says "Whoopee !  And how much is my cut so I can vote for this ?"
>
> Everyone makes money, and America is safer, they have the PowerPoint
> Slides
> that say so.
>
> Here's an excerpt from the article "Using inexpensive off-the-shelf
> components, an information security expert has built a mobile platform
> that
> can clone large numbers of the unique electronic identifiers used in US
> passport cards and next generation drivers licenses."
>
> Here's Dan's excellent video showing how he did it :
>
> http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-
> clo
> ning-rfid-passports/
>
>
> Excerpt from Western Hemisphere Travel Initiative - the project injecting
> RFID into government docs.
> "Each day, an average of 1.1 million pedestrians and passengers enter the
> United States for business or pleasure. In order to facilitate cross-
> border
> travel for U.S. citizens while enhancing the security of our citizens and
> travelers, the Department of Homeland Security (DHS) proposes to expand
> the
> use of vicinity radio frequency identification (RFID) technology at land
> border ports of entry. The use of this technology will be a key component
> of
> the PASS System (People, Access Security Service), announced in January
> 2006
> by Secretaries Rice and Chertoff as part of their Joint Vision -"Secure
> Borders and Open Doors in the Information Age.""