Penetration Testing mailing list archives
Re: Government RFID busted
From: VM <vmemaillist () gmail com>
Date: Fri, 13 Feb 2009 03:26:31 -0500
However, the tag will be a unique identifier for the RFID-enabled card. Once access to the information that is maintained in the DHS database is obtained (it's only a matter of time: hacking/social engineering, stolen laptops/computers, etc.), one can track a vicinity RFID-enabled card holder or clone the RFID-enabled card to impersonate that person (albeit imbedded in a fraudulent ID, e.g. Passport).
If we should not be concerned with the ability to read/receive the tag's identification number then we should be able to program the RFID-enabled cards with the cardholders unique Social Security or Resident's ID number. The Social Security or Resident's ID number by itself does not provide personal information. However, there is a market for obtaining the personal information of the person who's Social Security number was captured. This issue is widely known today as identity theft.
I agree with the person who wrote that vicinity RFID is not needed when contact readers would suffice given the need to present the IDs for visual inspection.
On Feb 12, 2009, at 3:37 PM, Shreyas Zare wrote:
You will need a database to get the info as the RFID is only storing a tag. Just read what Prodigi Child <prodigi.child () gmail com> wrote:According to the DHS Fact Sheet(http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm), "No personal information would be transmitted or stored on the vicinity RFID- enabled card. The technology will transmit only a number between the card and thereader which will be matched against a DHS database."Regards, On Fri, Feb 13, 2009 at 1:09 AM, Miller Grey <vigilantgregorius () gmail com> wrote:...a compromised reader connected to a database? What database? yes, the reader at the border is accessible to certain people working there, most likely border patrol agents.On Wed, Feb 11, 2009 at 1:31 PM, Shreyas Zare <shreyas () technitium com> wrote:Hi,What can one do with the tag ? just use a compromised RFID reader thatis connected to database and get the details. Also, the reader at border is accessible to certain people working there, which can be misused too for gaining unauthorized access. Regards,On Wed, Feb 11, 2009 at 2:28 AM, Prodigi Child <prodigi.child () gmail com> wrote:What do you mean by the data is not encrypted? Specifically what data are you talking about? According to the video it looks like all he got was a'tag.' According to the DHS Fact Sheet(http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm), "No personal information would be transmitted or stored on the vicinity RFID- enabled card. The technology will transmit only a number between the card and thereader which will be matched against a DHS database."So this war driver just for the number that is transmitted between the cardand the reader. According to the State Department(http://travel.state.gov/passport/ppt_card/ppt_card_3921.html), "There willbe no personal information written to the RFID chip."If the DHS and State Department are not lying, then to fully 'clone' a passport card wouldn't you still need physical access to it (to get all ofthe personal information)?So I repeat (and re-word) my original question. How was this useful? If all he got was an identifier for the passport card, and there is no personal information on it, what is the threat? Why should I care if someone can readmy passport card's tag? -----Original Message-----From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] OnBehalf Of Mythic Glyph Sent: Thursday, February 05, 2009 1:52 PM To: pen-test () securityfocus com Subject: RE: Government RFID bustedYes, it's a truism that an RFID scanner can read data from RFID chips, but that was not the point of the video. Rather, the video was created to alert the public to the fact that - contrary to popular belief - the information in the RFID could be read easily, cheaply, and discretely by almost anyone at any time. I was personally surprised to learn that the data was notencrypted at all... -----Original Message-----From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] OnBehalf Of Prodigi Child Sent: Wednesday, February 04, 2009 2:35 AM To: 'Al Rivas'; pen-test () securityfocus com Subject: RE: Government RFID bustedI agree that having RFID chips in IDs is a bad idea (Imagine a terrorist inBeirut checking his scanner "Hmm 5 Americans in the area.. let's gohunting!") but is a 'war drive' to read the RFID tags from the passports really useful? It's one of those "duh" things like a study trying todetermine if bears **** in the woods.I mean, they are doing what they are supposed to do in the first place, which is be read by RFID scanners, albeit from further away than what theyclaimed was possible. -----Original Message-----From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] OnBehalf Of Al Rivas Sent: Monday, February 02, 2009 10:58 AM To: pen-test () securityfocus com Subject: Government RFID bustedSo the U.S. government has had this idea to tag our passports, drivers licenses etc, with RFID. Dan Goodin, has created this video showing why this is not a good idea. The problem is that technology is growing in breadth and complexity faster than bureaucrats can wrap their minds around it. The vast majority of the decision makers on these programs can't spellcomputer and have only slight exposure to . "the internets". Someone presents them with a technology, (I'd bet the farm that thepresenter sells that particular technology), and the bureaucratic bean counter says "Whoopee ! And how much is my cut so I can vote for this ?"Everyone makes money, and America is safer, they have the PowerPoint Slidesthat say so. Here's an excerpt from the article "Using inexpensive off-the-shelfcomponents, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in USpassport cards and next generation drivers licenses." Here's Dan's excellent video showing how he did it :http://www.engadget.com/2009/02/02/video-hacker-war-drives-san- francisco-cloning-rfid-passports/Excerpt from Western Hemisphere Travel Initiative - the project injectingRFID into government docs."Each day, an average of 1.1 million pedestrians and passengers enter the United States for business or pleasure. In order to facilitate cross-border travel for U.S. citizens while enhancing the security of our citizens and travelers, the Department of Homeland Security (DHS) proposes to expand the use of vicinity radio frequency identification (RFID) technology at land border ports of entry. The use of this technology will be a key component of the PASS System (People, Access Security Service), announced in January 2006 by Secretaries Rice and Chertoff as part of their Joint Vision -"SecureBorders and Open Doors in the Information Age.""-- ("Computers have a strange habit of doing what you say, not what you mean." - SANS Top 25 Most Dangerous Programming Errors) Shreyas Zare Co-Founder, Technitium eMail: shreyas () technitium com ..::< The Technitium Team >::.. Visit us at www.technitium.com Contact us at theteam () technitium com Join Sci-Tech News group and get the latest science & technology news in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news to join.
Current thread:
- RE: Government RFID busted, (continued)
- RE: Government RFID busted Al Rivas (Feb 10)
- RE: Government RFID busted Hleihel, Mohammed [SOS] (Feb 10)
- RE: Government RFID busted Prodigi Child (Feb 10)
- RE: Government RFID busted Rui Pereira (WCG) (Feb 11)
- RE: Government RFID busted Hleihel, Mohammed [SOS] (Feb 11)
- RE: Government RFID busted securityfocus (Feb 12)
- RE: Government RFID busted Prodigi Child (Feb 11)
- Re: Government RFID busted Shreyas Zare (Feb 11)
- Message not available
- Re: Government RFID busted Shreyas Zare (Feb 12)
- Re: Government RFID busted VM (Feb 18)