
Slashdot: News for Nerds

Feds At DefCon Alarmed After RFIDs Scanned

CmdrTaco posted more than 4 years ago | from the oh-sure-now-you're-alarmed dept.

Security 509

FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"

509 comments

What do you bet... (5, Insightful)

thisnamestoolong (1584383) | more than 4 years ago | (#28971251)

...the Feds try to ban the tech to read the RFIDs instead of urging credit card manufacturers/the state department to back off on putting RFID chips into everything?

AS SEEN ON DIGG (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28971321)

About two days ago now. [digg.com]
 
Lol, Slashdot, for getting your "news" too little and too late from a secondary or tertiary source.

Re:What do you bet... (4, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#28971369)

It's easier to outlaw gadgets than to admit you're wrong.

That's why, thanks to recent laws, only criminals carry guns. Pretty soon only criminals will have webcameras or RFID sniffers.

Re:What do you bet... (1)

morgan_greywolf (835522) | more than 4 years ago | (#28971679)

That's why, thanks to recent laws, only criminals carry guns.

Blatantly false, at least in the United States. [ibiblio.org]

Re:What do you bet... (4, Insightful)

Shakrai (717556) | more than 4 years ago | (#28971915)

Blatantly true, at least in parts of the United States

Fixed that for you. If you think you can get a carry permit in New York City/San Francisco/Chicago as a law abiding American citizen think again. The only way that happens is if you are rich and have political connections. The rest of us poor slobs don't have the right to defend ourselves if we are unlucky enough to live in a part of the country run by the anti-gun zealots.

This will eventually change when the 2nd amendment is incorporated against the states but it doesn't change the fact that right now you effectively have no right to keep and bear arms if you live in the wrong part of the country.

Re:What do you bet... (3, Funny)

bill_mcgonigle (4333) | more than 4 years ago | (#28972075)

The only way that happens is if you are rich and have political connections.

That's not entirely true - if you're a bodyguard of a rich (important) person, you can legally protect them too.

Re:What do you bet... (4, Insightful)

Shakrai (717556) | more than 4 years ago | (#28972115)

Sad but true. My favorite is the Hollywood types that rant about the evils of firearm ownership while being protected by armed bodyguards. Fucking hypocrites.

All animals are equal but some are more equal than others.

Re:What do you bet... (1)

Zantac69 (1331461) | more than 4 years ago | (#28971377)

Yeah - I was happy that my passport was one of the old school ones without RFID...but since I have had to renew it, I have to get one of those "blocker wallets" to keep it safe when I travel. Wish there would have been a box I could have selected that said "NORFIDKTHXBIBI"

Re:What do you bet... (1, Interesting)

commodore64_love (1445365) | more than 4 years ago | (#28971437)

Is it possible to remove the RFID device?

The Congressional mandate for RFIDs is similar to the stupidity that gave us a bunch of computer-controlled voting booths (which are easily hacked, or prone to errors). The politicians don't understand technology. To them it's just "magic" that will cure everything, therefore they mandate this stuff without putting any thought into it, basing their decision upon faith rather than reason. They don't realize this "magic" has serious flaws that makes it less-desirable than the old paper-based methods.

Re:What do you bet... (2, Informative)

vintagepc (1388833) | more than 4 years ago | (#28971653)

Is it possible to remove the RFID device?

Yes... with a hammer.

Re:What do you bet... (4, Insightful)

ColdWetDog (752185) | more than 4 years ago | (#28971999)

A brief trip to the microwave works better. Fewer indentations on the cover ("No officer, it doesn't look like someone's been beating this passport with a hammer, why do you ask?").

Not quite as satisfying however.

Re:What do you bet... (1)

Shadow of Eternity (795165) | more than 4 years ago | (#28972089)

an extremely steady hand and a scalpel would be more fun. Replace your chip with something full of goatse or whatever the equivalent would be.

Re:What do you bet... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28972177)

I doubt replacing any part of your passport didn't void it.

Re:What do you bet... (3, Insightful)

Boscrossos (997520) | more than 4 years ago | (#28971711)

Actually, they likely base their decision on the basis of lobby work done by industry experts. After all, who better to trust than an expert, right? Problem is, these experts are usually employed by the industry selling the technology, and as such, rarely go into the downsides too much. Barring counter-lobbying from another source (NGO or public initiative), it's likely the politicians really are convinced they're doing the right thing, because clearly, there are no downsides, or they'd have heard about it.

Re:What do you bet... (3, Insightful)

DirtyUncleRon69 (1492865) | more than 4 years ago | (#28971443)

So our passports will need tinfoil hats now too?

Re:What do you bet... (3, Interesting)

Andy Dodd (701) | more than 4 years ago | (#28971611)

My New York EDL came with a foil-lined protective sleeve.

Re:What do you bet... (5, Interesting)

oenone.ablaze (1133385) | more than 4 years ago | (#28971447)

This is a legal gray area, but a couple years back Wired suggested that hitting the passport's chip with a hammer would disable the RFID without obvious signs--a disabled RFID chip does not invalidate the passport.

Re:What do you bet... (1)

hacker (14635) | more than 4 years ago | (#28971869)

"This is a legal gray area, but a couple years back Wired suggested that hitting the passport's chip with a hammer would disable the RFID without obvious signs--a disabled RFID chip does not invalidate the passport."

I seem to recall that putting it in a microwave on the "defrost" setting for a minute or so had the same effect, without destroying the passport itself.

Now, whether you're in a long line of people with "valid", functioning passports and yours is the only one not functioning (for the RFID scanner that TSA uses), might be in a legal gray area, but it might also gain you some additional, unwanted scrutiny into your job, your background, your hobbies and anything else.

Finding this Slashdot article in your browser cache, and you being in possession of a disabled RFID passport might be enough probable cause to dig deeper and find more. And more.

Re:What do you bet... (3, Interesting)

Shakrai (717556) | more than 4 years ago | (#28972025)

I seem to recall that putting it in a microwave on the "defrost" setting for a minute or so had the same effect, without destroying the passport itself.

Think again. I tried this with a RFID'ed credit card just to see what would happen and the results were rather spectacular. The RFID chip was destroyed in under a second but generated a shower of sparks that melted a large portion of the credit card and rendered it completely unusable. Of course that was the point -- I'd made the credit card company send me a card without a chip in it -- but I'm guessing you don't want to try and use a scorched and carbonized passport.......

Finding this Slashdot article in your browser cache, and you being in possession of a disabled RFID passport might be enough probable cause to dig deeper and find more. And more.

It would take a bit more than a disabled RFID chip to get probable cause to search your computer. That said, I wouldn't try the hammer or the microwave with my passport. I'd be surprised if there isn't a law on the books about mutilating those types of documents. It's easy enough to keep the thing in a foil pouch until you need to use it -- and if I'm not traveling out of the country my passport lives in a safe deposit box anyway.

Re:What do you bet... (1)

TooMuchToDo (882796) | more than 4 years ago | (#28972083)

Citation? My wife and I are about to travel to Japan, my passport is a couple of years older than hers and has no RFID, but hers does. I thought that we could damage the tag with a hammer or run it through the microwave, but I wanted to make sure this wasn't going to become a problem once we hit customs.

Re:What do you bet... (3, Informative)

oenone.ablaze (1133385) | more than 4 years ago | (#28972151)

Trust this [wired.com] insofar as you trust Wired. They say that the microwave will leave scorch marks, so this is NOT recommended. I suppose blunt force trauma is virtually undetectable or at least explainable by wear and tear throughout the course of your travels.

Re:What do you bet... (2, Interesting)

ElSupreme (1217088) | more than 4 years ago | (#28971555)

You can microwave it. The RFID antenna collects too much power and fries the circuit. Should take a second or two.

Re:What do you bet... (4, Insightful)

FreeUser (11483) | more than 4 years ago | (#28971765)

You can microwave it. The RFID antenna collects too much power and fries the circuit. Should take a second or two.

While an inoperative RFID may not invalidate your passport, I suspect a big honking scorch mark in the middle of the thing just might.

Re:What do you bet... (1)

Kartoffel (30238) | more than 4 years ago | (#28971449)

If they ban RFID readers, only criminals will read RFID's. Sort of makes the legal use of RFID's a little awkward, ya think?

Re:What do you bet... (5, Insightful)

multisync (218450) | more than 4 years ago | (#28971479)

I found this part really interesting:

It's not known if any Feds were caught by the reader. The group that set it up never looked closely at the captured data before it was destroyed. Priest told Threat Level that one person caught by the camera resembled a Fed he knew, but he couldn't positively identify him.

"But it was enough for me to be concerned," he said. "There were people here who were not supposed to be identified for what they were doing ... I was [concerned] that people who didn't want to be photographed were photographed."

Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected.

Nice to see that - after they made their point - the organizers and attendees at "one of the most hostile hacker environments in the country" did the right thing and destroyed the data. I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.

Re:What do you bet... (2, Funny)

LiquidCoooled (634315) | more than 4 years ago | (#28971567)

screw moral character.
don't you watch tv - give up the blank card keeping the real data somewhere else.

Re:What do you bet... (0, Redundant)

thisnamestoolong (1584383) | more than 4 years ago | (#28971623)

Mod parent "Funny"

Re:What do you bet... (3, Insightful)

siloko (1133863) | more than 4 years ago | (#28971629)

I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.

Ha ha very good! The sad thing is they would keep the data while telling the media they didn't, then justify keeping it when their lies are exposed, then mock outrage when it gets stolen, then bungled legislation when the peasants revolt. It's written in my tea leaves - which at least will be destroyed on MY say so!

Re:What do you bet... (1)

Jewbird (596227) | more than 4 years ago | (#28971509)

Get your RFID cloners now! Ever wanted to be a CIA agent despite your unfavorable history of drug usage? Now you can be!

Re:What do you bet... (0)

Anonymous Coward | more than 4 years ago | (#28971817)

The CIA actually isn't as strict about that sort of thing as the FBI is. The CIA figures that real-world, gritty experience (and low moral character) is actually desirable for a fucking worthless, dirty spy. Go figure, right?

Re:What do you bet... (1)

hesaigo999ca (786966) | more than 4 years ago | (#28971865)

Is it possible that even if you go to use the RFID info (which is encrypted) that it may have been consummated with a hash sum of the actual card number on the card...?

Just a thought?

duh? (4, Informative)

Kartoffel (30238) | more than 4 years ago | (#28971257)

Why would they be surprised? This has been common knowledge for years.

If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.

Re:duh? (1)

purpledinoz (573045) | more than 4 years ago | (#28971371)

This is completely beyond my comprehension that the Feds are surprised by this. I just assumed that they were doing this on purpose to achieve some grander goal. It's either that, or they are retarded. In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"

Re:duh? (3, Insightful)

ShieldW0lf (601553) | more than 4 years ago | (#28971487)

This is completely beyond my comprehension that the Feds are surprised by this. I just assumed that they were doing this on purpose to achieve some grander goal. It's either that, or they are retarded. In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"

They're faithfully participating in a system which is intentionally insane. It's not that hard to understand...

Re:duh? (1)

Jewbird (596227) | more than 4 years ago | (#28971559)

> They're faithfully participating in a system which is intentionally insane. It's not that hard to understand...

Only 15 years until retirement...

Re:duh? (0)

Anonymous Coward | more than 4 years ago | (#28971505)

This is completely beyond my comprehension that the Feds are surprised by this.

A better explanation is that the US federal government is a very big organization, and not everyone who works there is fully aware of what everyone else is doing.

And not everyone who works for the US federal government is a moron, some are very bright.

Re:duh? (1)

Darkness404 (1287218) | more than 4 years ago | (#28971769)

Except for the fact that RFID is embedded in most recent passports and stuff should be common knowledge to the average citizen, let alone someone working for the government. Similarly, it should be common knowledge that they can track them and extract info from them.

Re:duh? (1)

jmauro (32523) | more than 4 years ago | (#28971535)

Usually it's on purpose, but not for nefarious reasons. More likely it's because some RFID contractor\vendor got to the government person in the upper levels of charge and convinced them they need this feature in their IDs whether it's a good idea or not (it does help the previous vendor\contractors bottom line which is all that matters really). It then gets implemented regardless of any security concerns.

Re:duh? (2, Funny)

wereHamster (696088) | more than 4 years ago | (#28971609)

In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"

Definitely retarded (see http://en.wikipedia.org/wiki/Hanlon's_razor [wikipedia.org] ).

Re:duh? (1)

dzfoo (772245) | more than 4 years ago | (#28971617)

It's not so incomprehensible. These "Feds", after all, are individuals; just regular people. These are not high-tech über-spies, but pencil-pushing bureaucrats. They probably thought, much like most of the unsavvy masses, that if the technology was adopted for sensitive data, then at some level, some "experts" must have vouched for their security. After all, they're experts, they must know what they are doing.

Is it odd then that their confidence is shaken when their assumptions are invalidated? It's the same as a regular private citizen just discovering that their social security number--the one they give away freely to whomever asks for it (to verify their identity only, of course)--can be used to "steal" their identity by the very entities asking for it.

No, it's very comprehensible. If we are to have a chance at fixing the system we must make sure to educate everyone, including those in positions of authority who we assume know better.

        -dZ.

Re:duh? (2, Interesting)

hacker (14635) | more than 4 years ago | (#28971779)

"These "Feds", after all, are individuals; just regular people. These are not high-tech über-spies, but pencil-pushing bureaucrats."

"pencil-pushing bureaucrats" do not belong in attendance at DefCon, period.

It is precisely these kind of people (those who use, but completely lack the understanding of the underlying technology), that cause the proliferation of malware, spam and other methodologies of subterfuge.

Send your best people to DefCon, and even they won't be good enough, but if you send pencil-pushing bureaucrats, you deserve to be scanned and have your personal information made public.

Hrmph!

Re:duh? (0)

Anonymous Coward | more than 4 years ago | (#28971671)

"Are they doing this on purpose? Or are they retarded?"

Yes, and they are "civil servants", which means they're lazy too.

Re:duh? (0)

Anonymous Coward | more than 4 years ago | (#28971413)

If it contains sensitive data or not doesn't really matter that much. The fact that it answers the same to the same challenge would be enough to tie an RFID device to a person (with the webcam), and also to tie different RFID-tags to the same (still anonymous) person. All it takes after that is to obtain the identity of the person in question (either by use of the picture or by compromising one of the RFIDs (could be a trivial one as for example a department store card)) and you have an instrument for a very efficient sociogram.

Now, my question to the security experts is: Does all RFID have a unique identifier? Would an RFID answer the same to the same challenge each time? If not, would there be enough of a pattern to figure out what algorithm or salt is used, even if the data is still unreadable?
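An added illustration of the linkability point raised in the comment above (it is not part of the thread or of any commenter's post): a toy model comparing a tag that returns a fixed identifier, a tag that answers a challenge deterministically, and a tag that mixes a fresh nonce into every answer. The tag classes, keys, identifiers and locations are constructed for the example and do not model any real RFID protocol.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# An observer who controls the reader can always send the same challenge.
FIXED_CHALLENGE = b"\x00" * 8


class StaticTag:
    """Hypothetical tag that returns the same identifier to every reader."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid


class DeterministicTag:
    """Hypothetical tag whose data is unreadable, but whose answer is a
    deterministic MAC of the challenge: same challenge, same answer."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class RandomizedTag:
    """Hypothetical tag that adds a fresh nonce to every answer, so two
    answers to the same challenge differ. Response = nonce || MAC."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        nonce = os.urandom(8)
        mac = hmac.new(self.key, nonce + challenge, hashlib.sha256).digest()[:8]
        return nonce + mac


def verify_randomized(key: bytes, challenge: bytes, response: bytes) -> bool:
    """A reader that holds the key can still authenticate a RandomizedTag."""
    nonce, mac = response[:8], response[8:]
    expected = hmac.new(key, nonce + challenge, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, expected)


def collect_sightings(tags, locations, challenge=FIXED_CHALLENGE):
    """Every carrier passes every location once.
    Returns (location, carrier_index, response) tuples. The carrier index is
    ground truth kept only for scoring; an observer sees just the response."""
    return [(loc, i, tag.respond(challenge))
            for loc in locations
            for i, tag in enumerate(tags)]


def linked_carriers(sightings):
    """Carriers whose visits to different locations can be tied together
    purely because the tag gave a byte-identical response each time."""
    by_response = defaultdict(set)
    for loc, carrier, response in sightings:
        by_response[response].add((loc, carrier))
    linked = set()
    for seen in by_response.values():
        if len({loc for loc, _ in seen}) > 1:
            linked.update(carrier for _, carrier in seen)
    return linked


def run_demo():
    """Count linkable carriers for each tag design (constructed sample data)."""
    locations = ["entrance", "hallway", "exit"]
    keys = [bytes([i]) * 16 for i in range(1, 4)]
    populations = {
        "static": [StaticTag(b"UID-%02d" % i) for i in range(3)],
        "deterministic": [DeterministicTag(k) for k in keys],
        "randomized": [RandomizedTag(k) for k in keys],
    }
    return {name: len(linked_carriers(collect_sightings(tags, locations)))
            for name, tags in populations.items()}


if __name__ == "__main__":
    print(run_demo())
```

In this model the payload never has to be decoded for the first two designs to be trackable; only the design that randomizes each answer leaves nothing stable to correlate, while a reader holding the key can still verify it.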

Re:duh? (1)

thomasdz (178114) | more than 4 years ago | (#28971821)

It's like the whole analog cellphone/scanner debacle
People had been buying radio scanners for years and years and then it hit the news that some scanners could listen in on cell phone conversations...but even AFTER it was well known, there were still multiple politicians in various countries caught by "journalists" having cell phone conversations with supposedly confidential and/or secret content.
Finally the feds made it illegal to sell scanners that could scan the analog cell phone range.... nobody actually fixed the problem. Now that we've (mostly) switched the world to digital cell phones, the interception risk isn't that big, but still, I agree with the parent post... "duh".

TDz.
 

bar-codes (1)

Lord Ender (156273) | more than 4 years ago | (#28971259)

RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes.

It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.

Re:bar-codes (4, Insightful)

ari_j (90255) | more than 4 years ago | (#28971299)

People can't surreptitiously read personal identifying information from a bar code that's in your pocket.

Re:bar-codes (4, Insightful)

Kartoffel (30238) | more than 4 years ago | (#28971391)

Right, but they sure can read whatever your RFID has to say. The problem is twofold:

1) Ignorant implementers put sensitive data on RFID's in plaintext.
2) Users are unaware of what data is actually *in* their RFID items.

RFID tags are dumb, low powered, even passive devices. If you can't afford active RFID's with public key encryption, don't put sensitive data on the damn things!

Re:bar-codes (4, Insightful)

multisync (218450) | more than 4 years ago | (#28971325)

It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.

There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.

Re:bar-codes (1)

Atzanteol (99067) | more than 4 years ago | (#28971373)

There's a bar code on my license. And are you telling me you don't have a magnetic strip on your credit card (that's similar to a bar code)?

Re:bar-codes (1)

psm321 (450181) | more than 4 years ago | (#28971807)

You have the technology to read a magnetic strip with a camera and line-of-sight? Because that's what the GP was talking about.

Re:bar-codes (5, Insightful)

socsoc (1116769) | more than 4 years ago | (#28972049)

A mag strip is as similar to a barcode as a christmas tree is to a sequoia...

Re:bar-codes (1)

eht (8912) | more than 4 years ago | (#28971409)

Just as a note, New York has bar codes on their driver licenses.
http://www.instructables.com/id/Decode-Your-License/ [instructables.com]

You're still quite correct in that they can't be read in your wallet, but that's what RFID blocking wallets are for anyway.

Re:bar-codes (1)

SilverJets (131916) | more than 4 years ago | (#28971511)

Which is great until you take the card or passport out of the RFID blocking wallet. Then a RFID reader nearby can pick up the information from a distance away. On the other hand, I think I'd notice someone leaning in real close to me with a barcode scanner trying to read my card.

Re:bar-codes (1)

Lord Ender (156273) | more than 4 years ago | (#28971521)

Are you kidding? There already are bar-codes on things like driver's licenses. And they can be photographed and decoded by the person sitting next to you at the bar. Where is the outrage? "very dangerous" indeed.

Re:bar-codes (2, Insightful)

Teun (17872) | more than 4 years ago | (#28971701)

It's worse, virtually any type of ID has this other code on the outside, it's purposely done in a contrasting colour so it's easy to copy and photograph and is called Alphabet.

That's scary!

Re:bar-codes (4, Interesting)

TooMuchToDo (882796) | more than 4 years ago | (#28972143)

What worries me is the black hat demo where their RFID detector detected US passports within range of a garbage can and detonated an explosive in said garbage can. No barcode/magstrip can be read remotely to determine your country of origin and action taken based on that.

Re:bar-codes (1)

Kartoffel (30238) | more than 4 years ago | (#28971527)

Your credit card has a magnetic "bar code". I don't know where your driver's license is from, but many licenses come with both magnetic strips *and* a 1-D or 2-D bar code. I can take a cell phone picture of my license's 2-D code and within seconds, pull out my full name, date of birth, endorsements/restrictions, address and license number.

Don't be afraid of the technology - just be afraid of leaking sensitive information.

Re:bar-codes (1)

thisnamestoolong (1584383) | more than 4 years ago | (#28971339)

"RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes."

Doesn't this suggest that RFID is a much less secure tech? A barcode or magnetic strip is safe in your wallet in your back pocket, RFID is not. That is like saying that because your windows can still be broken, it is not a security risk to leave your front door open when you leave the house.

Re:bar-codes (1)

Fallen Kell (165468) | more than 4 years ago | (#28971433)

Except the problem is that RFID is being used in a manner that barcodes are not being used. Everyone knows it is utterly stupid to rely on a barcode as an access code for a company, building, or secured facility. Too bad they did not make the same jump in conclusion with RFID. And because they can store more information in RFID, it is being used to hold personal identification data, not just a number (which is what barcodes encode).

Re:bar-codes (1)

Lord Ender (156273) | more than 4 years ago | (#28971547)

I'll grant you that. But this is not a problem with RFID. It's a problem with some misapplications of it. RFID itself is a fantastic technology.

Re:bar-codes (1)

krou (1027572) | more than 4 years ago | (#28971461)

"RFID is a slightly-longer-range bar-code that doesn't require line-of-sight."

RFID is not just like another barcode, because it uniquely identifies an individual product (or person). The numbering scheme for RFID is estimated to be able to uniquely number every product and person on the planet for the next several hundred years.

Also, talking about it being "remotely readable" obscures the fact that you don't require line of sight to read an RFID chip, as it can be read through clothes, or bags. Combine this with the unique number, and you have a very powerful tracking and profiling tool.

Re:bar-codes (0, Redundant)

krou (1027572) | more than 4 years ago | (#28971493)

Doh, sorry ... of course, your quote shows you did mention line of sight. I've had a few drinks ;)

Re:bar-codes (1)

Lord Ender (156273) | more than 4 years ago | (#28972145)

/me hands krou a cup of coffee

Sounds like a new cop-detector tool... (1, Informative)

Anonymous Coward | more than 4 years ago | (#28971287)

If an officer is under cover, they may still be carrying their ID. Looks like a discreet RFID scanner may be added to future tool kits of various organizations that want to avoid making deals with undercover cops.

Re:Sounds like a new cop-detector tool... (1)

Kartoffel (30238) | more than 4 years ago | (#28971401)

Or just don't carry incriminating ID while undercover.

A FedSnitch? (1)

SEWilco (27983) | more than 4 years ago | (#28971549)

It's simplest when federal agents are the first ones carrying RFID documents. Construction of the device is more difficult when everyone's shirt, shoes, and underwear has a chip, as the detector then has to know what kinds of codes are in ID cards of various types.

Re:A FedSnitch? (1)

etwills (471396) | more than 4 years ago | (#28972065)

Construction of the device is more difficult when everyone's shirt, shoes, and underwear has a chip, as the detector then has to know what kinds of codes are in ID cards of various types.

...at which point we could back up whether Commandos do actually "go Commando" with real statistics!

// Suddenly not at all curious about whether it's true...

wait a minute (2, Informative)

DragonTHC (208439) | more than 4 years ago | (#28971291)

They're attending a security convention with id cards that can be read from their pockets.

It's a good thing they didn't have rfid credit cards.

If it can be done, it will be done.

Cops (2, Insightful)

Jaysyn (203771) | more than 4 years ago | (#28971303)

So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.

Surprising? (2, Insightful)

Noam.of.Doom (934040) | more than 4 years ago | (#28971317)

How could they be surprised by this? Were they not aware of the demographic group that attends Defcon? They probably just forgot to wear their tin-foil hats

Re:Surprising? (1)

djdavetrouble (442175) | more than 4 years ago | (#28971483)

Well for one thing, it was a trap, and that is the nature of traps, they surprise you.

Re:Surprising? (1)

Andy Dodd (701) | more than 4 years ago | (#28971573)

The funny thing is that RFID-enabled documents (at least New York State EDLs) come with small "RF protection sleeves" that effectively amount to a tinfoil hat for the RFID...

Re:Surprising? (1)

value_added (719364) | more than 4 years ago | (#28971695)

How could they be surprised by this?

Everything is surprising when something assumed to be private gets made public. Googling your name for the first time is one example. A better one would be what I recall happening in towns in the South. People would take pictures of cars (with license plates showing) parked in the lot of an adult bookstore or strip club and publish them somewhere or just put them up for display on supermarket bulletin boards. Why be surprised at a picture of your car, right?

Granted, electronic eavesdropping is more subtle, but the same principle applies. You can argue in the abstract about the need for wireless encryption until the cows come home, but it won't get through to the average person until you can demonstrate a lack of security by actually showing them the passwords you sniffed. In the DefCon case, they took a photo and plastered it up for everyone to see.

They probably just forgot to wear their tin-foil hats

You mean tin-foil wallets. Humorously enough, Faraday-shielded wallets were on sale.

Paging Mr Orwell - 1984 is calling. (1)

Option1 (572066) | more than 4 years ago | (#28971341)

Being watched is one thing and, with the proliferation of security cameras, to be expected nowadays. It was the first step.

Being watched and identified is another thing entirely. The first step was bad enough, this one strikes me as a step too far - so, yes, I would agree it is dangerous.

Neil

Finally ! (1)

Yvanhoe (564877) | more than 4 years ago | (#28971345)

So, do we have picture of the federal agents that were there ? Is this not supposed to be a criminal offense ? And who is (legally) to blame on this one ? Poor procedures ? Decision to use RFID in a situation where it should not be used ? Are they going to say that this is entirely hackers' fault ?

Misleading post text... (5, Informative)

sifi (170630) | more than 4 years ago | (#28971353)

Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...

erm... not quite what the Wired Article says:

But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned

Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...

The data was destroyed (2, Informative)

doug141 (863552) | more than 4 years ago | (#28971403)

"Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."

Re:The data was destroyed (2, Funny)

Anonymous Coward | more than 4 years ago | (#28971469)

The Feds are later seen picking up the pieces of the smashed SD card for 'forensic analysis'.

Re:The data was destroyed (1)

Daetrin (576516) | more than 4 years ago | (#28971771)

"Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."

What is this, education through obfuscation? "This card I just destroyed contained data from reading any RFID chips that were on you. And then we used the webcam to do a retina scan and a palm print scan, it also performed a complimentary palm reading. (Agent Smith, I see a tall dark stranger in your future.) Finally through a careful data analysis we were able to refine an image of your skin cells well enough to perform a full DNA scan. Seriously, it was all there on that card I just smashed."

If they have done nothing wrong... (5, Insightful)

Anonymous Coward | more than 4 years ago | (#28971543)

...they have nothing to fear. Let's see how they like that argument used against _them_!

Silly Feds (4, Interesting)

Andy Dodd (701) | more than 4 years ago | (#28971565)

They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.

I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.

That's right - the government is providing tinfoil hats for your RFIDs already.

Re:Silly Feds (2, Insightful)

feldicus (1367687) | more than 4 years ago | (#28971687)

So they give you something that they want to read wirelessly, then give you something to keep it from being read wirelessly? Ah, government thought in action.

Re:Silly Feds (4, Insightful)

aynoknman (1071612) | more than 4 years ago | (#28971907)

I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.

That's right - the government is providing tinfoil hats for your RFIDs already.

As asinine as possible. The advantage of RFID is convenience. Let's use it and then make it less convenient to use.

General lesson: Convenient or secure. That's an XOR.

Missing the point. (5, Insightful)

BlueKitties (1541613) | more than 4 years ago | (#28971583)

I was charged with writing POS software where I work. After looking into using scanners, I came across RFID. As it turns out, instead of needing to scan your crap, you can just have a magic wand magically take inventory for you. In fact, after looking into it, I realized I could rig sensors in our storage room to automatically re-take inventory periodically.

I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.

I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool').

Re:Missing the point. (1)

feldicus (1367687) | more than 4 years ago | (#28971675)

I think this is the kind of thing RFID was invented for. I had a similar experience after playing with RFID at work.

Re:Missing the point. (4, Insightful)

TooMuchToDo (882796) | more than 4 years ago | (#28972187)

RFID tracking inventory/rail cars/etc. = OK
RFID tracking people = NOT OK

Kind of overreaction.... (1)

Lumpy (12016) | more than 4 years ago | (#28971591)

Yes attaching the RFID info to the photo gives you a better data aggregate but the same "problem" they were worried about can be caused by a web-cam designed to snap photos of ANYONE that goes past it.

The only thing the RFID reader does is try to nab someone with an access card in their wallet. It will not identify just "feds" but anyone that has a card access system in their workplace. So all Comcast employees will get read, Verizon employees, etc... making a very high signal to noise ratio that is approaching that of just taking everyone's photo.

Now look for a SPECIFIC badge, like the black hat badges that have your name and type in it, THAT is useful. Plus make that reader higher power, grab a 3 foot directional range and it becomes useful at choke points.

Re:Kind of overreaction.... (1)

RingDev (879105) | more than 4 years ago | (#28972027)

So all Comcast employees will get read, Verizon employees, etc... making a very high signal to noise ratio that is approaching that of just taking everyone's photo.

And you can't come up with a way to develop a value to the data of who, regardless of affiliation, attended a black hat hacker convention? Or any non-mainstream group event for that matter.

-Rick

This is really weird. (1)

feldicus (1367687) | more than 4 years ago | (#28971641)

Wasn't this explained not long after the inclusion of RFID chips in passports was announced? I just don't understand how it could have been ignored by the government for this long. I'm not this kind of hacker, but even my brief exposure to RFID at work (for inventory management) made me think that it would make a really awful system for sensitive data.

Re:This is really weird. (1)

Culture20 (968837) | more than 4 years ago | (#28971729)

I just don't understand how it could have been ignored by the government for this long.

Large sections of the government listen only to other sections of the government.

I don't wear a tinfoil hat, but ... (4, Interesting)

Charles Dodgeson (248492) | more than 4 years ago | (#28971649)

... my passport certainly does. I got mine at ThinkGeek [thinkgeek.com].

Nothing to see there ... (1)

slb (72208) | more than 4 years ago | (#28971699)

What does this article bring to us about RFID security that we did not already know?

An RFID tag can be read from afar! Oh big deal, but isn't it the precise purpose of a contactless badge or ID card to be read this way?

Did these guys break any security protection in any contactless card? No.

They're just telling us that they scared some clueless Feds attending the conference. That could be an interesting information if only their paper wasn't full of hype and so void of content relating to the security of RFID cards.

They jump to the conclusion that being able to read an RFID card with an RFID reader "is very dangerous" but aside from movie-plot scenarios I hardly see how being able to read a random number on some random card is a threat to anybody.

Seriously, how could privacy concerned people focus on this when we're basically broadcasting ourselves on the Internet and our neighborhood (purchases with credit card, cellphone broadcasting a unique ID at a range a thousand times bigger than what any RFID tag could achieve, etc.)?

SN != AL (1)

i_want_you_to_throw_ (559379) | more than 4 years ago | (#28971719)

SN != AL It's not tinfoil, it's aluminum foil. You'd think that the flock of nerds here would have that figured by now.

The Feds are alarmed? (1)

i_want_you_to_throw_ (559379) | more than 4 years ago | (#28971731)

You don't say? They go to Defcon and this happens? Good gracious me oh my. Kinda the point of DefCon isn't it?

It makes "Spot the Fed" so much easier (1)

crmanriq (63162) | more than 4 years ago | (#28971741)

"But it was enough for me to be concerned," he said. "There were people here who were not supposed to be identified for what they were doing … I was [concerned] that people who didn't want to be photographed were photographed."

There are RFID blocking Wallets on the market (1)

netsavior (627338) | more than 4 years ago | (#28971751)

If you are worried about this, there are very simple measures you can take.

The Federal Agents weren't Pwnd (1, Interesting)

mpapet (761907) | more than 4 years ago | (#28971797)

I know that some think this is some kind of critical failure, especially on slashdot. But it isn't.

1. Agents don't know or understand what's on the card(s). They probably fell into the same false belief the scanner operators have just because they don't know any better.
2. There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew! you got me there. There's a particularly obsessive set of slashdotters that watch too much television and come to believe something can be done with this information. The hurdles are so many the odds of winning the lottery are better than doing something useful with the unique ID.
3. If this were a crypto-capable chip and they got the secrets off the chip with a passive scan, they'd still have a unique ID. It would be a minor accomplishment, but no one cares.

Move along.
 

Re:The Federal Agents weren't Pwnd (5, Insightful)

Dunbal (464142) | more than 4 years ago | (#28972129)

There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew!

The problem is when you have another government computer that is counting on the Unique ID to be a UNIQUE ID, and using ONLY THAT parameter (plus other info also on the card) to identify someone - congratulations, you have just stolen someone else's identity.

Tin foil and duct tape futures ... (1)

Rambo Tribble (1273454) | more than 4 years ago | (#28972113)

... the smart investor's strategy.

Any reason you can't physically disable it? (0)

Anonymous Coward | more than 4 years ago | (#28972179)

Isn't it simpler to staple or put a needle through the tag? That should still pass basic scrutiny.
