Tinfoil wallets anyone?
August 3, 2006 4:42 AM Subscribe
Technological convenience or target identifier? In the most recent chapter in the RFID + US Passport story, LA-based security analysts Flexilis--those of the world record attempt RFID read at last year's DEFCON--noticed a security vulnerability in the RF shielding being proposed for the October release of the next generation US passport. And they made a hell of a proof of concept video showing a possible exploit of the vulnerability.
Oh, and the video and findings were presented at this year's Black Hat Briefings in Las Vegas. I knew I forgot a link when I hit post...
posted by quite unimportant at 4:52 AM on August 3, 2006
posted by quite unimportant at 4:52 AM on August 3, 2006
6 Inches?
I know, this is a legitimate security problem, but 6 inches isn't a whole lot of space to be scanning. When people talk about passport identification issues, I usually see things in terms of reading from several feet away.
Methinks the Flexilis guys are aiming to sell a new system to the DOD..
posted by WetherMan at 4:56 AM on August 3, 2006
I know, this is a legitimate security problem, but 6 inches isn't a whole lot of space to be scanning. When people talk about passport identification issues, I usually see things in terms of reading from several feet away.
Methinks the Flexilis guys are aiming to sell a new system to the DOD..
posted by WetherMan at 4:56 AM on August 3, 2006
I know, this is a legitimate security problem, but 6 inches isn't a whole lot of space to be scanning.
Put the scanner in a doorframe, and you'll catch a great number of people with passports in purses and pockets.
posted by eriko at 5:13 AM on August 3, 2006
The "terrorist threat" of targeting citizens carrying particular national passports is the key piece here. Six inches to detonate an explosive device of sufficient power is a lot when your goal is to create mayhem and destruction. And as eriko points out, you just have to put the scanner in a doorframe.
These guys may be selling a better shield, to which I say, "more power to them." The whole idea of an RFID tag in the passport was a mistake to begin with, as far as I'm concerned.
posted by aldus_manutius at 5:46 AM on August 3, 2006
These guys may be selling a better shield, to which I say, "more power to them." The whole idea of an RFID tag in the passport was a mistake to begin with, as far as I'm concerned.
posted by aldus_manutius at 5:46 AM on August 3, 2006
Lead will block it, right? I'm asking quite seriously.
posted by Faint of Butt at 6:14 AM on August 3, 2006
posted by Faint of Butt at 6:14 AM on August 3, 2006
FYI - they don't say that the country of origin of the passport is detectable, just that it may be detectable.
As an aside, carrying a passport in a way that it can fall open a half an inch usually implies a passport that can be easily stolen (ie, if the pocket is loose enough, it's a pickpocket target. If the passport is in a bag, it means a bag can be stolen), and that's just plain bad news from the start.
posted by plinth at 6:14 AM on August 3, 2006
As an aside, carrying a passport in a way that it can fall open a half an inch usually implies a passport that can be easily stolen (ie, if the pocket is loose enough, it's a pickpocket target. If the passport is in a bag, it means a bag can be stolen), and that's just plain bad news from the start.
posted by plinth at 6:14 AM on August 3, 2006
6 inches is pretty marginal..
Improving the design is a no brainer though. How about an elastic strap to keep the book closed? I guess that would be harder to patent.
posted by Chuckles at 6:20 AM on August 3, 2006
Improving the design is a no brainer though. How about an elastic strap to keep the book closed? I guess that would be harder to patent.
posted by Chuckles at 6:20 AM on August 3, 2006
Lead will block it, right? I'm asking quite seriously.
Any conductor. Openings in the conductor can have very unpredictable effects though - tinfoil hats actually amplify signals in the band of interest :P
posted by Chuckles at 6:22 AM on August 3, 2006
Any conductor. Openings in the conductor can have very unpredictable effects though - tinfoil hats actually amplify signals in the band of interest :P
posted by Chuckles at 6:22 AM on August 3, 2006
WetherMan writes "Methinks the Flexilis guys are aiming to sell a new system to the DOD."
Envious, eh ? Yes they come up with yet another way to exploit the terror craze, but that's only the consequence of poor designs by "adults" who are interested in selling the rdif passport, not it increasing security for anybody. Futher proof : a defence system worth trillions was built and sold to US, but it can't protect citizens from guys with knives on a plane !
Next on mefi: bunch of "experts" agree these kids are helping terrorist with ideas , suggesting the subhumans don't have idea of their own. Cue right wing talking head suggesting these kids should be sent up a river to a rieducational facility to which you can donate money, it's only 19.95 to help these kids who have the worse cancer ever : a working brain !
posted by elpapacito at 6:42 AM on August 3, 2006
Envious, eh ? Yes they come up with yet another way to exploit the terror craze, but that's only the consequence of poor designs by "adults" who are interested in selling the rdif passport, not it increasing security for anybody. Futher proof : a defence system worth trillions was built and sold to US, but it can't protect citizens from guys with knives on a plane !
Next on mefi: bunch of "experts" agree these kids are helping terrorist with ideas , suggesting the subhumans don't have idea of their own. Cue right wing talking head suggesting these kids should be sent up a river to a rieducational facility to which you can donate money, it's only 19.95 to help these kids who have the worse cancer ever : a working brain !
posted by elpapacito at 6:42 AM on August 3, 2006
This was a concern from years ago, wasn't it? I'm surprised they haven't tightened up already.
Initial thoughts were that assailants would stalk airports with a concealed detector and anyone with an RFID passport becomes an obvious and lucrative target for kidnapping.
posted by NinjaTadpole at 6:52 AM on August 3, 2006
Initial thoughts were that assailants would stalk airports with a concealed detector and anyone with an RFID passport becomes an obvious and lucrative target for kidnapping.
posted by NinjaTadpole at 6:52 AM on August 3, 2006
WetherMan writes "I know, this is a legitimate security problem, but 6 inches isn't a whole lot of space to be scanning."
Near any airport's security check you can walk past a long queue of people and harvest a lot of IDs that way. If you were to pull this off, say, around 6pm in most major US airports you could easily end up with hundreds of identities for sale.
posted by clevershark at 8:02 AM on August 3, 2006
Near any airport's security check you can walk past a long queue of people and harvest a lot of IDs that way. If you were to pull this off, say, around 6pm in most major US airports you could easily end up with hundreds of identities for sale.
posted by clevershark at 8:02 AM on August 3, 2006
NinjaTadpole writes "Initial thoughts were that assailants would stalk airports with a concealed detector and anyone with an RFID passport becomes an obvious and lucrative target for kidnapping."
You know, if all one wants to do is ID Americans and tell them apart from non-Americans, you don't necessarily need RFID detection -- just eyes and ears.
Besides, in a situation like a security queue at an airport, most people will have their passport in their hands and in plain sight anyway. Passports are easily identifiable by country if you can see them.
posted by clevershark at 8:08 AM on August 3, 2006
You know, if all one wants to do is ID Americans and tell them apart from non-Americans, you don't necessarily need RFID detection -- just eyes and ears.
Besides, in a situation like a security queue at an airport, most people will have their passport in their hands and in plain sight anyway. Passports are easily identifiable by country if you can see them.
posted by clevershark at 8:08 AM on August 3, 2006
Meanwhile, I'm just supposed to take their word for it that the video is for real?? I mean, look at the editing for the "failure".
posted by ddf at 8:23 AM on August 3, 2006
posted by ddf at 8:23 AM on August 3, 2006
you could easily end up with hundreds of identities for sale.
The video did not claim that identifying data was readable at 6 inches, only that presence was detectable.
posted by Chuckles at 8:25 AM on August 3, 2006
The video did not claim that identifying data was readable at 6 inches, only that presence was detectable.
posted by Chuckles at 8:25 AM on August 3, 2006
I'd like to introduce a brand new product from SteveInMaineCo: It's a passport wallet that's RF shielded, and if you order today you'll receive a free positive closure mechanism and your choice of embossed initials.
Problem solved.
SteveInMaineCo - we're the "oi" in security paranoia.
posted by SteveInMaine at 8:32 AM on August 3, 2006
Problem solved.
SteveInMaineCo - we're the "oi" in security paranoia.
posted by SteveInMaine at 8:32 AM on August 3, 2006
I agree with most of you, in that, sure, this is a security hole that can be closed with a rubber band. However, the thought that one can rig a bomb set with a trigger device that passively scans for a unique response upon which it detonates give me the heebies. A lot like the slamhound in Count Zero, except it waits for you to come to it.
Australian, no. British, no. Dutch, no. French, no. Americ*BOOM*
posted by quite unimportant at 8:59 AM on August 3, 2006
Australian, no. British, no. Dutch, no. French, no. Americ*BOOM*
posted by quite unimportant at 8:59 AM on August 3, 2006
On the flip side, cloning e-passorts has been demostrated. via /.
posted by MikeKD at 9:21 AM on August 3, 2006
posted by MikeKD at 9:21 AM on August 3, 2006
Two things:
It's six inches now. It will be more tomorrow and even more next week. This sort of technology only gets better and cheaper.
Also, how many countries have gone RFID? If RFID passports equals North America or Western Europe it's not like you need to get picky after that.
posted by Kid Charlemagne at 9:24 AM on August 3, 2006
It's six inches now. It will be more tomorrow and even more next week. This sort of technology only gets better and cheaper.
Also, how many countries have gone RFID? If RFID passports equals North America or Western Europe it's not like you need to get picky after that.
posted by Kid Charlemagne at 9:24 AM on August 3, 2006
Is it against the law to intentionally cripple/destroy this aspect of a passport?
I mean, couldn't I just drive a needle through the RFID chip?
posted by aramaic at 12:09 PM on August 3, 2006
I mean, couldn't I just drive a needle through the RFID chip?
posted by aramaic at 12:09 PM on August 3, 2006
a trigger device that passively scans for a unique response
It's not, nor can it be passive scan without having a power source in the passport or direct contact (at which point it doesn't have to be RFID, now does it?).
The core technology for RFID of this type is induction. If the ID doesn't have power, it will get power from the reader via induction. The reader drives current through a coil and other coils in range will respond. Door frames are nice because they provide room for a fairly substantial coil that will have a good reading distance and will be fairly impervious to angle of approach. Coils embedded in a drop ceiling are even better.
However, to get a really wide read range, you need more power which is pretty easy to detect if you want to look for it.
I was hoping for better from the demo, honestly. I wanted to see three read stations and have the passport trangulated on and hit with a simulated grenade. I guess my standards are too high.
But again, this is not a cheap, effective way the way to target US citizens. The cheap, effective way is to tail a tour bus and ram it with a vehicle bomb or have a mark drop in an extra special suitcase when the bus gets loaded up.
posted by plinth at 12:31 PM on August 3, 2006
It's not, nor can it be passive scan without having a power source in the passport or direct contact (at which point it doesn't have to be RFID, now does it?).
The core technology for RFID of this type is induction. If the ID doesn't have power, it will get power from the reader via induction. The reader drives current through a coil and other coils in range will respond. Door frames are nice because they provide room for a fairly substantial coil that will have a good reading distance and will be fairly impervious to angle of approach. Coils embedded in a drop ceiling are even better.
However, to get a really wide read range, you need more power which is pretty easy to detect if you want to look for it.
I was hoping for better from the demo, honestly. I wanted to see three read stations and have the passport trangulated on and hit with a simulated grenade. I guess my standards are too high.
But again, this is not a cheap, effective way the way to target US citizens. The cheap, effective way is to tail a tour bus and ram it with a vehicle bomb or have a mark drop in an extra special suitcase when the bus gets loaded up.
posted by plinth at 12:31 PM on August 3, 2006
Kid Charlemagne wrote "It's six inches now. It will be more tomorrow and even more next week. This sort of technology only gets better and cheaper."
Seriously? You haven't noticed any parallel relationship between trusted technology enhancement and the evolution of matching exploits? I'll assume you're surfing the web with either FireFox or a stone tablet.
posted by VulcanMike at 6:24 PM on August 3, 2006
Seriously? You haven't noticed any parallel relationship between trusted technology enhancement and the evolution of matching exploits? I'll assume you're surfing the web with either FireFox or a stone tablet.
posted by VulcanMike at 6:24 PM on August 3, 2006
« Older TED talks, give it a listen. | Awwwww - Baby Hippo & Old Turtle make friends. Newer »
This thread has been archived and is closed to new comments
posted by quite unimportant at 4:43 AM on August 3, 2006