<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: RFID Kills</title>
	<atom:link href="http://emergentchaos.com/archives/2005/03/rfid-kills.html/feed" rel="self" type="application/rss+xml" />
	<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html</link>
	<description>The Emergent Chaos Jazz Combo</description>
	<lastBuildDate>Wed, 01 Feb 2012 19:20:40 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Cypherpunk</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-599</link>
		<dc:creator>Cypherpunk</dc:creator>
		<pubDate>Thu, 31 Mar 2005 14:59:27 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-599</guid>
		<description>There are different attacks here which aren&#039;t being clearly distinguished. One is identity theft. But most European hotels make you leave your passport at the desk overnight, so it&#039;s already easy for them to steal your information. The other is this claimed ability to identify Americans in a crowd. Some people have even talked about drive by shooters able to figure out which cafes have more Americans. That is not feasible, given the technological descriptions I&#039;ve seen.
Slashdot has picked up on the Wired article this morning, &lt;a href=&quot;http://yro.slashdot.org/yro/05/03/31/1541257.shtml.&quot; rel=&quot;nofollow&quot;&gt;http://yro.slashdot.org/yro/05/03/31/1541257.shtml.&lt;/a&gt; Again we see the same kind of fear mongering and uninformed speculation.
Why am I the only one in the security community who wishes for unbiased and objective information to be promulgated? Again and again I see this effect where supposed professionals are happy to prostitute their expertise in service of a political cause. Can&#039;t you see the need for a place people can go to which avoids politics and just tries to answer technological questions in order to give people the information they need to make decisions? Not emphasizing worst-case or best-case scenarios, but simply being realistic and using the best knowledge available today to provide the most objective and realistic estimates of the capabilities of these technologies. Some facts would support one side, and some facts would support the other. That&#039;s reality! That&#039;s how the world works. It&#039;s not black and white.
That is the kind of information a true security professional should want to supply. What is wrong with our community, that our professional ethics are so weak that we encourage people to deploy bad arguments and mistaken interpretations, just because they are erring in a way that favors the side we like better?
</description>
		<content:encoded><![CDATA[<p>There are different attacks here which aren&#8217;t being clearly distinguished. One is identity theft. But most European hotels make you leave your passport at the desk overnight, so it&#8217;s already easy for them to steal your information. The other is this claimed ability to identify Americans in a crowd. Some people have even talked about drive by shooters able to figure out which cafes have more Americans. That is not feasible, given the technological descriptions I&#8217;ve seen.<br />
Slashdot has picked up on the Wired article this morning, <a href="http://yro.slashdot.org/yro/05/03/31/1541257.shtml." rel="nofollow">http://yro.slashdot.org/yro/05/03/31/1541257.shtml.</a> Again we see the same kind of fear mongering and uninformed speculation.<br />
Why am I the only one in the security community who wishes for unbiased and objective information to be promulgated? Again and again I see this effect where supposed professionals are happy to prostitute their expertise in service of a political cause. Can&#8217;t you see the need for a place people can go to which avoids politics and just tries to answer technological questions in order to give people the information they need to make decisions? Not emphasizing worst-case or best-case scenarios, but simply being realistic and using the best knowledge available today to provide the most objective and realistic estimates of the capabilities of these technologies. Some facts would support one side, and some facts would support the other. That&#8217;s reality! That&#8217;s how the world works. It&#8217;s not black and white.<br />
That is the kind of information a true security professional should want to supply. What is wrong with our community, that our professional ethics are so weak that we encourage people to deploy bad arguments and mistaken interpretations, just because they are erring in a way that favors the side we like better?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: DM</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-598</link>
		<dc:creator>DM</dc:creator>
		<pubDate>Wed, 30 Mar 2005 23:55:52 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-598</guid>
		<description>@Cypherpunk:
The problem isn&#039;t just customs. As you (via Bailey) point out, Americans stand out like sore thumbs in most foreign countries. It seems that it would be trivial to get someone nearby with a battery powered receiver to snarf the contents of the passport RFID. Or pay off a hotel clerk to put a reader under the desk. (Admittedly they could just as easily pay off someone to scan the passport with a swipe or contact reader, but that would probably be more obvious.)
-DM
</description>
		<content:encoded><![CDATA[<p>@Cypherpunk:<br />
The problem isn&#8217;t just customs. As you (via Bailey) point out, Americans stand out like sore thumbs in most foreign countries. It seems that it would be trivial to get someone nearby with a battery powered receiver to snarf the contents of the passport RFID. Or pay off a hotel clerk to put a reader under the desk. (Admittedly they could just as easily pay off someone to scan the passport with a swipe or contact reader, but that would probably be more obvious.)<br />
-DM</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: adam</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-597</link>
		<dc:creator>adam</dc:creator>
		<pubDate>Wed, 30 Mar 2005 22:59:51 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-597</guid>
		<description>I think that Schneier&#039;s 5 part test would be useful.   What problem are these chips solving that a contact-ful or barcode system would not solve?  Then we might need to evaluate if the risk that radios will work differently than designed is worth taking.
</description>
		<content:encoded><![CDATA[<p>I think that Schneier&#8217;s 5 part test would be useful.   What problem are these chips solving that a contact-ful or barcode system would not solve?  Then we might need to evaluate if the risk that radios will work differently than designed is worth taking.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Cypherpunk</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-596</link>
		<dc:creator>Cypherpunk</dc:creator>
		<pubDate>Wed, 30 Mar 2005 19:52:07 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-596</guid>
		<description>TPM, a serious appeal for objectivity is not vitriol. Maybe you need a new dictionary.
Wired had an article on this topic yesterday, &lt;a href=&quot;http://wired.com/news/privacy/0,1848,67025,00.html.&quot; rel=&quot;nofollow&quot;&gt;http://wired.com/news/privacy/0,1848,67025,00.html.&lt;/a&gt; Homeland Security is trying not to call the passport chips RFIDs, preferring to call them contactless chips. One difference is that commercial RFIDs can be read several feet away while these are designed only to be read at a distance of a few inches: &quot;RFID manufacturers are typically making radio tags for ID documents that comply with ISO/IEC 14443, the contactless chip industry technology standard. This standard limits transmission ranges to a distance of about 4 inches. Other RFID tags can be read at distances up to 30 feet, making them easier targets for identity thieves trying to capture their data, said Broghamer.&quot;
&quot;Broghamer would not admit to something engineers testing ISO/IEC 14443-compliant chips have demonstrated, however: that electronic eavesdroppers up to 30 feet away can capture data (including biometric records) while it is being sent by the chips to an authorized reader device.&quot;
This still requires a reader to be 4 inches from the device to feed it power, while the eavesdroppers are some distance off. But how would this play out in the passport scenario? Readers will be in customs, how could terrorists set up an antenna for eavesdropping 30 feet away? Even if they could, how much does this really gain them? They can already tell what nationality people are just from the color of their passports.
Wired goes on, &quot;ISO/IEC 14443-compliant chips can also be read directly over much longer distances by specially built devices, according to a Tel Aviv University study (.pdf)&quot; and links to &lt;a href=&quot;http://eprint.iacr.org/2005/052.&quot; rel=&quot;nofollow&quot;&gt;http://eprint.iacr.org/2005/052.&lt;/a&gt; But if you look at that paper it describes something completely different and still requires a reader to be 4 inches from the chip; the reader then sends a radio signal to a remote device.
Consider the comment from Dennis Bailey at the trackback: &quot;Seriously, if a terrorist wants to identify an American overseas, there is no need to employ a high tech scanner to eavesdrop on RFID signals at distances ranging from 10 feet to 10 inches depending upon which expert you cite. Americans stand out like sore thumbs in most foreign countries and it doesn&#039;t take great powers of observation to detect one. Let&#039;s give the terrorists a little credit.&quot;
It&#039;s unfortunate that this is turning into another area, like Trusted Computing, where we have to choose between the whitewash of the industry supporting it and the paranoia of its rabid opponents. No middle ground seems possible. That&#039;s forgivable in politics, but appallingly unprofessional for a supposedly truth oriented security community.
</description>
		<content:encoded><![CDATA[<p>TPM, a serious appeal for objectivity is not vitriol. Maybe you need a new dictionary.<br />
Wired had an article on this topic yesterday, <a href="http://wired.com/news/privacy/0,1848,67025,00.html." rel="nofollow">http://wired.com/news/privacy/0,1848,67025,00.html.</a> Homeland Security is trying not to call the passport chips RFIDs, preferring to call them contactless chips. One difference is that commercial RFIDs can be read several feet away while these are designed only to be read at a distance of a few inches: &#8220;RFID manufacturers are typically making radio tags for ID documents that comply with ISO/IEC 14443, the contactless chip industry technology standard. This standard limits transmission ranges to a distance of about 4 inches. Other RFID tags can be read at distances up to 30 feet, making them easier targets for identity thieves trying to capture their data, said Broghamer.&#8221;<br />
&#8220;Broghamer would not admit to something engineers testing ISO/IEC 14443-compliant chips have demonstrated, however: that electronic eavesdroppers up to 30 feet away can capture data (including biometric records) while it is being sent by the chips to an authorized reader device.&#8221;<br />
This still requires a reader to be 4 inches from the device to feed it power, while the eavesdroppers are some distance off. But how would this play out in the passport scenario? Readers will be in customs, how could terrorists set up an antenna for eavesdropping 30 feet away? Even if they could, how much does this really gain them? They can already tell what nationality people are just from the color of their passports.<br />
Wired goes on, &#8220;ISO/IEC 14443-compliant chips can also be read directly over much longer distances by specially built devices, according to a Tel Aviv University study (.pdf)&#8221; and links to <a href="http://eprint.iacr.org/2005/052." rel="nofollow">http://eprint.iacr.org/2005/052.</a> But if you look at that paper it describes something completely different and still requires a reader to be 4 inches from the chip; the reader then sends a radio signal to a remote device.<br />
Consider the comment from Dennis Bailey at the trackback: &#8220;Seriously, if a terrorist wants to identify an American overseas, there is no need to employ a high tech scanner to eavesdrop on RFID signals at distances ranging from 10 feet to 10 inches depending upon which expert you cite. Americans stand out like sore thumbs in most foreign countries and it doesn&#8217;t take great powers of observation to detect one. Let&#8217;s give the terrorists a little credit.&#8221;<br />
It&#8217;s unfortunate that this is turning into another area, like Trusted Computing, where we have to choose between the whitewash of the industry supporting it and the paranoia of its rabid opponents. No middle ground seems possible. That&#8217;s forgivable in politics, but appallingly unprofessional for a supposedly truth oriented security community.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Talking Points Memo</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-595</link>
		<dc:creator>Talking Points Memo</dc:creator>
		<pubDate>Tue, 29 Mar 2005 09:52:54 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-595</guid>
		<description>Thanks for posting that pile of vitriol, &quot;Cypherpunk.&quot;  The security experts will get twisted into little knots, and ignore the need for a use case before a threat analysis.  Our plan proceeds apace, and we&#039;ll both get fine jobs with the contactless card industry when we retire from civil service.
</description>
		<content:encoded><![CDATA[<p>Thanks for posting that pile of vitriol, &#8220;Cypherpunk.&#8221;  The security experts will get twisted into little knots, and ignore the need for a use case before a threat analysis.  Our plan proceeds apace, and we&#8217;ll both get fine jobs with the contactless card industry when we retire from civil service.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Cypherpunk</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-594</link>
		<dc:creator>Cypherpunk</dc:creator>
		<pubDate>Tue, 29 Mar 2005 01:03:38 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-594</guid>
		<description>This is another area where professional paranoids are letting their fears get ahead of the facts. We read of &quot;purported U.S. Department of Homeland Security reports&quot; of PASSIVE eavesdropping of RFID signals - meaning that some kind of equipment can pick up a handshake if the RFID is being powered by a (much closer) active reader. Then this is transmuted into devices that can count how many Americans are in the right vs left sides of a plaza. But we don&#039;t even know if these second-hand, unsubstantiated reports are real.
People in security must understand that they discredit themselves by blowing smoke over unrealistic threats just as much as when they fail to recognize real problems. Crying wolf about RFIDs is only going to make the public less likely to heed the warnings of security experts the next time a genuine danger comes along.
There is no such thing as erring on the side of caution during a threat analysis! The analysis phase should be as factual and realistic as you can make it. Then, when it is time to plan for action, that is when you decide how much risk you are willing to carry and how remote the threats can be and still be considered worth addressing.
Show me such a realistic threat analysis of RFIDs. That should be the first step before any security expert is willing to make recommendations. Certainly this rfidkills web site is the last place we can expect unbiased and objective analysis.
</description>
		<content:encoded><![CDATA[<p>This is another area where professional paranoids are letting their fears get ahead of the facts. We read of &#8220;purported U.S. Department of Homeland Security reports&#8221; of PASSIVE eavesdropping of RFID signals &#8211; meaning that some kind of equipment can pick up a handshake if the RFID is being powered by a (much closer) active reader. Then this is transmuted into devices that can count how many Americans are in the right vs left sides of a plaza. But we don&#8217;t even know if these second-hand, unsubstantiated reports are real.<br />
People in security must understand that they discredit themselves by blowing smoke over unrealistic threats just as much as when they fail to recognize real problems. Crying wolf about RFIDs is only going to make the public less likely to heed the warnings of security experts the next time a genuine danger comes along.<br />
There is no such thing as erring on the side of caution during a threat analysis! The analysis phase should be as factual and realistic as you can make it. Then, when it is time to plan for action, that is when you decide how much risk you are willing to carry and how remote the threats can be and still be considered worth addressing.<br />
Show me such a realistic threat analysis of RFIDs. That should be the first step before any security expert is willing to make recommendations. Certainly this rfidkills web site is the last place we can expect unbiased and objective analysis.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The Open Society Paradox</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-600</link>
		<dc:creator>The Open Society Paradox</dc:creator>
		<pubDate>Mon, 28 Mar 2005 22:09:02 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-600</guid>
		<description>&lt;strong&gt;Hyperbole of the Day (Runner Up)&lt;/strong&gt;

The normally rational-minded Emergent Chaos gets a little caught up in all the passport RFID hype and succumbs to using some extravagant exaggeration in his title, RFID Kills. To be fair, he borrows the title from some paranoid blogger with...
</description>
		<content:encoded><![CDATA[<p><strong>Hyperbole of the Day (Runner Up)</strong></p>
<p>The normally rational-minded Emergent Chaos gets a little caught up in all the passport RFID hype and succumbs to using some extravagant exaggeration in his title, RFID Kills. To be fair, he borrows the title from some paranoid blogger with&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pete</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-593</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Mon, 28 Mar 2005 21:25:05 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-593</guid>
		<description>two words: mylar wallets.
</description>
		<content:encoded><![CDATA[<p>two words: mylar wallets.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris Walsh</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-592</link>
		<dc:creator>Chris Walsh</dc:creator>
		<pubDate>Mon, 28 Mar 2005 16:04:46 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-592</guid>
		<description>cipher --
Some skepticism re: flexilis-like RFID interception may be warranted,  but the science seems well-understood.  For example,
Avi Rubin and co at RFIDanalysis dot org say:
&lt;blockquote&gt;
The second mode of attack is passive eavesdropping. Limitations on the effective range of active scanning stem from the requirement that a reader antenna furnish power to the target DST. An attacker might instead eavesdrop on the communication between a legitimate reader and a target DST during a valid authentication session. In this case, the attacker need not furnish power to the DST; the effective eavesdropping range then depends solely on the ability to intercept the signal emitted by the DST. We have not performed any experiments to determine the range at which this attack might be mounted. It is worth noting purported U.S. Department of Homeland Security reports, however, of successful eavesdropping of this kind on 13.56 Mhz tags at a distance of some tens of feet. The DST, however, operates at 134 kHz. Signals at this considerably lower frequency penetrate obstacles more effectively, which may facilitate eavesdropping; on the other hand, larger antennas are required for effective signal interception.
&lt;/blockquote&gt;
A practical prox card cloner has been built, with schematics thoughtfully provided, by Jonathan Westhues.
Use the http protocol to eyeball &lt;a href=&quot;http://cq.cx/prox.pl&quot; rel=&quot;nofollow&quot;&gt;http://cq.cx/prox.pl&lt;/a&gt;
(Sorry to obfuscate but links in comments get eaten, it seems)
[Adam adds: trying to find a good balance for this.  Sorry.]
</description>
		<content:encoded><![CDATA[<p>cipher &#8211;<br />
Some skepticism re: flexilis-like RFID interception may be warranted,  but the science seems well-understood.  For example,<br />
Avi Rubin and co at RFIDanalysis dot org say:</p>
<blockquote><p>
The second mode of attack is passive eavesdropping. Limitations on the effective range of active scanning stem from the requirement that a reader antenna furnish power to the target DST. An attacker might instead eavesdrop on the communication between a legitimate reader and a target DST during a valid authentication session. In this case, the attacker need not furnish power to the DST; the effective eavesdropping range then depends solely on the ability to intercept the signal emitted by the DST. We have not performed any experiments to determine the range at which this attack might be mounted. It is worth noting purported U.S. Department of Homeland Security reports, however, of successful eavesdropping of this kind on 13.56 Mhz tags at a distance of some tens of feet. The DST, however, operates at 134 kHz. Signals at this considerably lower frequency penetrate obstacles more effectively, which may facilitate eavesdropping; on the other hand, larger antennas are required for effective signal interception.
</p></blockquote>
<p>A practical prox card cloner has been built, with schematics thoughtfully provided, by Jonathan Westhues.<br />
Use the http protocol to eyeball <a href="http://cq.cx/prox.pl" rel="nofollow">http://cq.cx/prox.pl</a><br />
(Sorry to obfuscate but links in comments get eaten, it seems)<br />
[Adam adds: trying to find a good balance for this.  Sorry.]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: adam</title>
		<link>http://emergentchaos.com/archives/2005/03/rfid-kills.html/comment-page-1#comment-591</link>
		<dc:creator>adam</dc:creator>
		<pubDate>Mon, 28 Mar 2005 13:38:47 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=593#comment-591</guid>
		<description>If you&#039;re right, then Ian&#039;s argument is wrong, and the RFID chip won&#039;t speed things up.  Which leads back to the &quot;Why&quot; question.
Also, I sometimes have trouble with my bluetooth devices when they&#039;re in my hands.  The Flexilis guys make them work at over a mile.
</description>
		<content:encoded><![CDATA[<p>If you&#8217;re right, then Ian&#8217;s argument is wrong, and the RFID chip won&#8217;t speed things up.  Which leads back to the &#8220;Why&#8221; question.<br />
Also, I sometimes have trouble with my bluetooth devices when they&#8217;re in my hands.  The Flexilis guys make them work at over a mile.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

