Shostack + Friends Blog Archive

 

RFID Kills

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, id thief, or terrorist who wants it.

Want to see if there are more Americans on the right or left side of the plaza? No problem. Uncle Sam is helping the terrorists. There is no good reason for this. Canada, Germany, the Netherlands and Britain have all opposed this. The technical term for these chips is RFID, but really, they’re just small radios that invite thugs and terrorists to attack you as you travel abroad. If we need electronic chips in passports, they don’t need to include radios. I’ve never even seen anyone make an argument for the radios.

I’ve covered this in RFID Passport data won’t be encrypted and The Open Passport, and in small bits have pointed to articles by Ian Grigg and Ryan Singel.

Bill Scannell has set up a web site to make it easy to send your comments to Uncle Sam. Take five minutes and tell them: No RFID chips in passports. They don’t make sense, and RFID Kills.

13 comments on "RFID Kills"

  • Iang says:

    The argument for RFIDs comes from the payments world where contactless payment cards have been shown to be a fundamental enabler of small value payment systems. In applications like mass transit systems, the difference between a 3 second swipe with an old dirty card and a 1 second wave-through with a handbag are not just important but can make the difference between a success and a disaster.
    One can see the easy analogue – just look at LAX when you come in from the Pacific or South America. Plan to loose an hour of your life as you shuffle forward slowly …
    But there is a world of difference between a payment system that deals in a buck a time, and never more than $100 and things like passports which are integral in failures such as failed flight connections, rejection of right to travel, incarceration, military service, interrogation for being on the wrong list, torture and ultimately death.
    I would suspect that this is evidence that the processes in place are not oriented towards security.

  • adam says:

    So, if that’s the case, why not have a scanner at the greeter station? Every US border patrol I’ve been at in the last 5 or so years has a greeter who tells you “station 1, station 5…” Have them scan the passports as they tell you which line.
    Alternately, provide free luggage carts so that people dont have to fumble with their stuff as they’re walking up.
    If this is the problem, there are lots of ways to fix it that don’t entail problems everywhere you go.

  • Cypherpunk says:

    I’m skeptical that these chips can be read as far away as people are saying. We’ve used them at work for years, and you have to wave the card within a few inches of the sensor for them to work.

  • adam says:

    If you’re right, then Ian’s argument is wrong, and the RFID chip won’t speed things up. Which leads back to the “Why” question.
    Also, I sometimes have trouble with my bluetooth devices when they’re in my hands. The Flexilis guys make them work at over a mile.

  • Chris Walsh says:

    cipher —
    Some skepticism re: flexilis-like RFID interception may be warranted, but the science seems well-understood. For example,
    Avi Rubin and co at RFIDanalysis dot org say:

    The second mode of attack is passive eavesdropping. Limitations on the effective range of active scanning stem from the requirement that a reader antenna furnish power to the target DST. An attacker might instead eavesdrop on the communication between a legitimate reader and a target DST during a valid authentication session. In this case, the attacker need not furnish power to the DST; the effective eavesdropping range then depends solely on the ability to intercept the signal emitted by the DST. We have not performed any experiments to determine the range at which this attack might be mounted. It is worth noting purported U.S. Department of Homeland Security reports, however, of successful eavesdropping of this kind on 13.56 Mhz tags at a distance of some tens of feet. The DST, however, operates at 134 kHz. Signals at this considerably lower frequency penetrate obstacles more effectively, which may facilitate eavesdropping; on the other hand, larger antennas are required for effective signal interception.

    A practical prox card cloner has been built, with schematics thoughtfully provided, by Jonathan Westhues.
    Use the http protocol to eyeball http://cq.cx/prox.pl
    (Sorry to obfuscate but links in comments get eaten, it seems)
    [Adam adds: trying to find a good balance for this. Sorry.]

  • Pete says:

    two words: mylar wallets.

  • Hyperbole of the Day (Runner Up)

    The normally rational-minded Emergent Chaos gets a little caught up in all the passport RFID hype and succumbs to using some extravagant exaggeration in his title, RFID Kills. To be fair, he borrows the title from some paranoid blogger with…

  • Cypherpunk says:

    This is another area where professional paranoids are letting their fears get ahead of the facts. We read of “purported U.S. Department of Homeland Security reports” of PASSIVE eavesdropping of RFID signals – meaning that some kind of equipment can pick up a handshake if the RFID is being powered by a (much closer) active reader. Then this is transmuted into devices that can count how many Americans are in the right vs left sides of a plaza. But we don’t even know if these second-hand, unsubstantiated reports are real.
    People in security must understand that they discredit themselves by blowing smoke over unrealistic threats just as much as when they fail to recognize real problems. Crying wolf about RFIDs is only going to make the public less likely to heed the warnings of security experts the next time a genuine danger comes along.
    There is no such thing as erring on the side of caution during a threat analysis! The analysis phase should be as factual and realistic as you can make it. Then, when it is time to plan for action, that is when you decide how much risk you are willing to carry and how remote the threats can be and still be considered worth addressing.
    Show me such a realistic threat analysis of RFIDs. That should be the first step before any security expert is willing to make recommendations. Certianly this rfidkills web site is the last place we can expect unbiased and objective analysis.

  • Talking Points Memo says:

    Thanks for posting that pile of vitriol, “Cypherpunk.” The security experts will get twisted into little knots, and ignore the need for a use case before a threat analysis. Our plan proceeds apace, and we’ll both get fine jobs with the contactless card industry when we retire from civil service.

  • Cypherpunk says:

    TPM, a serious appeal for objectivity is not vitriol. Maybe you need a new dictionary.
    Wired had an article on this topic yesterday, http://wired.com/news/privacy/0,1848,67025,00.html. Homeland Security is trying not to call the passport chips RFIDs, preferring to call them contactless chips. One difference is that commercial RFIDs can be read several feet away while these are designed only to be read at a distance of a few inches: “RFID manufacturers are typically making radio tags for ID documents that comply with ISO/IEC 14443, the contactless chip industry technology standard. This standard limits transmission ranges to a distance of about 4 inches. Other RFID tags can be read at distances up to 30 feet, making them easier targets for identity thieves trying to capture their data, said Broghamer.”
    “Broghamer would not admit to something engineers testing ISO/IEC 14443-compliant chips have demonstrated, however: that electronic eavesdroppers up to 30 feet away can capture data (including biometric records) while it is being sent by the chips to an authorized reader device.”
    This still requires a reader to be 4 inches from the device to feed it power, while the eavesdroppers are some distance off. But how would this play out in the passport scenario? Readers will be in customs, how could terrorists set up an antenna for eavesdropping 30 feet away? Even if they could, how much does this really gain them? They can already tell what nationality people are just from the color of their passports.
    Wired goes on, “ISO/IEC 14443-compliant chips can also be read directly over much longer distances by specially built devices, according to a Tel Aviv University study (.pdf)” and links to http://eprint.iacr.org/2005/052. But if you look at that paper it describes something completely different and still requires a reader to be 4 inches from the chip; the reader then sends a radio signal to a remote device.
    Consider the comment from Dennis Bailey at the trackback: “Seriously, if a terrorist wants to identify an American overseas, there is no need to employ a high tech scanner to eavesdrop on RFID signals at distances ranging from 10 feet to 10 inches depending upon which expert you cite. Americans stand out like sore thumbs in most foreign countries and it doesn’t take great powers of observation to detect one. Let’s give the terrorists a little credit.”
    It’s unfortunate that this is turning into another area, like Trusted Computing, where we have to choose between the whitewash of the industry supporting it and the paranoia of its rabid opponents. No middle ground seems possible. That’s forgivable in politics, but appallingly unprofessional for a supposedly truth oriented security community.

  • adam says:

    I think that Schneier’s 5 part test would be useful. What problem are these chips solving that a contact-ful or barcode system would not solve? Then we might need to evaluate if the risk that radios will work differently than designed is worth taking.

  • DM says:

    @Cypherpunk:
    The problem isn’t just customs. As you (via Bailey) point out, Americans stand out like sore thumbs in most foreign countries. It seems that it would be trivial to get someone nearby with a battery powered receiver to snarf the contents of the passport RFID. Or pay off a hotel clerk to put a reader under the desk. (Admittedly they could just as easily pay off someone to scan the passport with a swipe or contact reader, but that would probably be more obvious.)
    -DM

  • Cypherpunk says:

    There are different attacks here which aren’t being clearly distinguished. One is identity theft. But most European hotels make you leave your passport at the desk overnight, so it’s already easy for them to steal your information. The other is this claimed ability to identify Americans in a crowd. Some people have even talked about drive by shooters able to figure out which cafes have more Americans. That is not feasible, given the technological descriptions I’ve seen.
    Slashdot has picked up on the Wired article this morning, http://yro.slashdot.org/yro/05/03/31/1541257.shtml. Again we see the same kind of fear mongering and uninformed speculation.
    Why am I the only one in the security community who wishes for unbiased and objective information to be promulgated? Again and again I see this effect where supposed professionals are happy to prostitute their expertise in service of a political cause. Can’t you see the need for a place people can go to which avoids politics and just tries to answer technological questions in order to give people the information they need to make decisions? Not emphasizing worst-case or best-case scenarios, but simply being realistic and using the best knowledge available today to provide the most objective and realistic estimates of the capabilities of these technologies. Some facts would support one side, and some facts would support the other. That’s reality! That’s how the world works. It’s not black and white.
    That is the kind of information a true security professional should want to supply. What is wrong with our community, that our professional ethics are so weak that we encourage people to deploy bad arguments and mistaken interpretations, just because they are erring in a way that favors the side we like better?

Comments are closed.