In The News Security

RFID War Driving

I’ve been a critic of RFID for the purpose of identifying people from early on because the concept is inherently flawed despite the insistence of people paid to insist otherwise. Chris Paget is in a widely circulated story regarding him driving around Fisherman’s Wharf with $190 worth of gear (likely not bought with an RFID credit card) and grabbing ID’s of strangers in the area. It should be noted for anyone wondering that he didn’t break any federal laws.

The story ignores that Chris Paget also gave a talk at ShmooCon 2009 regarding RFID cloning. Of course cloning passports is nothing new, it happened in Europe just 48 hours after the passports were first issued. Don’t worry about that though, the US government says it’s passports can only be read from about 4 inches. Although as the article notes (page 3) researches from University of Tel Aviv disagree finding it can actually be read from several feet away using hobbyist gear. A student from the University of Cambridge found it can be read from 17 feet away.

While its admittedly handy you can now clone a British passport without even opening the envelope I question if this is a necessary feature.

This reminds me of that old prank where you pull the tag off a library book and sneak it onto someones belongings so when they leave the library the detector goes off repeatedly as if they tried to steal a book. Clever misuse of a pretty easy to misuse technology. Of course the other side of this is the book can now be removed without setting off the alarm. Double fail.

Putting a RFID card in a shield isn’t really a great solution since most people will never bother in a world where still only 83 percent of Americans bother to wear seat belts [NHTSA, PDF]. Besides, if the point of including RFID is to read from a distance without exposing the card to swipe it, isn’t this redundant? You can always disable by microwaving briefly though RSA Labs claims a small fire risk. I’ve heard of hammers used too, though not sure how you’d confirm it’s dead.

Can we admit this RFID stuff is half-baked now?

Leave a Reply

Your email address will not be published. Required fields are marked *