| « Cube Attacks, A Year Ago | Cube Attacks Are Finally Out! » |
Forget Encryption!
18/09/08 | by Sean O’Neil | Categories: News
Forget all the hype around the clonability of electronic passports! The US is taking it up a notch. The new US RFID-“enhanced” drivers licenses cost their legitimate users a whopping $30 more than the old ones to pay for the additional feature of allowing hackers to enter into the US by land or sea from Canada, Mexico and the Caribbean with a cloned RFID-“enhanced” drivers license now instead of a passport! Apparently, no biometrics, no personal information and no digital signatures of any kind will be stored or transmitted by the $30 chip, only an ID to replay… Forget encryption!
Far out!!! Will they ever learn???
I don’t even know how to comment on this without offending anyone.
2 comments
Comment from: Karsten Nohl [Member] 
Let's not forget that the chips in the “passcard” and the enhanced drivers licenses were never meant to be used to identify people, but rather to replace barcodes on chewing gum and other items. While the passports can only be read from a few centimetres and only when the passport is open, the UHF chips on these new drivers licenses can be read from many metres away without any user’s consent.
The introduction of UHF chips on identification documents escalates the privacy and security discussion to a whole new level. So far we have been debating whether systems provided the level of protection intended by their designers. Some systems like passports stood up to this scrutiny better than others such as subway passes. But at least some level of security was intended.
Now we are looking at a system where apparently no thought was given to security whatsoever, and where people are tagged like chewing gum, just so they can be easily recognized, sorted, and processed faster at the border or anywhere else.
The introduction of UHF chips on identification documents escalates the privacy and security discussion to a whole new level. So far we have been debating whether systems provided the level of protection intended by their designers. Some systems like passports stood up to this scrutiny better than others such as subway passes. But at least some level of security was intended.
Now we are looking at a system where apparently no thought was given to security whatsoever, and where people are tagged like chewing gum, just so they can be easily recognized, sorted, and processed faster at the border or anywhere else.
18/09/08 @ 11:13
Comment from: Mike Ahmadi [Visitor] · http://rfidsa.blogspot.com
The fundamental problem going on here is that nobody is building a threat model when they choose to implement these new technologies. Decision makers listen to marketing hype put out by RFID vendors who claim that magstripe or bar coded driver's licenses are not secure, and fail to point out that they cannot be read from or written to without PHYSICALLY HAVING THE CARD IN YOUR HAND. This, of course, is not an issue for RFID based ID Cards. Given the right tools, one can covertly read from and write to RFID Driver Licenses without detection. The claim that the RFID card simply contains a meningless number is insanity at its finest. Is my Social Security Number also meaningless? Would anyone like someone to be able to read your Social Security Number and write it to their own card?
Honestly, I cannot imagine that these people are truly this clueless about the issues here.
Honestly, I cannot imagine that these people are truly this clueless about the issues here.
18/09/08 @ 15:57
Comment feed for this post
