Back in July, I wrote about some of the privacy and security issues raised by the inclusion of RFID chips in US passports. Wired now has a report, from the DefCon 17 hackers’ conference in Las Vegas, that the RFID-equipped credentials of several attendees from the US Government were “sniffed”, and the holders photographed, by equipment on display:
But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.
The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.
The scanning device, which had a detection range of 2-3 feet, was connected to a camera; when an RFID credential was detected, the scanner recorded the data, and the camera took a photograph of whoever was in the vicinity. This was done as a security awareness exercise; needless to say, the credential holders did not know about it beforehand.
One reason this story is somewhat amusing, of course, is that many of the people attending this conference are supposed to be experts in this field:
The Meet-the-Fed panel, an annual event at DefCon, presented a target-rich environment for anyone who might have wanted to scan government RFID documents for nefarious purposes. The 22 panelists included top cybercops and officials from the FBI, Secret Service, National Security Agency, Department of Homeland Security, Defense Department, Treasury Department and U. S. Postal Inspection. And these were just the Feds who weren’t undercover.
(Incidentally, the data collected were deleted immediately afterwards, and the media destroyed. The aim was to make a point, not to create a problem.)
Although many of the credentials (such as building passes) contained only a facility number and an employee number, that did not necessarily make them more secure. Finding the facility number by inference would not be difficult; and, since employee numbers are often assigned sequentially, it might be possible to guess other valid combinations. Also, many of the people involved may have more than one credential that is susceptible to being scanned, and the union of all the data contained may reveal a great deal of information. (This is another example of a classic problem in securing data. Just restricting individual pieces of data is not enough, in general, because you have to worry about how the data might be combined or correlated as well.)
The equipment required to the scanning is small and inexpensive, easily carried in a backpack, for example. This means that data on RFID devices can be at risk just about anywhere:
For $30 to $50, the common, average person can put [a portable RFID-reading kit] together…. This is why we’re so adamant about making people aware this is very dangerous.
In fact, one company is planning to introduce a $50 kit this fall that will enable the purchaser to assemble a scanning kit that can read the most common type of RFID chip.
Many people don’t even realize that they are carrying RFID-enabled credentials right now. Given the lack of concern for security that seems to be the norm, I expect we will see quite a few nasty exploits resulting from this.