Tuesday, March 3, 2009

ShmooCon ’09: Why My Next Wallet Will Be Metal (Not To Be Confused With My Tinfoil Hat)

RFID has been next year’s technology for about, oh, a century or so. The good news is that RFID’s here to stay for lots of applications which have been well designed from an operational and security posture.

And for some that aren’t.

Chris Paget’s talk on cloning travel documents wasn’t just interesting...it was kind of scary. Lots of reports have said he’s cloning passports; he’s not, although I’m sure it’s just a matter of time until RFID-embedded passports are pwn3d, too. Paget has been researching how to compromise and clone documents which are Western Hemisphere Travel Initiative (WHTI) compliant.

Government officials are very proud of their efforts on WHTI, so much so that in early December, Colleen Manaher, WHTI director for U.S. Customs and Border Protection, stated about critics: "They said it couldn't be done. They said we're going to fight you every step of the way. Well, all the pieces are in place -- documents, technology and infrastructure -- to meet the June 1, 2009, WHTI implementation date."

Uh, okay. But what if the thing turns out to be so poorly designed that someone with a little bit of expertise and a couple hundred bucks worth of gear can readily read and clone the documents sitting in your wallet or purse?

Someone like Chris Paget, for instance.

Maybe Manaher should have said “They said it couldn’t be done securely.” I don’t think anyone would argue with that point. This isn’t some type of hysterical, theoretical attack, capable of execution on only a computing environment the size of a Google data center. This is an attack that Paget wrote, on his laptop, using readily available software, hardware, and RFID devices.

In their recap of end-of-year accomplishments for 2008, DHS took pains to point out that “technology upgrades under the WHTI were completed at land border crossings marking the start for new RFID technology deployments at 354 northern and southern border ports that account for 95 percent of all cross-border travel into the United States.” In the next sentence, they point out that “In 2008, CBP apprehended 1,020,438 individuals, including 200 individuals with serious criminal records such as murder, rape and child molestation.”

That’s awesome. But here’s the problem. With an RFID architecture enabling ready cloning of WHTI-compliant documents (including electronic driver’s licenses, and cards like NEXUS, FAST, and SENTRI), have we just made it easier (rather than tougher) for the bad guys to get into the country? This isn’t rocket science, either—with an encryption-free approach using irrelevant/non-existent authentication, the limitation on access basically becomes a physical security issue. PHYSEC is great when guards, guns, and gates are involved. But Paget has shown that he can read tags at 10 meters or more; with the right gear, he believes that he’ll be able to read tags at 60 meters or (a whole lot) more, enabling compromise/cloning at a couple hundred feet. Apologists will talk about the incongruity of building specialized devices to do this type of surveillance. These same apologists have never seen Renderman or the Bluetooth Sniper Rifle. This is a COMSEC issue—although with no communications security in the process, I guess it’s actually a lack-of-COMSEC issue.
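To make the "no encryption, no authentication" point concrete, here is an added toy model (written for this write-up, not Paget’s code and not the actual WHTI card protocol, which the post only characterizes as lacking encryption and authentication). It contrasts a tag that answers every read with a static identifier against a keyed challenge-response design, and shows what a verifier should be checking: that the response is bound to a fresh nonce, so a recorded transcript is worthless on its own. The card IDs, keys and reader logic are all constructed assumptions.

```python
"""Toy model: static-identifier credential vs keyed challenge-response.

Added illustration for this post. Not the WHTI protocol; the card IDs,
keys and reader behaviour are constructed for the demo.
"""
import hashlib
import hmac
import secrets


# --- Design 1: a tag that answers every read with the same identifier ---

class StaticIdTag:
    """Replies with a fixed ID; the reader's challenge is ignored."""

    def __init__(self, card_id: str):
        self.card_id = card_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.card_id.encode()


class StaticIdReader:
    """Accepts any response whose ID is in the enrolled set."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(8)  # sent, but the tag cannot use it
        return tag.respond(challenge).decode(errors="replace") in self.enrolled


class ReplayedTag:
    """Whatever a tag once sent over the air, played back verbatim.
    Models the 'clone' of a static-ID card: no secret is needed."""

    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, _challenge: bytes) -> bytes:
        return self.recorded


# --- Design 2: keyed challenge-response over a fresh reader nonce ---

class AuthTag:
    """Holds a per-card secret and MACs the reader's nonce with it."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key  # never transmitted

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.card_id.encode() + b"|" + mac


class AuthReader:
    """Verifier with access to per-card keys (e.g. a backend HSM)."""

    def __init__(self, keys: dict):
        self.keys = keys  # card_id -> key (constructed)

    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per read
        card_id, _, mac = tag.respond(challenge).partition(b"|")
        key = self.keys.get(card_id.decode(errors="replace"))
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        # Constant-time compare: the MAC must match THIS read's nonce.
        return hmac.compare_digest(mac, expected)


def static_design_replay_succeeds() -> bool:
    """One passive read of a static-ID card is enough to pass the reader."""
    reader = StaticIdReader(["CARD-0001"])          # constructed ID
    genuine = StaticIdTag("CARD-0001")
    eavesdropped = genuine.respond(b"")              # a single over-the-air capture
    return reader.verify(ReplayedTag(eavesdropped))


def auth_design_replay_fails() -> bool:
    """The same capture against a nonce-bound design is rejected."""
    key = secrets.token_bytes(32)                    # constructed per-card key
    reader = AuthReader({"CARD-0001": key})
    genuine = AuthTag("CARD-0001", key)
    genuine_ok = reader.verify(genuine)
    eavesdropped = genuine.respond(secrets.token_bytes(16))
    replay_ok = reader.verify(ReplayedTag(eavesdropped))
    return genuine_ok and not replay_ok


if __name__ == "__main__":
    print("static ID, replay accepted:", static_design_replay_succeeds())
    print("challenge-response, replay rejected:", auth_design_replay_fails())
```

The design lesson is the one the post makes in prose: when the tag has no secret and the reader checks nothing beyond the identifier, the reader is reduced to an ID scanner and the only remaining control is physical distance, which the long-range reads described above erode. Binding each response to a fresh nonce with a key the tag never emits turns a captured transcript into noise, and it is what a verifier deployment should insist on before a field test like the bag-of-tags wave is treated as a success.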

Paget’s talk included a demo where he cloned a card in seconds, as well as one where he passed a bag of ~30 tags over a reader in a very quick wave; 16 of the tags were read completely. The latter part of that statement is actually beneficial to the cause—we want to get people through our land and sea crossings quickly, right? Right. But, don’t we want to make sure that we’re getting the correct people across the border quickly, while keeping out the bad guys?

We can thank our lucky stars that researchers like Chris Paget are working for the good guys, but an architecture this poorly designed simply screams to the bad guys, “Come get me”. I can only hope that common sense prevails at DHS, and that they collaborate closely with the information assurance community over the coming months to ensure that a 6/1/2009 turn-on date occurs only if the security issues are resolved—and if they’re not, that all stakeholders work together to eliminate the vulnerabilities as soon as possible. Too little risk has been mitigated in the current system.

Find Chris’ ShmooCon presentation here, as well as his and others’ work at http://www.rfidhackers.com.
