Sunday, March 04, 2007

More RFID Security News

Nixed: Black Hat talk on RFID access badge risks

ACLU, Outrage Fill in the Silence at Black Hat RFID Session

I'm glad to see I'm not the only one who has grave concerns about the security of Radio Frequency Identification (RFID) technology being used as a form of official ID. During a recent conference, IOActive, a small security firm, was to give a talk on the inherent lack of security in an RFID badge system used by the Federal Emergency Management Agency (FEMA). IOActive has its offices in the same building as FEMA and was curious about how good their security using RFID was.

The people at IOActive were quite successful in showing how vulnerable the RFID badges in use are. So successful were they that HID Global, the company which developed the system used by FEMA, threatened legal action against IOActive, under the guise of protecting its intellectual property, if they proceeded with their talk. IOActive, being a relatively small company which doesn't have access to legions of attorneys, was forced to skip the portion of the talk which directly illustrated the inherent weaknesses in the badge system HID Global markets, and which is used to access the FEMA offices in the building shared with IOActive.

Even the ACLU took note of this incident. They did their own experiments with RFID technology and found that the RFID standards currently planned to fulfill requirements of the Real ID Act are inherently flawed and will cause more problems than they will solve. As I have pointed out before here and here, it would be remarkably easy for someone to build an RFID reader, walk through a crowd of people carrying RFID-enabled devices and gather a large amount of personal information which has the potential of enabling the "bad guys" to steal the identities of the people in that crowd.

I highly encourage everyone to educate themselves on RFID: how it works, how it's used now and how it might be mandated for use later. I believe everyone can understand enough about how it works to be as concerned as I am that it is not a good idea to use as a means of personal identification.
