DHS's Identification Card

EPIC has published a nice analysis of the U.S. Department of Homeland Security's new employee access card.

Posted on April 3, 2005 at 10:11 AM • 10 Comments

Comments

Adam Langley • April 3, 2005 12:32 PM

How can a passive device be Bluetooth capable? I wasn't aware that Bluetooth devices can be vampire powered and certainly a vampire powered transmitter couldn't be picked up from "over a mile".

The recent case of fingers being stolen demonstrates that use of biometrics alone is insufficient for high security. Observation of the entry points by an alert guard would certainly help, but one suspects that belief in the system will replace alert people.

And the RFID tag is just plain stupid. I'm shocked that ranking people want to carry a personal bomb-trigger around with them at all times. How many assassination attempts have failed because the target was 5 minutes late? No longer a problem.


AGL

Gopi Flaherty • April 3, 2005 3:24 PM

I'm unimpressed with this article, personally. The Bluetooth "security flaws" referenced, for example, were almost universally buffer-overflow exploits. Some of them were devices listening on non-standard ports without advertising it - Bluetooth has a service discovery protocol that advertises which services run on various ports, but you can try to attach to a port anyway, and some phones were running services they shouldn't have been.

I guess what I'm saying is, much of the article talks about things that might be, or probably are, problems, without much evidence beyond "most people make these mistakes."

Curt Sampson • April 3, 2005 6:37 PM

But that's exactly the sort of thing a security analysis of a system should point out. "These are typical mistakes in implementation, and this system has nothing to safeguard against them."

I feel that the article is quite correct that wireless access is not desirable in a system like this.

Bruce Schneier • April 3, 2005 6:43 PM

"I feel that the article is quite correct that wireless access is not desirable in a system like this."

If I were designing a secure badge system, I would not make it wireless. Convenience be damned.

Dirk Wetter • April 4, 2005 7:51 AM

Lesson number one: Restrict the number of possibilities to exploit or to read out to the ones really necessary, so implementing barcode stripes AND RFID AND Bluetooth AND smartcard chips (though the term "smartcard" is not explicitly mentioned in the article) is nonsense. The sheer number of possibilities alone makes you more vulnerable. Also a multi-functional purpose (payment option, train fares) is bad design. Lesson number two: Yes, convenience and security aren't always on the same side. Choose yours wisely. Lesson number three: When it comes to wireless design issues: Unless you're sure it's not breakable for the next couple of years, forget about storing important personal information or access info with it. And the "wireless shield" tries to protect something which shouldn't exist in the first place.

A metaphor: The DAC looks to me like a modern variation of Red Hat Linux 7.3 with every service possible enabled and with known security flaws from the launch on, and with the additional use of wireless access methods. The /home/dhs directory carries information which probably has good value to some of the people breaking in. Note: the machine is not from a single arbitrary home user, but for a lot of federal "users" standing unprotected at the office site.

Israel Torres • April 4, 2005 8:55 AM

"The DAC is about the size of a credit card and will carry a digital copy of the cardholder's fingerprint as well as other information"
--survey says... Bzzzt. More than likely the cardholder's fingerprint is a hash of their fingerprint(s) and not the entire fingerprint itself.

"if the fingerprint identification fails, then the employee can gain access by using a 6- to 8- digit PIN."
--survey says... "wow this is lame". If the bio-hash can't provide the "PIN" and the user provides the "PIN" instead, that goes against most smartcard policies of the card locking itself after x-many invalid attempts. This should apply whether or not they use the biometric feature.

"The PIN could be coerced from the employee with the threat of violence against the employee or her/his family"
--survey says... "wow this is what a PIN of duress is for!" - use it, implement it now before someone dies!

Israel Torres
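An added illustration (not code from the post, the article, or any card vendor) of the two policies argued for in the comment above: one retry counter shared by the fingerprint path and the PIN fallback, so the fallback cannot dodge the lockout, and a separate duress PIN that opens the door but raises a silent flag. The exact-match fingerprint comparison, the PIN values and the attempt limit are constructed simplifications.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # constructed policy value, not from the article
class Badge:
    def __init__(self, fp_template: bytes, pin: str, duress_pin: str):
        self._salt = secrets.token_bytes(16)
        self._fp = self._digest(fp_template)
        self._pin = self._digest(pin.encode())
        self._duress = self._digest(duress_pin.encode())
        self.failures = 0              # shared by both verification paths
        self.locked = False
        self.duress_signalled = False  # silent flag for the guard station

    def _digest(self, secret: bytes) -> bytes:
        # Store salted hashes, not raw secrets. Exact-match is a simplification:
        # real fingerprint matching is fuzzy and needs a template matcher.
        return hashlib.sha256(self._salt + secret).digest()

    def _matches(self, presented: bytes, stored: bytes) -> bool:
        return hmac.compare_digest(self._digest(presented), stored)

    def _fail(self) -> bool:
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS  # only an admin reset clears it
        return False

    def verify_fingerprint(self, template: bytes) -> bool:
        if self.locked:
            return False
        if self._matches(template, self._fp):
            self.failures = 0
            return True
        return self._fail()

    def verify_pin(self, pin: str) -> bool:
        # Fallback path: same counter and lockout as the biometric path. The duress
        # PIN still opens the door (a coercer sees nothing) but flags the reader.
        if self.locked:
            return False
        if self._matches(pin.encode(), self._duress):
            self.duress_signalled = True
            self.failures = 0
            return True
        if self._matches(pin.encode(), self._pin):
            self.failures = 0
            return True
        return self._fail()
```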

Gopi Flaherty • April 5, 2005 4:12 AM

Curt commented,
"These are typical mistakes in implementation, and this system has nothing to safeguard against them."

My point is that they did _not_ demonstrate the latter in any way. For the Bluetooth attacks, checking your buffer sizes properly is the safeguard. Looking at the code or analyzing the behaviour of the badge is the only way you can figure out if they've safeguarded against those.

The article states, "The vulnerabilities of Bluetooth technology have also been well documented."

The published vulnerabilities have been in particular implementations rather than inherent to Bluetooth in particular. Many IP stacks 10 years ago had similar buffer overflow vulnerabilities. Buffer overflows are common in an impressive variety of code.

Perhaps I'm just a bit over-sensitive, but I guess I see this as comparable to saying "The vulnerabilities of web server technology have been well documented" when what's really meant is that the vulnerabilities in, say, Microsoft's BackOffice have been documented.

I believe somebody reading their article would get the mistaken impression that the Bluetooth vulnerabilities are somehow inherent, rather than merely common mistakes. I'd prefer a phrasing like, "Many Bluetooth implementations have been shown to have significant vulnerabilities, and the use of potentially long-distance wireless communications makes any vulnerabilities easier to exploit."

The phrasing they chose makes it sound like there are guaranteed to be vulnerabilities. Pointing to implementation flaws and implying that they are protocol flaws sounds like FUD. To be clear, I think that Bluetooth in a badge like this is a ridiculous idea - even if the protocol were perfectly implemented, you could probably create a "proxy badge" and effectively extend the range - the potential intruder walks up with a special badge, his cohort points a bluesniper rifle at a legitimate badge, and the challenge/response sequence is simply proxied across the link.

Bob • April 29, 2006 8:34 AM

I realize that my post is somewhat late, however, I found a company that has created an active card that authenticates the user via fingerprint ON THE CARD, cannot be passively read at all and will only transmit an appropriate code after the user matches to the card. The transmission distance has to be very short because it says it is using smart or prox card readers as interfaces for door or computer access. This seems to be the most secure approach since it cannot be read, and any transmission follows a direct authentication over a very short distance (standard is 10cm?). Website is www.mydigitaldefense.com
