Schneier on Security
A blog covering security and security technology.
August 11, 2006
DHS Report on US-VISIT and RFID
Department of Homeland Security, Office of the Inspector General, "Enhanced Security Controls Needed For US-VISIT's System Using RFID Technology (Redacted)," OIG-06-39, June 2006.
From the Executive Summary:
We audited the Department of Homeland Security (DHS) and select organizational components' security programs to evaluate the effectiveness of controls implemented on Radio Frequency Identification (RFID) systems. Systems employing RFID technology include a tag and reader on the front end and an application and database on the back end.
Overall, information security controls have been implemented to provide an effective level of security on the Automated Identification Management System (AIDMS). US-VISIT has implemented effective physical security controls over the RFID tags, readers, computer equipment, and database supporting the RFID system at the POEs visited. No personal information is stored on the tags used for US-VISIT. Travelers' personal information is maintained in and can be obtained only with access to the system's database. Additional security controls would need to be implemented if US-VISIT decides to store travelers' personal information on RFID-enabled forms or migrates to universally readable Generation 2 (Gen2) products.
Although these controls provide overall system security, US-VISIT has not properly configured its AIDMS database to ensure that data captured and stored is properly protected. Furthermore, while AIDMS is operating with an Authority to Operate, US-VISIT had not tested its contingency plan to ensure that critical operations could be restored in the event of a disruption. In addition, US-VISIT has not developed its own RFID policy or ensured that the standard operating procedures are properly distributed and followed at all POEs.
I wrote about US-VISIT in 2004 and again in 2006. In that second essay, I gave a price of $15B. I have since come to not believe that data, and I don't have any better information on the price. But I still think my analysis holds. I would much rather take the money spent on US-VISIT and spend it on intelligence and investigation, the kind of security that resulted in the U.K. arrests earlier this week and is likely to actually make us safer.
Posted on August 11, 2006 at 7:27 AM
• 20 Comments
That and the RFID in passports is just plain stupid. Like demonstrated in blackhat, there will be a nice little code in the RFID telling what country you are from. So now this gives terrorists the ability to set up RFID reading bombs in trashcans all over the globe having them all set to go off when an American walks by. And yes while you are not supposed to be able to read the passports unless they are opened as demonstrated having them open just a quarter of an inch will allow it to be read. So put your passport in your coat pocket loosely and just walking can open it enough. Add it to other things we put in our pockets as well something gets wedged in and this keeps your passport open to be read by any RFID sniffer around. Yeah, RFID passports sure make me feel safer.
There has never been a government program that confined itself to its initial budget. I would expect that figure to be 20-40b.
Intelligence & investigation is not a special interest group that can lock into corporate welfare, therefore it is unlikely to be expanded at the same rate.
"There has never been a government program that confined itself to its initial budget."
The construction of the Supreme Court building (1932-1935) only cost 99% of its allocated budget. But, yes, such programs are rare.
I agree with you that RFID in passports is ill conceived. However, I wonder about how serious a problem leakage is. Wouldn't a rubber band solve the problem?
I read somewhere that the building that houses the supreme court in the US actually returned money to the treasury after it was built as it came in under budget.
Ah, here's a reference: eighth paragraph on the first page of
So "never" is too harsh of a word, quincunx. :)
Yes, a rubber band would probably minimise the issue, but not eliminate it.
But, now, you have to add an additional safety measure to protect yourself. This additional safety measure was not needed before -- and it is probably not enough (what if the rubber band breaks?), so you will have to add other safety measures.
I figure a special rubber band, approved by the underwriters laboratory, etc, etc, will soon be available for a modicum.
The whole point is: you are now at risk; You were not before (for this specific risk).
The blackhat demonstration required opening the passport to visually scan the MRZ characters in order to establish BAC communications with the chip. (Note that this is separate from the RFID shielding.)
Even if the shielding fails, you can't get any data from the RFID without getting the MRZ key from the inside (at which point, you can see all of the same information in printed form). You can't determine this information passively from someone's closed passport.
The demo showed that someone with full access to an open passport could copy the (signed) data to another chip, since there is no tight binding to the chip itself (e.g. in the form of a public/private key).
There's a good number of reasons why RFID chips in passports are not a good idea. But the RFID-scanning bomb is one that I don't really understand. It's quite possible to pick out US tourists without having to resort to anything as remotely sophisticated as RFID-scanning. In a lot of cases, all you have to do is look/listen for the ones who don't speak the local language, but instead just keep repeating things in English, louder and slower. Just a thought, from an American who's about to go on vacation abroad.
What huge problem do RFID passports solve?
As far as I can see they do nothing to speed up transit through customs and we all know how reliable computers are :-)
Automatic, reliable face recognition won't be available for years so you still need people to process passports.
The "do not travel" lists are inaccurate and incomplete.
RFID was not designed to be secret, it was designed to be reliable and cheap. Putting a faraday cage in the passport is a laughable solution to an unbelievable design decision.
If a store card reader and cards can survive for three to five years, why on earth is a contactless system required?
Am I the only one who remembers checking into European (Vienna circa 2000 in specific is quite vivid in my mind) hotels and the like, and being asked politely to leave my passport with the desk while they copy down (or photocopy) the information for their records? Specifically "for your safety, we register this with the Polizei," though I dimly recall other hotels photocopying my passport at various points.
Rubber band doesn't offer much protection there. Nor does "oh, it doesn't matter if the chip's cloned remotely - you'd need to be able to read the information printed on the passport..."
Are all the places that have relied on handling passports over the years going to be told they can't do that anymore? With the force of law?
I wouldn't hold out the current UK security operation as a positive exemplar until it has played out if I were you.
"Weapons of mass destruction deployed in 90 minutes", the execution of Jean Charles Menendez and the Forest Gate arrests (and shooting) are the model of MI5 that the British public have in their mind at the moment. I think the average Brit wants to see a lot of hard evidence before we believe the current threat to be real rather than a figment of the Security Service's collective imagination.
The night before the arrests were made the Labour party's backbenchers were getting ready to do an Edward II to Tony Blair over the Israel/Lebanon situation and that's all that was in the news. The following morning, and since, nothing more has been heard on the subject in the media - displaced by the bomb plot and airport chaos. Now the whole intelligence operation clearly couldn't have happened overnight but the arrests could have been moved up a few days to suit a political agenda.
Forgive the cynicism but on the evidence of the past few years it's justified.
As far as the Supreme Court building fund is concerned, please remember that the cost of building plunged in the depression along with prices in general. That was really a cost overrun after deflation is factored in.
I've always been puzzled about these stories of hotels demanding to keep passports. It's never happened to me, and I wouldn't legally be able to comply. My passport (from The Netherlands) has the text "The bearer of this passport may pass it to a third party only if there is a statutory obligation to do so". Hotel policies won't cut it :)
They'll probably try to tell me that yes it really is legally required. I wonder how I could check that.
Ian Mason forgets to list a couple of other bits of sheer stupidity from the British "security" services. Their rather silly panic about ricin being smeared on car door handles, and the "red mercury" nukes.
And what on earth is the reason for banning people from taking *books* on planes? It's bad enough doing my daily commute of under an hour when I forget to take a book with me, I can't imagine the torture that a book-free flight would be.
Of course, it's probably all just a plot by Eurostar to make people get on a train to Paris and fly from there instead.
There was a good presentation by Chris Paget at Defcon 14 last weekend talking about this. I wasn't at blackhat, so I didn't get to attend that one.
In the audience, there was a German fellow with the newest German passport (that has an RFID chip as required by US government). He had his passport in a small pouch that was intended to shield the signal. He stated that he had taken measurements, and that it did indeed shield his passport from any reasonably powered signal.
The worst part is, the RFID chip issue is only one of the more minor deficiencies in the US-VISIT program. The United States government should be ashamed of this silliness to the same degree they should be ashamed of that whole clipper chip nonsense.
"There's a good number of reasons why RFID chips in passports are not a good idea. But the RFID-scanning bomb is one that I don't really understand. It's quite possible to pick out US tourists without having to resort to anything as remotely sophisticated as RFID-scanning. In a lot of cases, all you have to do is look/listen for the ones who don't speak the local language, but instead just keep repeating things in English, louder and slower. Just a thought, from an American who's about to go on vacation abroad."
Like you, I find this a hilarious concern.
Given that the average American in a foreign country can be spotted from roughly 100 yards away, the idea that a special bomb that will scan for passports is required is ridiculous.
British antiterrorism chief Peter Clarke said at a news conference that the plot was foiled because "a large number of people" had been under surveillance, with police monitoring "spending, travel and communications."
Everyone keeps talking about this is the kind of security we need to be spending money on, yet it sounds a lot like what we have been doing that most on this list seem to oppose; monitoring of money, communications and travelling. Make up your mind; you are either against it and it is a huge violation of privacy or it is a great way to track people and identify potential terrorists.
OK I'll take the bait, even if it is Troll flavoured and from someone who won't put their name to their words. (If I had a pound for every flame grilled Troll I've eaten... [FX: Looks down, sees corpulent belly])
The issue is, to use the words of European civil rights legislation, "proportionate" interference with people's privacy.
If there is prima facie evidence of wrongdoing then it is reasonable to interfere with someone's privacy. (Probable cause for our North American friends). What's not reasonable is invading the privacy of people who've done nothing to attract attention.
In the UK, without public - let alone judicial or Parliamentary oversight, the police are constructing a system that will track vehicle movements and keep those records for two years - of innocent people going about their lawful business. We didn't create this kind of extra-legal surveillance of the whole population when we needed to defeat the IRA - even Maggie Thatcher knew that it would be morally wrong.
But in the new era of soundbite politics it's OK to trample people's rights as long as it gets you the headline you want and keeps you in power.
When are we going to stop this and go back to basic human decency? Where the government leaves you in peace until you do something genuinely wrong. Where when there's bloodshed we call it out as what it is and try to stop it, rather than dicker in UN resolutions to keep our political friends happy (Yes, Tony Blair I'm talking about you - the so called Christian).
Sorry for the rant folks but I've spent the day with, amongst others, people from the British police and Home Office who are only too happy to throw away 800 years of human rights for a little bit more safety - citing each of the four horsemen of the Internet (Child pornography, Terrorism etc. etc.) as suits their immediate case. Never, at any point, do these folks talk about principles of right and wrong. They just come up with more, and finer grained, rules - each time trampling some freedom that our forefathers (literally) died for.*
It's been a long day. I feel thoroughly disheartened so I'll leave it there. I just wish people would THINK before proposing the next step backward.
*If anybody thinks this is mere rhetoric I've a list of my (late) father's comrades who died in WWII fighting a regime that took great care to make sure that they obeyed the law (cf. the Wannsee Conference) as they destroyed the "enemies of society".
--"Given that the average american in a foreign country can be spotted from roughly 100 yards away, the idea that a special bomb that will scan for passports is required is ridiculous."
Required? No. But if you can automate your target search you can, well, automatically trigger the weapon. Set it in a crowded area and walk away. Less chance of getting caught or injured during the attack. Make your bomb fire-and-forget, on the cheap.
What's next! I guess that thing under the skin! Beware folks we best stand together or we could fall for anything! I'm so tired of all of this crap. Things are just so out of hand that I don't see it coming back together again. Too much Big Brother goin on to suit me.