Wednesday, July 22, 2009

That NSA Spy in your Wallet and Purse

Microchips in ID cards raise privacy fears
Climbing into his Volvo, outfitted with a Matrics antenna and a Motorola reader he’d bought on eBay for $190, Chris Paget cruised the streets of San Francisco with this objective: To read the identity cards of strangers, wirelessly, without ever leaving his car.

It took him 20 minutes to strike hacker’s gold.

Zipping past Fisherman’s Wharf, his scanner downloaded to his laptop the unique serial numbers of two pedestrians’ electronic U.S. passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he’d “skimmed” four more of the new, microchipped PASS cards from a distance of 20 feet...

Ethical hacker Chris Paget demonstrates a low-cost mobile device that surreptitiously reads and clones RFID tags embedded in United States passport cards and enhanced drivers' licenses....

In its October 2005 Federal Register notice, the State Department reassured Americans that the e-passport’s chip would emit radio waves only within a 4-inch radius, making it tougher to hack.

But in May 2006, at the University of Tel Aviv, researchers directly skimmed an encrypted tag from several feet away. At the University of Cambridge in Britain, a student intercepted a transmission between an e-passport and a legitimate reader from 160 feet.

The State Department, according to its own records obtained under FOIA, was aware of the problem months before its Federal Register notice and more than a year before the e-passport was rolled out in August 2006.

“Do not claim that these chips can only be read at a distance of 10 cm (4 inches),” Frank Moss, deputy assistant Secretary of State for passport services, wrote in an April 22, 2005, e-mail to Randy Vanderhoof, executive director of the Smart Card Alliance. “That really has been proven to be wrong.”

I know of a friend that upon receiving a new driver's license or credit card, does two things: One, he swipes a magnet across the back of the cards where the magnetic strip is and does this repeatedly over the course of a couple of days and he also places the card(s) in a microwave and gives them short bursts of radiation.

It makes the card a little crinkly and you can't swipe the credit card thru, the clerk will have to manually punch in the numbers, but I imagine if there is an RFID chip in either, it gets fried.

Sound paranoid? If you're not a bit paranoid after 9/11, eight years of the Bush-Cheney Junta and have already lost track of the number of lies Obama has told and haven't developed a least a little concern about our government, then you must be living in Oz.


  1. I like your style. Too bad the i911 event will happen before Anonymous can destroy the lives of the elite criminals that run this planet.

  2. Nice article. I think discovering the huge risks associated with Real ID and RFID tags will do a lot to bring this technology into the public eye. Informed, people working together can limit the surveillance society.

    I'm highly concerned about NSA eavesdropping as well. Illicit domestic monitoring means what you say on the phone, where you go, and what you do on the Web can all be tracked. As a matter of fact. the NSA is building massive data warehouses, according to a James Bamford article in Salon.

    The first priority is to enlighten American about the fundamentally unAmerican process of spying on our citizens. Popular support for restraints on government intrusions is very strong here, and the privacy rights issue should focus on spreading the truth about RFID risks, expecially in light of the post-9/11 Real ID proposal, which was replaced with a lighter version when confronted by public opposition, including several states (Montana, Michigan, Vermont, others) which outlawed RFID-bearing licenses as unconstitutional under their state constititutions.

    The more the people know, the more likely they are to act to stem these abuses of power. With restraint on government, people will be less vulnerable they are to warrantless spying and identity thieves exploiting insecure RFID-bearing IDs, not to mention unscrupulous marketeers in the private sector taking advantage of the security vulnerabilities to mine data. Again, excellent work on bringing this to light.

  3. Everything I get, credit card, passport, ID and driver's license gets put in a static free bag with some very strong magnets. As for the passport, I stuck it in the microwave for about 10 seconds, so it would not ruin the cover, but enough to ruin the RFID.

    So what if everyone has to manually enter the credit card numbers? I have to do that anyway when I shop on line.

    I also have two very strong magnets that I put in my pockets as I go about my business.

  4. Cheers Greg, thanks for stopping by and I left you a comment. btw z-street posted your comment and of course the zio-jihadist owner left you a comment back LOL They are such predictable animals, are they not:)

    keep up the good fight against injustice

    all the best
    Ban Sidhe

  5. yep, the ten second in the microwave rule toasts the RFID and ends the bullshit there.

    if I cannot see that data, then I sure as hell don't want it to go to someone's database either.

  6. I agree. If you don't know what kind of data they stuck on your ID's or passport, how are you supposed to know whether or not it's legit?

  7. My friends here in Arizona are on top of this one! Check this out:

  8. Just get some copper wire mesh and make your own Faraday cage for your cards.

  9. I haven't done a thing to my new passport: When I travel, I leave it in the safe in hotel, so no one can track where I go, and when I am at my second home in Thailand, I leave it at my attorney's office.

    Perhaps in certain circumstances, it is better to have TPTB think they can track you......


  10. Wow. That's a good idea to fry the chips. It's none of their business as to what you do in this life.

  11. Well, the whole thing's a bit off. First off, the NSA couldn't care less about RFID ID cards, so the title's misleading.

    Next, Paget never claims that he can read e-passport cards. He dances around the point, IMHO, to be sure, but he never says that he's skimming passport cards. I confronted him with this over at engadget when the video first came out, and he claimed that he was being misquoted.

    What he got was the contents of PASS and EDL cards. PASS is not ePassport. PASS is a distance-read card that is intended to get you through Canadian-US customs more quickly, and is designed to be read while you're in the vehicle. It is not a passport. It's a simple serial number e-field tag. There's nothing else on there. The entire "OMG he's getting passport contents" is purest bs. PASS is, by intention, an e-field type RFID, which are designed for reading from a distance. ePassports are h-field type RFID, and there is a huge difference between the two. Mixing PASS and ePassport in the same paragraph with a "thus PASS, therefore thus ePassport" argument tells me you don't have a clue, technically.

    The paper referenced as being from the University of Tel Aviv is an interesting one - the paper basically proves that an h-field card, such as an ePassport or contactless smart card, was readable from perhaps 20 inches, but only when great effort was used, including hundreds of repeated reads correlated with a DSP and a custom built interrogator with several Amps of excitation. It doesn't really help your assertion that ePassports can be read from any meaningful distance. Although the paper is likely too technical for most readers of this blog, reading an h-field RFID from a distance involves the sixth-power-of-the-distance issue with powering them, a really terrible SNR problem with reading load signaling with large excitations, and the lambda wall issue separating near and far field radiation. That paper doesn't help your position at all unless it's essentially misquoted, which the author of your cite is doing. The UC paper cites a snipe that was done by capturing emissions from the reader, not the card.

    Your friend is probably wasting his or her time. The mag stripe isn't distance readable, and only has a small amount of info in it anyway. E-field RFID chips might be damaged by a microwave, but that's not the sort that's in RFID equipped credit cards. It's not likely that you'll do much harm to an h-field part that way, although you might. At any rate, it's not like you can read either sort from a satellite or whatnot, so I'm not sure what you gain by it.

  12. again..if you're that concened make a faraday enclosure for them


Fair Use Notice

This web site may contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance the understanding of humanity's problems and hopefully to help find solutions for those problems. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. A click on a hyperlink is a request for information. Consistent with this notice you are welcome to make 'fair use' of anything you find on this web site. However, if you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. You can read more about 'fair use' and US Copyright Law at the Legal Information Institute of Cornell Law School. This notice was modified from a similar notice at Information Clearing House.

Blog Archive