By Kim Zetter August 4, 2009 9:30 am Categories: Cybersecurity, DefCon
LAS VEGAS — It’s one of the most hostile hacker environments in the country –- the DefCon hacker conference held every summer in Las Vegas.
But despite the fact that attendees know they should take precautions to protect their data, federal agents at the conference got a scare on Friday when they were told they might have been caught in the sights of an RFID reader.
The reader, connected to a web camera, sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks as they passed a table where the equipment was stationed in full view.
It was part of a security-awareness project set up by a group of security researchers and consultants to highlight privacy issues around RFID. When the reader caught an RFID chip in its sights — embedded in a company or government agency access card, for example — it grabbed data from the card, and the camera snapped the card holder’s picture.
But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned.
Kevin Manson, a former senior instructor at the Federal Law Enforcement Training Center in Florida, was sitting on the “Meet the Fed” panel when a DefCon staffer known as “Priest,” who prefers not to be identified by his real name, entered the room and told panelists about the reader.
“I saw a few jaws drop when he said that,” Manson told Threat Level.
“There was a lot of surprise,” Priest says. “It really was a ‘holy shit,’ we didn’t think about that [moment].”
Law enforcement and intelligence agents attend DefCon each year to garner intelligence about the latest cyber vulnerabilities and the hackers who exploit them. Some attend under their real name and affiliation, but many attend undercover.
Although corporate- and government-issued ID cards embedded with RFID chips don’t reveal a card holder’s name or company — the chip stores only a site number and unique ID number tied to a company or agency’s database where the card holder’s details are stored — it’s not impossible to deduce the company or agency from the site number. It’s possible the researchers might also have been able to identify a Fed through the photo snapped with the captured card data or through information stored on other RFID-embedded documents in his wallet. For example, badges issued to attendees at the Black Hat conference that preceded DefCon in Las Vegas were embedded with RFID chips that contained the attendee’s name and affiliation. Many of the same people attended both conferences, and some still had their Black Hat cards with them at DefCon.
But an attacker wouldn’t need the name of a card holder to cause harm. In the case of employee access cards, a chip that contained only the employee’s card number could still be cloned to allow someone to impersonate the employee and gain access to his company or government office without knowing the employee’s name.
Since employee access card numbers are generally sequential, Priest says an attacker could simply change a few digits on his cloned card to find the number of a random employee who might have higher access privileges in a facility.
“I can also make an educated guess as to what the administrator or ‘root’ cards are,” Priest says. “Usually the first card assigned out is the test card; the test card usually has access to all the doors. That’s a big threat, and that’s something [that government agencies] have actually got to address.”"
In some organizations, RFID cards aren’t just for entering doors; they’re also used to access computers. And in the case of RFID-enabled credit cards, RFID researcher Chris Paget, who gave a talk at DefCon, says the chips contain all the information someone needs to clone the card and make fraudulent charges on it — the account number, expiration date, CVV2 security code and, in the case of some older cards, the card holder’s name.
The Meet-the-Fed panel, an annual event at DefCon, presented a target-rich environment for anyone who might have wanted to scan government RFID documents for nefarious purposes. The 22 panelists included top cybercops and officials from the FBI, Secret Service, National Security Agency, Department of Homeland Security, Defense Department, Treasury Department and U. S. Postal Inspection. And these were just the Feds who weren’t undercover.
It’s not known if any Feds were caught by the reader. The group that set it up never looked closely at the captured data before it was destroyed. Priest told Threat Level that one person caught by the camera resembled a Fed he knew, but he couldn’t positively identify him.
“But it was enough for me to be concerned,” he said. “There were people here who were not supposed to be identified for what they were doing … I was [concerned] that people who didn’t want to be photographed were photographed.”
Priest asked Adam Laurie, one of the researchers behind the project, to “please do the right thing,” and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as “Major Malfunction” in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected.
The RFID project was a collaboration between Laurie and Zac Franken — co-directors of Aperture Labs in the Britain and the ones who wrote the software for capturing the RFID data and supplied the hardware — and Aries Security, which conducts security-risk assessments and runs DefCon’s annual Wall of Sheep project with other volunteers.
Each year the Wall of Sheep volunteers sniff DefCon’s wireless network for unencrypted passwords and other data attendees send in the clear and project the IP addresses, login names and truncated versions of the passwords onto a conference wall to raise awareness about using wireless networks without encryption.
This year they planned to add data collected from the RFID reader and camera (below) — to raise awareness about a privacy threat that’s becoming increasingly prevalent as RFID chips are embedded into credit cards, employee access cards, state driver’s licenses, passports and other documents.
Read Full Story at Wired.com