Hey Google –
Since Fido.ie is throwing errors at me, and since you’re probably a more searchable (and more global) database anyway — the Trovan FDX-B RFID transponder number 956000000659388 is that of “Hog Dempsey”, a small female black and white cat, whose owners can be contacted via any address on this page. Cheers!
Back in February, I wrote about some Dutch hackers remotely reading Dutch RFID passports, and my email to the Irish Passport Office enquiring about their plans.
They never bothered writing back; I guess they were too busy implementing the damn things :( Their new ‘ePassports’ are now mandatory for new Irish passports:
The chip technology allows the information stored in an Electronic Passport to be read by special chip readers at a close distance.
“special chip readers at a close distance” and/or “random criminals looking for Irish victims at a distance of 30 feet”, I guess.
Here’s the slides for Riscure’s attack on the Dutch passports. Irish passports are similarly using “Basic Access Control”. I wonder if Irish passport numbers are sequential, since that seems to be a key part of their attack?
Tags: epassports, hacking, ireland, passports, rfid, riscure
Apparently, Transport For London are planning ‘e-money’ trials based on their remotely-readable Oyster RFID cards.
Combine that with Kevin Mahaffey of Flexilis’ talk at Black Hat last year, where he demonstrated apparatus to extend RFID read range from 4-6 inches to approximately 50 feet, and things could get messy. ;)
The slides for that talk are available here (PDF); slide 20 specifically mentions the Hong Kong “Octopus” cashless-payment card.
Tags: flexilis, kevin-mahaffey, london, oyster, rfid
Greetings from sunny Dublin, Ireland! (really!)
I’m now back in taint.org’s native timezone, although precariously set up and experiencing occasional interruptions. If you’re waiting for a mail from me, it may take a little more time.
I did have time to be interviewed last week by Karlin Lillington for this Guardian story:
To make sure customs agents could read his cat’s chip to match him to his Pet Passport on return to Europe, Mason bought his own scanner at a cost of some £200. “I didn’t want to risk the cat being impounded for six months’ quarantine at Heathrow,” he sighs.
It’s true.
Happy to be back — I think. Looking forward to my first pints, in over a year, of creamy Guinness in its native habitat. I also have a couple of half-written weblog entries I wrote on the plane, too…
Tags: bubba, cat, dublin, guardian, guinness, home, meta, rfid, travel
This is what passports containing RFID chips will look like:
Note the little rectangular logo at the bottom. According to Ed Hasbrouck, that’s the ICAO standard logo indicating that this is an RFID passport, and therefore:
identity thieves, terrorists, direct marketers, data aggregators, malicious governments, or anyone else with a radio receiver within 10 meters (30+ feet) or more whenever your passport is read at a border crossing, airport, etc. can secretly and remotely track you, log your movements through the unique “collision avoidance” ID number sent by the chip, and intercept and decrypt all the data (including your digital photo and, in some countries, your digitized fingerprints) needed to “clone” a perfect copy of your passport, forge other identity credentials, or impersonate you.
Of relevance are the comments over at Bruce Schneier’s weblog entry regarding the Riscure research into the Dutch Biometric Passport’s lousy security.
Interestingly, as one commenter there notes, breaking the crypto may be overkill; the knowledge that a person is carrying a passport from a certain country, or set of countries, may be enough for certain attackers.
I asked the Irish Passport Office about their RFID plans last April:
I’m an Irish citizen and passport-holder. I have been following recent discussions in the US regarding the addition of RFID computer chips to US passports, and I note that the US Department of State is now indicating that this measure was made necessary due to recent International Civil Aviation Organization (ICAO) standards — namely ICAO Doc 9303.
As a result, since Ireland is a signatory to ICAO regulations, this raises the question as to whether Irish passports shall shortly include similar RFID or “contactless chip” technology.
Can you tell me:
if this is planned?
is there a mechanism for public comment on this process?
who could I further email to ask about this, if you do not know?
Disappointingly, I never received a reply. :( Someday I should really chase this up.
Update, Oct 17 2006: Well, they never bothered replying. They did, however, introduce RFID chips to Irish passports:
The chip technology allows the information stored in an Electronic Passport to be read by special chip readers at a close distance. The chip incorporates digital signature technology to verify the authenticity of the data stored on the chip.
So, I’ve just bought myself an RFID implant reader.
However, don’t jump to conclusions — it’s not that I’m hoping that possession will put me on the right side of the New World Order 21st-century pervasive-RFID-tracking security infrastructure or anything — it’s for my cat. Here’s why…
Many years ago, back in Ireland, we had an RFID chip implanted in our cat, as you do. Then 3 years ago, we entered the US, bringing the cat with us, and started looking into what we’d have to do to bring him back again.
Ireland and the UK are rabies-free, and have massive paranoia about pets that may harbour it; as a result, pets imported into those countries generally have to stay in a quarantine facility for 6 months. Obviously 6 months sans kitty is something that we want to avoid, and thankfully a recent innovation, the Pet Travel Scheme allows this. It allows pets to be imported into the UK from the USA, once they pass a few bureaucratic conditions, and from there they can travel easily to Ireland legally. (BTW Matt, this still applies; we checked!)
One key condition is that the pet be first microchipped with an RFID chip, then tested for rabies, with those results annotated with the chip ID number. Once the animal arrives in the UK on the way back, the customs officials there verify his RFID implant chip’s ID number against the number on the test result documentation, and (assuming they match and all is in order) he skips the 6 month sentence.
So far, it seems pretty simple; the cat’s already chipped, we just have to go to the vet, get him titred, and all should proceed simply enough from there. Right? Wrong.
We spent a while going to various vets and animal shelters; unfortunately, almost everyone who works in a vet’s office in California seem to be incompetent grandmothers who just work there because they like giving doggies a bath, couldn’t care less about funny foreign European microchips, and will pretty much say anything to shut you up. Tiring stuff, and unproductive; eventually, after many fruitless attempts to read the chip, I gave up on that angle and just researched online.
Despite what all the grannies claimed, as this page describes, the US doesn’t actually use the ISO 11784/11785 standard for pet RFID chips. Instead it uses two alternative standards, one called FECAVA, and another FECAVA-based standard called AVID-Encrypted. They are, of course, entirely incompatible with ISO 11784/11785, although, to spread confusion, the FECAVA standard appears to be colloquially referred to in parts of the US vet industry, as “European” or even “ISO standard”. I think it was originally developed in Europe, and may have been partially ISO-11784-compliant to a degree, but the readers have proven entirely incompatible with the chip we had, which is referred to as “ISO” in the UK and Ireland at least. They don’t even use the same frequencies; FECAVA/AVID are on 125 KHz, while ISO FDX-B is on 134.2 KHz.
(BTW, a useful point for others: you can also tell the difference at the data level; FECAVA/AVID use 10-digit ID numbers, while ISO numbers are 15-digit. Also, “FDX-B” seems to accurately describe the current Euro-compatible ISO-standard chip system.)
Now, a few years back, it appears that one company attempted to introduce ISO-FDX-B-format readers and chips to the FECAVA-dominated marketplace, in the form of the Banfield ‘Crystal Tag’ chip and reader system.
That attempt foundered last year, thanks to what looks a lot like some MS-style dirty tricks — patent infringement lawsuits and some ‘your-doggy-is-in-danger’ FUD:
what we have here is a different, foreign chip that’s being brought in and it’s caused a lot of confusion with pet owners, with shelters, and veterinarians.
(Note ‘foreign’ — a little petty nationalism goes a long way.) The results can be seen in this press story on the product’s withdrawal:
Although ISO FDX-B microchips are being used in some European countries and parts of Australia, acceptance of ISO FDX-B microchips is not universal and the standard on which they are based continues to generate controversy, in part due to concerns about ID code duplication.
FUD-bomb successful!
Anyway, this left us in a bad situation; our cat’s chip was unreadable in the US, and possibly even illegal given the patent litigation ;) . We had two choices: either we got the cat re-chipped with a US chip, paying for that, or we could find our own ISO-compatible reader.
We sprung for the latter; although the re-chipping and re-registration would probably cost less than the $220 the reader would cost, we’d need to buy a US reader in addition, since the readers at London Heathrow airport are ISO readers, not FECAVA/AVID-compatible. On top of that, this way gives me a little more peace of mind about compatibility issues when we eventually get the cat to Heathrow; we now know that the cat’s chip will definitely be readable there, instead of taking a risk on the obviously-quite-confusing nest of snakes that is international RFID standardisation.
Anyway, having decided to buy a reader, that wasn’t the last hurdle. Apparently due to the patent infringement lawsuit noted above, no ISO/FDX-B-compatible readers were on sale in the US! A little research found an online vendor overseas, and with a few phone calls, we bought a reader of our very own.
This arrived this morning; with a little struggling from the implantee, we tried it out, and verified that his ID number was readable. Success!
RFID: Over on Adam Shostack’s weblog, in a comment on an entry regarding the plans to mandate remotely-readable RFID passports, Martin Forssen brings up a great idea:
What I want is a device which beeps every time somebody scans me for RFID-tags. I assume this would be fairly easy to construct since the scanner must send a signal of some strength to activate the chip.
I wonder if that’d work? A keyfob, for example, something similar in size to the dinky Chrysalis Wifi Seeker I have on my keyring, would be perfect. It’d be probably pretty cheap to make, would make a great geek toy, and be quite educational too. ;)
Tags: comment, device, entry, idea, rfid, rfid-tags, scanner, somebody, time, weblog
Security: The RFID vendors are clearly on a roll, with all manner of uses being proposed. The most recent story is that VeriChip plans to implant them subdermally in hospital patients.
The company line is that it’s privacy-safe, since it doesn’t expose health records per se — just the patient’s ID number. However, that’s missing the point, in my opinion.
RFID chips will broadcast their ID whenever they are within range of a compatible scanner, and the range (in this case) is several feet – although the story notes that their readers used to track farmed salmon work from 10-12 feet, and the Schmoo Group guys I met last month had no doubts that a high-powered directional antenna like their wi-fi sniper rifle could extend that. There’s no encryption, or handshaking, in these chips, it sounds like.
There’s no mention if the chip is removed after you leave hospital; some comments about the idea behind this is that it may help if you’re involved in an accident, and want your info available to healthcare users, in which case you’d have the chip implanted and broadcasting at other times, in other places, as well.
So, if you’ve got one of these implanted, it’ll broadcast a unique code to readers in range at all times. If an attacker can scan while you’re nearby, and picks up that code, they know that it’s you, and you only. They only have to match that ID code to a visual identification once, and henceforth you can be tracked by that ID code.
There’s a possibility that they’ll fix this, by upping the CPU power and incorporating some decent public-key encryption — but then you need a PKI big enough to track every implanted citizen in the entire country, and the costs will go up and up. I’d find that doubtful. (Mind you, they seem to assume that having a centralized secure database of medical records is a fait accompli in most of the articles anyway, so…)
Tags: case, chip, code, encryption, hospital, manner, range, rfid, roll, security, story
Security: It looks like the security people are starting to take a look at RFID, and it’s not pretty.
I link-blogged this the other day — RFDump is a tool to display and modify data in RFID tags — including deployed ones, at least in some cases. (Think rewriting the price tags in a shop, scrambling the tracking numbers on a warehouse full of goods, or corrupting frequent-shopper data on a card.)
It looks like this was also discussed at USENIX Security ‘04 in an RSA presentation (those notes are swarming with typos, but the content’s there ;)
That talk has some interesting stuff — ‘blocker’ tags which spoof readers with gibberish data, or crash the collision-detection network protocol; while that’s being discussed as a security tool here, if the protocol is that hackable, and the hardware is available, I could see that having additional interesting effects in a supermarket. Of course, range is an issue — but that hasn’t stopped Bluetooth hacking, wardriving, etc.
If you ask me, it looks an awful lot like RFID is chock-full of security holes, and the features that make it so attractive (low power use, low cost, tiny size) will be the very features that militate against adding security. We could be in for interesting times here…
Tags: day, look, price, protocol, rfdump, rfid, security, shop, tool, tracking
The weblog of Justin Mason; incoherent ramblings about Apache SpamAssassin, anti-spam, perl, software development, and the web, from an Irish software developer.
The opinions expressed on this web site are my personal opinions, and do not in any way represent those of my employer.
