By Lisa Vaas  |  Posted 2007-03-01

"Since IOActive's offices are located in a building that uses this proximity badge technology, and also houses components of the nation's critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology," IOActive officials said in a statement. "We got into this because we're concerned about the security of RFID. We've seen it used in many insecure environments. So has the ACLU."
Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, got up after Paget to turn the partial-hacking-RFID briefing into something that had grown to include the ACLU's work on RFID and ID documents. The ACLU has spent the last 2.5 years, particularly in its San Francisco office, working on issues including privacy in RFID-enabled passports, student passes, and driver's licenses. RFID-enabling driver's licenses in particular is nearing a critical turning point as technology mandates in the Real ID Act could be handed down as early as March 1, a Department of Homeland Security spokesperson confirmed to eWEEK's Renee Boucher Ferguson. As Ferguson reports:
"At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.
"Congressman Tom Davis, a Republican from Virginia, requested Feb. 27 that the Committee on Oversight and Government Reform hold a hearing to further discuss the Real ID Act, which mandates that all states overhaul their driver's license procedures by 2008 to include machine-readable technology and a database that holds citizen data, to be connected to other state databases and to a federal database."
The ACLU's reason to be concerned is that, first of all, there have been multiple breaches of RFID-enabled passports and other identification documents, including British and Dutch e-passports.
"The ACLU is interested in getting out the facts," Ozer said. "For less than $100, with parts off the Internet—and that's the up number—Chris got them for about $20—[you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million in readers. ACLU showed compromising of that last year.
"From an ACLU standpoint, [we're concerned] in terms of privacy tracking, personal safety and financial security," she continued. "You can get a list of who was at what place at what time. [RFID doesn't] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone—would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security."
It's imperative to educate the government and public about the vulnerabilities if somebody's going to use RFID in a public document, Ozer said.
Given the good that can be done by open discussion, why would HID try to silence IOActive?
"From a big company standpoint, I don't think they understand how much it costs a small company, from the standpoint of lawyers involved," to defend itself against a charge of patent infringement, Pennell said. "Patents cost a lot of money to go in and research."
IOActive employs 23 people. "We're an itty-bitty company," Pennell said. As Paget put it, "Defense costs alone could easily put us out of business."
What a shame, for the sake of small firms doing solid research, for the sake of freedom of expression, and for the sake of the safety of our citizens and the citizens of the global community.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
