[FoRK] Fwd: ACM TechNews - Wednesday, March 9, 2005

Rohit Khare rohit at commerce.net
Wed Mar 9 11:28:09 PST 2005

pentagon mall, eh? :)

Begin forwarded message:

> Some 40,000 new biometric ID cards equipped with radio frequency 
> identification (RFID) and Bluetooth technology will be distributed to 
> Homeland Security Department personnel and contractors this year, 
> beginning in May. The RFID and Bluetooth components will facilitate 
> communication ...

RFID Invades the Capital 
By Mark Baard

Story location: http://www.wired.com/news/privacy/0,1848,66801,00.html

02:00 AM Mar. 07, 2005 PT

WASHINGTON -- A new smartcard, the type privacy advocates fear because 
it combines biometric data with radio tags, will soon be one of the 
most common ID cards in Washington.

  Department of Homeland Security workers in May will begin using the 
new ID card, called the DAC, to gain access to secure areas, log on to 
government computers and even pay their Metro subway fares.

  The DAC, which stands for Department of Homeland Security Access Card, 
will carry a digital copy of its bearer's fingerprint and other 
personally identifiable information. It will use radio-frequency 
identification and Bluetooth technologies to communicate with reader 
devices at the department's offices.

  "The card provides one type of authentication for all forms of access 
(physical, wired and wireless)," said DHS Director of Authentication 
Technologies Joseph Broghamer, who participated in a wireless 
technology conference in Washington, D.C., last week.

  The DAC will feature a high-resolution image of its bearer and a 
hard-to-duplicate holographic image. The key identifier stored on the 
DAC, however, will be a record of the bearer's biometric data (in this 
case, a fingerprint) that can be read by special devices attached to 
DHS computers.

  For example, rather than entering a user name and password, DHS 
workers will log on to their computers by sliding their DAC into a 
special keyboard and pressing their finger on the keyboard's 
fingerprint-reader pad. The keyboard will then authorize workers by 
comparing their physical fingerprint to the card's fingerprint record.

  The DHS will issue approximately 40,000 of the new cards to its 
employees and contractors this year. The DHS is just one of many 
departments (the Department of Defense is another) responding to a 
White House directive calling for new ID cards that are "strongly 
resistant" to terrorist exploitation and "can be rapidly authenticated 

  The DAC's use of fingerprint records makes it more secure than 
previous ID card technologies, because it authenticates both the card 
and its bearer, said Broghamer, and its use of wireless communication 
makes it more convenient for DHS employees.

  DAC's RFID and Bluetooth capabilities (some DAC holders will be 
testing Bluetooth-enabled cardholders in May) will show "how wireless 
can get around the form factors," said Broghamer, referring to 
incompatibilities among devices that read ID cards by making physical 
contact with them.

  But the DAC's RFID chip and its Bluetooth-enabled holder will make it 
a target for hackers and spies with wireless readers, who could be 
lurking in commissaries, coffee shops, bars and subway stations around 
the Capitol.

  The tens of thousands of people carrying DACs around Washington this 
year will also help to prove or discredit predictions by privacy 
advocates that the RFID tags will be used to track individuals in 
public and private places.

  "We don't see any sensible and offsetting reason for using RFID 
technology instead of another technology in identification cards and 
documents," said Cedric Laurant, policy counsel at the Electronic 
Privacy Information Center, "except for surreptitiously tracking 
people's movements with reader devices."

  DAC carriers may also be targeted by identity thieves.

  RFID tags, the small chip-and-antenna combinations used in wireless 
toll-pay systems and payment devices such as the ExxonMobil Speedpass 
key-chain tag, can be hacked by someone "with moderate technical 
expertise," said Thomas O'Flaherty, principal associate at Input, a 
consulting firm for government contractors.

  One data security expert who has hacked into RFID chips worries that 
the government will rush to deploy RFID, and then try afterward "to 
bolt on" security measures to protect the fingerprint data.

  "The U.S. government has a short track record with broad deployments 
of RFID and biometrics," said RSA Security principal research scientist 
Ari Juels. "There are many unknowns."

  Juels and another RSA scientist helped researchers at Johns Hopkins 
University hack the RFID chips used for Speedpass tags and electronic 
vehicle immobilizers, which are a type of anti-theft device. The group 
successfully used the chips' data to purchase gas and override a car's 
anti-theft system.

  So-called Faraday cages, the metal billfolds proposed as shields for 
RFID chips in electronic passports, will also be used by the DHS to 
help guard the data on the DAC between transactions.

  But hackers will be able to eavesdrop on transmissions between the DAC 
and RFID readers every time the card is read, and at distances up to 
"tens of feet, potentially," said Juels.

  The threat of passive eavesdropping will increase with each new use 
for the DAC, part of the evolution of device functions known as 
"function creep." DAC bearers will use their cards not just for 
entering offices and logging on to computers in controlled 
environments, but for other functions, such as paying their Metro 
subway fare. (The Metro function will not be available at first, said 
the DHS' Broghamer.)

  RFID transmissions between the DAC and reader devices will be 
encrypted, to stop wireless snoops from making sense of the data, said 

  But many government workers and contractors at the wireless 
conference, who will be getting new cards similar to the DAC, worry 
that their employer plans to follow their every move, such as when they 
are riding the Metro.

  "And it's not just us (government workers)," said an employee of the 
U.S. General Services Administration, who would only give his name as 
Patrick. "Soon it will be everybody."
