[FoRK] Fwd: ACM TechNews - Wednesday, March 9, 2005
rohit at commerce.net
Wed Mar 9 11:28:09 PST 2005
pentagon mall, eh? :)
Begin forwarded message:
> Some 40,000 new biometric ID cards equipped with radio frequency
> identification (RFID) and Bluetooth technology will be distributed to
> Homeland Security Department personnel and contractors this year,
> beginning in May. The RFID and Bluetooth components will facilitate
> communication ...
RFID Invades the Capital
By Mark Baard
-------------- next part --------------
Story location: http://www.wired.com/news/privacy/0,1848,66801,00.html
02:00 AM Mar. 07, 2005 PT
WASHINGTION -- A new smartcard, the type privacy advocates fear because
it combines biometric data with radio tags, will soon be one of the
most common ID cards in Washington.
Department of Homeland Security workers in May will begin using the
new ID card, called the DAC, to gain access to secure areas, log on to
government computers and even pay their Metro subway fares.
The DAC, which stands for Department of Homeland Security Access Card,
will carry a digital copy of its bearer's fingerprint and other
personally identifiable information. It will use radio-frequency
identification and Bluetooth technologies to communicate with reader
devices at the department's offices.
"The card provides one type of authentication for all forms of access
(physical, wired and wireless)," said DHS Director of Authentication
Technologies Joseph Broghamer, who participated in a wireless
technology conference in Washington, D.C., last week.
The DAC will feature a high-resolution image of its bearer and a
hard-to-duplicate holographic image. The key identifier stored on the
DAC, however, will be a record of the bearer's biometric data (in this
case, a fingerprint) that can be read by special devices attached to
For example, rather than entering a user name and password, DHS
workers will log on to their computers by sliding their DAC into a
special keyboard and pressing their finger on the keyboard's
fingerprint-reader pad. The keyboard will then authorize workers by
comparing their physical fingerprint to the card's fingerprint record.
The DHS will issue approximately 40,000 of the new cards to its
employees and contractors this year. The DHS is just one of many
departments (the Department of Defense is another) responding to a
White House directive calling for new ID cards that are "strongly
resistant" to terrorist exploitation and "can be rapidly authenticated
The DAC's use of fingerprint records makes it more secure than
previous ID card technologies, because it authenticates both the card
and its bearer, said Broghamer, and its use of wireless communication
makes it more convenient for DHS employees.
DAC's RFID and Bluetooth capabilities (some DAC holders will be
testing Bluetooth-enabled cardholders in May) will show "how wireless
can get around the form factors," said Broghamer, referring to
incompatibilities among devices that read ID cards by making physical
contact with them.
But the DAC's RFID chip and its Bluetooth-enabled holder will make it
a target for hackers and spies with wireless readers, who could be
lurking in commissaries, coffee shops, bars and subway stations around
The tens of thousands of people carrying DACs around Washington this
year will also help to prove or discredit predictions by privacy
advocates that the RFID tags will be used to track individuals in
public and private places.
"We don't see any sensible and offsetting reason for using RFID
technology instead of another technology in identification cards and
documents," said Cedric Laurant, policy council at the Electronic
Privacy Information Center, "except for surreptitiously tracking
people's movements with reader devices."
DAC carriers may also be targeted by identity thieves.
RFID tags, the small chip-and-antenna combinations used in wireless
toll-pay systems and payment devices such as the ExxonMobile Speedpass
key-chain tag, can be hacked by someone "with moderate technical
expertise," said Thomas O'Flaherty, principal associate at Input, a
consulting firm for government contractors.
One data security expert who has hacked into RFID chips worries that
the government will rush to deploy RFID, and then try afterward "to
bolt on" security measures to protect the fingerprint data.
"The U.S. government has a short track record with broad deployments
of RFID and biometrics," said RSA Security principal research scientist
Ari Juels. "There are many unknowns."
Juels and another RSA scientist helped researchers at Johns Hopkins
University hack the RFID chips used for Speedpass tags and electronic
vehicle immobilizers, which are a type of anti-theft device. The group
successfully used the chips' data to purchase gas and override a car's
So-called Faraday cages, the metal billfolds proposed as shields for
RFID chips in electronic passports, will also be used by the DHS to
help guard the data on the DAC between transactions.
But hackers will be able to eavesdrop on transmissions between the DAC
and RFID readers every time the card is read, and at distances up to
"tens of feet, potentially," said Juels.
The threat of passive eavesdropping will increase with each new use
for the DAC, part of the evolution of device functions known as
"function creep." DAC bearers will use their cards not just for
entering offices and logging on to computers in controlled
environments, but for other functions, such as paying their Metro
subway fare. (The Metro function will not be available at first, said
the DHS' Broghamer.)
RFID transmissions between the DAC and reader devices will be
encrypted, to stop wireless snoops from making sense of the data, said
But many government workers and contractors at the wireless
conference, who will be getting new cards similar to the DAC, worry
that their employer plans to follow their every move, such as when they
are riding the Metro.
"And it's not just us (government workers)," said an employee of the
U.S. General Services Administration, who would only give his name as
Patrick. "Soon it will be everybody."
More information about the FoRK