Such watchdog organizations are vitally important for making sure that the secure-identity programs now emerging from many governments are ones we can all live with. I am staunchly in favor of holding every government security program to unyielding standards of efficiency, effectiveness and privacy.
Conversely, I am staunchly in disfavor of alarmist, pudding-headed and just plain wrong writing on the topic. Unfortunately this particular EPIC report stands proudly in the latter camp.
EPIC focuses on four specific technologies for criticism: radio frequency identification technology, Bluetooth wireless, biometrics and PIN backup. It gets all four humorously wrong.
Much of the text deals with RFID and Bluetooth. The criticism, in a nutshell, is that both RFID and Bluetooth can be remotely intercepted by unauthorized readers, posing both privacy ("Hey--that guy's an American, let's sell him something!") and security ("No, let's kidnap him!") problems.
Indeed, an ID card that uses RFID and Bluetooth is a really bad idea. Fortunately, the Access Card program, or DAC, is not such a card.
Instead of RFID, the DAC uses a standard called ISO/14443 for wireless communication between the card and reader. RFID and ISO/14443 are totally distinct technologies, and ISO/14443 is much harder to snoop. RFID is unencrypted and meant for inventory scanning at a distance of several feet. ISO/14443 is usually encrypted and has a read range of a few inches or less.
There are certainly vulnerabilities in ISO/14443, but they are much less severe than the ones in RFID, and it's either lazy or dishonest to conflate the two. The real long-term solution is to move to contactless cards with strong cryptography. These are already available in the market and will replace the current generation of ISO/14443 cards over the next few years.
EPIC has confused RFID and ISO/14443; that's annoying but perhaps forgivable. What about Bluetooth problems? Crazy talk. The DAC does not use Bluetooth. The DAC does not use anything remotely resembling Bluetooth. As far as I know, no ID card uses Bluetooth, because it is neither possible nor desirable to put a protocol designed to let cell phones talk to PCs and peripherals onto a passively powered card. Bluetooth and access cards are completely orthogonal--like life insurance and whales.
Wading into biometrics, the criticism becomes less surreal but no more valid. EPIC rehashes the standard argument that fingerprint biometrics let in too many bad guys and keep too many good guys
Biography
Phil Libin is president of CoreStreet, an ID management and access control company in Cambridge, Mass. His regular thoughts can be found at Vastly Important Notes.
18 comments
Join the conversation! Add your comment (Log in or register)
2005/04/security_risks_2.html :
Police in Malaysia are hunting for members of a violent gang who
chopped off a car owner's finger to get round the vehicle's hi-tech
security system.
The car, a Mercedes S-class, was protected by a fingerprint
recognition system.
Of course, some of the sensors out there are smart enough to distinguish a living finger and a dead one, but many criminals are very stupid and uninformed and would try it anyway. Fun, fun.
The problem with technology as it relates to security is always the same - as fast as an organization can discover a way to protect something, five others have found a way to crack the nut.
I'm not an alarmist, I'm a realist. Banks are losing personal data. Phishing steals away the secrets of hapless victims, people devise physical tricks to capture credit card information using ATMs. Is the search for another's ID suddenly going to diminish once there's a new lock on the door? I think not. Phil Libin and his company will have plenty of work in their future, and I'd bet they already know it.
But what kind of protection is that really? If an ID card, or a passport has a contactless chip in it that can be read by a device at a distance, then presumably there will be 10s of thousands, if not more, of these reading devices, each of which can read that very contactless chip, and will be able to do so for lifetime of the chip (maybe 10 years?).
What on earth is going to prevent a reasonably intelligent terrorist from stealing just ONE of those devices, and souping it up so that it can read from a considerable distance?
Or are we only worried about the incompetent terrorists, who won't figure this out?
In at least one of these components the human factor is critical to keep the security system secure. As we well know, humans are inherently insecure "devices" in the secured chain and because we can never cut the human factor away, the build up of a 100% secure system is so futile as the Perpetuum Mobile.
Any secure system should offer levels of broader access for control and administrative purposes. Here is where the human factor becomes critical, as the wrong guy(s) (terrorist, corrupted official) could do harm proportional to the number of users and importance of data depending of such system.
So again security is always going to orbit around user education and the high morale of the key persons involved in the maintenance of such systems.
Everything from impregnable databases, instantly displaying the details of wanted terroists to Homeland Security Officers (who incidentally have been found to be no more effective than the much maligned private security the airlines used to employ, and have also stated that technology will fix everything) to magic ID cards that will prevent 911 from happening again.
The flaws in these proposals are there for everyone to see. First of all there is no such thing as an uncrackable security system, secondly none of the proposed invasions on privacy would have stopped a single terroist from performing the attrocities of 911 (all of which had valid visas, and therefore would have easily obtained one of these new, techo-fix-all id cards). They didn't need to hide who they were, and several being listed in anti-terroism databases, were still able to board planes at will.
The other thing that constantly amazes me is that the US public is happy for their government to start spying on them, Nixon fashion, under the pretext that this will in some way protect them from terroism.
No doubt wiser heads than mine will explain how having national databases full of personal and biometric data will prevent people from other countries blowing up planes.
To be blunt Americans are being told that having their bank accounts monitored, their personal information stored in easily hackable, unencrypted databases, whilst at the same time carrying id cards that DO broadcast their identities well beyond the "several inches" often quoted, is in some way going to stop terroists.
All this is going to do is hand very large government contracts to this administrations friends and families, and while you may be able to prove beyond doubt who you are (yes, ofcourse, because all technology is infallible, and no one could possibly forge the identity of another person armed with a digital photograph on a plastic card, broadcasting it's data to anyone who can hack into the companies that produce said cards), terroists will be using their IT expertise (and you're a fool if you think they don't have any) to mass produce these so-called infallible id cards for their recruits to attack the US.
The worst part is that because everyone will believe these systems to be infallible two things will happen. First, when someone is wrongly listed as a person of interest, it will be impossible to get this corrected - because no one will believe that the system could be wrong, and secondly, when the system does query the id of someone using a forged card to enter the country, the very fact they're carrying one of these terroist-proof id cards will probably mean they get to pass through immigration without any problems.
surveillance/spotlight/0405response.html