jim.shamlin.com

5: Me, I'm Not

Parking Meters

The digital parking meters that have been adopted by a number of municipalities are open to attack. One allegedly white-hat hacker was able to work the system to modify a parking card to obtain unlimited free parking in the city of San Francisco, which adopted these meters and networked them to reduce the cost of maintenance and service.

Some problems are inherent: an electronic-based system must have a way for a user to interact with it (in this instance, a "smart card" to make a payment) and another way for workers to maintain it and retrieve data. Both are vulnerable to unauthorized access.

The hacker in question purchased a number of smart cards at a convenience store (the clerk was suspicious until he said he was a sales manager buying for his team) and even used a laptop to jack into a parking meter's maintenance slot (doing so on the street is conspicuous, but the hacker joked that in San Francisco, you can tell people "it's for an art project" and no-one will think twice). It took only three days to figure out the system, and a few more to set up a fake card with an unlimited balance.

Meanwhile in Chicago, there was some calamity over the notion that parking meters in some neighborhoods charged more than those in others (which is generally true, driven by demand, but in Chicago, everything turns into an ethnic issue), along with widespread malfunctions that frustrated drivers, so there was widespread vandalism of the equipment. Under those circumstances, it was easy for hackers to take a meter off the street without raising much suspicion - the city would simply assume it to be vandalism - and it is implied that this occurred, as tampering increased sharply during the period of protest and continued even afterward.

A particularly egregious example was the Canadian-made meters in New York City, which had an infrared sensor for maintenance that could be hacked with a television remote. Aside from being able to get "free parking," a hacker can zero-out the timer (imagine someone takes "your" space and you want a little revenge). And as in other cases, the problem persisted, even with the knowledge of the city and the vendor, until there was a public media campaign ... and at that point, the problem was fixed in two days, demonstrating that complacency plays a significant role in perpetuating security problems.

Electronic meters that don't accept cash are an even larger concern, as they involve a credit-card transaction on an unsecured device. Between security concerns and inconvenience (you can't just drop a quarter and walk away, but must enter a PIN and wait for processing), these haven't been very successful or particularly welcomed by consumers. This also removes the anonymity of a coin-op or smart card meter, providing data by which a person's movements can be tracked.

An aside: the justification for switching to electronic meters from the mechanical ones that had been in use for over sixty years was that they are more efficient than traditional mechanical systems: harder to defraud (can't use simple slugs), less appealing to thieves (less money is stashed in the unit), and less prone to failure (fewer moving parts that might get jammed). This isn't ironclad, nor is it necessarily true: in some instances, the problems are worse with electronic systems than mechanical ones.

In spite of all the effort expended to make improvements, it's suggested that parking meters are a losing proposition for most cities. The cost of installation, monitoring, and maintenance exceeds the revenue from fares.

Transit and Security Passes

The author suggests that most transit systems are of little concern regarding privacy. While they use card readers, the cards themselves are not imprinted with personal information and have a very low maximum value, so there hasn't been much allure to hackers. But the newer systems that use RFID smart cards are raising some concerns.

The newer cards are no longer anonymous in some cities, such as London, where the data is used to track suspected terrorists through the underground and bus systems. The transit authority there can track movements of individuals in real-time, to be able to identify which bus a given person might be riding at any given moment.

While data on the cards are encrypted, researchers have shown how easy it is to crack the code. And while the value contained on a card is still relatively low, it's much easier to clone a card by reading a signal rather than having to get hold of a card with a physical magnetic strip. Newer card systems are available that offer stronger protection, but the cost of replacing a decade-old system is significant.

There's also a concern that RFID employee badges, aside from being able to track the movements of an employee to harass him, can be just as easily cloned and breached. Dutch officials used a similar system to transit cards to secure "top government buildings" and resorted to posting a fleet of security guards at the entrances after vulnerabilities in their system were detected.

And, naturally, the firms that manufacture such cards defended the security of their systems, and chose instead to litigate against the researchers who detected the flaws in their system rather than use their findings to improve their systems.

The author also found a few cases in which the federal courts sided with the manufacturers of transit and security cards, finding against researchers who detected flaws in their systems, though the two cases presented resulted only in an injunction against publishing or presenting research that eventually expired.

Workplace Security

Aside from technical concerns, the main problem with security in workplaces is that it's not taken very seriously. Even at companies that use security guards to visually inspect workers' badges, the guards give such badges a passing glance, barely enough to notice the design of the card, before waving people inside.

The author recounts a few personal experiments in which he held his badge in such a way that his fingers covered the photo, and security passed him through. Once inside, he was able to enter card-access areas simply by following people through the door without swiping his card. On a large enough corporate campus, people assume anyone inside the building with a badge is a fellow employee.

He does report one instance in which security "worked": having left his notebook behind, he arrived early to retrieve it and was unable to get into an area he was authorized to access during normal business hours, and received a call from security asking about the incident.

Cloning an RFID access card is fairly simple: the equipment to do so is small enough to fit into a briefcase, and if you can manage to brush past someone, you can scan their card without their knowledge. It doesn't need to be a security guard or an executive, as many janitors, maintenance workers, and mail clerks have cards that give them broad access to the facility.

One researcher also suggests that most companies use one of two common formats for employee access cards - one from Texas Instruments and a second from Philips - and there are numerous open-source scripts that will read these formats available on the Internet. The hardware to scan and write data to these cards is also fairly common and inexpensive.

Aside from wrapping the badge in a few layers of tinfoil, a person cannot prevent their access badges from broadcasting data. It can be read from a distance of a few feet, even if it is in a pocket, purse, or briefcase.

As an aside, the author notes that there are often "pranks" at security conferences that demonstrate the weakness in the devices and habits of attendees. One such conference had a "wall of sheep" displaying the images and data from attendees whose gadgets had been breached, obtained in real time. One scenario described used an RFID scanner at a coffee station to read the data from attendees who wore their employee badges.

It may be possible to use employee badges as part of a security system, but it is not truly secure unless it is used in combination with another method of access, such as requiring an employee to enter a code on a keypad (and the code is not stored on the device). And in addition to tracking employees entering secure areas, an additional measure of security is to track them when they leave.

Contrary to his earlier fear-mongering about an employer's tracking the movements of workers inside a building, the author now suggests that it could be "very beneficial" in instances such as emergencies to know how many people are still inside a building.

Subdermal Implants

Implants of RFID chips the size of a grain of rice are already being used in pets and livestock to help veterinarians find lost pets and ranchers to manage their cattle. An implant this size can hold a sixteen-digit identification code that can be read with a scanner.

The author suggests that the same technique is being used in humans. Some military personnel have been implanted with chips to enable identification. (EN: he doesn't mention which country, and I can't find corroboration online, so I'm doubtful - though I did find instances where individuals had themselves implanted with veterinary devices for their own purposes, but I find no instances of institutional use in humans.)

He also mentions a Spanish beach club that had the idea to offer this as a service to guests, as a method for them to pay for services at the resort. (EN: confirmed, but it's suggested not many guests were keen on the idea and the resort has apparently gone out of business.)

The notion of using the chips for hospital patients, as a way of ensuring they were accurately identified by caregivers, also did not go over well, and the American Medical Association has done much to discourage the practice.

The manufacturer claims that the system is secure: it is very difficult to "steal" a chip out of a person, a chip is much more secure than any physical artifact that could be lost, and reading it will yield only an ID number, such that the hacker would also need to gain access to a data system to reference any other information. However, it's still relatively simple to read the chip without the knowledge of the subject and clone the ID number to pose as that person, and most chips are left "open" so that they can be rewritten, effectively erasing the subject's identification. Moreover, the RFID chip will always be with the wearer - you can't leave it at home as you can with an employee badge or smart card you don't intend to use.

Credit Cards and Passports

RFID tags were introduced into credit cards as a measure of convenience and security, but they are neither convenient nor secure.

American Express readily adopted and touted the security and convenience of "ExpressPay" chips in their credit cards, but found that very few merchants were willing to upgrade their POS hardware to accept them. (EN: Another source mentions that they even tried to give away the equipment for free, but the terms of the agreement made it seem the merchant would bear the loss of unauthorized or disclaimed charges.)

Moreover, adding an RFID chip to a credit card gave it the same vulnerabilities as any other RFID implementation: it could be easily "sniffed" in passing, forged, or overwritten.

RFID chips are also used in passports in over forty countries, including the US and UK. The British government bragged about the security of its chips to assuage public concerns - but a London tabloid gave a copy of a chipped passport to a hacker, who was able to read the content of the chip in less than four hours, pulling three files: one containing the passport data, the second a scan of the passport photo, and a third with security access information.

One of the "security" features of these passports is that they have a passive tag that requires a reader to provide power and can allegedly be used only from a short distance, but "independent studies" have reported being able to read such a chip from a distance of thirty feet.

Various attempts have been made to make the chips more secure, such as including a magnetic strip to contain an encryption key to decode the data on the RFID chip. But ironically, passports do not use the highest grade of encryption because that would violate US government restrictions on exporting that data to other countries.

Cracking an e-passport would thus require the hacker to have the physical passport and be able to scan both strip and chip, or to scan the chip and store the data for later decryption on a laptop. This is less convenient, but most uses for passport data (such as making forged documents) are not time-sensitive and require working with physical artifacts outside a public location.

Naturally, the answer is for government to make hacking passport data illegal. As if hackers care.

The problems of personal data on drivers' licenses were mentioned previously, and this is compounded by the use of RFID tags. While this has been successful in preventing teenagers from manufacturing fake ID cards to buy cigarettes and alcohol, it's not an obstacle to those with more sinister motives.

Some of the most effective means of ensuring the validity of drivers' licenses have been very low-tech. Better security of blank licenses, the use of a laminate etched with a hologram, and other physical assurances have made the document more difficult for an amateur to forge.

But on the other hand, getting the state to issue an authentic license under a false identity is still very easy because the documentation required to obtain one is very low-tech. Since a driver's license is often the only form of photo ID most people have, the various documents that must be presented to get one have no photograph. It's easy enough to get a copy of a birth certificate, and very easy to forge one. Also, most drivers' license bureaus will accept a license from another state, even if it's expired, and even without the ability to validate it.

(EN: Personal experience with a friend who needed a license and had lost his old one from another state found that he could get one with a social security card and a family bible with his name written in it. This was some twenty years ago, but checking the DMV site, they still accept easily forged documents such as an apartment lease, utility bill, insurance card, payroll stub, and other easily-forged documents. They apparently are no longer accepting bibles, however.)

RFID in Consumer Goods

Retail stores have long used RFID tags on consumer goods for tracking and security: a security clip affixed to a high-ticket item such as a pair of jeans is detached at the register, or a cheaper tag affixed to an item would be deactivated, and an alarm installed at the door would sound if an active tag was carried past the registers. These tags could also be used for inventory, to scan a rack of items rather than having to manually count and tally them.

The author's concern is that these tags are becoming smaller and cheaper, no longer reserved only to high-risk, high-ticket items, and no longer deactivated when the product (legitimately) leaves the store. Such tags enable retailers to save labor and provide convenience to customers by enabling a touchless checkout procedure, or a "smart cart" that inventories merchandise. The adoption of these tags by retail giant Walmart (on the price tags of clothing items) creates economies of scale that make them even cheaper to use on low-cost items.

In amusement parks, RFID tags are used in bracelets that give customers access to attractions. (EN: This goes back to Disney's ticket system, which sold five levels of ticket, A through E, at various price points to allow access to different attractions - previously the color of a ticket or bracelet was used to indicate level of access.) One particular park uses them in a disturbing way: to create souvenir videos by using the park's surveillance cameras and editing together scenes of a particular patron.

To make it economically feasible to install scanners throughout a controlled environment, their range has been boosted. The newer, cheaper tags can be read at a distance of over 200 feet (not just the thirty feet suggested to quell concerns about RFID tracking), and can theoretically be boosted to a distance of 500 feet.

It's also been noticed that the scanners that read store merchandise tags can also pick up the tags in credit cards, drivers' licenses, and other personal effects, to track shoppers as well as merchandise through a store. A combination of RFID tags in merchandise can be used to identify a specific person (not know their identity, necessarily): a combination of two or more tags, such as an RFID tag embedded in a pair of shoes and another one sewn into a jacket, can be virtually unique - add a third, and it's almost certain that no two individuals would have the same RFID "signature."

(EN: The author previously stressed RFID were not sewn in or embedded, but on detachable tags or clips - but it's entirely plausible retailers and manufacturers might work together to take it to this level - and as with current use of RFID, it will likely start with high-ticket items and spread to the entire inventory.)

There is no real-world example, but the author imagines an RFID tag in a shopping loyalty card could be used to track each customer in a store, to know their habits, and even to use in-store advertising to address them by name and present offers based on their shopping habits. Some customers might welcome this as a convenience, others might find it uncomfortably intrusive.

Given that the "generation 2" tags cannot be deactivated when an item leaves a store, the potential abuses are fairly obvious: a person can be digitally followed by reading the tags in their clothing and personal effects, or identified as someone wealthy by a thief who catalogs the tags on luxury items - in which case the thief might follow the tag on the item, rather than the person, to determine if there were items in a person's home he might want to steal. If he can identify the RFID tag in a license, he might also be able to detect when the owner was away. On the flip side, police might read RFID tags from the street to locate stolen property - hopefully with accuracy.

Random Bits

(EN: Various other mentions of RFID that didn't really fit in the topics above)

The idea that tags could be used to facilitate international travel, with the code recorded when a citizen leaves a country to recognize them on their return and expedite their re-entry, is too unreliable to be put into use just yet. However, their use in wallet-card-sized "mini passports" is already common and, because the tag is unique to an individual, facilitates tracking their movements within a country by unauthorized parties. One researcher noted being able to pick up "several" such tags in a metropolitan area.

Since wallets are used at a register, it would be relatively simple to install a scanner to recognize a person as they approach. The clerk might be able to address them by name, or at least ask if they'd prefer their usual order. (EN: a reasonably good clerk can recognize a "regular" and remember their usual order if they have one without technical help. It might be a bit disconcerting to be called by name by an unfamiliar clerk in a place you don't go very often, but it's hardly cause for alarm.)