
A Dutch television program "Nieuwslicht" recently worked with local security firm Riscure to successfully crack and decrypt a Dutch prototype RFID passport. In this case, the data exchange between the RFID reader and passport was intercepted, stored, and then the password was cracked later in just 2 hours on a PC, giving full access to the digitized fingerprint, photograph, and all other encrypted and plain-text data on the RFID tag -- just perfect for slapping together a cloned passport, eh? The flaw, at least in part, is due to the algorithm used when generating the secret key to protect the data. The key turns out to be predictable given that passport numbers are issued sequentially and the key is constructed from the passport expiry date, birth date, passport number, and checksum. But don't kick back in superior isolationism just yet, kid.
Starting October 2006 the US will issue all new passports using the same ISO 14443 RFID tag and Basic Access Control encryption scheme employed by the Dutch e-passports (and others) and adopted by the ICAO as global standards. It's still not clear at what distance the exchange was intercepted -- while the passive ISO 14443 tag is spec'd with a read distance of only 2 millimeters, you'll find claims of reads at several meters. This is important 'cause the greater the read distance in, say, the line at airport immigration control, the greater the chance of abuse. Regardless, the Dutch e-passport system is still under development, allowing for changes, which makes us wonder: is ours? Wouldn't be the first time we've abandoned RFID passport plans due to technology concerns.
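To make the "predictable key" point concrete, here is the ICAO 9303 Basic Access Control key derivation the article refers to, written as an added example (not code from this post, from Riscure, or from the Nieuwslicht broadcast): the document number, birth date and expiry date, each with its check digit, are hashed with SHA-1 to produce the seed, and the encryption and MAC keys are derived from that seed alone. Because nothing else goes in, the keys are exactly as unpredictable as those three MRZ fields, which is why sequential numbering tied to the expiry date shrinks the search space. The worked values are the public test vector from ICAO Doc 9303.

```python
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, A-Z as 10..35,
    the filler '<' as 0; weights 7,3,1 repeat; result is the sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            v = int(ch)
        elif "A" <= ch <= "Z":
            v = ord(ch) - ord("A") + 10
        elif ch == "<":
            v = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += v * (7, 3, 1)[i % 3]
    return total % 10


def with_odd_parity(key: bytes) -> bytes:
    """Set the DES parity bit (LSB) of every byte so each byte has odd parity."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (K_seed, K_enc, K_mac) as ICAO 9303 derives them from the MRZ;
    doc_number is padded with '<' to the 9-character MRZ field."""
    fields = (doc_number.ljust(9, "<"), birth_yymmdd, expiry_yymmdd)
    # MRZ_information: each field immediately followed by its own check digit
    mrz_info = "".join(f"{f}{mrz_check_digit(f)}" for f in fields)
    # K_seed is the first 16 bytes of SHA-1 over that string and nothing else,
    # so the keys carry no entropy beyond what the three MRZ fields provide
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        # K_enc uses counter 1, K_mac counter 2: SHA-1(K_seed || counter)[:16]
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return with_odd_parity(h[:16])

    return k_seed, derive(1), derive(2)


if __name__ == "__main__":
    # Worked example from ICAO Doc 9303 (document L898902C<, born 690806, expires 940623)
    for name, k in zip(("K_seed", "K_enc", "K_mac"), bac_keys("L898902C<", "690806", "940623")):
        print(name, k.hex().upper())
```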
[Via The Register and Vara (Dutch), Thanks Robin]
Reader Comments (Page 1 of 1)
Jan Dev @ Feb 3rd 2006 9:32AM
This news is actually old, from July 2005!
These guys presented this thing first at the What The Hack conference back then. This is not new.
Check those slides from What The Hack:
http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf
mike @ Feb 3rd 2006 9:33AM
would it be that hard to change the encryption before they start the roll out?
jmg_bt21 @ Feb 3rd 2006 9:39AM
They better... Though that reminds me... I must RENEW my passport BEFORE October...
Arnoud Ringoir @ Feb 3rd 2006 9:43AM
I'm Dutch and I saw the TV show where they demonstrated it. You can watch it too by clicking this link:
http://cgi.omroep.nl/cgi-bin/streams?/tv/vara/nieuwslicht/bb.20060127.asf
If you skip to 6:20 you can see how it's done.
The hacker and female voice explain they can hack it because the passport numbers are sequential and are linked to the expiry date. That way they can narrow the range and brute-force it. That way it will take 3 hours to decipher an RFID passport chip.
The Dutch government also noticed this and they are willing to change the numbering of the passport, but since such a decision will take some time and new RFID passports are arriving in August 2006, it will not come in time. So the new Dutch passport will be weakly encrypted/protected.
BlueLightBandit @ Feb 3rd 2006 9:47AM
Of course, but what's to prevent someone from hacking that encryption as well.
There needs to be some sort of "off" switch so that the RFID isn't broadcasting 24/7 to anybody listening. (A la one of those fancy Hallmark Cards that plays music when you open the card, the RFID "enables" itself when you open the passport book)
Again, the simple rule of encryption is that every code/password/algorithm can be hacked with enough time; software and network passwords will disable after so many failed attempts, thus restricting the access to the possible hack.
RFID is intrinsically unsafe because there is no mechanism to disable itself, it just sits there like Forrest Gump at the bus stop talking to anybody who will listen.
Wonderful security there Mr. President.
Jan Dev @ Feb 3rd 2006 9:48AM
July 28, 2005:
http://www.riscure.com/news/passport.html
Jan Dev @ Feb 3rd 2006 9:50AM
This research by Riscure is actually quite old. It has been done in July 2005.
It was presented at the What The Hack conference. People have no memory.
You can download the presentation of this hack here:
http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf
James @ Feb 3rd 2006 10:21AM
They will continue to go forward with the idea.
fabienne @ Feb 3rd 2006 10:35AM
Also worth noting: German passports with RFID won't be reissued if the RFID part is damaged; this may be the same with other countries as well due to personnel shortages at passport offices. Paranoid? Stick your passport in the microwave for a few seconds or simply bend it gently in your hand a few dozen times to break the RFID antenna. Alternatively, wrap your RFID-based passport in foil, tin-foil-hat style.
Side note: if you are a French citizen and were lucky enough to think of renewing your passport before October of 2005 and you have the machine-readable two lines on the bottom edge of your passport required by the United States, you are good to travel without an RFID passport for ten years.
Also see Harald Welte's research pertinent to most RFID passports:
http://openmrtd.org/about.html
https://events.ccc.de/congress/2005/fahrplan/events/769.en.html
http://gnumonks.org/~laforge/weblog/linux/mrtd/
cheers,
fbz
john c @ Feb 3rd 2006 10:36AM
"There needs to be some sort of "off" switch so that the RFID isn't broadcasting 24/7 to anybody listening."
-BlueLightBandit
This is not possible, since RFIDs do not 'broadcast' anything. That's the whole point behind them, and hence why they don't require a power supply. They simply bounce signals in a sophisticated way.
That being said, your idea has merit, and could work if there is a way to make passport books fitted with shielding to keep the RFIDs from being detected until they are opened. Albeit, it would be expensive.
Jerry Whiting @ Feb 3rd 2006 10:38AM
Flawed math. Haven't we heard this lame-ass excuse before? Why don't the 'professionals' get it? Does 'zero defects' ring any bells?
I'm waiting for someone to rig up a backpack with a directional antenna that can read RFID passports and IDs across the room. Or airport.
Bill @ Feb 3rd 2006 10:51AM
The even scarier part is they clearly did not use even the most convenient cracking options. With one intercepted ID, they cracked in 3 hours. Even if the algorithm were improved, one could easily stand near a tourist group from a single country and intercept several. Using the commonality would also allow a reduction of cracking time even assuming the numbering scheme is eventually fixed.
This is a Bad, Bad, Bad idea promoted by the governments paranoid about their citizens in such a way to make the paranoia of citizens against government and other citizens a valid fear. Neo-Orwellian.
Ladderless @ Feb 3rd 2006 11:58AM
This is probably a stupid question, but why RFID? What's the advantage over a "Smart Card" chip? One that would require actual contact?
AH @ Feb 3rd 2006 12:01PM
#10-->
Just checked travel.state.gov and it indicates there will be shielding on all U.S. passports that will protect data from "skimming" as long as the passport remains closed. As well, all new U.S. passports (beginning 30 December 2005 in most areas!) will be "e-passports"
Mike @ Feb 3rd 2006 1:15PM
Who cares about strong encryption or zero defects - the DMCA protects our passports...
I'm sure RFID is being used instead of a SmartChip because of marketing and reduced costs due to mass production - they probably forgot to add in the cost of shielding though. A SmartChip wouldn't help much anyway, as anyone who has had their CC data dup'ed by restaurant waitstaff can attest.
I agree with the idea behind all this, that analog passports don't really offer much in the way of a guaranteed ID, but an easily duplicated digital system sure isn't going to help.
Jeff @ Feb 3rd 2006 3:30PM
I just renewed my passport so I'm safe for 10 years, at least. While I'm not exactly confident about it, I'm hopeful that they'll work out all the issues by then and will have either a) secured this system better, or b) ditched it completely. One good thing is that the US government has shown that while they may be pretty clueless about the technological issues behind this scheme, they're at least open to change when convinced of the negative aspects of it (they've made changes to alleviate concerns before). So hopefully in the 10 years I have to renew my passport again, they'll do something about this sorry system they've got planned.
Otherwise I will seriously be wrapping my next passport in tinfoil. Look for an explosion in the aftermarket "protective passport case" market, with all sorts of new materials designed to thwart identity thieves.
consumer_q @ Feb 3rd 2006 5:48PM
" I just renewed my passport so I'm safe for 10 years, at least."
Are you sure? What makes you think that the gov't will not just decide in 2 years that RFID-less passports are no longer accepted? You know, in the name of fighting terrrrrists.
Ryan @ Feb 4th 2006 10:15AM
Here's a scary but realistic terrorism scenario that got the US gov't's attention:
(from dailykos; http://www.dailykos.com/story/2006/2/3/162911/3140)
To his credit, Under Secretary of State Frank Moss came to the International Conference on Computers, Freedom, and Privacy last spring to face the critics of the US RFID passport scheme. During his panel, the ACLU's Barry Steinhart demonstrated a reader effective at 10 inches.
Afterwards, in the hallway, photo (That's me in the background.) EFF's John Gilmore explained how the range could be extended to 10 feet. Travel writer Ed Hasbrouck then laid out a scenario in which terrorists used an off the shelf RFID reader to detect the presence of a US Passport holder on a bus in Beirut, triggering a pre-installed bomb.
This apparently impressed Moss, who delayed introduction of the chipped passports originally scheduled for last June, so that they could be made with wire mesh shielding to prevent them from being read when closed. He also directed the data be encrypted, bringing us to the flaw identified in the diary.
Ross @ Feb 4th 2006 1:37PM
Instead of throwing all the data across with the RFID transfer (address, picture, etc), why don't they use a unique key that is looked up in a central database on the airport computers? That way, even if someone decodes it and gets the hash, they'll still need all the information in order to dupe a passport.
Juha-Matti Laurio @ Feb 6th 2006 6:38PM
Riscure press release link is broken due to some extra < br > tags (see comment #6). The working link is:
http://www.riscure.com/news/passport.html