Hackers crash e-passport readers -- stage set for exploits
Lukas Grunwald -- last seen cloning Germany's RFID passports -- is back with more "white hat" hackery on the world's new e-passport systems. This time, however, he's crashing RFID readers to demonstrate how a hacked passport could conceivably force approval of expired or forged passports. After all, "If you're able to crash something you are most likely able to exploit it," says Grunwald. Lukas was able to crash two passport readers made by different vendors by first cloning a passport's chip and then modding the JPEG2000 image file stored within the chip to create a buffer overflow condition -- the same class of vulnerability that makes so many devices (the original Xbox, anyone?) so easily exploitable. Lukas contends that all airport readers are likely vulnerable to such an exploit, since they would be using off-the-shelf libraries for decoding JPEG images. Lukas will be demonstrating his latest hack this weekend at DefCon in Vegas. Hmmm, with CES moving to RFID badges this year, we have a funny feeling that attendance is going to be way up. [Via BoingBoing]
Reader Comments (Page 1 of 1)
Bernhard @ Aug 1st 2007 5:24AM
Next thing you know, people will start running homebrew on those machines.
L. Cyphre @ Aug 1st 2007 5:50AM
Yes... But Will They Run DOOM?
AlexP @ Aug 1st 2007 5:32AM
Linux is keeping you alive. :o
Alan Partridge @ Aug 1st 2007 5:50AM
Most countries are deliberately introducing piss poor biometric and other 'protection' so, when they inevitably fail and there's a major incident, they can introduce even more draconian 'security measures'.
L. Cyphre @ Aug 1st 2007 6:27AM
...Need a tinfoil hat?
pigfister @ Aug 1st 2007 12:03PM
I hear that.
http://video.google.com/videoplay?docid=7866929448192753501
Rboyett @ Aug 1st 2007 9:12AM
Everyone that saw this coming a million miles away, raise your hand.
**raises hand with every other Engadget reader**
Astrosapien @ Aug 1st 2007 10:26AM
*raises hand*
David @ Aug 1st 2007 1:47PM
Didn't Engadget already have a post to counter this?
...the Hammer picture?
bird @ Aug 1st 2007 2:33PM
I actually work in this field. The data is encrypted on the chips. I'm confused on how crashing the reader will prevent the customs agent from looking at the picture and expiration date on the badge? Also, if you think just a piece of paper is harder to fake than encrypted data, you are a fool.
theotherstevejobs @ Aug 1st 2007 3:22PM
Why the hell don't they put a read on/off membrane button on these things? It would cost nearly nothing compared to all the problems with always-readable RFIDs.
theotherstevejobs @ Aug 1st 2007 3:27PM
Oh, it would also reduce the readable time from 86400 seconds/day to 2 or 3 seconds - and only when you're near a reader. It would then be simple to beat the shit out of anyone near a point of entry at an airport holding and pointing the reader right at the official reader - because it would be obvious. You'd have to have some kind of pointable antenna and it would have to be pointed right at the official reader because otherwise - the switch in the RFID in the passport would be defaulted to open - and the circuit in the RFID would be open, and render it unreadable unless the membrane button was pressed, closing the circuit between the antenna and the rest of the RFID's circuits.
a.k.a. an on/off button.
Adam @ Aug 1st 2007 3:28PM
PSP got hacked via a jpeg overflow as well...
David @ Aug 1st 2007 5:23PM
That's hackers for ya
Matt @ Aug 3rd 2007 11:33AM
RFID is a joke. Smart Cards. It needs to be Smart Cards.
ghostinthemachine @ Aug 13th 2007 4:33PM
Um, it is SmartCards. Where there is fear, there is money to be made. Lukas is a smart guy.
The trick is to make sure all drivers and applications verify the jpeg before expanding it. The jpeg image is embedded as a file inside the smart card called DG2. Alterations of the DG2 can be verified through software signatures and hash values.
Even with the above not employed, data execution protection has been around since Windows XP SP2. By default all memory allocated by applications will have non execute restrictions placed on it from a software and hardware level. Applications wishing to allocate executable memory must explicitly do this. Application memory space and the heap are separate and protected.
I believe part of what Grunwald says is true, the rest a good show and makes for good stories to print. A little more investigative journalism would go a long way here.
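The article describes a buffer overflow triggered by a tampered JPEG2000 image in DG2, and the comment above argues that readers should verify the image before expanding it. The following is an added example, not code from Engadget, from Grunwald, or from any reader vendor, showing the kind of pre-decode check a reader could run: it parses only the SOC and SIZ marker segments at the start of a JPEG 2000 codestream (as laid out in ITU-T T.800), checks every length and dimension against the bytes actually present and against fixed caps, and only reports a decode-buffer size if everything is consistent. The caps (`MAX_DIM`, `MAX_COMPONENTS`, `MAX_DECODE_BYTES`), the `build_siz_header` helper and the sample headers it constructs are assumptions made for this example, not values from the article or the ICAO specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Caps for a passport portrait (a few hundred pixels per side). These are
 * assumptions for this example, not values from the article or ICAO 9303. */
#define MAX_DIM          4096u
#define MAX_COMPONENTS   4u
#define MAX_DECODE_BYTES (16u * 1024u * 1024u)

enum img_status { IMG_OK = 0, IMG_TRUNCATED, IMG_BAD_MARKER, IMG_BAD_LENGTH,
                  IMG_BAD_GEOMETRY, IMG_TOO_LARGE };

struct img_geometry { uint32_t width, height; uint16_t components; uint64_t decode_bytes; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check the SOC and SIZ marker segments of a JPEG 2000 codestream (ITU-T T.800)
 * before any decoder touches the data. Every value that would later size a
 * buffer is range-checked against the bytes actually present and against the
 * caps above; the decoder should only run if this returns IMG_OK. */
enum img_status validate_j2k_header(const uint8_t *buf, size_t len, struct img_geometry *out)
{
    if (len < 42) return IMG_TRUNCATED;                 /* SOC + SIZ marker + 38-byte fixed part */
    if (rd16(buf) != 0xFF4F) return IMG_BAD_MARKER;     /* SOC marker */
    if (rd16(buf + 2) != 0xFF51) return IMG_BAD_MARKER; /* SIZ marker */
    const uint8_t *siz = buf + 4;                       /* Lsiz starts here */
    uint16_t lsiz = rd16(siz), csiz = rd16(siz + 36);
    if (csiz == 0 || csiz > MAX_COMPONENTS) return IMG_BAD_GEOMETRY;
    if (lsiz != 38u + 3u * csiz) return IMG_BAD_LENGTH; /* length field must agree with Csiz */
    if ((size_t)lsiz > len - 4) return IMG_TRUNCATED;   /* ...and must fit in the buffer */
    uint32_t xsiz = rd32(siz + 4), ysiz = rd32(siz + 8);
    uint32_t xosiz = rd32(siz + 12), yosiz = rd32(siz + 16);
    uint32_t xtsiz = rd32(siz + 20), ytsiz = rd32(siz + 24);
    if (xsiz <= xosiz || ysiz <= yosiz || xtsiz == 0 || ytsiz == 0) return IMG_BAD_GEOMETRY;
    uint32_t width = xsiz - xosiz, height = ysiz - yosiz;
    if (width > MAX_DIM || height > MAX_DIM) return IMG_TOO_LARGE;
    uint64_t bytes_per_pixel = 0;
    for (uint16_t c = 0; c < csiz; c++) {
        const uint8_t *comp = siz + 38 + 3 * c;
        unsigned depth = (comp[0] & 0x7F) + 1;          /* Ssiz stores bit depth minus one */
        if (depth > 16 || comp[1] == 0 || comp[2] == 0) return IMG_BAD_GEOMETRY;
        bytes_per_pixel += depth > 8 ? 2 : 1;
    }
    /* width, height <= 4096 and bytes_per_pixel <= 8, so this product cannot wrap in 64 bits. */
    uint64_t bytes = (uint64_t)width * height * bytes_per_pixel;
    if (bytes > MAX_DECODE_BYTES) return IMG_TOO_LARGE;
    if (out) { out->width = width; out->height = height; out->components = csiz; out->decode_bytes = bytes; }
    return IMG_OK;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Constructed test input: a minimal SOC+SIZ header with 8-bit, unsubsampled
 * components and one tile. Returns bytes written, or 0 if it does not fit. */
size_t build_siz_header(uint8_t *buf, size_t cap, uint32_t xsiz, uint32_t ysiz, uint16_t csiz)
{
    size_t need = 4 + 38 + 3 * (size_t)csiz;
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr16(buf, 0xFF4F); wr16(buf + 2, 0xFF51);
    uint8_t *siz = buf + 4;
    wr16(siz, (uint16_t)(38 + 3 * csiz));
    wr32(siz + 4, xsiz); wr32(siz + 8, ysiz);        /* image origin offsets stay 0 */
    wr32(siz + 20, xsiz); wr32(siz + 24, ysiz);      /* one tile covering the whole image */
    wr16(siz + 36, csiz);
    for (uint16_t c = 0; c < csiz; c++) { siz[38 + 3 * c] = 7; siz[39 + 3 * c] = 1; siz[40 + 3 * c] = 1; }
    return need;
}

/* Build a header with the given SIZ fields and validate it in one call. */
enum img_status status_of_header(uint32_t xsiz, uint32_t ysiz, uint16_t csiz, struct img_geometry *g)
{
    uint8_t hdr[64];
    size_t n = build_siz_header(hdr, sizeof hdr, xsiz, ysiz, csiz);
    return n ? validate_j2k_header(hdr, n, g) : IMG_TRUNCATED;
}

int main(void)
{
    struct img_geometry g = {0};
    printf("480x640x3 portrait: status %d, decode buffer %llu bytes\n",
           status_of_header(480, 640, 3, &g), (unsigned long long)g.decode_bytes);
    printf("Xsiz = 0xFFFFFFFF:  status %d\n", status_of_header(0xFFFFFFFFu, 640, 3, NULL));
    printf("zero height:        status %d\n", status_of_header(480, 0, 3, NULL));
    return 0;
}
```

The point of the design is that the decoder never sees a dimension or length the validator has not already bounded: a length field that disagrees with the component count, a header cut short by the chip, or a declared width that would wrap an allocation all stop at `validate_j2k_header`, and in a real reader that rejection would come after the DG2 hash has been checked against the signed security object, as the comment above describes.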