RFID Passport Security "Poorly Conceived"
Posted by kdawson on Thu Nov 09, 2006 01:21 PM
from the we-knew-this dept.
tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MRTDs which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."
Related Stories
Hackers Clone E-Passport 185 comments
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
Technology: E-Passport In the Works 300 comments
ExE122 writes "In an attempt to curb falsification of passports, the United States has placed an order for millions of embedded ID chips. 'The chips carry an encrypted digital photograph of the passport holder. The chip is designed to be read by a special device that will be used by U.S. government workers who check passports when travelers come through border crossings. The State Department began issuing what are being called e-passports to tourists last week and will gradually increase production. State Department spokeswoman Janelle Hironimus said existing passports will remain valid until they expire but, eventually, all U.S. passports — about 13 million will be issued in 2006 — will contain such chips.'"
Your Rights Online: RFID-Reading Passport Scanners Installed 151 comments
Kozar_The_Malignant writes, "Electronic passport scanners have been installed at SFO. Ten of the scanners were received last week and have now been put in service. Various creative responses have been discussed here before."
Ask Slashdot: Would You Trust RFID-Enabled ATM Cards? 214 comments
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
Your Rights Online: E-Passport Cloned In Five Minutes 259 comments
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
Your Rights Online: Disabling the RFID in the New U.S. Passports? 294 comments
slashchuck writes "Along with the usual Jargonwatch and Wired/Tired articles, the January issue of Wired offers a drastic method for taking care of that RFID chip in your passport. They say it's legal ... if a bit blunt. From the article: 'The best approach? Hammer time. Hitting the chip with a blunt, hard object should disable it. A nonworking RFID doesn't invalidate the passport, so you can still use it.' While this seems a bit extreme, all indications seem to be these chips aren't very secure. How far will you go to protect or disable the RFID chip in your passport? Do you think such a step is necessary? Does anyone have an argument in favor of the technology's implementation here?"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Why make them unnecessarily data rich? (Score:3, Informative)
The "machine readable" part should not need to contain anything more than a unique number (i.e. primary key) and perhaps a PKI type hash to verify authenticity. The rest can be contained in a (hopefully) secure database using an international common format or schema. The ID number could also be solely used as a passport serial number and not used for any financial purposes.
The actual report (Score:4, Informative)
Unique number (Score:3, Insightful)
I said it before and I'll say it again... (Score:4, Informative)
microwaves! (Score:4, Informative)
No shit. (Score:4, Interesting)
They should talk to geeks more.
Re: I said it before and I'll say it again... (Score:1)
Is ECM Possible? (Score:3, Interesting)
and I thought, "with so many RFIDs, couldn't they interfere with each other?" and then I started wondering
Most of the approaches people are talking about are "Passive Countermeasures" such as wrapping the RFIDs in a faraday cage.
What about Active Countermeasures? Broadcast so much garbage on the carrier frequencies that the RFID can't communicate? (the start of a Personal Privacy Shield perhaps?) Yes, it lights up the broadcaster in ambient noise, but is this even possible (and what effect would it have on other things around you)?
Who designed this architecture?? (Score:1)
Re: (Score:1)
You'd think... (Score:1, Insightful)
Honestly, even with good security, the system is only going to be as good as the people who check these passports when they are used. If they just have someone scan them in and assume the right person has the passport, then it's still not secure.
All Your Data Are Belong To USA (Score:1)
Mini-EMP (Score:2)
This would very suck...
Re: Why make them unnecessarily data rich? (Score:2, Insightful)
Appropriate shielding? (Score:2)
Data Rich == Enhanced Privacy (Score:5, Informative)
In response to the poster who asked why these passports are data rich: Because it avoids the need to place all of this detailed personal information in central databases which are accessed remotely from thousands of locations around the world. How would you secure such a database?
The ICAO recommended approach is much more secure -- the problem here is that the EU has chosen not to implement the security features. The US State Dept. started down the same path, but changed course in response to public outcry.
Here's a description of how the "basic authentication" as recommended by the ICAO specifications works -- this is from memory, but it should be very close to accurate:
So, unless you can break AES or exploit some other flaw in the passport chip* the only way to retrieve the data from the chip is to look inside the passport. If you can look inside the passport, however, you really don't need to talk to the chip at all, because with the exception of some digital signatures, all of the data in the chip is printed in the passport.
What exactly is in the chip? Again from memory:
In the future, other biometrics may be added as well, like a fingerprint image.
The US State Dept. has chosen to go one step beyond the ICAO recommendations and add shielding to the passport cover, so the chip is isolated and can't be queried or detected when the cover is closed. Without that, an attacker couldn't read the data from the chip, but he could "ping" the chip and notice its presence.
*Note that these chips were not created for passports, they're standard contactless smart card chips which have decades of use as security devices behind them, and which protect billions in credit card transactions annually -- nothing's perfect, but they're darned good, having gone through many years of breaks and application of countermeasures.
Re: (Score:1)
Re: (Score:2)
Mod swillden up !! (Score:2)
here's a thought experiment... (Score:3, Informative)
a) 'Sounds interesting, but lets get some more input and make sure there is no downside for our employers, the public'.
b) 'Woot! More power and influence for me! Promotion for you, but if it goes wrong, you will get the blame!'
Way to safely use central DB (Score:3, Informative)
There is a solution:
1. ID reader queries chip to obtain nation of origin.
2. ID reader presents a certificate from the owner with the ID of the reader to the nation of origin, requesting permission to read the passport. Nation of origin authenticates request and provides signed packet with reader ID, valid authorization time range, timestamp, and certificate of nation of origin. This approves that the nation of origin recognizes the reader as a valid one for reading the passports.
3. Reader caches #2 to reduce traffic, and presents this packet to the passport. The passport verifies that the ID reader is approved to query the passport by its nation of origin.
4. Passport returns its ID, certificate, and signed permission to query with some expiration date encoded.
5. Reader presents #4 to nation of origin to query its database. This proves that the passport is physically present.
6. Nation of origin returns signed database entry.
Quick objections might be that this sounds like a lot of round trips, but all but one of these trips could be cached (the reader could be given permission to query passports for a day or more at a time). Another objection might be that every reader would need to get permission from every nation, but this is also not the case - there merely needs to be a chain of trust. So, the US could grant France access to its passports, and then France could delegate access to individual readers.
Various pros and cons exist and I think the actual-implemented solution is not a horrible one. I just wanted to show that a central DB doesn't have to be impossible-to-secure.
Encryption? (Score:1)
Data that is just "Out there" is not safe, even if you encrypted it.
I would feel much more comfortable if the RFID chip was used to identify that the Passport was valid, that's it.
They could have rotating PGP keys anytime the passport goes through a customs port. The PGP keys could then be linked to your data.
Example:
You pass through customs in France, you get assigned a key...that key (only that passport) arrives in the US
The problem with e-passports (Score:3, Insightful)
I pity the fool.. (Score:2)
middleman attack (Score:2)
Re:Data Rich != Enhanced Privacy (Score:3, Informative)
This is not correct. The EU has implemented those security features - Basic Access Control (BAC) especially is a European development, mainly brought into ICAO by German Federal Office for IT Security (BSI). BSI also proposed Extended Access Control (EAC) for additional data such as fingerprints. The study on which the Budapest declaration is based has all this analysed.
The shielding within the cover is not a complete Faraday cage, see RFID Passport Shield Failure Experimental Report [flexilis.com]
The basic problem is, that
If you have access to the MRZ, you can just decrypt the session keys. Successful brute force attacks on eavesdropped passport-to-reader communication are already feasible within hours, see ePassport Privacy Attack [riscure.com]. Once the MRZ is known, e.g. when you have to leave your passport in a hotel or after a successful brute force attack, the passport can be 'pinged' e.g. when going through a door and then be used as a trigger for something. Excessive eavesdropping of passport-to-reader communication e.g. at airports allows for later brute forcing and then identity theft.
The Budapest declaration and the study behind it focus on all these issues and take all your points into account. BAC and what is already known on EAC has been analysed. Still the résumé is 'poorly conceived'.
Well, as the US want to store all the data collected from the passports for 50 years, maybe they have an answer to that question?
The problem is not the chips. The problem is the RFID interface, the limited keyspace entropy, the absence of the option to change the key, well, see above.
Another problem with the passports is the use of biometrics in general, which is also covered within the study and the declaration.
The bottom line is: RF interface and biometrical identification do not increase security, but risks. These passports will cost lots of privacy, security, and tax money.
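Added illustration, not part of the comment above or of the thread: a sketch of why a Basic Access Control key derived from the MRZ is fixed for the life of the document and holds far less entropy than its 128-bit length suggests. The check-digit and key-seed rules and the specimen MRZ fields follow the ICAO 9303 worked example; the scenario counts (100 years of birth dates, 10 years of expiry dates, two document-number formats) are assumptions chosen here.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' filler = 0."""
    def value(ch: str) -> int:
        if ch.isdigit():
            return int(ch)
        return 0 if ch == "<" else ord(ch) - ord("A") + 10
    return sum(value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def bac_key_seed(doc_no: str, birth: str, expiry: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1 over document number, date of birth
    and date of expiry, each followed by its check digit. No random or
    per-session input is involved, so the seed never changes while the
    passport is valid, and anyone who has read the data page can recompute it."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    info = "".join(f + str(check_digit(f)) for f in fields)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Upper bound on key entropy: log2 of the number of possible MRZ inputs."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

# Constructed scenarios (assumptions, not figures from the thread).
BIRTH_DATES = 365 * 100   # any birthday within a century
EXPIRY_DATES = 365 * 10   # ten-year validity window
SCENARIOS = {
    "9 random alphanumeric characters": keyspace_bits(36**9, BIRTH_DATES, EXPIRY_DATES),
    "9 random decimal digits": keyspace_bits(10**9, BIRTH_DATES, EXPIRY_DATES),
}

if __name__ == "__main__":
    # Specimen fields from the ICAO 9303 worked example.
    seed = bac_key_seed("L898902C", "690806", "940623")
    print("K_seed:", seed.hex().upper(), f"({len(seed) * 8} bits long)")
    for name, bits in SCENARIOS.items():
        print(f"{name}: at most {bits:.1f} bits of entropy")
```

These are upper bounds that assume every field is uniformly random; predictable document numbering or a known age range lowers the real figure further.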
Data Rich == Enhanced Privacy (Score:3, Informative)
Thanks for that correction. That's what I get for reading only the abstract.
According to that report, the shielding is only ineffective if the passport is open. I suggest you keep your passport in a flat sleeve or put a rubber band around it if you carry it in a purse or bag where it could fall open. I carry mine in a f
I just renewed my UK passport (Score:3)
I'm trying to think of any reason why I shouldn't just smack it with a hammer a few times.
Utility (Score:1)