Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Buffer Overflow Found in RFID Passport Readers

Posted by CowboyNeal on Sat Aug 11, 2007 09:20 AM
from the never-too-careful dept.
Security Technology IT
epee1221 writes "Wired ran a story describing Lukas Grunwald's Defcon talk on an attack on airport passport readers. After extracting data from the (read-only) chip in a legitimate passport, he placed a version of the data with an altered passport photo (JPEG2000 is used in these chips) into a writable chip. The altered photo created a buffer overflow in two RFID readers he tested, causing both to crash. Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common."

Related Stories

Firehose:Buffer Overflow in RFID Passport Readers by epee1221 (873140)
This discussion has been archived. No new comments can be posted.
Buffer Overflow Found in RFID Passport Readers | Log In/Create an Account | Top | 96 comments | Search Discussion
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Of course they are vulnerable (Score:3, Insightful)

    by Anonymous Coward on Saturday August 11, @09:42AM (#20195235)
    These passports are full featured CPU's with up to 72KB of data. The "RFID reader" is actually a very bad name for a software system that is going to read out these passports. In most documents it will be referred to as an inspection system. It will not only read out the passport, but it will also test the biometrics, communicate with other systems etc.. This is a complicated process that will most likely take place on a full featured CPU, containing a modern OS, and a modern software stack. This allows for maximum flexibility, but it will also make the systems vulnerable for attack.

    The only thing the manufacturers of these systems can do is thoroughly test their software, and make the attack possibilities as small as possible. For instance, they should check the signature under the data before passing the data on to the next layers. Of course, for this you need the certificate of the issuing state. You should also test if the underlying libraries that do this initial check are not vulnerable.
    • 1 reply beneath your current threshold.

  • Explain to me how... (Score:3, Funny)

    by binaryspiral (784263) on Saturday August 11, @09:48AM (#20195255)
    Explain to me how this is an "attack" on passport readers?

    Passport is scanned
    Reader goes casters up
    Reader is power cycled
    Passport is scanned again
    Reader goes casters up
    Owner of said passport is hauled off to some secret room where all of their orifices are checked by an ex-prison guard with large hands.

    This does show the lack of testing and hardening, but it seems a buffer overflow situation like this would be relatively easy to patch.

  • Honestly... (Score:2, Insightful)

    by The tECHIDNA (677584) * on Saturday August 11, @09:51AM (#20195281)
    (http://www.emeraldforce.org/)
    ...if you pass a cracked RFID chip through a passport reader and then it crashes,

    #1: the guard will humanly read your inside cover photo with extra vigilance...the chip is not the only method of ID
    #2: you'll probably be detained for a bit while they re-test your passport; if it fails again, they'll tell you to get a new passport
    (#2a: or be placed on a no-fly list, because you're a terrorist)

    Plus, how exactly would a code-injection exploit work unless it's something like the GDI+ vulnerability that occurred with WMF files? (If a rogue guard is injecting evil code into the machine, the government had waaay more scary problems ahead than with some 'sploiting a passport reader).

    All that being said, there are some things (i.e. voting machines) that just should not be electronic-ized, and I feel this is one of them.
    Other than "it'll get you through faster!!", what is the point of using chips when, more than likely, the passport clerk has to humanly-read it to verify the info anyway? Especially considering that the particular RFID chip technology used in the passport is going to be obsolete or cracked in 3 years, and most passports don't expire for five or ten years?

  • FTFA: "If a reader could be compromised using Grunwald's technique, it might be reprogrammed to misreport an expired passport as a valid one, or even -- theoretically -- to attempt a compromise of the Windows-based border-screening computer to which it is connected."

    That does it. From now on I'm only travelling to countries which use OpenBSD to operate their border gateway protocols.

    And: "Additionally, the International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which protects the biometric data on the chip by making readers obtain a digital certificate from the country that issued the passport before the equipment can access the information."

    Sounds like in the future, the only people who'll be able to traveler with any degree of success will be those who can forge their passports...

  • Remember this /. story about RFID Passports Cloned Without Opening the Package [slashdot.org]? I'm not sure if RFID and security will ever get along at a satisfying level or if will be similar to the systematic breaking of DRM locks. Amongst other RFID stories [slashgeo.org], this "Security analysis report" paper [91 pages pdf, 967k] [bridge-project.eu] is most informative (via this blog [vector1.eu]).

  • Great! (Score:1)

    by thatskinnyguy (1129515) on Saturday August 11, @11:03AM (#20195775)
    Something else to make the experience of flying all that much more unpleasant for the rest of us!

  • the usual (Score:2, Insightful)

    by m2943 (1140797) on Saturday August 11, @11:42AM (#20196037)
    The problem is, as usual, the use of inherently unsafe and dangerous programming languages like C and C++.

    There is no reason why any modern programming language should permit accidental buffer overflows; they are easily preventable without pushing the burden onto the programmer even in programming languages with the same power as C and C++.

    • Re:the usual (Score:4, Insightful)

      by 808140 (808140) on Saturday August 11, @01:14PM (#20196755)
      Don't do much embedded programming, do you? Garbage collection, automatic bounds checking, and the vast majority of features that you think of as "modern" were available in quite a number of programming languages from the 1960s -- lisp, for example. While they were extremely popular in academic circles, and were without a doubt extremely powerful and capable, most development continued to be done in assembly, and then later C. Why was this, do you think? Because in those days, computer resources were so expensive that it was foolish to waste them. Here's a hint: garbage collection is a bad idea if you have so little memory that you're actually likely to run out of it. Automatic bounds checking on arrays is expensive if your processor is slow enough.

      Now if you're saying that there's no need to develop the vast majority of today's computer software in assembly, C, or C++, then I agree with you wholeheartedly -- but we're not talking about a computer, we're talking about an RFID reader. You know, a small device that doesn't have the latest gaming processor from AMD and Intel and 2 gigs of RAM. It has enough memory for what it needs to do and that's it; and, to be low power, it has a small, simple embedded processor.

      You can't run a JVM on this thing, and even if you wanted to, it would be a bad idea.
      [ Parent ]
      • Re:the usual by Anonymous Coward (Score:1) Saturday August 11, @02:11PM
        • Re:the usual by 808140 (Score:2) Saturday August 11, @03:25PM
          • Re:the usual by AdamInParadise (Score:2) Sunday August 12, @03:22AM
        • Re:the usual by AdamInParadise (Score:2) Sunday August 12, @03:04AM
      • Re:the usual by zefrer (Score:1) Saturday August 11, @02:58PM
        • Re:the usual by 808140 (Score:2) Saturday August 11, @03:42PM
          • Re:the usual by 808140 (Score:2) Sunday August 12, @12:23AM
          • 1 reply beneath your current threshold.
      • Re:the usual by RAMMS+EIN (Score:3) Sunday August 12, @04:11AM
      • Re:the usual by IchBinEinPenguin (Score:2) Sunday August 12, @05:49AM
      • Re:the usual by 808140 (Score:2) Sunday August 12, @12:25AM
      • 2 replies beneath your current threshold.
    • Re:the usual by The Master Control P (Score:2) Saturday August 11, @09:31PM
    • Re:the usual by owlstead (Score:2) Sunday August 12, @05:20PM
  • ``Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common.''

    Because everybody knows that, had they written their own code, it would have been much more secure. Just like magic.

  • Why use silly RFID toys? (Score:1)

    by dsgrntlxmply (610492) on Sunday August 12, @04:46AM (#20201609)
    I for one look forward to the superior alternative of Definitive Biometric Real ID for air travel.

    Undressing in front of the uniformed agent, undergoing endoscopy with low-bid lubricant, then going through the rotating-brushes Lockheed Martin AlloScrub body wash to remove all possible caches and residues of others' DNA before having the blood draw, is the highlight of any ordinary business trip. The $635 airport security fee is a bit of a burden, though, as are the 12 hour fast and prep. enema.

    Waiting 24 hours for DNA sequencing results, in the departure hall with monopoly $3.75 bottled water, $9 greenish-ham sandwiches, Soviet-grade customer service, and incessantly repeated shrieky PA announcements, always makes me feel good because I am doing my part for national security.

    Eventually however, I might have to face the question of efficiency, and be compelled to move to some other country where I can inch through massive traffic congestion, then pay a fixer to have me waved into the squalid and grimy departure hall for a mere 2 hours, while watching the unsmiling gentlemen with the submachine guns make their frequent rounds. This followed by very close scrutiny of the rubber stamps on incomprehensible forms stamped only 45 seconds earlier by the person one floor below, as my luggage was being X-rayed to make certain that I was not trying to dodge both the stiff export tax on livestock and poultry, and the consequent opportunity to make a "facilitating payment".

  • Re:Are borders are open! (Score:2, Funny)

    by Anonymous Coward on Saturday August 11, @09:48AM (#20195263)
    You should start with studying English. Your skills our lacking.
    [ Parent ]
    • 1 reply beneath your current threshold.

  • Re:Are borders are open! (Score:2, Funny)

    by couchslug (175151) on Saturday August 11, @10:10AM (#20195409)
    "The question is : should I study Arabic or Spanish to welcome our new overlords."

    Yes. :)
    [ Parent ]

  • JPEG2000 (Score:1)

    by Presto Vivace (882157) on Saturday August 11, @10:16AM (#20195443)
    (http://technoflak.blogspot.com/ | Last Journal: Friday November 02, @10:23AM)
    Why am I not surprised?
    [ Parent ]

  • Re:This is the reason closed source is good (Score:2, Insightful)

    by MrCoke (445461) on Saturday August 11, @10:26AM (#20195499)
    There is no architecture that is secure from a passionate developer armed with time, IDA Pro and an oscilloscope (if needed).
    [ Parent ]

  • That's interesting... (Score:1)

    by shivamib (1034310) on Saturday August 11, @10:42AM (#20195623)

    It's just that they keep hiring complete morons that have no idea what they're doing to work on the systems.
    I see that where I work all the time! Must be the new trend...
    [ Parent ]
  • Chinese could probably be the most useful - you can get earworms for that, and those other two languages, from http://www.earwormslearning.com/intro.html [earwormslearning.com]
    [ Parent ]
  • Mandarin Chinese. Follow the money. (There's no monopoly on stupidity, after gutting the US manufacturing sector, Japan has also sold Japan, Inc. to the Chinese).

    RFID passports were a stupid idea in the first place. I do not want the id in my pocket broadcasting to the world "I'm an American Passport! Kidnap the holder!" (and kidnapping is an issue in places of the world I need to go, like where my in-laws and children are).
    [ Parent ]
  • 6 replies beneath your current threshold.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 SourceForge, Inc.