Airport Access IDs Hacked In Germany

teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."

Theory bites back

[For a Free Internet]

As much as security "experts" want to avoid the issue, when a shared symmetric key such as the one in this device is passed in the clear to a "black box," the system is already compromised. This is just like the USB drive "encryption" debacle. It is caused by proprietary software and proprietary thinking. As Klehr wrote in Fundamentals of Cryptography (1962), "If a man drinks poison, tell him it's bad for him. Don't offer to prove it by your own example."

Re:Theory bites back

[MichaelSmith]

I couldn't work out how they cracked the cypher from the translated article. Is it possible they are listening in on the cypher processing as they feed in a challenge?

Re:Dual factor authentication

[Calinous]

Passcode is not even as secure as the RFID tag - one could usually spy the introduction of the passcode on the keyboard with a camera (if I remember correctly, there were plenty of key-based locks that were visible from the passenger area).

So YOU'RE the guy that thinks it's real security!

[Zero__Kelvin]

Of course they are in view of the public. What use is a deterrent nobody can see?

The kind that seeks to deter a terrorist rather than the general public?

"I'm fairly sure, though, that if someone air-side reported some suspicious activity that there would be a prompt response from those very same people, resulting in a very same reaction."

There was a time when that wouldn't have been possible. Thank God that they finally perfected the Wormhole!

Do you really think an actual terrorist would piss his pants the way some moron who responds with "Just a Bomb" because he is to stupid to figure out that is not a bright thing to say?

"Putting devices in baggage on a plane is not the act of a Jihadist trying to get to his virgins, so they may have slightly more interest in self preservation."

Since nobody thinks the terrorist will show up with a gun and try to force his way through security, thereby broadcasting his/her presence to all, how does that help again?

"Good to see mod points being blown on AC's, though. It saves those with reasonable points of view which some people may disagree with from being on the end of their flawed judgment."

That is great news. Clearly you are not one of those people. Can you point me to someone who is? (BTW - Read the Moderator Guidelines, since you clearly have no idea how to properly moderate on Slashdot.)

Re:Terrorrism

[maeka]

As someone who has maroon SIDA badges at multiple large airports in the USA, I think you are overly discounting the culture of challenging (asking strangers to see their badge) and missing a couple of key points.

Especially if the person you're challenging was just verified by the card-reader.

1 - A forged RFID in and of itself will not get you through any of the more sensitive doors. A PIN is also required.
2 - Even someone like me with an "all areas" badge must get prior (time limited) authorization to pass through higher-security doors. The central computer will reject my perfectly valid badge and PIN and sound an alarm at security if I so much as try a door I do not have approval for.
3 - At most airports I've worked at there is also a security officer posted at doors capable of being used to bypass TSA checkpoints (as in going downstairs then through the baggage tunnel, then back up on the other side), one who inspects each and every badge which passes his way.
4 - All RFID readers are linked to the security office. Let's say I unsuspectingly cloned Joe's card. If Joe badged in to area A but didn't badge out while meanwhile Cloned Joe badged into area F - an alarm would sound.

While I have witnessed much which I consider weaknesses in airport security - the physical badges themselves are not it.

Re:Theory bites back

[marcansoft]

There is no cipher. There is no security. These guys gave a talk on LEGIC Prime at the congress. The digest version is that LEGIC Prime is 100% obscurity and 0% security: LEGIC cards are wireless read/write memories with a tiny LFSR scrambler thrown on top to obfuscate things a bit. There are no keys. All the access controls are implemented in the reader/writer software. These cards are not only trivial to emulate, they're also trivial to modify.

Re:guess what!

[pclminion]

Statistics please. Of the most recent 100 documented terrorist attacks which actually killed anyone, how many were on airplanes? What is the probability that any given death from a terrorist attack occurred on an airplane? Thanks.