The US State Dept. is telling us that their new passports store important data on a chip which is protected from alteration by the latest digital signature technology, and that the Department of State will not issue passports incorporating integrated circuits until privacy-related concerns have been addressed. Despite all this….
Jay Lyman, writing for TechNewsWorld, reports that at the Black Hat and Defcon security conferences in Las Vegas, a security consultant cracked an RFID-based ‘e-passport’ just like the ones the US government is planning to issue citizens in just a few months.
He also showed how the hacker cloned the RFID chip inside the passport, thus giving anyone a bogus cloned US passport that could theoretically allow its holder easy access into the U.S. or another nation.
That is not a good thing. You can read all about it in TechNewsWorld and special thanks to Jay for the awesome article.
Source: Technewsworld.com
December 29th, 2006 at 7:47 pm
Info Update:
Industry Executives Discount Claims That E-Passports “Cracked”
Security experts in the United Kingdom and Germany claim to have extracted data from the smart card chips on electronic passports and an organization of European researchers recently claimed that the new electronic passports Europeans are being required to carry “dramatically decrease their security and privacy.” Is there a serious flaw in the chip technology that more than 50 nations are putting into their passports? The short answer from the smart card industry and government officials is: No, the technology does what it is intended to do. However, they agree that stronger security technology will be required when more confidential information, such as fingerprint biometrics, is added to the chip. That stronger technology, known as Extended Access Control, is coming soon: Germany plans to add it to its e-passports by November 2007. And it will bring its own issues, including increased costs and more complexity for the agencies responsible for border security. Meanwhile, some industry executives believe it is necessary to respond to the articles claiming the passports are not secure, lest those reports increase opposition to the use of smart cards and biometrics, not only in passports but also in ID cards.
One example of the recent claims was an article last month in the UK newspaper The Guardian. Under a headline of “Cracked it!” the author, Steve Boggan, describes how a security expert named Adam Laurie, technical director of Bunker Secure Hosting, extracted the data from three UK electronic passports using a contactless smart card reader he had purchased for 250 pounds, just under 500 U.S. dollars. The article notes that the same had been accomplished by Lukas Grunwald, founder of German consulting company DN-Systems. The article notes that once in possession of the data, it would be possible to insert it into another chip and create a duplicate passport. They concede that the data could not be changed, and that the digital photo of the original passport holder would still come up on the new chip. But they say it has been proven that human beings are not good at verifying the identity of an individual by comparing the live person to a photo and that it might well be possible for someone to pass as someone they slightly resembled by, for instance, growing a beard.
The Guardian article argued that this demonstration showed that the e-passport technology is insecure, and that personal data could be compromised. The article goes on to say that the limitations described “raise all sorts of questions about the UK’s proposed ID card scheme, which will use the same technology.” The UK government has proposed introduction of a national ID card that would incorporate smart card chips and biometrics, but the program is advancing slowly in the face of substantial opposition. Meanwhile, e-passports also came under fire last month at a gathering in Budapest of a group called Future of Identity in the Information Society, a consortium of university and private researchers that receives funding from the European Union. “Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose,” the group said in a statement on travel documents.
The reaction from the smart card industry and passport officials was summed up by Markus Hartmann of HJP Consulting in Germany: “What these guys are doing is pretty ordinary knowledge.” Hartmann, who is part of international working groups developing standards and test protocols for e-passports, says he and his colleagues have decided not to respond in detail to these attacks so as not to aid counterfeiters. However, he notes that what a forger or terrorist would really want to do—create a passport that would pass as legitimate with his own photo and description—has never been done with e-passports. “What counterfeiters want to do is bring another identity into a passport, and that’s never been proven,” Hartmann says.
The same point was made by a spokesperson for the Identity and Passport Service of the UK’s Home Office. “The Guardian have simply outlined a procedure to make an electronic photocopy of the chip,” he told Card Technology. “The information itself cannot be altered; the photo would still be the same, so the copy would be of no use to an impersonator trying to use it fraudulently.” He notes that just copying the data from one chip to another is only one part of creating a counterfeit passport. There are many physical security features, which, he says, “render the forgery of the complete document impractical.” While he did not specify those features, passports and other government ID cards often include such hard to duplicate elements as holograms and microprinting to make forgery difficult.
If the two sides in this debate seem to be speaking past each other, it may be because the attackers are claiming to have accomplished something that the current security features of passport chips were not designed to prevent. Most current passports use a technology called Basic Access Control that was designed in response to a different set of privacy concerns, namely that an unauthorized individual with a contactless smart card reader could get close enough to someone to read data off his passport with the knowledge of the passport holder. In theory, at least, obtaining that data could enable a terrorist to target a particular individual, or perhaps someone of a particular nationality.
Basic Access Control prevents that by making sure that the passport chip only provides data to a reader that has first scanned the machine-readable optical character line on the passport. Presumably, that would only occur when the individual had handed his or her passport to a border control agent. The agent swipes the machine-readable portion of the passport, and the reader extracts certain information: the passport number, individual’s date of birth and the passport’s expiration date. The reader uses that data to send a message to the passport, which only then sends back its data to the reader, including the digital photo of the passport holder, which can be displayed on the agent’s screen.
The Guardian article suggests the protocol is “fatally” flawed, because the information the passport demands can be readily obtained from the machine-readable zone. And a description of how the data is used to create the required code is publicly available on the Web site of the International Civil Aviation Organization (ICAO), which sets international travel document standards. But passport backers argue that misses the point, that Basic Access Control was designed to prevent surreptitious snooping of passport data. It was never designed to make it difficult for a reader to access the data. In fact, it was designed so that all 189 nations that participate in ICAO could easily access the data without a complicated exchange of secret codes among those governments.
Supporters of the current e-passport technology also point out that the information stored on the chip today is the same as that on the passport’s data page, plus a digital photo, and thus not highly confidential. Even they agree more confidential data deserves stronger protection. To that end, ICAO is working on a final specification for a technique called Extended Access Control. This includes several additional steps that would prevent the kind of “attacks” recently described. For one thing, each terminal would have its own public/private key pair that it would use to prove to the passport chip that it is authentic, a measure aimed at preventing someone from buying an off-the-shelf radio frequency identification (RFID) reader to obtain data from passports. Another part of the protocol requires the reader to send a random number to the chip, that the chip must then process using its own private key; the reader would accept the passport only if it could pass this test, which would mean that data cloned from another passport—or data sent in response to a previous challenge—would not be accepted.
These measures will not necessarily mollify critics. Laurie, the UK security expert cited in The Guardian article, says he agrees “in principle, that challenge-response mechanisms will help to combat simple cloning of documents.” However, noting that many passports are meant to last 10 years, he says in an e-mail response to Card Technology, “10 years is a very long time in the world of technology, and a VERY long time in the hands of a determined hacker. Again, it seems unlikely that chips being made today will be able to resist attacks being designed tomorrow.”
The European Union has made clear it believes such stronger security is necessary when confidential information, specifically fingerprint biometric data that the EU wants added to member nation passports in coming years, is stored on the travel documents. An EU directive released in June requires all member states to adopt Extended Access Control within three years of the ICAO finalizing the EAC specification. Germany says it will use the stronger security in its passports by late 2007.
If executed properly, EAC should make it impossible for an unauthorized reader to obtain any data from a passport, and for data copied from one passport chip to be used to make a working passport. However, the stronger technology also brings with it added costs and greater complexity.
For one thing, the chips on the passports will have to be more sophisticated, notes Paul Kocher, president and chief scientist at U.S.-based Cryptography Research, a company he founded that offers consulting services and products related to encryption technology. For the passport chip to respond to a challenge, he notes, it must have the processing power to respond to the reader’s by using its private key to create a digital signature based on the random number it receives. The chips on passports today do not have to create a new digital signature; they merely store a digital signature from the passport-issuing agency that verifies that the passport is legitimate. Kocher says such chipmakers as Infineon and NXP (formerly Philips), and perhaps others, have contactless chips with the necessary processing power to carry out this kind of public key encryption. While he says it is hard to know what price a large nation might negotiate for many chips, he estimates the more sophisticated chips might add $1 to the price of an e-passport.
Another complexity is that the readers would have to have their public/private key pairs to prove to the passport chip that they are authorized to read passport data. Those codes would have to have a short lifespan to minimize the risk if a reader is stolen. The EU, for instance, says the codes should be good for no more than one month. That means constantly sending new data to thousands of passport readers in scores of nations. “It might become complicated to submit all the keys to all the countries,” Hartmann says. And, he notes, some countries may not be willing to provide the confidential data to countries with which they are at odds. All in all, the world’s governments have only begun the process of creating a system of electronic passports that improves border security, protects individual privacy and works reliably. –By Don Davis (2006-12-07)
http://www.cardtechnology.com/article.html?id=2006120786EWDT7P
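The Basic Access Control step described in the article above, worked through as an added example (not part of the article or the comment): the published ICAO Doc 9303 derivation turns the three printed MRZ fields into the session-establishment keys, which is why the keys hold no secret beyond what is printed on the data page. Function names are illustrative; the sample fields are the specimen values from the ICAO worked example.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating weights for MRZ check digits

def check_digit(field):
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return str(total % 10)

def mrz_information(doc_number, birth, expiry):
    """Document number, date of birth, date of expiry, each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def odd_parity(key):
    """Force odd parity on every byte (DES key convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | (bin(b).count("1") % 2 == 0))
    return bytes(out)

def derive_key(k_seed, counter):
    """Counter 1 gives the encryption key, counter 2 the MAC key."""
    d = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return odd_parity(d[:16])

def bac_keys(doc_number, birth, expiry):
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)

# Specimen MRZ fields (ICAO worked example, not a real document).
SAMPLE = ("L898902C", "690806", "940623")

if __name__ == "__main__":
    for name, key in zip(("K_seed", "K_enc", "K_mac"), bac_keys(*SAMPLE)):
        print(name, key.hex().upper())
```

Anyone who can read the data page derives the same keys, which is the design goal the article describes: stopping reads of a closed passport, not restricting which readers may open one.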
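The cloning debate in the article above, as an added example (not from the article or the comment): a reader that only verifies the issuer's stored signature accepts a bit-for-bit copy, while a reader that also demands a signature over a fresh random number rejects it. It uses toy textbook RSA with constructed keys and hypothetical names, and illustrates the idea rather than the ICAO wire protocol.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Return (modulus, private exponent) for textbook RSA."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes: toy sizes, no padding.
ISSUER_N, ISSUER_D = keypair(2**127 - 1, 2**89 - 1)
CHIP_N, CHIP_D = keypair(2**107 - 1, 2**61 - 1)

class Chip:
    def __init__(self, data, issuer_sig, private_d=None, recorded=0):
        self.data, self.issuer_sig = data, issuer_sig
        self.private_d, self.recorded = private_d, recorded

    def respond(self, nonce):
        if self.private_d is None:   # clone: the key never left the original
            return self.recorded     # the best it can do is replay
        return sign(nonce, CHIP_N, self.private_d)

def stored_signature_check(chip):
    """Verify only the issuer's signature stored alongside the data."""
    return verify(chip.data, chip.issuer_sig, ISSUER_N)

def challenge_check(chip):
    """Stored signature plus a fresh challenge the chip must sign."""
    chip_n = int(chip.data.rsplit(b"=", 1)[1])  # chip key is issuer-signed
    nonce = secrets.token_bytes(8)
    return (stored_signature_check(chip)
            and verify(nonce, chip.respond(nonce), chip_n))

def demo():
    data = b"P<UTOSPECIMEN|photo-bytes|chip_key=%d" % CHIP_N  # constructed
    genuine = Chip(data, sign(data, ISSUER_N, ISSUER_D), CHIP_D)
    overheard = genuine.respond(b"old-nonce")
    clone = Chip(genuine.data, genuine.issuer_sig, recorded=overheard)
    return (stored_signature_check(genuine), stored_signature_check(clone),
            challenge_check(genuine), challenge_check(clone))
```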
December 30th, 2006 at 2:36 am
How To: Disable Your Passport’s RFID Chip
All passports issued by the US State Department after January 1 will have always-on radio frequency identification chips, making it easy for officials – and hackers – to grab your personal stats. Getting paranoid about strangers slurping up your identity? Here’s what you can do about it. But be careful – tampering with a passport is punishable by 25 years in prison. Not to mention the “special” customs search, with rubber gloves. Bon voyage!
1) RFID-tagged passports have a distinctive logo on the front cover; the chip is embedded in the back.
2) Sorry, “accidentally” leaving your passport in the jeans you just put in the washer won’t work. You’re more likely to ruin the passport itself than the chip.
3) Forget about nuking it in the microwave – the chip could burst into flames, leaving telltale scorch marks. Besides, have you ever smelled burnt passport?
4) The best approach? Hammer time. Hitting the chip with a blunt, hard object should disable it. A nonworking RFID doesn’t invalidate the passport, so you can still use it.
– Jenna Wortham
http://www.wired.com/wired/archive/15.01/start.html?pg=9