Tuesday, August 08, 2006


May I see your passport, please?

Yo, dude! Got one of them cool, new, high-tech passports? The ones with the RFID chip. The ones that the government says will help them speed you through the airports. The ones that the government says are safe from prying eyes because they can only be read by the proper officials. They can't be hacked. Got one? Good.

They've been hacked.

Oh, come, now, don't tell me you're surprised.
Some of us have been telling you that all along.
We told you they could be read by the bad guys.
We told you they could be spoofed by the bad guys.
We told you they could be used to track you unless you store them in a shielded bag.

However, at the Black Hat conference in Las Vegas, US, Lukas Grunwald, of German computer security company DN-Systems, showed that RFID passports can be cloned with relative ease. He found that passports designed according to the International Civil Aviation Organization (ICAO) standard can be cloned.
"The whole passport design is totally brain damaged," Grunwald told Wired.com. "From my point of view, all of these RFID passports are a huge waste of money. They're not increasing security at all."

At the same conference, Kevin Mahaffey and John Hering of US computer security company Flexilis showed that electronic passports can be remotely spied upon despite the radio-blocking shields included in US designs. They found they could read the devices from 60 centimetres away if the passport is opened by just 1 cm.

Of course, it's not like you have a choice, except by choosing to establish citizenship in a country that's got more sense....

Update: Eric Rescorla has a much more detailed analysis on his blog, Educated Guesswork. Give it a read.
