« Checkpoint Systems lays off RFID staff | Main | »
November 3, 2006
Passport insecurity
Just when you thought the RFID security situation couldn't get any worse, it turns out there is a serious vulnerability in the new spychipped US passports. (Surprise, surprise.) British security researcher Adam Laurie has found that the cryptography used in the RFID tags can be cracked by anyone who can get near your passport, provided they have your name, date of birth, and passport number. This info would allow them to unlock your passport chip and download your digital photo and other information from the passport.
Laurie has written a program that he explains can "exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport." Anyone wanting to duplicate a passport would then have complete access to your digital passport photo along with your passport's cryptographic key.
How would a hacker get your name and passport number? It's not as hard as you might think. They could pick up a discarded boarding pass at the airport, log onto British Airways website (or any of a number of equally insecure data sites on the Internet), or work for a business like a bank or hotel that routinely requires and records such information. (Heck, nowadays you have to show a passport just to check into a hotel or exchange currency in Europe --- even to log onto a computer at an Internet cafe.)
Why would our government insist on spending money on insecure technology that puts travellers at risk? A CASPIAN press release we issued last year may help explain:
CASPIAN UNCOVERS U.S. GOVERNMENT RFID PROMOTION SCHEME
Heads of Federal Agencies encouraged to "advance the industry"
http://www.spychips.com/press-releases/gsa-document.html
For more details about passport security, here are some useful links:
* Edward Hasbrouck, the Practical Nomad, explains how to tell if your passport contains a spychip.
* Security company Flexilis gives a vivid demonstration showing how the RFID shielding in passport covers fail to protect passport holders if the passport is open even 1/4", putting Americans at risk of physical harm. (And we now know, data skimming, as well.)
* Security expert Bruce Schneier discusses passports.
-Katherine Albrecht
Posted by Katherine Albrecht at November 3, 2006 6:02 AM
Comments
your concern about epassport security is backwards. the magnetic striped card has no security. yet, usa card losses are very low, under 10% from all sources. wny ?. the card system is designed to use system checks rather than technology checks. tell me what passport problem you are trying to cure and i'll tell you how to do it. rfid is a faster way of dealing with the readable media. us currency is easily counterfeited, but the handling system does an effective job of protecting currency.
Posted by: smartcarddad at November 4, 2006 7:20 PM