Crack! Security expert hacks RFID in UK passport
Successful effort pulled data off document in mailing envelope
IDG News Service - A security expert has cracked one of the U.K.'s new biometric passports, which the British government hopes will cut down on cross-border crime and illegal immigration.
The attack, which uses a common RFID (radio frequency identification) reader and customized code, siphoned data off an RFID chip from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said.
"That's the really scary thing," said Laurie, whose work was detailed in the Sunday edition of the Daily Mail newspaper. "There's no evidence of tampering. They're not going to report something has happened because they don't know."
The British government, which began issuing RFID passports about a year ago, eventually wants to incorporate fingerprints and other biometric data on the chips, although privacy activists are concerned over how data will be stored and handled.
Currently, the chip contains the printed details on the passports, the person's photograph and security technology to detect if those files have been altered.
The attack was executed while the passport was still in its original envelope used to send it from the passport service, since RFID chips can be read from a few inches away, Laurie said. He used a passport ordered by a woman affiliated with No2ID, a group that opposes the U.K.'s biometric passport and ID card programs.
The data on the passport's chip is locked until an RFID reader provides the encryption key, Laurie said. The encryption key is calculated using a combination of the person's personal data, such as date of birth, and is contained in the "machine-readable zone" (MRZ) -- the string of characters and digits on the bottom of the passport's first page.
At an immigration desk, the optical character reader scans the MRZ and gets the key. The RFID chip is unlocked, and the information on the chip is matched with that on the passport.
However, Laurie was able to do this process himself. He analyzed ICAO 9303, the standard from the International Civil Aviation Organization that been adopted worldwide for machine-readable passports, to see how the MRZ is organized.
Laurie also knew some of the woman's personal details -- used to calculate her passport's key -- and found out more through Internet research.
He then wrote what's known as a "brute force" program, which repeatedly tries different combinations of data to discover the key. After about 40,000 attempts by the program, he cracked the key.
To scan the chip, he used a common RFID reader from ACG ID, now part of Assa Abloy Identification Technology GmbH of Germany.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Exponentially Accelerate Data Protection and Recovery with Simpana 10 IntelliSnap® Snapshot Management Technology Are you making the best use of your storage array snapshot functionality? CommVault Simpana 10 IntelliSnap technology manages hardware-based snapshots across multiple vendor...
- Simpana IntelliSnap Technology Datasheet With IntelliSnap you can maximize the value of your snapshot technology while dramatically reducing management overhead and complexity.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to... All Privacy White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!