RFID passports pwned (and super slowmo's)

Tinfoil hats at the ready, it's IT Blogwatch, in which the UK's new RFID passports get hacked. Don't laugh -- you might get them soon. Not to mention a compilation of awesome slow motion movies from high speed cameras...

Angela Gunn sobers up:

Steve Boggan [has] been spending some quality time this year demonstrating the low quality of the security thinking put into Britain's new "high-tech" passports. The writeup's lengthy, but he gives a great overview of the thinking he and his merry band of experts put into hacking the system and why, whatever the Home Office says, the new systems are in fact potentially far less secure than the old piece-of-paper-examined-by-human-eyes versions. Those among us who carp about "giving the terrorists" ideas -- you crazy security-by-obscurity kids, you know you crack me up -- will most assuredly not be amused.

Cory Doctorow boings:

UK security experts have cracked the sooper sekure new UK biometric passports. It took 48 hours. With £174 worth of sniffer hardware, attackers can read all the personal information off of any of the three million new UK passports in circulation -- and if combined with demonstrated hacks for reading RFIDs at a distance, this could happen from across the room, or even farther. You can then clone the RFID and stick it in another passport (surprise! your identity is now owned by a terrorist!).

Bruce Sterling offers this hard-to-read commentary:

Oh jeez. It's as Neal Stephenson said: cryptography is like a picket fence around your house that consists of one picket ninety miles tall ... The real hell would come if the authorities didn't bother to stare at the passport but simply trusted the signal from the chip. Which was supposed to be the idea in the first place: these arphids are supposed to be making transit SAFER AND FASTER AND MORE CONVENIENT, not just introducing a new level of Rube Goldberg snafu ... Government spooks intend to do all this anyway, and they can't believe that private sector spooks and hobbyists can take the trouble. Rather like the Pentagon unable to believe that Al Qaeda can make serious mischief.

They did this, not because they want to make private citizens more secure against ID theft, but because they want to install huge databases that track the movements of civil populations generally. The point of electronic ID is to input a suspect passport number and see every place that guy's been in the last 20 years. Then you compare that to the movements of other known malefactors and you've got an instant Al Qaeda winnowing-machine. Of course some individuals will suffer, but compared to the awesome imaginary benefits of Total Information Awareness.

Mike Masnick dishes the dirt:

There's been an odd rush by governments to move to RFID passports, even though there are serious concerns about how secure they really are ... It is, admittedly, a limited crack, but it could potentially be used to make a clone RFID chip for a counterfeit passport. While the UK government claims this crack is no big deal, you'd have to think that it shouldn't take long for other problems to show up as well.

Matthew Wharton wonders if the US is next:

The UK ... Identity and Passport Service ... opted to use RFID chips to store the data in accordance with standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough, but the ICAO standard also directs that the key used to access the data should be comprised of, in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport.


Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen, but unfortunately for us in Britain our government has already made the poor choice. The security measures in place to prevent unauthorized access to the data held on the chip work by creating an encrypted 'conversation' between the chip and the reader. Interestingly, they have used the Triple DES algorithm for the encryption instead of AES, which was introduced to replace Triple DES in 2002.

Andii Bowsher breaks out the tinfoil:

As I said previously, a Faraday cage is needed for keeping the thing on your person or even in luggage. I gather that a LibDem spokesperson has actually called on the government to issue Faraday cage passport holders to all recipients of new passports.

Jeck Crow:

What I find odd is the complete breakdown in thought process on the governmental level. Specifically, when we design a technology with a military or security purpose that pertains to a tangible object like... let's say... a tank, we consider the possibility that a tank can be captured and repurposed by someone, and used in a manner that it was not intended ... So, why then is it so difficult to apply this same logic to an intangible, like identity data? ... One would think that the implementation of such a poorly thought out use of an idea would be halted, re-evaluated, and perhaps reworked into something more practical. One would hope...

Jonathan Peterson hits a similar vein:

Before spending all that money, wouldn’t creating a prototype passport and inviting all comers to try to hack it have been a good idea? There are few things that can throw away taxpayer money faster than technology purchases.

Bradley Rhodes doesn't see what all the fuss is about:

The RFID chip contains a cryptographically signed digital copy of the main page of your passport, including a digital copy of your photograph. The idea is that this way you can't modify the name or paste your own photo into a stolen passport because the digital data won't match, and you can't modify the digital data because it has to be signed by the issuing country. After people expressed concerns that someone nearby could eavesdrop on the conversation between the passport and the RFID reader, they decided to encrypt the passport using your passport number, expiration date and date of birth, which is encoded using a barcode (or maybe a magnetic stripe). That way the customs official swiping your card can read the photo but someone eavesdropping on the RFID conversation can't.

The Tarquin hears "The deafening sound of no one being surprised":

What went wrong? ... Well, they used 3DES to encrypt the transactions, but they generate the key from information listed on the passport. Head smack. This is, needless to say, an EXTREMELY rookie mistake. It's the equivalent of locking your front door with three different locks, and then tying all three keys to a length of string hung over the doorknob.
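Wharton's and The Tarquin's point is the same one: the 3DES session keys are a deterministic function of three fields printed on the data page. The script below is an added illustration, not code from any of the quoted posts or from the Identity and Passport Service: it follows the ICAO 9303 Basic Access Control derivation (check digits, SHA-1 key seed, DES parity) for the sample MRZ fields commonly quoted from the ICAO worked example, and then bounds how much entropy those fields can actually feed into a nominal 112-bit key. The population sizes passed to the entropy estimate are assumptions for the sake of illustration.

```python
import hashlib
import math

# ICAO 9303 check digit: weights 7,3,1 cycling; digits as-is, A-Z = 10..35, '<' = 0.
def mrz_check_digit(field: str) -> int:
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            val = int(ch)
        elif ch == "<":
            val = 0
        else:
            val = ord(ch.upper()) - ord("A") + 10
        total += val * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """Concatenate document number, date of birth and expiry, each followed by its check digit."""
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc_number, dob, expiry))

def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES key bytes require (LSB is the parity bit)."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (1 if ones_in_top7 % 2 == 0 else 0))
    return bytes(out)

def bac_keys(doc_number: str, dob: str, expiry: str):
    """Kseed = SHA-1(MRZ_information)[:16]; K_enc / K_mac = SHA-1(Kseed || counter)[:16]
    with counter 1 and 2 respectively, parity-adjusted for 3DES (2-key, 16 bytes)."""
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    kseed = hashlib.sha1(info).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(kseed + (1).to_bytes(4, "big")).digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(kseed + (2).to_bytes(4, "big")).digest()[:16])
    return k_enc, k_mac

def effective_key_bits(doc_number_space: int, dob_days: int, expiry_days: int) -> float:
    """Upper bound on the entropy behind the derived keys: no more than the number of
    plausible (document number, birth date, expiry date) combinations, whatever the
    nominal 3DES key length says. Correlations between the fields only lower it."""
    return math.log2(doc_number_space * dob_days * expiry_days)

if __name__ == "__main__":
    # Sample fields as quoted from the ICAO 9303 worked example (not a real passport).
    k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
    # Assumed populations: 10^9 document numbers, ~100 years of birth dates, ~10 years of expiry dates.
    print("effective entropy (bits):", round(effective_key_bits(10**9, 100 * 365, 10 * 365), 1))
```

The entropy figure is the defender's takeaway: the key is only as unguessable as the printed fields are, which is why the quoted posts treat the scheme as door locks with the keys hanging on the knob.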

Cyber Legionnaire sums it up:

For the last time, just leave cryptographers to deal with cryptography issues! Committee members are excellent at screwing it all up.


And finally... Great slowmo compilation

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richij.com. 4000th post!

Copyright © 2006 IDG Communications, Inc.
