Thursday, August 03, 2006

(Black Hat) Cloning E-Passports Accomplished

A german computer security consultant has demonstrated the cloning of the electronic data from an E-Passport at the BlackHat convention, Las Vegas.

By the end of this year, many countries, including the U.S., Germany and Greece, will start issuing these Passports which contain an RFID (radio frequency ID) with the owners information on it. That way, they aim to make forgery a lot harder. Apparently they didn't do a great job planning this thing.

Wired News has published a very interesting article on the subject, which includes a demonstration by the guy who cracked it, Lukas Grunwald. In there, the reader will find out that the information on the chip is totally unencrypted (securely signed though) and therefore can be read and copied quite easily. Also, a worrying scenario states that an explosive device with an RFID sensor may identify a person by his E-Passport, while he is passing by, and activate. Finally, the author describes how a valid E-Passport could be overwritten so that let's say a known terrorist will go through border control uninterrupted.

You may also find an interesting video from Mahaffey and John Hering of Flexilis, security company, demonstrating the failure of the E-Passport's shielding system to prevent unauthorized scans of the RFID from malicious antennas.

I would like to quote something from the article:
Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?
Which reminds me of my own blog entry titled "Exclude illiterate supervisors from e-Hierarchy?"

P.S.: Happy 3/8/6 (x86 day!)

No comments: