[LINK] Engadget: German hackers clone RFID e-passports

Geoffrey Ramadan gramadan at umd.com.au
Sun Aug 6 14:13:02 AEST 2006


Adam

Not necessarily.

1) e-Passports are based on the ISO 14443 standard. "Anti-collision" 
mechanisms are part of this standard. So an ISO 14443 compliant reader 
can read multiple tags.

2) However, if two tags are very close to each other (e.g. stacked), then 
they will not read.

3) e-Passports include a metal foil inside the cover, so they cannot be 
read anyway, when they are closed.

4) I also agree with Kim's view that this is not a "big story"; there is 
nothing magical about reading e-Passports, nor writing to RFID chips. As 
mentioned, the air-interface is based on international open standards 
ISO 14443. The data format of the e-Passport is also well documented.
http://www.icao.int/mrtd/Home/Index.cfm 

5) What the ISO 14443 standard does not define, is what or how the data 
is used. E-Passports include a "digital signature" which can be verified 
via PKI. I also believe Biometric data may include digital watermarks.

6) Though the Biometric image is not encrypted, I don't see potential 
copying and falsifying documents as an issue. Not only is a new "secure" 
document introduced via the e-Passport (and visa) but also new processes 
are put in place. If you look at the ICAO documents you will notice a 
typical business process for validating e-Passports includes:
- checking digital signature
- checking other security features.
- checking watch list (biometric database)
- biometric verification.

That is, checking Biometric data with the actual person, and against a 
database of both valid people and blacklists.

Assuming fraudsters can change the Biometric image and provide the 
correct Digital Signature, then their own Biometric information could 
give them away (even later).

Reg
Geoffrey Ramadan B.E.(Elec)
Chairman, Automatic Data Capture Association (www.adca.com.au)
and
Managing Director, Unique Micro Design (www.umd.com.au)


Adam Todd wrote:
>
> Ahh so the key is to copy another RFID tag and always keep it in your 
> passport so that the reader baulks when it gets back a doubled signal.
>
> Bit like having two FM transmitters operational on the same frequency 
> at the same time :)
>
> At 08:45 PM 4/08/2006, Kim Holburn wrote:
>> It's really not a big story.   You can read the rfid tag which after
>> all you have to be able to do for it to be of any use any way.  You
>> can create a copy.  Well yeah.  If you put a copy near your passport
>> the passport reader will get confused.
>>
>> But the guts of it is, that the information is encrypted so you can't
>> actually alter any of it, you can only copy.
>>
>> More on it here with some nice links to tinfoil wallets though:
>> http://www.wired.com/news/technology/0,71521-2.html
>>
>> Of course there's the danger of explosions:
>> Blackhat 2006: Explosive risks in RFID-enabled passports
>> http://www.tgdaily.com/2006/08/03/blackhat2006_rfid_passport_bomb/
>>
>> On 2006 Aug 04, at 7:52 PM, Paul B wrote:
>>
>>> http://www.engadget.com/2006/08/03/german-hackers-clone-rfid-e-passports/
>>
>> -- 
>> Kim Holburn
>> Network Consultant
>> Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
>> mailto:kim at holburn.net  aim://kimholburn
>> skype://kholburn - PGP Public Key on request
>> Cacert Root Cert: http://www.cacert.org/cacert.crt
>> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>> Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
>>
>> Democracy imposed from without is the severest form of tyranny.
>>                           -- Lloyd Biggle, Jr. Analog, Apr 1961
>>
>>
>>
>> _______________________________________________
>> Link mailing list
>> Link at mailman.anu.edu.au
>> http://mailman.anu.edu.au/mailman/listinfo/link
>>


