[LINK] RFID Passports again
Geoffrey Ramadan
gramadan at umd.com.au
Sun Nov 19 14:02:54 AEDT 2006
Kim Holburn wrote:
> Interesting discussion of the security of RFID passports. Further to
> our recent discussions. It does seem that they are readable from a
> much greater distance than is said to be officially possible.
I don't think 7.5cm read range is a "much greater distance". I would
have normally said 10cm read range would be standard. With a larger
antenna and power I would assume you could read 30cm.... which by the
way, such a reader would not be very portable.
Portable RFID readers are severely restricted by power, and 0-2cm read
range would be typical.
Much of this is also dependent on the antenna design. I don't know the
size of the antenna used on e-passports (the smaller the antenna the
shorter the read range).
> Also brings up the fact that while the digital data can't currently be
> altered, it may not need to be to make fake passports as neither
> humans nor machines can match the photo and the human all that well!!!
I would disagree on this point. Biometric reliability is about 80% and
improving.
>
> http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
>> Cracked it!
>>
>> Three million Britons have been issued with the new hi-tech passport,
>> designed to frustrate terrorists and fraudsters. So why did Steve
>> Boggan and a friendly computer expert find it so easy to break the
>> security codes?
>>
>> Friday November 17, 2006
>>
>> Six months ago, with the help of a rather scary computer expert, I
>> deconstructed the life of an airline passenger simply by using
>> information garnered from a boarding-pass stub he had thrown into a
>> dustbin on the Heathrow Express. By using his British Airways
>> frequent-flyer number and buying a ticket in his name on the
>> airline's website, we were able to access his personal data, passport
>> number, date of birth and nationality. Based on this information,
>> using publicly available databases, we found out where he lived, his
>> profession, all his academic qualifications and even how much his
>> house was worth.
>
>
>> Fatally, however, the ICAO suggested that the key needed to access
>> the data on the chips should be comprised of, in the following order,
>> the passport number, the holder's date of birth and the passport
>> expiry date, all of which are contained on the printed page of the
>> passport on a "machine readable zone." When an immigration official
>> swipes the passport through a reader, this feeds in the key, which
>> allows a microchip reader to communicate with the RFID chip. The data
>> this contains, including the holder's picture, is then displayed on
>> the official's screen. The assumption at this stage is that this
>> document is as authentic as it is super-secure. And, as we shall see
>> later, this could be highly significant.
Not quite. Reading the RFID chip does not constitute authentication.
Authentication is performed on the digital signature via PKI.
>
>> "The Home Office has adopted a very high encryption technology called
>> 3DES - that is, to a military-level data-encryption standard times
>> three. So they are using strong cryptography to prevent conversations
>> between the passport and the reader being eavesdropped, but they are
>> then breaking one of the fundamental principles of encryption by
>> using non-secret information actually published in the passport to
>> create a 'secret key'. That is the equivalent of installing a solid
>> steel front door to your house and then putting the key under the mat."
There is nothing remarkable about the ability to read an RFID tag.
>>
>> Within minutes of applying the three passports to the reader, the
>> information from all of them has been copied and the holders' images
>> appear on the screen of Laurie's laptop. The passports belong to
>> Booth, and to Laurie's son, Max, and my partner, who have all given
>> their permission.
Also nothing remarkable.
>>
>> Booth is staggered. He has undercut Laurie by finding an RFID reader
>> for £174, which also works. "This is simply not supposed to happen,"
>> Booth says. "This could provide a bonanza for counterfeiters because
>> drawing the information from the chip, complete with the digital
>> signature it contains, could result in a passport being passed off as
>> the real article. You could make a perfect clone of the passport."
You can make a perfect clone of the RFID chip, not sure about the actual
passport.
>>
>> But could you - and what use would my passport be to you? A security
>> feature of the chip ensures that information cannot be added or
>> altered, so you couldn't put your picture on my chip. So is our
>> attack really so impressive?
This is a key feature of the e-passport.
>>
>> The Home Office thinks not. It correctly points out that the
>> information sucked out of the chip is only the same as that which
>> appears on the page, readable with the human eye. And to obtain the
>> key in the first place, you would need to have access to the passport
>> to read (with the naked eye) its number, expiry date and the date of
>> birth of its holder.
>>
>> "This doesn't matter," says a Home Office spokesman. "By the time you
>> have accessed the information on the chip, you have already seen it
>> on the passport. What use would my biometric image be to you? And
>> even if you had the information, you would still have to counterfeit
>> the new passport - and it has lots of new security features. If you
>> were a criminal, you might as well just steal a passport."
>
>> "If you can read the chip, then you can clone it," he says. "You
>> could use this to clone a passport that would exploit the system to
>> illegally enter another country." (We did not clone any of our
>> passport chips on the assumption that to do so would be illegal.)
>>
>> Grunwald adds: "The problems could get worse when they put
>> fingerprint biometrics on to the passports. There are established
>> ways of making forged fingerprints. In the future, the authorities
>> would like to have automated border controls, and such forged
>> fingerprints [stuck on to fingers] would probably fool them."
>>
>> But what about facial recognition systems (your biometric passport
>> contains precise measurements of key points on your face and head)?
>> "Yes," says Grunwald, "but they are not yet in operation at airports
>> and the technology throws up between 20 and 25% false negatives or
>> false positives. It isn't reliable."
>>
>> Neither is the human eye, according to research conducted by a team
>> of psychologists from the University of Westminster in 1996.
>> Remember, information - such as a new picture - cannot be added to a
>> cloned chip, so anyone using it to make a counterfeit passport would
>> have to use one that bore a reasonable resemblance to themselves.
The human eye is far worse than biometrics.
>>
>> But during Westminster University's study, which examined whether
>> putting people's images on credit cards might reduce fraud,
>> supermarket staff drafted in for tests had great difficulty matching
>> faces to pictures. The conclusion was that pictures would not improve
>> security and they were never introduced on credit cards. This means
>> that each time you hand over your passport at, say, a hotel reception
>> or car-rental office abroad to be "photocopied", it could be cloned
>> with equipment like ours. This could have been done with an old
>> passport, but since the new biometric passports are supposed to be
>> secure they are more likely to be accepted without question at borders.
But this is not how the e-passport is going to be used. Once the RFID
tag is read including digital picture, it can then be compared to an
actual picture taken of the e-passport holder and compared.
>
>
>> What about the technical difficulties? The government claims the new
>> biometric passport chips can be read over a distance of just 2cm, but
>> researchers all over the world claim to have read them from further.
>> The physics governing those in British passports says they could be
>> read over a metre, but no one has yet done that. A Dutch team claims
>> to have contacted chips at 30cm.
As mentioned, not all that remarkable.
>>
>> Laurie has, however, rigged up a piece of equipment that can connect
>> to a passport over 7.5cm. That isn't as far as the Dutch 30cm, but it
>> is enough if your target subject is sitting next to you on the London
>> Underground or crushed up against you on the Gatwick Airport
>> monorail, his pocketed passport next to the reader you have hidden in
>> a bag.
>>
>> It takes around four seconds to suck out the information with a
>> reader; then it can be relayed and unscrambled by an accomplice with
>> a laptop up to 1km away. With a Heath Robinson device we built on
>> Tuesday using a Bluetooth antenna connected to an RFID reader, Laurie
>> relayed details of his son's passport over a distance of 10 metres
>> and through two walls to a laptop.
Gee, if he SMSes or emails it, I can send it anywhere around the world. I
am not sure what this is supposed to prove.
>
>> "There isn't even a defence against the brute-force attack. In much
>> the same way as you are only allowed three attempts to feed in your
>> PIN number at an ATM, the passport chip could have been made to stop
>> allowing repeated incorrect attempts to contact it. As things stand,
>> a computer can keep trying until it gets the numbers right. To say
>> this doesn't matter displays a cavalier lack of concern."
That's because it actually doesn't matter.
Also everyone conveniently forgets that there is a metallic shield woven
in the page of the e-passport. So while it is closed, it cannot be read.
Regards
Geoffrey Ramadan B.E.(Elec)
Chairman, Automatic Data Capture Association (www.adca.com.au)
and
Managing Director, Unique Micro Design (www.umd.com.au)
>
>
> --
> Kim Holburn
> IT Network & Security Consultant
> Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
> mailto:kim at holburn.net aim://kimholburn
> skype://kholburn - PGP Public Key on request
> Cacert Root Cert: http://www.cacert.org/cacert.crt
> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
> Use ISO 8601 dates [YYYY-MM-DD]
> http://www.saqqara.demon.co.uk/datefmt.htm
>
> Democracy imposed from without is the severest form of tyranny.
> -- Lloyd Biggle, Jr. Analog, Apr 1961
>