[LINK] RFID Passports again

Geoffrey Ramadan gramadan at umd.com.au
Sun Nov 19 14:02:54 AEDT 2006


Kim Holburn wrote:
> Interesting discussion of the security of RFID passports.  Further to 
> our recent discussions.  It does seem that they are readable from a 
> much greater distance than is said to be officially possible.
I don't think 7.5cm read range is a "much greater distance". I would 
have normally said 10cm read range would be standard. With a larger 
antenna and power I would assume you could read 30cm.... which by the 
way, such a reader would not be very portable.

Portable RFID readers are severely restricted by power, and 0-2cm read 
range would be typical.

Much of this is also dependent on the antenna design. I don't know the 
size of the antenna used on e-passports (the smaller the antenna the 
shorter the read range).

> Also brings up the fact that while the digital data can't currently be 
> altered, it may not need to be to make fake passports as neither 
> humans nor machines can match the photo and the human all that well!!!
I would disagree on this point. Biometric reliability is about 80% and 
improving.

>
> http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
>> Cracked it!
>>
>> Three million Britons have been issued with the new hi-tech passport, 
>> designed to frustrate terrorists and fraudsters. So why did Steve 
>> Boggan and a friendly computer expert find it so easy to break the 
>> security codes?
>>
>> Friday November 17, 2006
>>
>> Six months ago, with the help of a rather scary computer expert, I 
>> deconstructed the life of an airline passenger simply by using 
>> information garnered from a boarding-pass stub he had thrown into a 
>> dustbin on the Heathrow Express. By using his British Airways 
>> frequent-flyer number and buying a ticket in his name on the 
>> airline's website, we were able to access his personal data, passport 
>> number, date of birth and nationality. Based on this information, 
>> using publicly available databases, we found out where he lived, his 
>> profession, all his academic qualifications and even how much his 
>> house was worth.
>
>
>> Fatally, however, the ICAO suggested that the key needed to access 
>> the data on the chips should be comprised of, in the following order, 
>> the passport number, the holder's date of birth and the passport 
>> expiry date, all of which are contained on the printed page of the 
>> passport on a "machine readable zone." When an immigration official 
>> swipes the passport through a reader, this feeds in the key, which 
>> allows a microchip reader to communicate with the RFID chip. The data 
>> this contains, including the holder's picture, is then displayed on 
>> the official's screen. The assumption at this stage is that this 
>> document is as authentic as it is super-secure. And, as we shall see 
>> later, this could be highly significant.
Not quite. Reading the RFID chip does not constitute authentication. 
Authentication is performed on the digital signature via PKI.

>
>> "The Home Office has adopted a very high encryption technology called 
>> 3DES - that is, to a military-level data-encryption standard times 
>> three. So they are using strong cryptography to prevent conversations 
>> between the passport and the reader being eavesdropped, but they are 
>> then breaking one of the fundamental principles of encryption by 
>> using non-secret information actually published in the passport to 
>> create a 'secret key'. That is the equivalent of installing a solid 
>> steel front door to your house and then putting the key under the mat."
There is nothing remarkable about the ability to read an RFID tag.

>>
>> Within minutes of applying the three passports to the reader, the 
>> information from all of them has been copied and the holders' images 
>> appear on the screen of Laurie's laptop. The passports belong to 
>> Booth, and to Laurie's son, Max, and my partner, who have all given 
>> their permission.
Also nothing remarkable.
>>
>> Booth is staggered. He has undercut Laurie by finding an RFID reader 
>> for £174, which also works. "This is simply not supposed to happen," 
>> Booth says. "This could provide a bonanza for counterfeiters because 
>> drawing the information from the chip, complete with the digital 
>> signature it contains, could result in a passport being passed off as 
>> the real article. You could make a perfect clone of the passport."
You can make a perfect clone of the RFID chip, not sure about the actual 
passport.


>>
>> But could you - and what use would my passport be to you? A security 
>> feature of the chip ensures that information cannot be added or 
>> altered, so you couldn't put your picture on my chip. So is our 
>> attack really so impressive?
This is a key feature of the e-passport.
>>
>> The Home Office thinks not. It correctly points out that the 
>> information sucked out of the chip is only the same as that which 
>> appears on the page, readable with the human eye. And to obtain the 
>> key in the first place, you would need to have access to the passport 
>> to read (with the naked eye) its number, expiry date and the date of 
>> birth of its holder.
>>
>> "This doesn't matter," says a Home Office spokesman. "By the time you 
>> have accessed the information on the chip, you have already seen it 
>> on the passport. What use would my biometric image be to you? And 
>> even if you had the information, you would still have to counterfeit 
>> the new passport - and it has lots of new security features. If you 
>> were a criminal, you might as well just steal a passport."
>
>> "If you can read the chip, then you can clone it," he says. "You 
>> could use this to clone a passport that would exploit the system to 
>> illegally enter another country." (We did not clone any of our 
>> passport chips on the assumption that to do so would be illegal.)
>>
>> Grunwald adds: "The problems could get worse when they put 
>> fingerprint biometrics on to the passports. There are established 
>> ways of making forged fingerprints. In the future, the authorities 
>> would like to have automated border controls, and such forged 
>> fingerprints [stuck on to fingers] would probably fool them."
>>
>> But what about facial recognition systems (your biometric passport 
>> contains precise measurements of key points on your face and head)? 
>> "Yes," says Grunwald, "but they are not yet in operation at airports 
>> and the technology throws up between 20 and 25% false negatives or 
>> false positives. It isn't reliable."
>>
>> Neither is the human eye, according to research conducted by a team 
>> of psychologists from the University of Westminster in 1996. 
>> Remember, information - such as a new picture - cannot be added to a 
>> cloned chip, so anyone using it to make a counterfeit passport would 
>> have to use one that bore a reasonable resemblance to themselves.
The human eye is far worse than biometrics.
>>
>> But during Westminster University's study, which examined whether 
>> putting people's images on credit cards might reduce fraud, 
>> supermarket staff drafted in for tests had great difficulty matching 
>> faces to pictures. The conclusion was that pictures would not improve 
>> security and they were never introduced on credit cards. This means 
>> that each time you hand over your passport at, say, a hotel reception 
>> or car-rental office abroad to be "photocopied", it could be cloned 
>> with equipment like ours. This could have been done with an old 
>> passport, but since the new biometric passports are supposed to be 
>> secure they are more likely to be accepted without question at borders.
But this is not how the e-passport is going to be used. Once the RFID 
tag is read, including the digital picture, it can then be compared to an 
actual picture taken of the e-passport holder.

>
>
>> What about the technical difficulties? The government claims the new 
>> biometric passport chips can be read over a distance of just 2cm, but 
>> researchers all over the world claim to have read them from further. 
>> The physics governing those in British passports says they could be 
>> read over a metre, but no one has yet done that. A Dutch team claims 
>> to have contacted chips at 30cm.
As mentioned, not all that remarkable.
>>
>> Laurie has, however, rigged up a piece of equipment that can connect 
>> to a passport over 7.5cm. That isn't as far as the Dutch 30cm, but it 
>> is enough if your target subject is sitting next to you on the London 
>> Underground or crushed up against you on the Gatwick Airport 
>> monorail, his pocketed passport next to the reader you have hidden in 
>> a bag.
>>
>> It takes around four seconds to suck out the information with a 
>> reader; then it can be relayed and unscrambled by an accomplice with 
>> a laptop up to 1km away. With a Heath Robinson device we built on 
>> Tuesday using a Bluetooth antenna connected to an RFID reader, Laurie 
>> relayed details of his son's passport over a distance of 10 metres 
>> and through two walls to a laptop.
Gee, if he SMSes or emails it, I can send it anywhere around the world. I 
am not sure what this is supposed to prove.
>
>> "There isn't even a defence against the brute-force attack. In much 
>> the same way as you are only allowed three attempts to feed in your 
>> PIN number at an ATM, the passport chip could have been made to stop 
>> allowing repeated incorrect attempts to contact it. As things stand, 
>> a computer can keep trying until it gets the numbers right. To say 
>> this doesn't matter displays a cavalier lack of concern."
That's because it actually doesn't matter.

Also everyone conveniently forgets that there is a metallic shield woven 
in the page of the e-passport. So while it is closed, it cannot be read.

Regards

Geoffrey Ramadan B.E.(Elec)
Chairman, Automatic Data Capture Association (www.adca.com.au)
and
Managing Director, Unique Micro Design (www.umd.com.au)
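
Added example, not part of the original post or the quoted article: the chip access key the article describes, derived as ICAO Doc 9303 Basic Access Control specifies from the three printed fields, with an upper bound on how much uncertainty those fields carry. The specimen values are those of the ICAO worked example, not a real document, and the field ranges passed to `keyspace_bits` are assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1; 0-9 as-is, A-Z = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * WEIGHTS[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Passport number, date of birth, expiry (YYMMDD), each with its check digit."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f + check_digit(f) for f in (doc_number, birth, expiry))

def bac_key_seed(mrz_info: str) -> bytes:
    """K_seed: the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def bac_3des_key(k_seed: bytes, counter: int) -> bytes:
    """Two-key 3DES key from K_seed (counter 1 = encryption, 2 = MAC), odd parity."""
    raw = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in raw)

def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Bits of uncertainty left once each printed field is narrowed to a range."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

# Specimen values from the ICAO worked example, not a real document.
INFO = mrz_information("L898902C", "690806", "940623")
K_SEED = bac_key_seed(INFO)
K_ENC = bac_3des_key(K_SEED, 1)
# Assumed ranges: 9-digit numeric passport number, any birth date in a
# 100-year span, any expiry date in a 10-year validity window.
UPPER_BOUND_BITS = keyspace_bits(10**9, 36525, 3652)

if __name__ == "__main__":
    print(INFO, K_SEED.hex().upper(), K_ENC.hex().upper())
    print(f"at most {UPPER_BOUND_BITS:.1f} bits, against 112 for two-key 3DES")
```

The bound shrinks further with anything known about the holder or the issuing sequence, so the nominal strength of 3DES says little about the strength of the session it protects.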

>
>
> -- 
> Kim Holburn
> IT Network & Security Consultant
> Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
> mailto:kim at holburn.net  aim://kimholburn
> skype://kholburn - PGP Public Key on request
> Cacert Root Cert: http://www.cacert.org/cacert.crt
> Aust. Spam Act: To stop receiving mail from me: reply and let me know.
> Use ISO 8601 dates [YYYY-MM-DD] 
> http://www.saqqara.demon.co.uk/datefmt.htm
>
> Democracy imposed from without is the severest form of tyranny.
>                           -- Lloyd Biggle, Jr. Analog, Apr 1961