RFID Cards and Man-in-the-Middle Attacks

Recent articles about a proposed US-Canada and US-Mexico travel document (kind of like a passport, but less useful), with an embedded RFID chip that can be read up to 25 feet away, have once again made RFID security newsworthy.

My views have not changed. The most secure solution is a smart card that only works in contact with a reader; RFID is much more risky. But if we’re stuck with RFID, the combination of shielding for the chip, basic access control security measures, and some positive action by the user to get the chip to operate is a good one. The devil is in the details, of course, but those are good starting points.

And when you start proposing chips with a 25-foot read range, you need to worry about man-in-the-middle attacks. An attacker could potentially impersonate the card of a nearby person to an official reader, just by relaying messages to and from that nearby person’s card.

Here’s how the attack would work. In this scenario, customs Agent Alice has the official card reader. Bob is the innocent traveler, in line at some border crossing. Mallory is the malicious attacker, ahead of Bob in line at the same border crossing, who is going to impersonate Bob to Alice. Mallory’s equipment includes an RFID reader and transmitter.

Assume that the card has to be activated in some way. Maybe the cover has to be opened, or the card taken out of a sleeve. Maybe the card has a button to push in order to activate it. Also assume the card has come challenge-reply security protocol and an encrypted key exchange protocol of some sort.

  1. Alice’s reader sends a message to Mallory’s RFID chip.
  2. Mallory’s reader/transmitter receives the message, and rebroadcasts it to Bob’s chip.
  3. Bob’s chip responds normally to a valid message from Alice’s reader. He has no way of knowing that Mallory relayed the message.
  4. Mallory’s reader transmitter receives Bob’s message and rebroadcasts it to Alice. Alice has no way of knowing that the message was relayed.
  5. Mallory continues to relay messages back and forth between Alice and Bob.

Defending against this attack is hard. (I talk more about the attack in Applied Cryptography, Second Edition, page 109.) Time stamps don’t help. Encryption doesn’t help. It works because Mallory is simply acting as an amplifier. Mallory might not be able to read the messages. He might not even know who Bob is. But he doesn’t care. All he knows is that Alice thinks he’s Bob.

Precise timing can catch this attack, because of the extra delay that Mallory’s relay introduces. But I don’t think this is part of the spec.

The attack can be easily countered if Alice looks at Mallory’s card and compares the information printed on it with what she’s receiving over the RFID link. But near as I can tell, the point of the 25-foot read distance is so cards can be authenticated in bulk, from a distance.

From the News.com article:

Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, “the solution must sense up to 55 tokens.”

If Mallory is on that bus, he can impersonate any nearby Bob who activates his RFID card early. And at a crowded border crossing, the odds of some Bob doing that are pretty good.

More detail here:

If that were done, the PASS system would automatically screen the cardbearers against criminal watch lists and put the information on the border guard’s screen by the time the vehicle got to the station, Williams said.

And would predispose the guard to think that everything’s okay, even if it isn’t.

I don’t think people are thinking this one through.

Tags: , , , , , , ,

Posted on April 25, 2006 at 7:32 AM58 Comments

Comments

KMP April 25, 2006 8:08 AM

But if it’s “authentication in bulk”, the issue is going to come up where the number of tokens is not equal to the number of passengers – there’s one person more than the number of different credentials presented. That’s especially going to be easy to catch on a bus.

mark April 25, 2006 8:12 AM

Of course at a border crossing like the mexican one you might end up with more people with man in the middle machine than people with real cards. Queue endless loops of man in the middle machines relaying each others messages in desparate search of a valid card.

Paeniteo April 25, 2006 8:21 AM

Including and checking some biometric data could prevent this kind of impersonation (but would also defeat the inteded purpose of the system).

The chances of Mallory finding a Bob with an activated passport who looks suitably close to him are pretty slim (particularly as he has no way to find out whom he is going to impersonate).

stacy April 25, 2006 8:28 AM

If no one is actually looking at the card (or comparing the RFID signal with reality), why bother with anything as high tech as man in the middle? Just steal someone’s card. It will only be good for today, but if Joe Terrorist wants to get across the border undetected, he steals Granny Smith’s border corder and hops on a Greyhound going from Toronto to NewYork.

slup April 25, 2006 8:29 AM

What i don’t understand is if you are trying to catch negatives, i.e. people without legal document (i am sure that wanted criminals sometimes forget to carry around identification), why do you apply a positive identification?
The reason someone checks your passport is not to say “What a nice legal passport you have there, you may go on” but instead “You do not have a passport? Please come with me” and these chips are not the way to make these people stand out from the crowd.
There is no bell or whistle when someone fails to show a correct working chip which is what you are interested in finding.

rj April 25, 2006 8:29 AM

Not that I’m a fan of kludging a system that’s yet to be fully specified. But flagging that Bob’s information was read in twice might be used as a method to detect such an attack.

jsg_itoe April 25, 2006 8:37 AM

Encrytion will help if the public key is printed in the passport (ex. in a 2D datamatrix code).

This is nearly as good as the smart card solution (which is still better).

Bram April 25, 2006 8:48 AM

I dont understand the 25-foot range requirement. Isn’t this system meant to (more easily) check people passing the border. I assume that this check is done when somebody passes some kind of customs officer, gate, or other place. Not by some customer at 25-foot range that points something at you or so?

Nicholas Weaver April 25, 2006 8:51 AM

At some institutions, I’ve seen the prox card reader. What happens is when you swipe the card, your photo is fetched from the database and placed on the screen for reception/security.

That alone really helps against the MITM attacks, as it uses a second form of verification.

Tom April 25, 2006 9:06 AM

This man in the middle is no different than the stolen card problem. Any scheme that allows Mallory to use Bob’s card has the same failing. We’re trying to control which people go through, because we care about prople, not which cards go through. The cards need some biometric to trigger them, not a radio pulse from Alice. That way Alice knows that a person matching the card is going through.

As KMP said, bulk authentication is only triage. If the bus has 50 people and you get 50 authenticated responses, you win. If not, everybody troops off the bus to be scanned serially. When somebody scan’s twice, Alice becomes suspicious and turns off the bulk scanner and puts her handheld on each card. The second time it says “Bob”, both of them get a talking to. By this time Alice compares more data on the card to separate Bob from Mallory, who’s off to Gitmo.

Foolish Jordan April 25, 2006 9:08 AM

Wait, if they’re going to scan an entire bus in bulk without even looking at the passports, then it’s even easier than that… I just borrow my friend’s passport when I ride the bus across the border.

russm April 25, 2006 9:19 AM

an obvious attack that sprung to mind when I first saw the 25′ RFID passport mentioned – build a bomb that pings for local responses, and detonates when there’s > 5 responses, and leave it in a cafe/bar/whatever in Tel Aviv (or wherever)… you don’t care about encryption, or authentication, or anything other than the presence of US passports… as soon as there’s more than 5 US tourists within range you go off…

paul April 25, 2006 9:43 AM

Although buses are fairly well-contained venues, customs lines are not. And they don’t move particularly fast. So what are the odds of finding Mallory by the time Bob arrives at the desk and is tagged as a duplicate? The assumption at most entry points is that once you get waved through you’re free to go. So at best you’d have to search the entire road/concourse/whatever when you got a duplicate.

peter April 25, 2006 9:50 AM

I don’t get this: Alice sends message to Mallory who relays to/from Bob. How does Alice know who she is sending to? Isn’t this a broadcast? If so why doesn’t Bob answer directly?

Joe Patterson April 25, 2006 10:10 AM

“Assume that the card has to be activated in some way. […] Also assume the card has come challenge-reply security protocol and an encrypted key exchange protocol of some sort.”

I think you’re being way too optimistic with your assumptions. How about:
Assume that the card will always reply to any request from any reader, and the reply is a simple serial number.

Makes a MITM attack much easier. Now, I haven’t read the spec or anything clever like that, but my cynical soul guesses that my assumptions aren’t that far off from what will become reality.

Andrew2 April 25, 2006 11:08 AM

“I don’t get this: Alice sends message to Mallory who relays to/from Bob. How does Alice know who she is sending to? Isn’t this a broadcast? If so why doesn’t Bob answer directly?”

This depends on the environment in which the system is being used. If you’re trying to secure a customs line, 25′ would seem to be a big problem when several cards reply to each broadcast. This is part of why some sort of user-controlled deactivation is necessicary. If only open passports respond, then Mallory is hoping that someone who is in range of his RFID equipment (which doesn’t have to follow specifications and might have a longer range) but not in range of the official reader is poking around looking at his ID.

Andrew2 April 25, 2006 11:11 AM

The official reader at a customs line would probably have a directional antenna or a diminished reading range too. I expect the 25′ requirement is designed to allow other applications such as scanning an entire bus at once in the future.

JakeS April 25, 2006 11:23 AM

“the PASS system would automatically screen the cardbearers against criminal watch lists and put the information on the border guard’s screen by the time the vehicle got to the station”

With the current quality of “watch lists”, that practically guarantees at least one false positive on every bus, so they’ll be taking all the passengers off and checking passports manually every time anyway.

Oh, and picking up RFIDs will get passenger info on the guard’s screen by the time the vehicle gets to the checkpoint a few moments later?  Yeah, right.  For transatlantic flights it’s taking DHS hours to check the manifests.

nefthy April 25, 2006 11:27 AM

The scanner could use some sort of echo detection, to detect the retransmition of its own messages.

Daedala April 25, 2006 11:36 AM

The articles are talking about the cards having “only a 96-digit code.” Unless there is some kind of timestamping, though, you don’t even need to replay a card that was just activated. You can pick one up any time, and replay the card’s transmission when you need to. And unless there’s something really clever going on, then the timestamping would probably be easy enough to crack and used to transform the stolen data — and while RSA tokens are cheap, they’re probably not as cheap as these PASS thingies need to be, and I don’t know if the form factor could be made to work.

Stealing someone else’s PASS would be easy enough, but with the 25′ broadcast range, you don’t even need to steal it. You just need to listen.

Bruce Schneier April 25, 2006 12:09 PM

“But if it’s “authentication in bulk”, the issue is going to come up where the number of tokens is not equal to the number of passengers – there’s one person more than the number of different credentials presented. That’s especially going to be easy to catch on a bus.”

No. Mallory would hijack the credential of someone else, not on the bus. In the bus behind. Further away. It all depends on his equipment.

Bruce Schneier April 25, 2006 12:10 PM

“Not that I’m a fan of kludging a system that’s yet to be fully specified. But flagging that Bob’s information was read in twice might be used as a method to detect such an attack.”

Indeed. After Mallory has made it through security, Bob will probably be hassled.

Bruce Schneier April 25, 2006 12:11 PM

“I don’t get this: Alice sends message to Mallory who relays to/from Bob. How does Alice know who she is sending to? Isn’t this a broadcast? If so why doesn’t Bob answer directly?”

Bob is out of range of Alice’s equipment, but in range of Mallory’s.

Cathy April 25, 2006 1:00 PM

I suppose the border peoplefigure if RFIDs are good enough for I-94 documents, they’re good enough for smart cards. For those questioning the 25′ range requirement, I invite them to cross the border at Peace Arch, Pacific Truck Crossing, or one of the other 3 border crossings testing RFID equipment. The equipment is positioned next to the line of cars. You place your I-94 on the dashboard, and the document is scanned before you ever get to the customs agent.

(See http://www.runningbrookministries.com/USV201.pdf for a press release describing the test and for a list of locations)

Impersonating an I-94 is far worse than impersonating a smart ID card as an I-94 is a document showing legal status in the US.

For now, the workaround is to cross somewhere like Aldergrove where there is no RFID reader. I suspect some of those smaller border crossings will be closed (instead of having expensive equipment installed), hence longer lines and worse service.

Carl April 25, 2006 1:56 PM

Here’s the real question: What’s the best way to destroy an RFID tag? I’ve heard that microwaving the tags will light their packaging on fire, which would destroy the passport or other document. What about beating the tag with a hammer? You could do that without destroying the passport/document itself. I assume the tags are waterproof, so submerging them wouldn’t help. I’m being 100% serious here. How do you destroy an RFID tag?

David Donahue April 25, 2006 2:34 PM

When a system like this is proposed with such serious flaws, it makes me wonder what the REAL goal of it is.

If the goal of the system was to track the movements of only valid users and also to provide a cardholder a visible sense of being protected, then this exact system (even with it’s flaws) does it’s job well. Actual detection of those gaming the system (Malory) is not relivant.

I’m actually not that cynical, I think this system is the brainchild of a DHS bureaucrat who desperately “wants to do something” to secure the borders using technology. The problem here is that once proposed, it’s judged on it’s political merits, not it’s technical ones.

For the proposer and it’s backers, it’s benefits are political / monetary anyways and the actual security of the system is low on the list of desired traits.

In DC, it’s my understanding that those who argue about the technical merits of a system tend to have less power / influence than those people in DHS who are backed by companies who will monetarily benefit from the sale of such a system.

Admitedly those who tend to oppose it are also backed by companies that will benefit in some other way (Sales competitors for other similar systems or those who want less border controls such as farming or immigrant advocacy groups).

What we need to do is publicly make this embarrassing, thus weakening the influence of those backing it and forcing them to change their “something to do” from this flawed system to “something with less flaws”.

However the degree to which we can bring political heat and visibility to this flaw will be the determining factors in getting the system fixed or replaced, not the technical merits however bad they may be.

It’s frustrating because I’m a “argue the technical merits” kinda guy myself and playing the “gain influence and political capitol” game is something I find much harder.

When up against seasoned and well funded sales people for a governmental sale, I tend to lose regardless of the merits of my system unless I too am allied with well funded Sales people backing my alternative system.

Dan April 25, 2006 3:06 PM

Bob is out of range of Alice’s
equipment, but in range of Mallory’s.

First question, how can Mallory be sure that Bob is not in range of Alice’s reader? He takes a big risk.

I have been to a few lectures on RFID attacks, and one of the main difficulties for Mallory was apparently to power Bob’s chip.

So if Bob’s chip is not in Alice’s reader range, Mallory carries equipment to power Bob’s chip. I heard it would be quite bulky (with big batteries) and this will trigger Alice’s suspicion. She could even detect Mallory’s power signal with specific equipment.

In the case where Bob is also in range of the reader and his chip is powered by it, Alice would detect the answer from both Bob’s chip and Mallory’s chip when checking Mallory’s ID. The attack is therefore foiled.

Btw, this guy is a good lecturer on RFID:
http://cq.cx/index.pl

dr.bad April 25, 2006 3:18 PM

well well, that man in the middle thingy can probably be done remotely, unless the reader checks the response times down to the microsecond. you could link the two parts of your RFID repeater with a GSM link (or whatever). that way, you could easily choose someone who more or less looks like you in a big city, by using a moderately powerful transmitter to access his chip accross the walls. you then send signals back and forth the customs via the data link until you cross the border. oh my, this could be done with car key transmitters too…

the problem with RFID is that you don’t know where the signal comes from or where it goes to. it’s like handing logic probes to whoever asks it. as mentioned earlier, bombs exploding when the number of americans/people/whatever within range crosses a threshold are a very real possibility and a danger of RFID technologies. now we all love new cool technology but I think that RFID ubiquitousness is really dangerous, especially long-range RFID. it’s all fine for tracking containers and stuff,
but even with all the crypto of the world I don’t feel comfortable
walking with 20 radio beacons on myself, even if they are of the passive kind. now of course I’m not talking about slaves, cattle and other property. those should be tagged.

piglet April 25, 2006 4:39 PM

“The reason someone checks your passport is not to say “What a nice legal passport you have there, you may go on” but instead “You do not have a passport? Please come with me” and these chips are not the way to make these people stand out from the crowd.”

I don’t believe there is any intention of not checking travelers individually. They may be dumb but not that dumb. Pass port checking actually has two purposes: to discourage people who don’t have the required papers from crossing the border, and to monitor those who are allowed to cross the border. I don’t know whether this will apply to US citizens but all non-citizens crossing the border are stored in the database, and electronic passports of course make this easier.

piglet April 25, 2006 4:52 PM

I find it surprising that the government now openly admits to using RFID chips with long read ranges. Exactly one year ago, the government was claiming the opposite (http://www.hasbrouck.org/blog/archives/000558.html). This is more than troubling. I guess you all oughta call your representative at once, send emails and faxes and make as much noise as possible. Last chance.

roy April 25, 2006 5:11 PM

I’m not clear on the bookkeeping going on. What if a bus with Mallory, Bob, and 53 of Mallory’s friends got interrogated, and the interrogator got 55 Bobs answering back? Would the system notice that there are multiple Bobs, or would it just check ‘Bob’ 55 times and find out he’s a model citizen in each case and thus pass on the entire bus?

Bob Blabber April 25, 2006 5:16 PM

“Here’s how the attack would work. In this scenario, customs Agent Alice has the official card reader. Bob is the innocent traveler, in line at some border crossing. Mallory is the malicious attacker, ahead of Bob in line at the same border crossing, who is going to impersonate Bob to Alice. Mallory’s equipment includes an RFID reader and transmitter.”<

Isn’t this really just a “movie plot threat” scenario though?

J.J. April 25, 2006 5:45 PM

Bruce,

allow me to play devil’s advocate.

if there is a better technical solution, why don’t you and your company submit a proposal to DHS? You obviously have the necessary experience, and if your solution is so much more secure and reliable, there should be no question of the contract award, right?

I suspect that with today’s technology, there simply is no perfect solution. So what is DHS to do? nothing, because something perfect doesn’t exist? or do you implement an imperfect solution that raises the bar?

where is the boundary between practical and perfect?

Alasdair Nottingham April 25, 2006 6:01 PM

Although if I really wanted to sneak into the US would I have the resources to launch this kind of attack? Possibly but in any case wouldn’t it just be simpler to hide in the trunk of a car, or in the back of a lorry? Unless there is something that can pick up your presense without an RFID tag you’re in without bothering with any of this.

I still find this all very worrying, but not for people sneaking over the border, I just don’t like the idea that someone 25′ away knows who I am and where I am, that seems more scary than the implications to border control.

David Donahue April 25, 2006 6:54 PM

J.J let me bite on this one. To my knowledge Bruce’s company doesn’t do governmental solutions development work. That’s reason enough not to harass him about it, however the larger question I think you’re really asking is “if you’re going to complain why don’t you just fix it yourself”.

In this specialized world everyone can’t do everything and sometimes the skills and desire to find technical flaws in a public proposal are the not the same as those to cost effectively sell border control hardware and systems to the government.

I suspect that if Bruce were to devote his time to researching the current technology and had a useful definition of the problem to be solved (not trivial) he would come out with a non-flawed detailed solution and proposal. But given the way these things go, his company probably wouldn’t be able to sell it since they probably don’t have the right contacts and relationships established to do this kind of work.

OK what should he do then? He could always point out the flaw and mention publicly that better designs using contact smartcards would be more effective and not suffer from such flaws.

Of course that’s exactly what he did.

Pat Cahalan April 25, 2006 7:27 PM

@ J.J.

I suspect that with today’s technology, there simply is no perfect solution. So
what is DHS to do? nothing, because something perfect doesn’t exist? Or do
you implement an imperfect solution that raises the bar?

If the imperfect solution raises the bar in a practical way that has benefits, you go ahead and raise the bar. I don’t think RFID in passports provides much of a benefit.

The much-touted advantage of RFID in identification tokens is that it will enable more efficient queue management (because not every passport will have to be checked by hand). They certainly don’t make passports more difficult to forge than any other implantable chips.

However, this isn’t much of an advantage if you really ought to be checking the token by hand in the first place, or if the technology is error-prone enough that the queue will not benefit because you have to halt it periodically to check for false readings.

I personally think RFID in passports is a waste of money. They won’t make border queues move faster, they won’t make it much more difficult to get a fake passport, and most importantly they enable exactly this sort of NEW security hole that makes the queue actually less secure!

stacy April 25, 2006 7:32 PM

“What’s the best way to destroy an RFID tag?”

http://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN) explains how to modify the flash of a single use camera to be an EMP generator that wil destroy a passive RFID tag.

My question is, why would you want to? If you end up with an unusable document you would likely get turned away from the border and required to replace the document (I am assuming that they are not free).

RonK April 25, 2006 11:59 PM

@stacy

If you could DoS enough cards of other people using a similar technique (assuming it could be done remotely enough), the resulting chaos at the border crossing might enable you to sneak through (border guards assume their equipment is not working). Or blow up more people all at once. Or something else significant that escapes me (make the government waste even more money?).

Greg April 26, 2006 2:03 AM

think what happened with improved ignition key security for cars: car-jacking.

now you can look forward to: bus-jacking of tourist buses as they drive towards the border…

erasmus April 26, 2006 2:06 AM

“What if a bus with Mallory, Bob, and 53 of Mallory’s friends got interrogated, and the interrogator got 55 Bobs answering back?”

Or, if the cover acts as a shield, what chance is there that 55 people can flash an open document in the same direction at the same time, for long enough for the officer to count them? And if several passengers are carrying valid, but different documents…?

Steve April 26, 2006 5:12 AM

As others have already implied (by mentioning theft of cards), if you use a token-only means of identification, then you’re going to lose. A lot. Perhaps in a variety of ways.

So whoever proposed this US-Mexico document is either a fool, or else doesn’t care which Mexicans they get on any given day (provided they know how many there were), or else feels that the current system is even less secure than token-only ID.

Ale April 26, 2006 7:06 AM

“there should be no question of the contract award, right?”

Nope, completely wrong. That is the whole point: the motivator is not for better technology, but for greater expense of US taxpayer’s money in initiatives that are only for show. This is not a technology project with political overtones: it is a political project with high-tech sales points.

Daedala April 26, 2006 10:07 AM

JJ:

Bruce has said what a much more secure solution would be. It’s in this very post, in fact. “The most secure solution is a smart card that only works in contact with a reader; RFID is much more risky.”

dhasenan April 26, 2006 2:27 PM

RonK:

An EMP gun that could do that at a respectable distance would probably be rather large and have a large capacitance requirement–a model with 100V only had a range of a few inches, according to the article. Granted, putting a magnet inside the coil and wrapping it better would help, but not significantly or asymptotically.

Carl April 26, 2006 10:58 PM

“What’s the best way to destroy an RFID tag?”

http://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN) explains how to modify the flash of a single use camera to be an EMP generator that wil destroy a passive RFID tag.

My question is, why would you want to? If you end up with an unusable document you would likely get turned away from the border and required to replace the document (I am assuming that they are not free).”

======================

I appreciate the response. Some percentage of RFID tags are going to break. Some will be duds, some will get exposed to radiation, x-rays, rough treatment, etc. Any documents/passports will have to be visually readable as well as RFID readable. There is no way for the government to know whether someone intentionally broke their RFID or whether it broke naturally, so they won’t turn people away, as long as the physical document is in order.

I want to destroy any RFID equipped documents because they are the real world implementation of the tinfoil hat theory of mini tracking devices in $20 bills. I refuse to let the government track my movements.

TuxGirl April 26, 2006 10:59 PM

You give the example where you have a bus of people, and one person in there is retransmitting someone else’s messages. Unless I’m mistaken, he’s likely going to get someone else in the bus. So, technically, the system could potentially notice that there are two sets of messages with the same information.

However, as someone else mentioned, knowing that 37 people in a bus correctly idenitified themselves does nothing to stop someone from hiding in the bus someplace and just not having a passport… They’d have to count every person on the bus if they wanted to know that everyone on board had authenticated, and if they are going to do that, then they’re back where they started…

~TuxGirl

roy April 27, 2006 3:38 AM

@bob: there exists at least one system readily available, consisting of two suitcases to relay signals to passive ID tokens.
A movie-plot theat for some poor mexicans, yes, but certainly not for well-funded attackers (top-criminals or terrorists).

@paniteo: get such a system, dress as an police/DHS/.. officer at the airport, walk around and ask random people for their passport. I’m pretty sure you’ll get one to read.

The actual threat to (national?) security aren’t the RFID-capabilities, but people getting lazy and looking onto their Screen saying “everything’s allright” instead of looking at the people walking (or driving?) by.
And introducing remote readable passports is also a threat to national security, as machine-readable informations are easier to collect in databases. Who sais readers are only installed at the border or at airports?

Roger April 27, 2006 6:56 AM

@Carl:
“There is no way for the government to know whether someone intentionally broke their RFID or whether it broke naturally, so they won’t turn people away, as long as the physical document is in order.”

Sorry, that’s quite wrong. The “standard” (actually ICAO guidelines) to which everyone is supposed to be adhering, says that the physical paper part is only to be used when the border post’s electronic reader has broken down. If you turn up at a border post that has a working electronic reader, and it is your RFID chip that is not working, they will NOT let you through; instead, the passport will be seized as a mutilated document and you will be turned back until you can obtain a replacement copy from your nearest consulate. This will generally involve considerable expense and long delays, typically of weeks.

piglet April 27, 2006 7:32 AM

Passport Canada (www.ppt.gc.ca) told me the following by email:

“Please note that Passport Canada will be using a contact less chip in its e-Passport, in order to ensure the information it contains is safe and secure. [Who would’ve guessed that]

Passport Canada’s contact less chip will have to be held at least 10 centimetres to the reader or closer, in order to be read. The 10-centimetre distance is the standard adopted by the International Standards Organization (ISO).”

This is in line what I’ve been told by the German authorities. The USA going for a less secure standard than everybody else is once again remarkable. Why? Everything that has been said about remotely checking busloads of travellers won’t work because the non-US citizens won’t have long range RFID chips. It all just doesn’t make sense.

John R. Campbell April 27, 2006 10:58 AM

Yet another case where convenience and “efficiency” are at odds with “security”.

Of course the problem is that identity authentication isn’t a guarantee of security anyway, so maybe this is just “security theater”.

Clive Robinson April 27, 2006 12:00 PM

@piglet

“will have to be held at least 10 centimetres to the reader or closer”

You are looking at it the wrong way, that’s the distance to gaurenty that a very limited reader will read it. NOT the distance it’s readable by carefully designed equipment.

The range difference depending on the sensor (aproximating square law or cube law) could easily be several tens of meters for the chips in the Canadian and German Pasports…

As a comercial reader designer, I am going to make it insensitive with a well defined pickup pattern to minimise false pickups etc.

As a comparison, thing a lapel mic used in a TV studio and a gun mic used for bird watching or evesdroping.

The lapel mic is designed to have limited sensitivity and be only partialy directional (cardiod) it is going to work over a meter or two at conversational level at best.

The gun mic however is designed to be highly directional and very sensitive, so the gun mic may well act at a hundred or so meters at the same conversational level.

piglet April 27, 2006 5:40 PM

Clive, what they (both the Canadians and the Germans) claim is that it can’t be read at long distance. They justify this with the ISO14443 standard. I have had a long correspondence with the German Federal Authority for Information Security (http://www.bsi.bund.de/fachthem/epass/faq.htm). They claim that the 10-15 cm range cannot be considerably increased, even with very powerful equipment. I don’t know whether they are right but that is what they are saying. If you can point me to concusive evidence to the contrary, I’ll be grateful. We have had this discussion repeatedly on the Schneier site. Many references have also been posted. An important detail is that the signal emitted by the (legitimate) reader may be eavesdropped at longer ranges than the RFID signal itself.

Richard Ouaknine April 29, 2006 9:30 AM

A better technological approach exists that mitigates the flaws of passive card based authentication.

We have created an active biometric (fingerprint) on card authentication that cannot be passively read and will only transmit the appropriate protocol when the user has matched to the card. The user must place their finger on the embedded fingerprint sensor, then place the card in the RF field (125Khz or 13.56Mhz). After the mutual authentication takes place between the reader and the card, the card automatically wakes up, performs the match on the card and then transmits to the reader. The “on” switch is the appropriate RF field after the challenge response to prevent unauthorized RF fields from activating the card.

As far as “sniffing” is concerned, if the card is being used at a 10 centimeter distance, the user is obviously aware of the sniffing effort.

We can program the card to utilize any encryption platform, certificate authority and transmission protocol. We can encrypt the data/programs that reside(s) on the card using one approach and encrypt the actual transmission using another.

For the actual transmission, we can program the card to transmit a static bit stream (customizable length), followed by a random number or OTP. Even if a transmission were to be sniffed, they could not use it again.

The applications and card “personalities” are endless. Please feel free to contact me with questions.

http://www.mydigitaldefense.com

Andrew Sullivan May 15, 2006 12:04 PM

“I don’t think people are thinking this one through.”
Well, of course not. The point of this whole operation has nothing to do with security, but has to do with the spending of a lot of money on pointless technology in the effort to appear to do something. It is the promise of perfect security with zero cost to the U.S. in terms of inconvenience of entry, either by U.S. citizens or by foreigners travelling into the U.S. (possibly bearing the goods that the U.S. needs from those foreign lands).

People are not getting the message: security is a trade-off. Canada and the U.S. have had an undefended border practically forever, in geopolitical terms, because the lowered security turned out to be worth a great benefit to everybody on both sides. Changing that is going to be expensive; but since the U.S. political culture (the Canadian one is no better, note) now requires everything to be free of any cost or inconvenience, the political hucksters flogging this idea are essentially claiming that magic will happen, by technological wonders that we neither do nor want to understand. There’s nothing new about that, unfortunately, although this boondoggle sure looks like a more egregious example than most.

Victim of Man in the Middle Attack November 3, 2006 4:44 PM

Your description of the man-in-the-middle attack (April 2006) is exactly what happened to my cell phone calls over a 5-month period whenever I was in a certain place (at a desk with a land-line phone and computer). The attack was so surreptitious that my cell phone bills did not list any of the calls (outgoing or incoming) I had at that place, even though I conducted all calls from my cell phone handset. I never would have discovered the attacks if one of my frequent callers who I spoke to via cell phone only had not obtained her itemized land-line phone bills fortuitously. Rather than reflecting my cell phone number as the terminating number, the phone records instead itemized the number belonging to the desk phone (for over 80 calls!).

Would my frequent caller’s land-line phone company have records reflecting the number she DIALED (i.e., my cell phone’s), which also should have been the TERMINATING number itemized on her land-line bill?

Where would you look to verify such a man-in-the-middle attack under the circumstances?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.