Entries Tagged "ID cards"

Hackers Clone RFID Passports

It was demonstrated today at the BlackHat conference.

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard.

In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker — Walluf, Germany-based ACG Identification Technologies — but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

He then launched a program that border patrol stations use to read the passports — called Golden Reader Tool and made by secunet Security Networks — and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.

Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.

As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.

The result was a blank document that looks, to electronic passport readers, like the original passport.

I’ve long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I — mistakenly — withdrew my objections based on the security measures the State Department was taking.

That’s silly. I’m not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.

Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won’t be perfect. And a passport has a ten-year lifetime. It’s sheer folly to believe the passport security won’t be hacked in that time. This hack took only two weeks!

The best way to solve a security problem is not to have it at all. If there’s an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there’s no RFID chip, then the security problem is solved.

Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can’t do, I am opposed to the idea.

Crossposted to the ACLU blog.

Posted on August 3, 2006 at 3:45 PM

Comments from a Fake ID Salesman

In case you thought a hard-to-forge national ID card would solve the fake ID problem, here’s what the criminals have to say:

Luis Hernandez just laughs as he sells fake driver’s licenses and Social Security cards to illegal immigrants near a park known for shady deals. The joke — to him and others in his line of work — is the government’s promise to put people like him out of business with a tamperproof national ID card.

“One way or another, we’ll always find a way,” said Hernandez, 35, a sidewalk operator who is part of a complex counterfeiting network around MacArthur Park, where authentic-looking IDs are available for as little as $150.

Posted on June 6, 2006 at 6:33 AM

RFID Cards and Man-in-the-Middle Attacks

Recent articles about a proposed US-Canada and US-Mexico travel document (kind of like a passport, but less useful), with an embedded RFID chip that can be read up to 25 feet away, have once again made RFID security newsworthy.

My views have not changed. The most secure solution is a smart card that only works in contact with a reader; RFID is much more risky. But if we’re stuck with RFID, the combination of shielding for the chip, basic access control security measures, and some positive action by the user to get the chip to operate is a good one. The devil is in the details, of course, but those are good starting points.

And when you start proposing chips with a 25-foot read range, you need to worry about man-in-the-middle attacks. An attacker could potentially impersonate the card of a nearby person to an official reader, just by relaying messages to and from that nearby person’s card.

Here’s how the attack would work. In this scenario, customs Agent Alice has the official card reader. Bob is the innocent traveler, in line at some border crossing. Mallory is the malicious attacker, ahead of Bob in line at the same border crossing, who is going to impersonate Bob to Alice. Mallory’s equipment includes an RFID reader and transmitter.

Assume that the card has to be activated in some way. Maybe the cover has to be opened, or the card taken out of a sleeve. Maybe the card has a button to push in order to activate it. Also assume the card has some challenge-reply security protocol and an encrypted key exchange protocol of some sort.

  1. Alice’s reader sends a message to Mallory’s RFID chip.
  2. Mallory’s reader/transmitter receives the message, and rebroadcasts it to Bob’s chip.
  3. Bob’s chip responds normally to a valid message from Alice’s reader. He has no way of knowing that Mallory relayed the message.
  4. Mallory’s reader/transmitter receives Bob’s message and rebroadcasts it to Alice. Alice has no way of knowing that the message was relayed.
  5. Mallory continues to relay messages back and forth between Alice and Bob.

Defending against this attack is hard. (I talk more about the attack in Applied Cryptography, Second Edition, page 109.) Time stamps don’t help. Encryption doesn’t help. It works because Mallory is simply acting as an amplifier. Mallory might not be able to read the messages. He might not even know who Bob is. But he doesn’t care. All he knows is that Alice thinks he’s Bob.

Precise timing can catch this attack, because of the extra delay that Mallory’s relay introduces. But I don’t think this is part of the spec.
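A small simulation of the timing check described above, added here as an illustration and not part of the original post: the reader accepts a card only if the reply is cryptographically valid and the round trip fits within the 25-foot read range. HMAC-SHA256 stands in for the unspecified challenge-reply protocol, and the class names, card turnaround time and slack value are assumptions.

```python
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light, m/s
CARD_PROCESSING_S = 50e-6  # assumed fixed card turnaround time
MAX_RANGE_M = 7.62         # 25 feet, the read range quoted above

class Card:
    """Bob's card: answers a challenge with a MAC under a shared key."""
    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class DirectLink:
    """Alice's reader talking straight to a card distance_m away."""
    def __init__(self, card, distance_m):
        self.card, self.distance_m = card, distance_m

    def exchange(self, challenge):
        rtt = 2 * self.distance_m / C + CARD_PROCESSING_S
        return self.card.respond(challenge), rtt

class RelayedLink:
    """Same exchange through a relay: bytes unchanged, delay added."""
    def __init__(self, inner, relay_delay_s):
        self.inner, self.relay_delay_s = inner, relay_delay_s

    def exchange(self, challenge):
        response, rtt = self.inner.exchange(challenge)
        return response, rtt + 2 * self.relay_delay_s

def authenticate(link, key, slack_s=20e-9):
    """Run one round; return (mac_ok, timing_ok) as seen by the reader."""
    challenge = os.urandom(16)
    response, rtt = link.exchange(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(response, expected)
    rtt_limit = 2 * MAX_RANGE_M / C + CARD_PROCESSING_S + slack_s
    return mac_ok, rtt <= rtt_limit

if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    card = Card(key)
    print(authenticate(DirectLink(card, 0.5), key))
    print(authenticate(RelayedLink(DirectLink(card, 3.0), 1e-6), key))
```

The relayed exchange passes the cryptographic check and fails only on timing. The model assumes the card's turnaround time is fixed; the check only works when variation in that turnaround is smaller than the delay a relay adds.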

The attack can be easily countered if Alice looks at Mallory’s card and compares the information printed on it with what she’s receiving over the RFID link. But near as I can tell, the point of the 25-foot read distance is so cards can be authenticated in bulk, from a distance.

From the News.com article:

Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, “the solution must sense up to 55 tokens.”

If Mallory is on that bus, he can impersonate any nearby Bob who activates his RFID card early. And at a crowded border crossing, the odds of some Bob doing that are pretty good.

More detail here:

If that were done, the PASS system would automatically screen the cardbearers against criminal watch lists and put the information on the border guard’s screen by the time the vehicle got to the station, Williams said.

And would predispose the guard to think that everything’s okay, even if it isn’t.

I don’t think people are thinking this one through.

Posted on April 25, 2006 at 7:32 AM

The "I'm Not the Criminal You're Looking For" Card

This is a great idea:

Lawmakers in Iowa are proposing a special “passport” meant to protect victims of identity theft against false criminal action and credit charges.

The “Identity Theft Passport” will be a card or certificate that victims of identity fraud can show to police or creditors to help demonstrate their innocence, Tom Sands, a state representative of the Iowa House and supporter of the proposal, said in an e-mail interview Tuesday.

I wrote about something similar in Beyond Fear:

In Singapore, some names are so common that the police issue He’s-not-the-guy-we’re-looking-for documents exonerating innocent people with the same names as wanted criminals.

EDITED TO ADD (4/7): Of course it will be forged; all documents are forged. And yes, I’ve recently written that documents are hard to verify. This is still a good idea, even though it’s not perfect.

Posted on April 6, 2006 at 1:13 PM

Bypassing the Airport Identity Check

Here’s an article about how you can modify, and then print, your own boarding pass and get on an airplane even if you’re on the no-fly list. This isn’t news; I wrote about it in 2003.

I don’t worry about it now any more than I worried about it then:

In terms of security, this is no big deal; the photo-ID requirement doesn’t provide much security. Identification of passengers doesn’t increase security very much. All of the 9/11 terrorists presented photo-IDs, many in their real names. Others had legitimate driver’s licenses in fake names that they bought from unscrupulous people working in motor vehicle offices.

The photo-ID requirement is presented as a security measure, but business is the real reason. Airlines didn’t resist it, even though they resisted every other security measure of the past few decades, because it solved a business problem: the reselling of nonrefundable tickets. Such tickets used to be advertised regularly in newspaper classifieds. An ad might read: “Round trip, Boston to Chicago, 11/22-11/30, female, $50.” Since the airlines didn’t check IDs and could observe gender, any female could buy the ticket and fly the route. Now that won’t work. Under the guise of helping prevent terrorism, the airlines solved a business problem of their own and passed the blame for the solution on to FAA security requirements.

But the system fails. I can fly on your ticket. You can fly on my ticket. We don’t even have to be the same gender.

Posted on March 14, 2006 at 7:58 AM

Flying Without ID

According to the TSA, in the 9th Circuit Case of John Gilmore, you are allowed to fly without showing ID — you’ll just have to submit yourself to secondary screening.

The Identity Project wants you to try it out. If you have time, try to fly without showing ID.

Mr. Gilmore recommends that every traveler who is concerned with privacy or anonymity should opt to become a “selectee” rather than show an ID. We are very likely to lose the right to travel anonymously, if citizens do not exercise it. TSA and the airlines will attempt to make it inconvenient for you, by wasting your time and hassling you, but they can’t do much in that regard without compromising their avowed missions, which are to transport paying passengers, and to keep weapons off planes. If you never served in the armed services, this is a much easier way to spend some time keeping your society free. (Bring a copy of the court decision with you and point out some of the numerous places it says you can fly as a selectee rather than show ID. Paper tickets are also helpful, though not required.)

I’m curious what the results are.

EDITED TO ADD (11/25): Here’s someone who tried, and failed.

Posted on March 10, 2006 at 7:20 AM

Real Fake ID Cards

Or maybe they’re fake real ID cards. This website sells ID cards. They’re not ID cards for anything in particular, but they look official. If you need to fool someone who really doesn’t know what an ID card is supposed to look like, these are likely to work.

Posted on February 15, 2006 at 1:19 PM

Multi-Use ID Cards

My eleventh column for Wired.com is about ID cards, and why you don’t — and won’t — have a single card in your wallet for everything. It has nothing to do with security.

My airline wants a card with its logo on it in my wallet. So does my rental car company, my supermarket and everyone else I do business with. My credit card company wants me to open up my wallet and notice its card; I’m far more likely to use a physical card than a virtual one that I have to remember is attached to my driver’s license number. And I’m more likely to feel important if I have a card, especially a card that recognizes me as a frequent flier or a preferred customer.

Some years ago, when credit cards with embedded chips were new, the card manufacturers designed a secure, multi-application operating system for these smartcards. The idea was that a single physical card could be used for everything: multiple credit card accounts, airline affinity memberships, public-transportation payment cards, etc. Nobody bought into the system: not because of security concerns, but because of branding concerns. Whose logo would get to be on the card? When the manufacturers envisioned a card with multiple small logos, one for each application, everyone wanted to know: Whose logo would be first? On top? In color?

The companies give you their own card partly because they want complete control of the rules around their own system, but mostly because they want you to carry around a small piece of advertising in your wallet. An American Express Gold Card is supposed to make you feel powerful and everyone else feel green. They want you to wave it around.

Posted on February 9, 2006 at 6:39 AM

Reading RFID Cards at Yards Away

This article talks about a not-a-passport ID card that U.S. citizens could use to go back and forth between the U.S. and Canada or Mexico. Pretty basic stuff, but this paragraph jumped out:

Officials said the card would be about the size of a credit card, carry a picture of the holder and cost about $50, about half the price of a passport. It will be equipped with radio frequency identification, allowing it to be read from several yards away at border crossings.

“Several yards away”? What about inches?

Note: My previous entries on RFID passports are here, here, here, and here.

Posted on January 23, 2006 at 12:27 PM
