Passport Insecurity Endangers Citizens
By Katherine Albrecht
November 03, 2006
Just when you thought the RFID security situation couldn't get any worse, it turns out there is a serious vulnerability in the new spy-chipped US passports. (Surprise, surprise.) British security researcher Adam Laurie has found that the cryptography used in the RFID tags can be cracked by anyone who can get near your passport, provided they have your name, date of birth, and passport number. This info would allow them to unlock your passport chip and download your digital photo and other information from the passport.
Laurie has written a program that he explains can "exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport." Anyone wanting to duplicate a passport would then have complete access to your digital passport photo along with your passport's cryptographic key.
How would a hacker get your name and passport number? It's not as hard as you might think. They could pick up a discarded boarding pass at the airport, log onto British Airways website (or any of a number of equally insecure data sites on the Internet), or work for a business like a bank or hotel that routinely requires and records such information. (Heck, nowadays you have to show a passport just to check into a hotel or exchange currency in Europe --- even to log onto a computer at an Internet cafe.)
Why would our government insist on spending money on insecure technology that puts travelers at risk? A CASPIAN press release we issued last year may help explain:
CASPIAN Uncovers U.S. Government RFID Promotion Scheme
Heads of Federal Agencies encouraged to "advance the industry"
For more details about passport security, here are some useful links:
November 03, 2006
Just when you thought the RFID security situation couldn't get any worse, it turns out there is a serious vulnerability in the new spy-chipped US passports. (Surprise, surprise.) British security researcher Adam Laurie has found that the cryptography used in the RFID tags can be cracked by anyone who can get near your passport, provided they have your name, date of birth, and passport number. This info would allow them to unlock your passport chip and download your digital photo and other information from the passport.
Laurie has written a program that he explains can "exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport." Anyone wanting to duplicate a passport would then have complete access to your digital passport photo along with your passport's cryptographic key.
How would a hacker get your name and passport number? It's not as hard as you might think. They could pick up a discarded boarding pass at the airport, log onto British Airways website (or any of a number of equally insecure data sites on the Internet), or work for a business like a bank or hotel that routinely requires and records such information. (Heck, nowadays you have to show a passport just to check into a hotel or exchange currency in Europe --- even to log onto a computer at an Internet cafe.)
Why would our government insist on spending money on insecure technology that puts travelers at risk? A CASPIAN press release we issued last year may help explain:
CASPIAN Uncovers U.S. Government RFID Promotion Scheme
Heads of Federal Agencies encouraged to "advance the industry"
For more details about passport security, here are some useful links:
- Edward Hasbrouck, the Practical Nomad, explains how to tell if your passport contains a spy chip.
- Security company Flexilis gives a vivid demonstration showing how the RFID shielding in passport covers fail to protect passport holders if the passport is open even 1/4", putting Americans at risk of physical harm. (And we now know, data skimming, as well.)
- Security expert Bruce Schneier discusses passports.
0 Comments:
Post a Comment
<< Home