Friday, February 6, 2009

Hackers clone passports in drive-by RFID heist

I have been following the progress of the RFID chip for some time. Wouldn't you know it? As Big Brother becomes more clever to control us for our safety we become less secure. All that money spent to implement systems outsmarted by a kid in a car with a cheap RFID reader. Go figure how government spends your money. Other articles on RFID and surveillance on this blog are here and here.

By Iain Thomson
4 February 2009
A British hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco.

Chris Paget, director of research and development at Seattle-based IOActive, used a US$250 Motorola RFID reader and an antenna mounted in a car’s side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.

During the demonstration he picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.

“I personally believe that RFID is very unsuitable for tagging people,” he said.

“I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Hemisphere Travel Initiative be scrapped.”

Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a ‘kill code’ (which can wipe the card’s data) and a ‘lock code’ that prevents the tag’s data being changed.

However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

The ease with which the passport cards were picked up is even more worrying considering that less than a million have been issued to date.

Paget is a renowned ‘white hat’ ethical hacker and has made the study of the security failings of RFID something of a speciality.

In 2007 he was due to present a paper on the security failings of RFID at the Black Hat security conference in Washington but was forced to abandon the plans after an RFID company threatened him with legal action.

He points out that RFID tags are increasingly being used in physical security systems such as building access cards and the technology needs significant security adding before it could be considered safe for commercial use.

Copyright © 2009

No comments:


All blogs are really just small snapshots of a person's mind, heart and soul as they evolve together through life....

Small bits of the thread of life we weave together into the fabric of ourselves, in the hope we will make sense of our existence, individual and collective.

On this page, is the cloak I have fashioned from my fabric to warm myself in a universe which often makes little sense.

Inside my cloak, it is warm enough to face the blistering cold winds of the insane world in which I find myself.

If you find some a bit of 'the good stuff' here, it has been my pleasure.