August 5, 2006 3:51 PM PDT

Researchers: E-passports pose security risk

LAS VEGAS--Radio tags used in everything from building access cards to highway toll cards to passports are surprisingly easy to copy and pose a grave security risk, researchers said this week.

At a pair of security conferences here, researchers demonstrated that passports equipped with radio frequency identification (RFID) tags can be cloned with a laptop equipped with a $200 RFID reader and a similarly inexpensive smart card writer. In addition, they suggested that RFID tags embedded in travel documents could identify U.S. passports from a distance, possibly letting terrorists use them as a trigger for explosives.

At the Black Hat conference, Lukas Grunwald, a researcher with DN-Systems in Hildesheim, Germany, demonstrated that he could copy data stored in an RFID tag from his passport and write the data to a smart card equipped with an RFID chip. The copied chip could be used in a forged passport, for example. "We programmed the chip to behave like a passport," Grunwald said in an interview with CNET News.com on Friday.

Click here to Play

Video: E-passport flaws
Researchers warn of potentially serious risks.

The threat of unauthorized duplication could affect millions of Americans who are scheduled to begin receiving RFID passports in October. It also calls into question assertions by government officials--who have defended implanting RFID tags in passports despite privacy worries--that the new passports will be more difficult to forge.

Grunwald did say that he has not unearthed any flaws in the crypto that protect the integrity of the information stored in the chips in passports. In other words, while the data can be cloned merely by scanning the RFID tag, the information cannot be changed. Grunwald was able to read the data on the chip by duplicating a customs inspection station.

It took Grunwald "two weeks and $5,000 in legal fees" to complete his project, which uses RFID reading hardware and some homegrown software, he said. At Defcon on Friday, Grunwald also tested his setup with some corporate access cards, which he was also able to copy. This means an attacker could copy access cards and use the copies to open doors to secured buildings.

"You can add RFID in a secure way, but especially in electronic passports the standards are created by compromise, and by compromise you can not do it securely," Grunwald said. "You need a lot of research to do it right, and that research is not done right now." Grunwald is in the process of establishing a company focused on RFID security, he noted.

RFID hack

Around the world, governments are adding RFID tags to passports as a way to fight counterfeiting. Moving faster than the U.S., several European countries already issue passports with RFID tags. Privacy advocates and some security experts have warned about possible threats of moving to electronic passports.

Data leakage is one of those dangers. By design, RFID tags can be read by readers. In their current design, a slightly opened passport would be detectable, said Kevin Mahaffey, a researcher with wireless security company Flexilis. Although the actual data on the chip can't be read, "the simple ability for an attacker to know that someone is carrying a passport is a dangerous security breach," he said.

It may be possible to determine the nationality of a passport holder by "fingerprinting" the characteristics of the RFID chip, Mahaffey said. "Taken to an extreme, this could make it possible to craft explosives that detonate only when someone from the U.S. is nearby," he said. At Black Hat, Mahaffey showed a video that simulates just that.

Flexilis suggests a dual cover shield and a specifically designed RFID tag that will make it unreadable until the passport is fully opened. Grunwald, aware of the leakage danger, carries his passport in a pouch made of aluminum foil and noted that companies in Germany already sell specially made passport pouches to prevent the radio tag from being read.

Alternatively, Grunwald said, due to some problems with the RFID tag in the German passport, the government decided that the passport will still be valid, even with an inoperative RFID tag. The Chaos Computer Club, a German hacker club, came up with a creative solution, Grunwald said.

"The CCC is recommending to just microwave your passport," he said.

See more CNET content tagged:
RFID, passport, RFID tag, e-passport, Black Hat

9 comments

Join the conversation!
Add your comment
"The CCC is recommending to just microwave your passport,"
Surely this should not be done intentionally to destroy the RFID, but mobile phones seem to be able to do just that.
My corporate ID card has been changed more than once, after being in the same pocket as my phone.
For a passport that is supposed to last for 10 years some kind of "phone" protection should be in place.
Posted by reslfj (2 comments )
Reply Link Flag
And why not?
RFID in passports is completely useless. The technology will not be replacing security guards in any forseeable stretch of time, those same security guards would ask you to open your passport so that they can see your information anyway, and nothing can stop somebody from scanning your RFID chip at the same time that a customs official does.

Any way you try to dress it up, the RFID is a bad idea.
Posted by bourgtai (105 comments )
Link Flag
Physical button
Why don't they just add a button? The RFID chip wouldn't send out
a signal unless someone is applying pressure to close a circuit.
Posted by jgraessley (1 comment )
Reply Link Flag
Why would anything with the word Radio in it...
not be secure? Its not like every person who owns a car can push a button and listen to the information being broadcasted, right? *sarcasm*

Adding RF tags to anything is just plain stupid. It will never be secure since it was designed to be open. I don't mind this for tracking products, but it should be removed before anything is sold. For Passports, IDs and medical history, no... just plain, flat out, NO.
Posted by umbrae (1073 comments )
Reply Link Flag
This isn't News... it's Olds...
Nothing new at all about the dangers... they've been known for quite some time now.

That said... why all of a sudden News on such an old problem?
Posted by wbenton (522 comments )
Reply Link Flag
News
Well, a live demonstration (as opposed to theory) makes something newsworthy.
Posted by declan00 (848 comments )
Link Flag
Is the government finally listening?
Last month I read an article on CNN about security risks that come with using RFID tags for passports. Of course, the State Department wanted to pay no attention to the security experts' concerns (<a class="jive-link-external" href="http://www.iwantmyess.com/?p=80" target="_newWindow">http://www.iwantmyess.com/?p=80</a>).
If these chips can be cloned using a LAPTOP - imagine what kind of damage could be caused when we start having to deal with hackers that are transporting personal information?
Posted by ml_ess (71 comments )
Reply Link Flag
Nationality driven detonator?
Why detonate a bomb for just one US citizen?
Why not design the detonator to to explode the bomb when it counts many passports of a given nationality? Then a terrorist can put a bomb that only explodes when a busload of tourists of the desired nationality has arrived...
Posted by hadaso (468 comments )
Reply Link Flag
Recent Update: Dubai.

The recent (Feb 2010 newscycle) dubai attack proves this very issue. How many of those passports of the 26 spies were E-Passports from UK/Germany? Obviously E Passports are cloned. We just saw proof.
Posted by kiers93 (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.