No shock here. I'm just surprised it took this long.
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.Schneier gets right to the reason why RFID chips in passports is so very stupid.In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker -- Walluf, Germany-based ACG Identification Technologies -- but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.
He then launched a program that border patrol stations use to read the passports -- called Golden Reader Tool and made by secunet Security Networks -- and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.
Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader -- which can also act as a writer -- and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
I've long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I -- mistakenly -- withdrew my objections based on the security measures the State Department was taking.This should really make people argry. This is a complete waste of time, and money, and it opens up huge holes that allow personal information to be surreptiously stolen. Though "stolen" maybe strongly worded, since things that people want to keep secret are generally protected in some manner.That's silly. I'm not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won't be perfect. And a passport has a ten-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks!
The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved.
Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.
I wonder if anyone has thought of a Faraday wallet.
Hell, they have. Though I wonder what their legality is when you're in an airport where the TSA is supposed to have free access.
No comments:
Post a Comment