I’m always wondering about the trend to more IT in passports, government transactions and medical systems. Stuff like that has been pushed by the industry for years now, never even bothering about its usefulness or – behold – business case. In my view, this is driven purely by vendor sports.
Look at this:
“Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a Â£40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passportâ€™s microchip appears on screen.
This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.
On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtreeâ€™s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.”
Passports are often valid for 5 years or more. From the sales pitch until the roll-out, the technology used is probably 5 years old already.
I have spent roughly 10 years in PKI and security related topics, and I haven’t seen a single technology that could be secure over such long time periods.
My wife’s car is 100% technically ok, yet we have not been able to use it for two days now. Even worse, we’ve had to have it towed into the garage.
How is that possible, you ask?
Our daughter (7) was playing with my wifes car keys, and they dropped to the floor. The key with the electronic door opener broke open; they put the battery back in and closed it again. The car refused to start.
I arrived home a few hours later, when my wife surprised me with the usual female error description: “the car does not work anymore. It’s got all the blinkenlights!”. A quick look into the manual told me that the immobilizer refused to let the car start.
In the garage they told us that a tiny piece of the key was missing – a 5mm RFID chip that talks to the immobilizer. We sent our daughter to search on the school yard, but you now all about germans and cleanlyness, right? This was one day ago, so there was no way we could find anything. You also can’t order just the RFID chip – you have to get a completely new key, which costs EUR 70 and takes two days, in which you can’t use the car (no, we do not have a second key, thank you for the suggestion).
This is when I fondly remember my first car which was perfectly able to take me verywhere I wanted without any electronics, except for the oversized car stereo that was worth more than the car itself.
Those were the days….
Maybe I should be happy – fuel is way too expensive, anyway (for the american readers: a gallon costs $9 over here, so will you please stop complaining and start buying smaller cars? Thank you.)
Zone-H.org reports from Blackhat ’06:
“As demonstrated at Black Hat 2006 by Flexilis inc., the proposed American RFID passport might be used terrorists to identify possible targets and automatically detonate bombs…
To back up their statements, Flexilis inc. produced a worrying video in wich an unproperly shielded RFIDF American passport is used to trigger a detonating device.
This can happen when the passport has its cover opened by a fraction of inch (which is a quite common situation, especially in women’s bags… did you ever get your hand trapped by one of those?) thus allowing to be revealed by a RFID scanning device, eventually connected to a bomb-like device.”
They go on describing how this depends on decrypting the passport, but this may not even be necessary. I’m pretty sure the chips/passports will be carrying information (like country of origin) that can be accessed without encrypting the content.
Furthermore, how is this shielding used internationally? Do all RFID passports have shielding?
Thinking ahead, this is not even limited to passports: as RFID starts spreading, this can be extended to other objects with tags that allow putting a person into a certain category (like, ‘coming from Tel Aviv airport duty free store’).
Now this is a cool idea: Researchers at Vrije University in the netherlands have published a paper talking about viruses carried in RFID tags.
Surely far from being an everyday accurence, but this may get huge once we get all these RFID enabled passports and other things.
Imagine the first SQL injection to an ERP system coming through an RFID tag – scary…