Tuesday, August 08, 2006

TecH: Electronic Passports and Security Flaws

News from Black Hat Convention:
Very Scary!
In our rush to adopt New technology to thwart Terrorists,
a trial of Electronic Passports with "RFID chips"
The Helpful hackersat the recent BLACK hat security convention have demonstrated a very scary SECURITY hole to reporters at WIREd magazine.

To make it SIMPLE (Something wired doesnt always do!)
a) the proposed passport would have both the current system of a photo and personal data, as well as
b) a RFID tag that will NORMALLY contain the Exact same data as on the paper.

However,

"The Wired write-up suggests that 'a terrorist whose name is on a watch list could carry a passport with his real name and photo printed on the pages, but with an RFID chip that contains different information cloned from someone else's passport'

- but although this is possible in some circumstances, it's chancy because it oughtn't to work for reading terminals where the chip data is put onto a screen for border control."

This might not work, as initially shown, because the bearer COULD be arrested immediately for a fraudlent passport.

BUTa Hack-around COULD be done, in which the "terrorist" would take the data from someone else's passport (using a hidden 'reader') and write that data to a RFID chip {we can call this CHIP2} (but NOT the one in his passport {or chip1}), and then put the fake {chip2} chip on top of his passport so that the Immigration inspector reads the REAL passport, and the FAKE data in chip2 instead of the REAL data in chip1
{so chip1 is not equal to chip2}
And Chip1 has the terrorist's REAL information, as well as matches his passport, thererfore he CANNOT be arrested for PASSPORT fraud.

E-gads. This is ALMOST as scary as the Diebold Voting machine scandals, in which the machines can be hacked as easy as 123! See Here and HERE

Markbnj (life sucks!)

No comments: