Weakness of US Passports and Smart Cards (Jerusalem Post)

[Mike O'Dell]

sorry, but the problems with the rfid passports were demonstrated
years ago, long before they were officially mandated. the response
from the Dept. of Homely Scrutiny was essentially
"bad guys aren't smart enough to exploit this".

there are a bunch of people with really important jobs
in our gubmint that are just too stupid to be believed.
it's a miracle they haven't cut themselves on an apple
and bled to death long before now.

it's one thing for a leader to not know the details
but surround himself with people who do and can give
him good advice. it's another things entirely when
those people are either ignored or they aren't
there in the first place.

and then after the obvious comes to pass,
everyone is surprised. stupid stupid stupid

not nearly enough chlorine in the gene pool

	harumph

	-mo



On 4/25/10 6:16 PM, andre kesteloot wrote:

> 	
> TAU professor tips off US over security flaw in e-passports
> By JUDY SIEGEL-ITZKOVICH
> 25/04/2010 	
>
> Researcher realized that hackers were able to access passport data from
> afar.
>
> A Tel Aviv University researcher has enabled the US State Department to
> fix security holes in its electronic passports, and now has set his
> sights on at-risk credit, debit and “smart” cards used by hundreds of
> millions of people around the world.
>
> E-passports contain biometric data, electronic fingerprints and pictures
> of the holder, as well as a wireless radio frequency identification
> (RFID) transmitter. Although the original system was designed to operate
> at close range, Prof. Avishai Wool of TAU’s Blavatnik School of Computer
> Sciences realized that hackers were able to access data from afar.
>
> Noticing this security problem, Wool helped ensure that the computer
> chip in American e-passports could be read only when the passports were
> opened. In 2007, the State Department outfitted every new passport with
> both a security chip and conductive fibers on the back.
>
> US Embassy spokesman Kurt Hoyer acknowledged to The Jerusalem Post on
> Thursday that there had “been a problem” in the past with his country’s
> e-passports, but added that it had been dealt with. He could not say
> whether the State Department had heard about the difficulty from Wool or
> whether any damage or security breaches had resulted from the problem.
>
> Now, a new study by Wool has found serious security drawbacks in similar
> chips that are being embedded in credit, debit and smart cards. The
> vulnerabilities of this electronic approach – and of the private
> information contained in the chips – are becoming more acute, he says.
> Using simple devices constructed from $20 disposable cameras and copper
> cooking-gas pipes, Wool and his team of students have demonstrated how
> easily the cards’ radio frequency (RF) signals can be disrupted.
>
> His work will be presented later this month at the IEEE RFID conference
> in Orlando, Florida.
>
> Wool has suggested some small steps that can be taken to make smart
> cards smarter, the easiest one being to shield the card with something
> as simple as aluminium foil to insulate the e-transmission.
>
> Wool’s most recent research centers on the new electronic voting
> technology being prepared in Israel.
>
> “We show how the Israeli government’s new system based on the RFID chip
> is a very risky approach for security reasons. It allows hackers who are
> not much more than amateurs to breach the system,” he explained
> Thursday. “One way to catch hackers, criminals and terrorists is by
> thinking like one.”
>
> In his lab, Wool constructed an attack mechanism – an RFID “zapper” –
> from a disposable camera. Replacing the camera’s bulb with an RFID
> antenna, he showed how the electromagnetic pulse signal produced by the
> camera could destroy the data on nearby RFID chips such as e-passports,
> e-ballots and credit cards.
>
> “In a voting system, this would be the equivalent of burning ballots,
> but without the fire and smoke,” he said.
>
> In the case of e-voting, a ballot box could be made of conductive
> materials to overcome the security problem.
>
> The most insidious type of attack is the “relay attack.”
>
> In this scenario, the voting station assumes it is communicating with an
> RFID ballot near it, but it’s easy for a hacker or terrorist to make
> equipment that can trick it. Such an attack can be used to transfer
> votes from party to party and nullify votes for undesired parties, Wool
> demonstrated.
>
> A relay attack may also be used to allow a terrorist to cross a border
> using someone else’s e-passport.
>
> As protection in the case of e-voting, a ballot box could be made of
> conductive materials, he advises.
>
> Another attack involves jamming the radio frequencies that read the
> card. Though the card’s transmissions are designed to be read by
> antennas less than a meter away, Wool and his students demonstrated how
> the transmissions could be jammed by a battery-powered transmitter 20
> meters away. This means that an attacker can disable an entire voting
> station from across the street.
>
> Similarly, a terror group could jam e-passport systems at US border
> controls relatively easily, he suggested.
>
> “All the new technologies we have now seem really cool. But when
> anything like this first comes onto the market, it will be fraught with
> security holes,” the TAU computer expert warned. “In the US, the federal
> government poured a lot of money into e-voting, only to discover later
> that the deployed systems were vulnerable. As a result, over the last
> few years, we’ve seen a trend back toward systems with paper trails.”
>
> The State Department’s Web site on passports at www.travel.state.gov now
> provides advice to overcome the security problems that Wool has discovered.
>
> “We feel that it would be good to point out what we have done to
> diminish the known nefarious acts of ‘skimming’ data from the chip,
> ‘eavesdropping’ on communications between the chip and reader,
> ‘tracking’ passport holders and ‘cloning’ the passport chip in order to
> facilitate identity theft crimes,” says the Web site.
>
> “The State Department is using an embedded metallic element in our
> passports. One of the simplest measures for preventing unauthorized
> reading of e-passports is to add RF blocking material to the cover of an
> e-passport. Before such a passport can be read, it has to be physically
> opened. It is a simple and effective method for reducing the opportunity
> for unauthorized reading of the passport at times when the holder does
> not expect it,” the site continues.
>
> It adds that the department has adopted Basic Access Control to minimize
> the risk of skimming and eavesdropping. This requires that the initial
> interaction between the embedded microchip in the passport and the
> border control reader include protocols for setting up the secure
> communication channel. To ensure that only authorized RFID readers can
> read data, Basic Access Control stores a pair of secret cryptographic
> codes in the passport chip.
>
> When a reader attempts to scan the passport, it engages in a
> challenge-response protocol, asking questions to ensure that the person
> is authorized to access the data. If authentication is successful, the
> passport releases its data contents; otherwise, the reader is deemed
> unauthorized, and the passport refuses read access.
> print <http://www.jpost.com/LandedPages/PrintArticle.aspx?id=173841#>
>
> print
>
> About Us <http://www.jpost.com/LandedPages/aboutus.aspx> | Advertise
> with Us <http://www.jpost.com/LandedPages/adswithus.aspx> | Subscribe
> <http://www.jpost.com/LandedPages/subscribe.aspx> | RSS
> <http://www.jpost.com/Rss/Default.aspx>
> All rights reserved © 1995 - 2009 The Jerusalem Post. 	כל הזכויות שמורות
> © -2009 נט אפיקי תקשורת אינטר מדיה בע”מ
>
>
>
>
> _______________________________________________
> Tacos mailing list
> Tacos at amrad.org
> http://www.amrad.org/mailman/listinfo/tacos

-- 
"Of course it's hard!
If it was easy, we'd be buying it from somebody else!"