If You Think Your RFID Passport Is Secure, Think Again

December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
http://blogs.zdnet.com/storage/?cat=5, Public policy
http://blogs.zdnet.com/storage/?cat=8, Security
http://blogs.zdnet.com/storage/?cat=7

You're confident your RFID passport is safe in its signal-blocking wallet as
you pass through immigration. What you don't know is that the man behind you
is recording the data sent by your passport's RFID chip as it is
scanned.Your name, nationality, gender, birthday, birthplace and a nicely
digitized photo is in his hands. With that info he can photoshop up a
passport, get a copy of your Social Security card and with that get credit
cards and bank accounts in your name.

*Rewarding individual enterprise*
Thanks to bureaucratic confidence in RFID technology this is a real threat.
An article in the Communications of the Association for Computing Machinery
http://cacm.acm.org/magazines/2009/12/52836-a-threat-analysis-of-rfid-passports/fulltext
goes into the details:

For successful data retrieval the perpetrator's antenna must catch
two different interactions: the forward channel, which is the signal
being sent from the RFID reader to the RFID token; and the backward
channel, which is the data being sent back from the RFID token to
the RFID reader. . . .

. . . the perpetrator would need only an antenna and an amplifier to
boost the signal capture, a radio-frequency mixer and filter, and a
computer to store the data. The amplifier itself would not even need
to be that powerful, since it would need to boost the signal over
only a short distance of three to five meters. . . . These RFID
"sniffers" can then be plugged into a laptop via a USB port.

*They've got your data, now what?*
The weak 52-bit key encryption is easily broken. Then just counterfeit the
passport, get a social security card and start shopping!

As the article notes, forging a passport can be expensive. It might be
easier just to steal it.

*The Storage Bits take*
The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon
http://blogs.zdnet.com/storage/?p=565 earlier this year.

But these are just the risks we know about today. What new technologies will
appear in the next 15 years to make both eavesdropping and forgery easier?

The RFID passport is a technological sitting duck for bad guys of all
kinds - criminals and terrorists - courtesy of the US State Department. As I
noted in previous post:

The time to end this nonsense is now. There are perfectly usable
non-RF storage technologies - like 3D barcodes - that can safely
store data in hard to crack, hard to hack formats.

We can do better. And we must.

Robin HarrisRobin Harris has been messing with computers for over 30 years
and selling and marketing data storage for over 20 in companies large and
small. See his full profile http://blogs.zdnet.com/bio.php#harris and
disclosure http://blogs.zdnet.com/storage/?page_id=154 of his industry
affiliations.
http://blogs.zdnet.com/storage/?p=713&tag=nl.e550

Sancho Panza wrote:

You're confident your RFID passport is safe in its signal-blocking
wallet as you pass through immigration. What you don't know is that the
man behind you is recording the data sent by your passport's RFID chip
as it is scanned.Your name, nationality, gender, birthday, birthplace
and a nicely digitized photo is in his hands. With that info he can
photoshop up a passport, get a copy of your Social Security card and
with that get credit cards and bank accounts in your name.

Any evidence that anyone has done this yet?

I don't mean someone has done something clever in a lab, I mean a
criminal stealing an identity via a passport at an airport.


--
William Black

"Any number under six"

The answer given by Englishman Richard Peeke when asked by the Duke of
Medina Sidonia how many Spanish sword and buckler men he could beat
single handed with a quarterstaff.

"Sancho Panza" wrote in message
...
December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
http://blogs.zdnet.com/storage/?cat=5, Public policy
http://blogs.zdnet.com/storage/?cat=8, Security
http://blogs.zdnet.com/storage/?cat=7

You're confident your RFID passport is safe in its signal-blocking wallet
as you pass through immigration. What you don't know is that the man
behind you is recording the data sent by your passport's RFID chip as it
is scanned.

And why should I worry about this? The only things that are broadcast are
the things that can be obtained by reading the passport,

I really don't see why anybody sees this as a problem.

Scare mongering for the sake of it

tim

"tim...." wrote in message
...

"Sancho Panza" wrote in message
...
December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
http://blogs.zdnet.com/storage/?cat=5, Public policy
http://blogs.zdnet.com/storage/?cat=8, Security
http://blogs.zdnet.com/storage/?cat=7

You're confident your RFID passport is safe in its signal-blocking wallet
as you pass through immigration. What you don't know is that the man
behind you is recording the data sent by your passport's RFID chip as it
is scanned.

And why should I worry about this? The only things that are broadcast are
the things that can be obtained by reading the passport,

I really don't see why anybody sees this as a problem.

Scare mongering for the sake of it

A lot more people are victims of ID theft.

"Sancho Panza" wrote in message
...

"tim...." wrote in message
...

"Sancho Panza" wrote in message
...
December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
http://blogs.zdnet.com/storage/?cat=5, Public policy
http://blogs.zdnet.com/storage/?cat=8, Security
http://blogs.zdnet.com/storage/?cat=7

You're confident your RFID passport is safe in its signal-blocking
wallet as you pass through immigration. What you don't know is that the
man behind you is recording the data sent by your passport's RFID chip
as it is scanned.

And why should I worry about this? The only things that are broadcast
are the things that can be obtained by reading the passport,

I really don't see why anybody sees this as a problem.

Scare mongering for the sake of it

A lot more people are victims of ID theft.

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

tim

In article ,
"tim...." wrote:

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

At least in the US, if you the date of birth it makes it a lot
easier to get addresses.

--
To find that place where the rats don't race
and the phones don't ring at all.
If once, you've slept on an island.
Scott Kirby "If once you've slept on an island"

On Dec 11, 9:45*pm, "Sancho Panza" wrote:
"tim...." wrote in message

...







"Sancho Panza" wrote in message
...
* * * December 8th, 2009
RFID passport identity theft made simple
Posted by Robin Harris @ 11:20 pm
http://blogs.zdnet.com/storage/?cat=5, Public policy
http://blogs.zdnet.com/storage/?cat=8, Security
http://blogs.zdnet.com/storage/?cat=7

You're confident your RFID passport is safe in its signal-blocking wallet
as you pass through immigration. What you don't know is that the man
behind you is recording the data sent by your passport's RFID chip as it
is scanned.

And why should I worry about this? *The only things that are broadcast are
the things that can be obtained by reading the passport,

I really don't see why anybody sees this as a problem.

Scare mongering for the sake of it

A lot more people are victims of ID theft.

I agree

"Kurt Ullman" wrote in message
...
In article ,
"tim...." wrote:

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

At least in the US, if you the date of birth it makes it a lot
easier to get addresses.

This is a circular argument

If there is a publicly accessible database that enables you to find
someone's address from a name and date of birth, then there is also a
publicly accessible database that enables someone to find a date of birth
from an address and a name.

ISTM that the ID thief is far more likely to have the name and address of
the person who they wish to target than their name and date of birth. So,
it is the accessibility of this database that is the major risk factor here,
not the fact that chipped passports are potentially insecure.

tim

"tim...." wrote in message
...

"Kurt Ullman" wrote in message
...
In article ,
"tim...." wrote:

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

At least in the US, if you the date of birth it makes it a lot
easier to get addresses.

This is a circular argument

If there is a publicly accessible database that enables you to find
someone's address from a name and date of birth, then there is also a
publicly accessible database that enables someone to find a date of birth
from an address and a name.

"Your name, nationality, gender, birthday, birthplace and a nicely
digitized photo is in his hands. With that info he can photoshop up a
passport, get a copy of your Social Security card and with that get credit
cards and bank accounts in your name."--Such useful databases include Nexis
and others that charge even more and provide far more information.


ISTM that the ID thief is far more likely to have the name and address of
the person who they wish to target than their name and date of birth. So,
it is the accessibility of this database that is the major risk factor
here, not the fact that chipped passports are potentially insecure.

Such databases are available to the public through workplaces, libraries
and even anyone's home computer., if the price is paid.

In article ,
"tim...." wrote:

"Kurt Ullman" wrote in message
...
In article ,
"tim...." wrote:

and just how useful is knowing someone's name and date of birth, if you
don't know their address?

At least in the US, if you the date of birth it makes it a lot
easier to get addresses.

This is a circular argument

Nonsense. You asked how useful it was to get the name and date of birth
if you did not have an address. I said, that at least in the US, name
and dob made finding the address easier.


If there is a publicly accessible database that enables you to find
someone's address from a name and date of birth, then there is also a
publicly accessible database that enables someone to find a date of birth
from an address and a name.
Yeah, but as I outlined that is not my interpretation of the
original statement you made. You seemed to be suggesting that if
someone had a name and dob (from the passport) it would be less than
useful unless they had an address. My suggestion was that what was
available from the passport, made finding the missing piece easier.

ISTM that the ID thief is far more likely to have the name and address of
the person who they wish to target than their name and date of birth. So,
it is the accessibility of this database that is the major risk factor here,
not the fact that chipped passports are potentially insecure.

The two go together. You need the chipped passport to start
the process by allowing you to get the first two bits of information.
Now how real any of this, don't know, don't care/

--
To find that place where the rats don't race
and the phones don't ring at all.
If once, you've slept on an island.
Scott Kirby "If once you've slept on an island"