[ISN] Gaping security hole found in RFID chips

From: InfoSec News <alerts_at_private>
Date: Fri, 3 Oct 2008 01:31:24 -0500 (CDT)

By Jeremy Kirk
IDG news service
02 October 2008

Data on radio chips can be cloned and modified without detection, 
according to a security researcher, raising question marks over the use 
of so-called e-passports that use RFID chips.

Upwards of 50 countries are rolling out passports with embedded RFID 
(radio frequency identification) chips containing biometric and personal 
data. The move is intended to cut down on fraudulent passports and 
strengthen border screenings, but security experts say the systems have 
several weaknesses.

Dutch researcher Jeroen van Beek has released a software toolkit that 
can be used to encode RFID chips with false information. In a 
demonstration video, van Beek shows how a scanner at Amsterdam's airport 
reads a passport chip he encoded with Elvis Presley's information and 

It means that a fraudster could potentially create a fake passport with 
an RFID chip that would appear legitimate. The reason the data looks 
legitimate is due to a fundamental problem in how governments are 
setting up systems to handle e-passports, said Adam Laurie, a freelance 
security researcher who worked with van Beek on the demonstration.

Passport data on RFID chips is signed with a digital certificate 
belonging to the country to which the passport was issued. E-passport 
systems are supposed to verify that certificate when scanning a 
passport, Laurie said.

All countries issuing e-passports are supposed to upload their digital 
certificate to the Public Key Directory (PKD), a database that should be 
queried to ensure the certificate is correct, Laurie said.

But only 10 of the 50 or so countries have agreed to upload those 
certificates to the PKD, Laurie said. Only five countries are 
contributing to the database, he said.

"Basically, the whole thing falls down," Laurie said. The e-passport 
system's security is rooted in the back-end database checks of those 
certificates, he said.

In van Beek's demonstration, the passport chip containing fraudulent 
data presents its own certificate that appears to be from a legitimate 
authority but isn't. Since the Netherlands doesn't use PKD to verify 
passport certificates, the certificate is accepted, Laurie said.

Register now for HITBSecConf2008 - Malaysia! With 
a new triple-track conference featuring 4 keynote 
speakers and over 35 international experts, this 
is the largest network security event in Asia and 
the Middle East! 
Received on Thu Oct 02 2008 - 23:31:24 PDT

This archive was generated by hypermail 2.2.0 : Thu Oct 02 2008 - 23:45:53 PDT