Friday, March 09, 2007

Biometrics: Biometric passport with RFID is hacked remotely

A regular reader pointed me to the Daily Mail (a UK tabloid) article describing how they had a security expert "hack" one of the new biometric passports, which carry an electronic Radio Frequency IDentification (RFID) microchip, and extract all of its digital data. They arranged to simulate intercepting the passport as it was mailed from the government to the citizen. Because the passport carried this RFID chip, it could be remotely interrogated, so they were able to read it without even opening the postal envelope containing the passport. Of course, the data was encrypted, so the security expert then had to break that (and he succeeded). The only a priori information he needed was the citizen's date of birth, which he obtained by searching the Internet. The entire process took four days, but in the end he recovered all of the passport's digital data, including the citizen's digital picture.

It seems pretty obvious that they either didn't bother to do a proper independent security analysis before they developed and deployed the system, or the managers discounted the results of whatever analysis was done. Because of that lapse, it now seems that they need to rethink their encryption scheme at the very least. When they do, it might make sense to add some kind of limit on the number of times a passport can be interrogated with an incorrect password, either within a certain time window or as an accumulated count over the life cycle of the passport.

3 comments:

Anonymous said...

"When they do, it might make sense to add some type of limit to the number of times a passport can be interrogated with an incorrect password, either in a certain time window or an accumulated number over the life cycle of the passport."

That would introduce the vulnerability of a mass Denial of Service attack - just send random passwords via the standard, unlicensed Industrial Scientific Medical radio band, and all the ICAO standard contactless chip passports within range will have been disabled!

This could happen deliberately or even by accident on the ISM 13.56 MHz unlicensed band, which is shared by so many other devices and systems.
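The lockout limit proposed in the post and the denial-of-service objection raised in the comment above, modelled side by side as an added example (not code from the post, the commenters, or the passport system itself; the thresholds, timings, one-second retry rate and the exponential-backoff alternative are assumptions chosen for illustration):

```python
from dataclasses import dataclass, field

@dataclass
class HardLockout:
    """Post's suggestion: disable the chip for good after max_fail wrong keys in a window."""
    max_fail: int
    window: float
    failures: list = field(default_factory=list)
    locked: bool = False

    def attempt(self, t: float, key_ok: bool) -> str:
        if self.locked:
            return "locked"
        if key_ok:
            return "accepted"
        self.failures = [f for f in self.failures if t - f < self.window] + [t]
        if len(self.failures) >= self.max_fail:
            self.locked = True  # chip never answers again
        return "rejected"

@dataclass
class Backoff:
    """Alternative: never disable; stay silent for a doubling delay (capped) after each failure."""
    base: float
    cap: float
    consecutive: int = 0
    next_allowed: float = 0.0

    def attempt(self, t: float, key_ok: bool) -> str:
        if t < self.next_allowed:
            return "throttled"
        if key_ok:
            self.consecutive = 0
            return "accepted"
        self.consecutive += 1
        self.next_allowed = t + min(self.cap, self.base * 2 ** (self.consecutive - 1))
        return "rejected"

# Constructed scenario: a nearby reader sends five random keys one second
# apart, then the owner's legitimate reader presents the right key at t=60.
ATTEMPTS = [(float(i), False) for i in range(5)] + [(60.0, True)]

def owner_still_works(policy) -> bool:
    """Does the legitimate read at t=60 still succeed after the noise burst?"""
    return [policy.attempt(t, ok) for t, ok in ATTEMPTS][-1] == "accepted"

def wrong_guesses_allowed(policy, horizon: int) -> int:
    """Defender's metric: wrong keys the chip evaluates in `horizon` seconds
    when a guesser retries once a second."""
    return sum(policy.attempt(float(t), False) == "rejected" for t in range(horizon))
```

With three strikes in ten seconds the hard lockout leaves the owner's passport dead after the burst, while the capped backoff keeps it usable and still holds a guesser to a little over a hundred evaluated keys per hour.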

Anonymous said...

Isn't it 4 hours, not days?

Watching-them-watching-us, good point about the DoS attack
-a.a

Keith said...

You raise an interesting issue with the DoS attack. My experience with RFID tags thus far has been limited, but I did try an experiment with one to see how far away it could be from the interrogator (in this case an access control system) and still work. I found that if the RFID tag was further away than about a centimeter it would not work at all. I suspect that this was partly due to the designed-in low transmission strength of the interrogator but also due to the level of interrogation signal necessary to "energize" the tag and get it to transmit back.

The reason I went into all of that is because it is a practical data point about the relative distances and strengths necessary to activate one of these RFID tags.

On top of that, if they designed their interrogate/response algorithm well, they could pretty much ensure that random RF transmissions would not activate the system. Whether they did or not is an open question, of course. Do you or any other reader have more insight into how they actually implemented these systems?
Thanks for the comment!
regards,
Keith