By Iain Thomson
4 February 2009 03:55PM
A British hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco.
Chris Paget, director of research and development at Seattle-based IOActive, used a US$250 Motorola RFID reader and an antenna mounted in a car’s side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.
During the demonstration he picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.
“I personally believe that RFID is very unsuitable for tagging people,” he said.
“I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”
Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a ‘kill code’ (which can wipe the card’s data) and a ‘lock code’ that prevents the tag’s data being changed.
However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.
The ease with which the passport cards were picked up is even more worrying considering that less than a million have been issued to date.
Paget is a renowned ‘white hat’ ethical hacker and has made the study of the security failings of RFID something of a speciality.
In 2007 he was due to present a paper on the security failings of RFID at the Black Hat security conference in Washington but was forced to abandon the plans after an RFID company threatened him with legal action.
He points out that RFID tags are increasingly being used in physical security systems such as building access cards and the technology needs significant security adding before it could be considered safe for commercial use.
http://www.itnews.com.au/News/95588%2Chackers-clone-passports-in-driveby-rfid-heist.aspx
Related Articles
RFID maker gags security researcher
RFID passports raise security fears
RFID 'out of the lab': Deloitte
Symantec shifts focus to data security
Unencrypted networks threaten data security
China puts RFID tags in a billion ID cards
New York Offers “Enhanced” RFID Driver’s Licenses
New RFID Technology Allows You to be Tracked WITHOUT Your Knowledge
Big Brother’s Plan to Put RFID on Americans
Enhanced Tracking Technology May Propel Adoption of RFID
VeriChip Corp. Takes Downturn in Wake of RFID Caner-Link
Passports will be needed to buy mobile phones in UK
U.S. School District to Begin Microchipping Students
British travellers could be banned from flying to America
Microsoft wants to get under your skin
Rupert Murdoch Firm Hired Hackers To Sabotage Rival, Lawsuit Alleges
Cyber Security Expert: Hackers Planning To Steal Election For McCain
No comments:
Post a Comment