Monday, September 29. 2008

The Risk of ePassports and RFID
Today vonJeek/THC released his tool and a video showing how to duplicate (clone) and modify a passport with an RFID chip: http://freeworld.thc.org/thc-epassport/

The weakness is in the way the system has been rolled out. The terminal accepts self-signed data. This attack is different from the Grunwald attack: vonJeek's attack makes it possible to copy, forge and modify the data so that it is still accepted as a genuine, valid passport by the terminal.

Using a Certification Authority (CA) could solve the attack, but at the same time it introduces a new set of attack vectors:

1. The CA becomes a single point of failure. It becomes the juicy, high-value target for the attacker. Single points of failure are not good. Attractive targets are not good. Any person with access to the CA key can undetectably fake passports. Direct attacks, viruses, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

2. The single CA would need to be trusted by all governments. This is not practical, as it means that passports would no longer be a national matter.

3. Multiple CAs would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B. This option also multiplies the number of 'juicy' targets. It also makes it more likely for a CA key to leak. Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

Note: The last item received some comments. Some readers suggested that this can be fixed. Yes, of course, any system can be fixed. Indeed it would be a good first step for the terminal to check that a passport from country A is also signed with the CA key of country A and not with the CA key of country B. The current implementation and plans make it unlikely that this will be implemented securely.
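The trust decision the note above turns on, as an added example that is not THC's code or tool: three terminal policies side by side, with Ed25519 standing in for the real passport signature scheme, checking a genuine, a cross-signed and a self-signed document. The country codes, holder names and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Passport is a constructed stand-in for the signed data read from a chip
// (real ePassports carry ICAO data groups and a Document Security Object).
type Passport struct {
	IssuingCountry string            // country code stated inside the signed data
	Holder         string            // holder name stated inside the signed data
	SignerKey      ed25519.PublicKey // public key shipped with the document by its producer
	Signature      []byte            // signature over payload() by the matching private key
}

func (p Passport) payload() []byte { return []byte(p.IssuingCountry + "|" + p.Holder) }

// TrustStore maps a country code to that country's CA public key.
type TrustStore map[string]ed25519.PublicKey

// Issue signs passport data naming `country` with whatever private key it is
// given; nothing stops country A's key signing data that claims to be from B.
func Issue(country, holder string, priv ed25519.PrivateKey) Passport {
	p := Passport{IssuingCountry: country, Holder: holder, SignerKey: priv.Public().(ed25519.PublicKey)}
	p.Signature = ed25519.Sign(priv, p.payload())
	return p
}

// NaiveVerify is the rollout the post describes: the terminal checks the signature
// against the key shipped with the document, so self-signed (cloned, modified) data passes.
func NaiveVerify(p Passport) bool {
	return ed25519.Verify(p.SignerKey, p.payload(), p.Signature)
}

// AnyCAVerify is the "multiple CAs" scheme point 3 criticises: any CA in the store
// may vouch for any country, so country A's key validates data claiming to be from B.
func AnyCAVerify(ts TrustStore, p Passport) bool {
	for _, caKey := range ts {
		if ed25519.Verify(caKey, p.payload(), p.Signature) {
			return true
		}
	}
	return false
}

// StrictVerify is the check the post's note asks for: the signature must validate
// under the CA key of the country the data itself names; the shipped key carries no trust.
func StrictVerify(ts TrustStore, p Passport) error {
	caKey, ok := ts[p.IssuingCountry]
	if !ok || !ed25519.Verify(caKey, p.payload(), p.Signature) {
		return fmt.Errorf("data naming %q is not signed by that country's CA", p.IssuingCountry)
	}
	return nil
}

// Scenario builds two national CAs plus a rogue key (all constructed) and reports
// what each verifier accepts for a genuine, a cross-signed and a self-signed document.
func Scenario() (naive, anyCA, strict [3]bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	_, privRogue, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{"A": pubA, "B": pubB}
	docs := [3]Passport{
		Issue("B", "Genuine Holder", privB),  // B data signed by B's own CA
		Issue("B", "Cross Signed", privA),    // B data signed with A's CA key
		Issue("B", "Self Signed", privRogue), // B data signed with nobody's CA key
	}
	for i, d := range docs {
		naive[i], anyCA[i] = NaiveVerify(d), AnyCAVerify(ts, d)
		strict[i] = StrictVerify(ts, d) == nil
	}
	return
}

func main() {
	n, a, s := Scenario()
	fmt.Println("accepted [genuine cross-signed self-signed]")
	fmt.Println("naive terminal :", n) // [true true true]
	fmt.Println("any-CA terminal:", a) // [true true false]
	fmt.Println("strict terminal:", s) // [true false false]
}
```

Only the strict policy rejects both the self-signed clone and the document signed by the wrong country's CA; the any-CA policy stops the clone but still lets country A speak for country B.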
In the end we are trusting those people who gave out ePassports that can be read by anyone and not just by authorized terminals. We are trusting those people who say that the good security practice of verifying the validity of a passport is optional and not mandatory.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart. Never let a computer do a job that can be done by a human.

Let's take a look at a few other things now possible with ePassports:

ePassports aid Data Theft: The 3 meter barrier has recently been broken for reading RFID data (e.g. your ePassport data) from a distance of 3 meters. Attacks always get better. They never get worse. The next barriers are 5, 10 and 20 meters. An attacker can read the data from your ePassport (while you walk in the street!) and can use your credentials to authenticate himself or duplicate your passport.

ePassports aid Terrorism: Thanks to ePassports it is now possible to build Smart-IEDs. A Smart-IED waits until a specific person passes by before detonating, or, let's say, until there are more than 10 Americans in the room. Boom. Do ePassports make you feel safer now, as the government says they would?

Don't get me wrong. Here at THC we love technology, but we don't trust it.

Interesting times,
The Ministry Of Truth
http://www.thc.org

Comments
You say: "Multiple CAs would not work either. Any country could use its own CA to create a valid passport of any other country." While I don't know the details of the passport system, this sounds wrong. Why isn't it possible to have a different CA for each country? If the country CA and the passport country don't match, it's obviously faked. Sorry if my English is hard to understand.
I don't really get this either, and the same doubts came out here:
http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html#comments Would you please go a bit further into details?
This is explained in the entry - CAs are single points of failure, or in layman's terms, it only takes a single failure to compromise the system. For something as critical as individual identity, the faults inherent in a system based on CAs alone make the system a far simpler hack/crack than one based on multiple levels of security.
Love your site!
You still have the other problems - CAs are suddenly a lucrative and smaller target set, and much easier to surreptitiously gain access to and use. Nonetheless, if the measures are used in addition to and not in place of traditional authentication measures, they can significantly increase the ability to properly authenticate a passport.
It's inevitable that someone is going to forge documents, because there is so much money to be made on the black market, so the process has to be bettered continuously to try and stay one step ahead.
"Humans are good at Border Control." I like this sentence.
"This option also multiplies the number of 'juicy' targets." Interesting thoughts.
"Never let a computer do a job that can be done by a human."
This seems wrong. Shouldn't it be "Never let a computer do a job that /is better/ done by a human."?
To verify that something is signed by a CA you do not need the CA signing key itself, all you need is its public key. Otherwise SSL would not work -- we would need the private key of Verisign to determine a site is signed with Verisign.
Multiple countries can provide their CA certs, and if you want to verify a UK passport, use the UK signing key. Easy. You're right that it makes the CA private keys high-value targets. One would surely be compromised, so only trust your own country's to prove passports authentic.
Your criticism of Multiple CAs is fundamentally flawed - just because you trust CA1 to sign Country1's passports, it doesn't mean you trust it to sign Country2's.
Of course, you still have the other problems - CAs are suddenly a lucrative and smaller target set, and much easier to surreptitiously gain access to and use. Nonetheless, if the measures are used in addition to and not in place of traditional authentication measures, they can significantly increase the ability to properly authenticate a passport. Your latter points about remote access are completely legit and a side effect of people making decisions based on what technology is sexiest rather than what technology is best for a task. Embedded smart cards (or other technologies requiring physical contact) could provide as much security, if not more, without allowing unintentional access without physical access.
Please give a reference to the claim of "3m barrier reading being broken for ISO 14443 tags".
The power output of passive ISO 14443 comms on the sidebands is 1/r^3. Since at a distance of 1m the power levels are already at the same level as background radio noise, I would be very interested in hearing how exactly you read at 3 meters something where the SNR is so bad. It could revolutionize radio communications as we know it.
3m reading? They got an award for it:
http://www.mmdt.cc/MDTi/index.php?option=com_content&task=view&id=88&Itemid=2
But that is for 2.4 GHz, not the 13.56 MHz which is used in the passports. They are both called "RFID", but there is a huge difference otherwise.
Lumping the large range of one technology together with the crypto of another technology is just scaremongering, which does nothing to help anybody. It's as if you were saying that because Windows has security bugs, and Linux does not have games, the entire computer game industry is doomed and cannot work. Let's get real with RFID.
You are right to be sceptical, but since the S/N ratio needed for reception is proportional to the frequency used, what works for a 2.4GHz chip will definitely work for a 13MHz chip, and will work at a longer range.
Not necessarily. Remember that near-field (13.56 MHz) uses inductive coupling, but most 2.4 GHz systems use back-scatter or capacitive coupling.
Inductive coupling drops off at 1/r^3, which makes it extremely difficult to discern from background radiation beyond a certain range. Pumping enough energy into a 13.56MHz ISO 14443 tag to make it readable at three meters would probably fry it and anything in its path... Would be cool to try, though.
Glad to see such a thing come out. This is a prime example where pointing out that the emperor has no clothes will have an effect on the perceived value of the technology as a security measure.
ePassports were never meant to use the RFID as the only authentication method. It was meant to augment the existing counterfeit protections (special inks, holograms, watermarks, etc). The idea was to add another layer. The physical passport info and picture has to match the person presenting it, and now both of those have to match the digital version on the passport (not counting biometrics like fingerprints on the chip, etc). Basically, another step for a forger to go through. The problem becomes that people trust technology far too much and any passport that passes digital muster will not be scrutinized as well as a traditional, non ePassport. It is still another step to get all 3 authentication factors (face, picture, digi-pic) to line up to pass through a border, but it's not something I see taking too long.
Is there any working revocation implementation for when a passport isn't valid any more? Otherwise, from my perspective, it is hard to understand why exactly this weakness exists.
I think it's important to determine how a really secure digital passport system should be designed, and to make those thoughts public. That may help to improve the situation.
What would it take to "blow" the RFID chip in a UK passport? I mean, would a commercial bulk magnetic tape eraser do it, or maybe the big electromagnet at a scrapyard?
I believe some of you who balked at the claim: "Country A can create a passport data set of Country B and sign it with Country A's CA key", missed the point; which is easy to miss since the author left it to be inferred. Here is the missing piece: The validation software that "checks" the validity of the signed data set, will only care that SOME CA cert in its store will validate the data. As long as it finds a CA cert that works, it reports a validated passport. Think about it... this is exactly our experience with our desktop software that validates the certificates provided by various websites during SSL/https sessions. We the user don't know WHICH CA cert validated the received cert... we only know that ONE of them did.
Yes, it can be fixed, but the point is that it is currently broken.
Quite right. This also introduces another problem - the security of loading CA public keys into the ID validator. Since PCs are easily hacked these days, it is not that difficult to load a fake CA cert that can be used to validate fake websites. In the case of a hacked passport reader/validator this could allow ANY fake ID to be accepted. Compromise of a CA signing key is the worst case of course, as it allows ANY fake ID to be accepted at ANY reader. However, the CA signing is generally protected in highly secure facilities (often in bunkers under mountains!) whereas the readers are much easier to attack.
An ePassport is not a good thing, I don't think. Because of the nature of the internet you are likely to get many hackers trying to gain access to many people's personal information, which can never be a good thing.
Thanks for this info - quite unnerving but it's interesting to know how easily things like this can be. Cheers - George
THC Blog. I just got my new ePassport, and now I'm wondering how I can shield it from prying eyes.
The hacker group THC (The Hacker's Choice) shows how biometric passports with an RFID chip, the ePassports, can be cloned and modified. That has made the things practically worthless.
Tracked: Sep 30, 13:07
The problem with the ePassports is apparently that the terminals accept self-signed data. (See also: the heise report.) That can easily be changed by making signatures mandatory. But the post about the already mentioned hack of the electr
Tracked: Sep 30, 14:16