I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information (e.g. old passport, photos and basic identity information), I am not currently deeply worried; however, the potential to:
a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality
led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used, or not used, as the case may be. The term PKI (Public Key Infrastructure) has been bandied about; however, who owns and controls the root key(s), and how is the local key derived? What is the key strength, who owns or controls them? Can I read my own info? How secure is their BAC (Basic Access Control)? Not very, it seems. Issues abound in passports, credit cards and building or system access cards whereby proximity readers are employed.
Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF (Mean Time Between Failures) for the RFID chips in Irish passports? The UK ones seem to be fairly short: http://www.theregister.co.uk/2007/02/07/nao_epassport_report/
Passports cloned at BlackHat: http://www.wired.com/science/discoveries/news/2006/08/71521
Bruce Schneier commentary: http://www.schneier.com/crypto-gram-0610.html#3
Tools and Information from RFIdiot http://www.rfidiot.org/
NO2ID.net http://www.no2id.net/
Electronic Frontier Foundation http://www.eff.org/Privacy/
RFID Security and Privacy http://www.rfid-cusp.org/ Also, 1G Vulnerabilities in Credit Cards
Potential misuse via a targeted IED (Improvised Explosive Device): http://www.youtube.com/watch?v=-XXaqraF7pI
Paper on RFID card security: http://www.riscure.com/2_news/200604%20CardsAsiaSing%20ePassport%20Privacy.pdf
Basic countermeasures!
(Thinking about reducing skimming attempts through shielding!)
RFID SHIELD http://www.rfid-shield.com/
DIFRwear http://difrwear.com/
3 comments:
Reading you loud and clear.
Get it?
Some other shielding options - see for a list:
http://rfidprotection.blogspot.com/
Donal,
Check out our July 2006 presentation on this at http://www.security-assessment.com/publications/index.html
DD