Thursday, March 29, 2007

Spring has sprung, the grass has riz, I wonder where the RFID ...

I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information, e.g. old passport, photos and basic identity information, I am not currently deeply worried; however, the potential to:

a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality

led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used or not used, as the case may be. The term PKI (Public Key Infrastructure) has been bandied about; however, who owns and controls the root key(s), and how is the local key derived? What is the key strength, and who owns or controls them? Can I read my own info? How secure is their BAC (Basic Access Control)? Not very, it seems. Issues abound in passports, credit cards and building or system access cards whereby proximity readers are employed.

Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF (Mean Time Between Failures) for the RFID chips in Irish passports? The UK ones seem to be fairly short.

Passports cloned at BlackHat:

Bruce Schneier commentary

Tools and Information from RFIdiot

Electronic Frontier Foundation

RFID Security and Privacy Also, 1G Vulnerabilities in Credit Cards

Potential misuse via a targeted IED (Improvised Explosive Device)

Paper on RFID card security:

Basic countermeasures!
(Thinking about reducing skimming attempts through shielding!)


George said...

Reading you loud and clear.

Get it?

rfid said...

Some other shielding options - see for a list:

Drazen Drazic said...


Check out our July 2006 presentation on this at