Thursday, March 29, 2007

Spring has sprung, the grass has riz, I wonder where the RFID ...

I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information e.g. old passport, photos and basic identity information, I am not currently deeply worried, however the potential to:

a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality

led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used or not used as the case may be. The term PKI ( Public Key Infrastructure ) has been bandied about, however who owns and controls the root key(s) and how is the local key derived. What is the key strength, who owns or controls them? Can I read my own info? How secure is their BAC ( Basic Access Control ), not very it seems? Issues abound in passports, credit cards and building or system access cards whereby proximity readers are employed.

Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF ( Mean Time Between Failures ) for the RFID chips in Irish passports? The UK ones seem to be fairly short. http://www.theregister.co.uk/2007/02/07/nao_epassport_report/

Passports cloned at BlackHat : http://www.wired.com/science/discoveries/news/2006/08/71521

Bruce Shneier commentary http://www.schneier.com/crypto-gram-0610.html#3

Tools and Information from RFIdiot http://www.rfidiot.org/

NO2ID.net http://www.no2id.net/

Electronic Frontier Foundation http://www.eff.org/Privacy/

RFID Security and Privacy http://www.rfid-cusp.org/ Also, 1G Vulnerabilities in Credit Cards

Potential misuse via a targetted IED ( Improvised Explosive Device ) http://www.youtube.com/watch?v=-XXaqraF7pI

Paper on RFID card security : http://www.riscure.com/2_news/200604%20CardsAsiaSing%20ePassport%20Privacy.pdf

Basic countermeasures !
( Thinking about reducing skimming attempts through shielding! )
RFID SHIELD http://www.rfid-shield.com/
DIFRwear http://difrwear.com/

3 comments:

George said...

Reading you loud and clear.

Get it?

rfid said...

Some other shielding options - see for a list:
http://rfidprotection.blogspot.com/

Drazen Drazic said...

Donal,

Check out our July 2006 presentation on this at http://www.security-assessment.com/publications/index.html

DD