Bill’s Security Blog

Britain has not chosen to have RF shielding added to their passports, and the result is devastating.

The article linked below describes how the information stored on the RFID card can be read by just about anyone.

Other weaknesses in the system of creating and delivering passports are also identified.

This article raises a series of good points.

Suppose it is possible to implement a truly secure RFID passport scheme. That scheme must consider more than the passport itself, but everything that could ever happen to the passport:

• delivery mechanisms
• access to apply, receive, use a passport
• direct, physical brute force attacks against a passport
• blah blah blah.

Basically, you’d need to consider the full scope of physical and technological security paradigms.

Just pondering the types of questions I’d want considered if I was in charge of making decisions about implementing an RFID enabled access control system:

1. Is there any possibility that a perfectly determined, highly funded attacker can fake this system?
2. If we can produce such a device, will staff rely too heavily in the technology and abandon traditional gut-level trust/lack of trust in the holder?
3. If a device is compromised, what are the costs to the holder, or to the organization as a whole?
4. Given 1, 2, 3, is it worth the cost to implement?

In my head, a passport is just like any physical or virtual access device, similar to:

• an RSA passcode device
• a session ID stored in a browser
• a key for the lock in my office door.
• a password on a sticky under my keyboard.

A single access device can and will be compromised.

To raise the stakes, we must make it more challenging to compromise the system based on the compromise of one or more of its access devices.

How about 2 factor authentication?

Suppose the passport agency holds a retinal scan, or thumb print database of the legal passport holders?

A passport coupled with a thumb print scan performed at the embarkation/debarkation point is slightly more secure (I say slightly because the passport should always be assumed to be forged, since anyone can do it.)

In any event. RFID passports is the government saying, “look, we are doing something good.”

The problem is people like me. We see them saying, “look, we are spending millions on something that is useless, allows easier access for attackers, and provides 1-stop shopping for someone wishing to steal your identity!”

Sweet.

Please read the article from “This is London”

Bill

Snip from:
http://www.infoworld.com/article/07/02/27/HNioactiverfid_1.html

By Paul F. Roberts
February 27, 2007

A planned talk on RFID security by a security researcher has been pulled from this week’s Black Hat Federal security conference after secure card maker HID claimed the talk violated the company’s patent rights and threatened to take legal action against Chris Paget, the researcher, and IOActive, Paget’s employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black Hat organizers were forced to tear materials out of printed show proceedings and will instead present a discussion by a representative of the ACLU on the criticality of RFID security, said Jeff Moss, founder and director of Black Hat.

We’ve seen this before.

Sad.  Truly sad.

Though I think HID has a right to try to protect it’s brand, the fact of the matter is that attacks against RFID are pretty much vendor neutral.

In any event.  The sad reality for HID is that this incident alone will be enough to draw the attention of researchers who are not subject to threat under US patent law.

RFID vendors are scared out of their minds about this kind of information getting out because there is very little that can be done to secure RFID systems.

Companies like HID are making millions selling these chips as cure-alls, when the best they can be is one (small, fragile) link in the chain of defense in depth.

Bill