DefCon RFID Demonstration Proves Nothing
Filed in archive Privacy and Security by Anita Campbell on August 04, 2006

As expected, this year's DefCon agenda included RFID demonstrations.
In one of them, German security consultant Lukas Grunwald cloned an RFID chip from a German e-passport.
OK, so he cloned an RFID tag. That means he created a second tag, exactly like the first tag, by copying it electronically.
The question is, what does that really mean? And how insecure does it make these new RFID-chipped passports?
Through injudicious editing, many media reports give a skewed, disingenuous account and make it sound as if RFID passports are a complete waste of time. But are they?
Well, here is what Wired Magazine has to say:
Although he can clone the tag, Grunwald says it's not possible, as far as he can tell, to change data on the chip, such as the name or birth date, without being detected. That's because the passport uses cryptographic hashes to authenticate the data.
It doesn't sound as if the RFID-enabled passports are as insecure as some would have us believe. Perfect they may not be -- but what system is?
When he was done, he went on to clone the same passport data onto an ordinary smartcard -- such as the kind used by corporations for access keys -- after formatting the card's chip to the ICAO standard. He then showed how he could trick a reader into reading the cloned chip instead of a passport chip by placing the smartcard inside the passport between the reader and the passport chip. Because the reader is designed to read only one chip at a time, it read the chip nearest to it -- in the smartcard -- rather than the one embedded in the passport.
The demonstration means a terrorist whose name is on a watch list could carry a passport with his real name and photo printed on the pages, but with an RFID chip that contains different information cloned from someone else's passport. Any border-screening computers that rely on the electronic information -- instead of what's printed on the passport -- would wind up checking the wrong name.
Grunwald acknowledges, however, that such a plot could be easily thwarted by a screener who physically examines the passport to make sure the name and picture printed on it match the data read from the chip. Machine-readable OCR text printed at the bottom of the passport would also fail to match the RFID data.
Frank Moss, deputy assistant secretary of state for passport services at the State Department, says that designers of the e-passport have long known that the chips can be cloned and that other security safeguards in the passport design -- such as a digital photograph of the passport holder embedded in the data page -- would still prevent someone from using a forged or modified passport to gain entry into the United States and other countries.
"What this person has done is neither unexpected nor really all that remarkable," Moss says. "(T)he chip is not in and of itself a silver bullet .... It's an additional means of verifying that the person who is carrying the passport is the person to whom that passport was issued by the relevant government."
It is clear that cooking a passport is going to be decidedly harder under the new RFID systems.
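To make the two checks in the Wired excerpt concrete, here is a small sketch added to this post (not code from Grunwald, Wired or any passport system) of a reader that verifies the chip's signed hashes and then compares the chip against the printed machine-readable line. The function names, the simplified data layout and the sample strings are assumptions, and an HMAC stands in for the issuing government's public-key signature.

```python
import copy, hashlib, hmac

# Stand-in for the issuing state's signing key. Real e-passports use a
# public-key signature; HMAC is an assumption made to stay stdlib-only.
ISSUER_KEY = b"constructed-demo-key"

def _sign(hashes):
    blob = repr(sorted(hashes.items())).encode()
    return hmac.new(ISSUER_KEY, blob, hashlib.sha256).hexdigest()

def issue_chip(data_groups):
    """Issuer: store the data groups plus a signed list of their hashes."""
    hashes = {n: hashlib.sha256(d).hexdigest() for n, d in data_groups.items()}
    return {"dg": dict(data_groups), "hashes": hashes, "sig": _sign(hashes)}

def hashes_ok(chip):
    """Reader: the hash list is signed and every data group matches it."""
    if not hmac.compare_digest(_sign(chip["hashes"]), chip["sig"]):
        return False
    return all(hashlib.sha256(chip["dg"].get(n, b"")).hexdigest() == h
               for n, h in chip["hashes"].items())

def inspect(printed_mrz, chip):
    """Return findings for one booklet + chip pair; empty means accept."""
    findings = []
    if not hashes_ok(chip):
        findings.append("chip data altered after issuance")
    if chip["dg"].get(1) != printed_mrz.encode():
        findings.append("chip does not match printed MRZ")
    return findings

# Constructed sample data (simplified MRZ strings, not real documents).
MRZ_A = "P<UTOEXAMPLE<<ALICE<<<<A1234567"
MRZ_B = "P<UTOSAMPLE<<BOB<<<<<<<B7654321"
CHIP_A = issue_chip({1: MRZ_A.encode(), 2: b"constructed-face-image-A"})

CLONE = copy.deepcopy(CHIP_A)            # bit-for-bit copy of holder A's chip
TAMPERED = copy.deepcopy(CHIP_A)
TAMPERED["dg"][1] = MRZ_B.encode()       # name field rewritten, hashes untouched

if __name__ == "__main__":
    print("genuine :", inspect(MRZ_A, CHIP_A))
    print("clone   :", inspect(MRZ_B, CLONE))
    print("tampered:", inspect(MRZ_B, TAMPERED))
```

The clone passes the hash check because nothing in it changed, so only the comparison with the printed page flags it, while the rewritten chip fails the hash check even though its name now matches the booklet.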