It Turns Out Those RFID Passports are Not So Insecure After All
Filed in archive Privacy and Security by Anita Campbell on August 11, 2006

A German security consultant, Lukas Grunwald, was the latest challenger. He threw down the gauntlet at the 2006 DefCon conference last week. He cloned an RFID tag.
Note that he did not clone a passport -- just the information on the tag.
Note also that he could not figure out a way to change the data, such as by adding a fictitious name or modifying personal details. He simply copied existing data.
Of course, from reading some of the media reports, you'd never know that his actions were limited to simply copying an existing electronic piece of information. Most of the initial news and blog reports were selective and disingenuously unclear in what they reported. They gave the erroneous impression that he had managed to cook up an utterly fake passport -- faster and easier than whippin' up a Betty Crocker cake mix.
As I reported last week, you had to read the full Wired.com news report to understand exactly what did -- and did NOT -- occur.
As usual with these kinds of demonstrations, we go through a dance-like ritual:
Step 1: Someone comes out with a hacking demonstration or an announcement supposedly showing how insecure RFID is.
Step 2: Wildly sensational and incorrect media reports come out right away, blowing it out of proportion.
Step 3: Calmer heads come along and take the time to debunk and refute the claims or put them into proper perspective.
The sad part is, there is usually a grain of truth and probably some valuable lessons that could be learned from the hacking demonstration.
But instead, the announcements are sensationalized, leading business and governmental organizations to feel under attack and obliged to defend against the claim. Naturally, all their attention goes toward debunking the original claim, instead of studying what really happened and what could be learned from it. And they come off as defensive -- never a good thing where the public is concerned.
And, of course, the later debunking of the initial claims never gets the same level of media and blogger attention (I wonder why?). So the public is left with the erroneous impression that the technology is insecure.
And so it goes.
We had this familiar hacking/debunking dance once again with the Grunwald DefCon demonstration.
A week's time has passed since the initial claims, and now the latest news is that several industry experts, including industry association The Smart Card Alliance, have come out and put the claims into perspective.
The RFID Journal has a thorough story of the industry response to the Grunwald demonstration. Read the whole RFID Journal article for the details.
Sheesh.