by Anita Campbell on August 11, 2006

A German security consultant, Lukas Grunwald, was the latest challenger. He threw down the gauntlet at the 2006 DefCon conference last week. He cloned an RFID tag.
Note that he did not clone a passport -- just the information on the tag.
Note also that he could not figure out a way to change the data, such as by adding a fictitious name or modifying personal details. He simply copied existing data.
Of course, from reading some of the media reports, you'd never know that his actions were limited to simply copying an existing electronic piece of information. Most of the initial news and blog reports were selective and disingenuously unclear in what they reported. They gave the erroneous impression that he had managed to cook up an utterly fake passport -- faster and easier than whippin' up a Betty Crocker cake mix.
As I reported last week, you had to read the full Wired.com news report to understand exactly what did -- and did NOT -- occur.
As usual with these kinds of demonstrations, we go through a dance-like ritual:
Step 1: Someone comes out with a hacking demonstration or an announcement supposedly showing how insecure RFID is.
Step 2: Wildly sensational and incorrect media reports come out right away, blowing it out of proportion.
Step 3: Calmer heads come along and take the time to debunk and refute the claims or put them into proper perspective.
The sad part is, there is usually a grain of truth and probably some valuable lessons that could be learned from the hacking demonstration.
But instead, the announcements are sensationalized, leading business and governmental organizations to feel under attack and that they must defend against the claim. Naturally all their attention goes toward debunking the original claim, instead of studying what really happened and what could be learned from it. And they come off as appearing defensive -- never a good thing where the public is concerned.
And, of course, the later debunking of the initial claims never gets the same level of media and blogger attention (I wonder why?). So the public is left with the erroneous impression that the technology is insecure.
And so it goes.
We had this familiar hacking/debunking dance once again with the Grunwald DefCon demonstration.
A week's time has passed since the initial claims, and now the latest news is that several industry experts, including industry association The Smart Card Alliance, have come out and put the claims into perspective.
The RFID Journal has a thorough story of the industry response to the Grunwald demonstration. Read the whole RFID Journal article for the details.
Sheesh.
Response from:
Stephan E
(08/12/06 11:10am)
Response from:
Steve Chrysostom
(08/12/06 5:55pm)
While I agree that media reports on this event were -- unsurprisingly -- sensational and inaccurate, your article does no better as it carefully steps around the elephant in the conference room. If Grunwald was able to skim the data on the passport, allowing him to later create a new passport with the SAME information, that's the story, and that's the source of concern. The ability to change the name is of far less significance. As far as creating an "utterly fake" passport, I'd argue that if my information is stolen and later illegally duplicated onto a passport, that passport's a fake.
This blog loses credibility when it sets up and knocks down such straw men. Please do your readers, who are here to learn, the service of acknowledging the negatives and security concerns that this technology has. Addressing those issues honestly and creatively will help us all.
Response from:
what steve says
(08/13/06 7:01am)
You are the one posting the misleading opinions.
Hmm...hacker copies confidential info off rfid.
Hmm...hacker places info on new rfid, cloning passport.
Yes that seems plenty secure (not).
RFID weblog credibility -zero.
Response from:
Chris Kapsambelis
(08/13/06 10:33am)
In addition to the above let me make the following points:
1. The calmer heads and industry experts you refer to have a stake in the acceptance of RFID and are therefore biased.
2. The scheme claims the data is locked and cannot be changed. Locks can be opened with a key. If the key is ever lost, all the passports would be worthless.
3. IMPORTANT! In this expert’s opinion, the reliability will never exceed 80%. Anyone whose passport fails to read will have to be evaluated on other criteria. A phony passport can be made with the copied data and a broken RFID chip. I say this because RFID and OCR have been shown to be unreliable and together they would be worse.
Response from:
Anita Campbell
(08/14/06 8:11pm)
This blog is highly credible. I put my name and professional reputation behind it. That is more than two of our commenters (Steve Chrysostom and what steve says) have done. Oh, and by the way, they are both from the same IP address, meaning they are really one and the same person.
It is easy to take pot shots and hide behind semi-anonymous comments. What is hard is to take a position that rankles people and have the guts to say it publicly.
While I may hold strong opinions, no one can contest that I have given equal air time to those with differing opinions. Chris Kapsambelis is one such person who has received air time here, although I do not necessarily agree with his viewpoints. But I respect them and him -- a big difference.
Uncredible? I don't think so.
Response from:
Steve Chrysostom
(08/14/06 10:53pm)
Ms. Campbell, I was so surprised by your response that I'm almost at a loss for words. Oh wait, here they come ---
First of all, I put my (real) name on my comment. I'm not sure why you would suggest otherwise.
Secondly, I did not post as "what steve says". I don't pretend to know enough about IP tracking to refute your accusation, but that person's comment is not my style of writing or thought. Nor would I stoop to praising myself in hopes of garnering more attention. I'm more confused by that posting than pleased with its agreement. I'm not even sure s/he DOES agree with me!
Regarding "pot shots and semi-anonymous comments," I did my best to make what I considered a thoughtful and worthwhile comment, and the name attached to it is my own. I welcome learning more -- that's why I read this and other sources -- but didn't expect this type of reply.
Finally, you can't say, "This blog is highly credible" about your own work. Only others can say that about it. I can claim all the trustworthiness I want, but unless others agree with me it's a hollow boast. Far from trying to tear it down, my comment was urging you to include other facts which would INCREASE this blog's credibility.
It's fine if you don't agree with me; but I do hope you see my point.
Response from:
Chris Kapsambelis
(08/15/06 10:58am)
I can testify that Chrysostom is a venerable name of Byzantine Greek extraction.
Response from:
Anita Campbell
(08/16/06 8:21pm)
Thanks, everyone, for all your input.
I'm glad you read this blog -- whatever opinions you hold. I appreciate that you care enough to read and comment.
Best,
Anita

But claiming that biometric passports are secure is wrong.
The industry argument is correct in the sense that you cannot from reading an RFID fake a certificate and such make a fake identity. But this is missing the fundamental problem that it makes it easier to do identity theft.
Getting access to biometric certificates from the unsecured RFID is worsened by combining it with the fact that biometrics are mere physical constants and as such can always be faked.
This leads to problems such as "perfect" Identity theft, permanent loss of identity for the victim since he cannot get new biometrics and of course massive loss of data security.
So the basic fact is that the new passports are indeed worsening security in a situation where we need to improve it.