A while back I posted a blog about [my opinion of] the supposed weaknesses of the UK ID Card scheme – looks like I was mostly right.
The precursor to ID Cards is the RFID-enabled passport – a passport containing an RFID chip which holds “information”, and which we can suppose will in future contain some kind of biometric component. These passports can be read electronically using contactless readers – so in theory all you have to do is wave the passport near the reader for the passport data to be read.
Well, these shiny new passports have arrived. At the moment they don’t contain any biometric information; the passport office says they contain only information which is also printed within the passport document.
The bad news is they’ve already been cracked – and it wasn’t that difficult or expensive apparently; read this article for the full details.
The problem is a simple and fundamental mistake that no one involved in IT security would make – which rather suggests that this system was cobbled together in the “design by committee” fashion, one would presume by highly paid “consultants” who know nothing about designing secure systems.
Anyway, I digress. The problem is that the information contained on the RFID chip is not encrypted. While this sounds bad, it isn’t necessarily, because the chip won’t yield up its information until the reader has established a secure conversation with it first. Part of this process involves the reader providing a key with which the reader <-> chip communication is encrypted – and that key is derived from clear-text information printed on the passport:
i.e. passport number, date of birth and expiry date.
Oh dear. But then they proudly exclaim that they are using military grade encryption, so that’s alright then? Well actually no. They’re using 3DES; while it’s pretty strong, if you’re designing a new secure system why not use a modern cryptographic cipher with proven [by real life honest to goodness actual cryptographers] strength like AES.
It gets worse. Passport office spokespersons actually start to counter these criticisms with missives beginning with statements such as “…This doesn’t matter, by the time you have accessed the information on the chip, you have already seen it on the passport……..If you were a criminal, you might as well just steal a passport”. This just highlights their naivety and doesn’t bode well for the future of biometric passports, especially given the government’s track record on implementing any kind of IT system.
Yeah, I nearly forgot: given that the key source material is in the clear, you could argue that an attacker needs sight of the passport to get the passport number, DOB and expiry date from which to derive the key.
Not so. Consider the dodgy postman scenario, or come to that the dodgy passport agency employee, or indeed anyone who comes into contact with passports before they are dispatched:
The expiry date is known to be 10 years hence from when it is delivered, give or take a day or 2; the DOB is readily available information; but the passport number is only 9 digits long, roughly a set of 3.5 trillion numbers, so it’s subject to brute force attacks, which is unfortunate because the RFID chip offers no defence against brute force attacks – nothing, not even a limited number of key authentication attempts before the chip locks for a period of time. WTF, even when you enter your PIN in an ATM you only get 3 or so attempts – what were they thinking?
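To make the key-space and lockout points concrete, here is a small Python illustration I have added to this post; it is my own toy code, not anything from the passport scheme or the Guardian article. The key derivation (a SHA-256 hash of the three printed fields, truncated to 16 bytes) is an assumption standing in for the real scheme, which this post doesn’t describe; the point is only that the key is a deterministic function of printed data, so its real strength is the size of the guessable input space, not the cipher’s nominal key length. The scenarios (a 9-decimal-digit passport number, DOB unknown or known, expiry anywhere in a 10-year window or known to within a couple of days) and the “3 attempts then a 60-second lockout” policy are constructed assumptions for the sake of the comparison, and the simulated chip is not a model of any real chip.

```python
"""Why a key derived from printed passport fields is only as strong as the
guessable input space, and what an attempt limit on the chip would change.
Toy illustration for this post: NOT the real e-passport derivation, NOT a
real chip."""
import hashlib
import hmac
import math
from typing import Dict, Optional


def derive_key(passport_number: str, dob: str, expiry: str) -> bytes:
    """Toy derivation (assumption): hash the three printed fields.
    Deterministic, so anyone who knows or guesses the fields gets the key."""
    material = f"{passport_number}|{dob}|{expiry}".encode()
    return hashlib.sha256(material).digest()[:16]


def key_space_bits(number_candidates: int, dob_candidates: int,
                   expiry_candidates: int) -> float:
    """Effective entropy in bits: log2 of the number of (number, DOB, expiry)
    combinations an attacker has to try. This is what matters, not the
    cipher's nominal key size."""
    return math.log2(number_candidates * dob_candidates * expiry_candidates)


def expected_days_to_guess(candidates: int, attempts_per_day: float) -> float:
    """Expected search time, assuming half the space is tried on average."""
    return (candidates / 2) / attempts_per_day


class ToyChip:
    """Simulated chip that checks a presented key against its stored key.
    max_attempts=None reproduces the 'no defence' behaviour described above;
    with a limit, the chip refuses every attempt for lockout_seconds after
    max_attempts consecutive failures (the ATM-style behaviour)."""

    def __init__(self, key: bytes, max_attempts: Optional[int] = None,
                 lockout_seconds: float = 0.0) -> None:
        self._key = key
        self._max_attempts = max_attempts
        self._lockout = lockout_seconds
        self._failures = 0
        self._locked_until = 0.0

    def authenticate(self, presented: bytes, now: float) -> str:
        """Returns 'ok', 'fail' or 'locked'. `now` is the caller's clock in
        seconds, passed in so the behaviour can be reproduced exactly."""
        if now < self._locked_until:
            return "locked"
        if hmac.compare_digest(presented, self._key):  # constant-time compare
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._max_attempts is not None and self._failures >= self._max_attempts:
            self._failures = 0
            self._locked_until = now + self._lockout
        return "fail"


def scenario_summary() -> Dict[str, float]:
    """Constructed scenarios (all figures are assumptions for illustration):
    - passport number: 9 decimal digits, 10**9 candidates
    - DOB: unknown (~100 years of days, 36525) or known (1)
    - expiry: unknown (10-year window, 3653 days) or known to +/- 2 days (5)
    - lockout policy: 3 attempts per 60 s, i.e. 3 * 1440 = 4320 guesses/day"""
    number = 10 ** 9
    return {
        "nothing_known_bits": key_space_bits(number, 36525, 3653),
        "dob_known_expiry_near_bits": key_space_bits(number, 1, 5),
        "dob_known_days_no_limit_at_1k_per_sec":
            expected_days_to_guess(number * 5, 1000 * 86400),
        "dob_known_days_with_lockout":
            expected_days_to_guess(number * 5, 3 * 1440),
    }


if __name__ == "__main__":
    for name, value in scenario_summary().items():
        print(f"{name}: {value:,.2f}")
    # Demonstrate the lockout: three wrong keys, then the chip refuses even
    # the right key until the lockout window has passed.
    key = derive_key("123456789", "1980-01-01", "2016-12-31")  # constructed
    chip = ToyChip(key, max_attempts=3, lockout_seconds=60)
    for t in (0, 1, 2):
        print(t, chip.authenticate(b"\x00" * 16, now=t))
    print(61, chip.authenticate(key, now=61))
    print(62, chip.authenticate(key, now=62))
```

The interesting line is the last scenario: once the DOB is known and the expiry pinned down, the whole search is a few billion candidates (around 32 bits), which is trivial for a chip that answers every guess as fast as it is asked, but runs to hundreds of thousands of days if the chip enforces even an ATM-style three-strikes lockout. The weakness is in the design of the authentication, not in 3DES itself.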
So what does this all mean?
- Targeted terrorist activities for one: consider an RFID reader powerful enough to read the passport at a distance in excess of the maximum distance claimed by the passport office (about 2cm); such a device could read the passport and do things like explode bombs when British citizens walk by – a Dutch group claims to be able to read RFID chips at a distance of up to 30cm.
- Perhaps worst is that the ID card or the RFID passport will become the standard accepted means of proving your identity; government and private agencies will accept this a) because the government spins it that way, and b) because they are electronic and described as being secured with encryption, so the generally accepted view that they are secure will be pervasive.
- Your identity details are now easier to forge/steal without your knowledge than previously, and reproducible in a form that is/will be accepted as the trusted form of identification – and more, enabling someone to travel across borders for nefarious purposes using your identity.
What’s a person to do, since we’re all going to be forced to take an ID card at some point? Well, if you apply for an RFID passport now, you won’t be obliged to take an ID card until that passport expires, which is currently 10 years. So at least if you do this, you can be sure that your passport doesn’t contain any real personal data for the next 10 years before you have to take on an ID card.
Oh yes, having got your RFID passport, when you carry it around wrap it in tin foil; this will prevent it being read at a distance without your knowledge.
The full article can be found here: [http://www.guardian.co.uk/idcards/story/0,,1950226,00.html]