From: InfoSec News <alerts_at_private>
Date: Fri, 3 Oct 2008 01:31:24 -0500 (CDT)

http://www.techworld.com/security/news/index.cfm?newsID=105167

By Jeremy Kirk
IDG news service
02 October 2008



Data on radio chips can be cloned and modified without detection,
according to a security researcher, raising question marks over the use
of so-called e-passports that use RFID chips.



Upwards of 50 countries are rolling out passports with embedded RFID
(radio frequency identification) chips containing biometric and personal
data. The move is intended to cut down on fraudulent passports and
strengthen border screenings, but security experts say the systems have
several weaknesses.



Dutch researcher Jeroen van Beek has released a software toolkit that
can be used to encode RFID chips with false information. In a
demonstration video, van Beek shows how a scanner at Amsterdam's airport
reads a passport chip he encoded with Elvis Presley's information and
photograph.



It means that a fraudster could potentially create a fake passport with
an RFID chip that would appear legitimate. The data looks legitimate
because of a fundamental problem in how governments are setting up
systems to handle e-passports, said Adam Laurie, a freelance security
researcher who worked with van Beek on the demonstration.



Passport data on RFID chips is signed with a digital certificate
belonging to the country to which the passport was issued. E-passport
systems are supposed to verify that certificate when scanning a
passport, Laurie said.



All countries issuing e-passports are supposed to upload their digital
certificate to the Public Key Directory (PKD), a database that should be
queried to ensure the certificate is correct, Laurie said.



But only 10 of the 50 or so countries have agreed to upload those
certificates to the PKD, Laurie said. Only five countries are
contributing to the database, he said.



"Basically, the whole thing falls down," Laurie said. The e-passport
system's security is rooted in the back-end database checks of those
certificates, he said.



In van Beek's demonstration, the passport chip containing fraudulent
data presents its own certificate that appears to be from a legitimate
authority but isn't. Since the Netherlands doesn't use PKD to verify
passport certificates, the certificate is accepted, Laurie said.
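
The check Laurie describes, as an added example that is not part of the original article or of van Beek's toolkit: an inspection routine that accepts any chip whose data verifies under the certificate the chip itself presents, beside one that also requires that certificate to be vouched for by a country key held in a trust store (the role of the PKD lookup). Assumptions: Lamport one-time hash signatures stand in for the signature algorithms real passports use so that the code runs on the Python standard library alone, and the country "XX", the keys, the chip layout and every function name are constructed for illustration.

```python
import hashlib, json, os

# Lamport one-time signatures (stdlib only) stand in for a real chip's signature scheme.
def H(b): return hashlib.sha256(b).digest()

def keygen():
    sk = [[os.urandom(32) for _ in range(256)] for _ in range(2)]
    return sk, [[H(x) for x in row] for row in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[b][i] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[b][i] for i, b in enumerate(bits(msg)))

def make_chip(issuer_name, issuer_sk, data):
    """Issue a signer certificate under issuer_sk, then sign the chip data with it."""
    ds_sk, ds_pk = keygen()
    cert = json.dumps({"subject": "Document Signer", "issuer": issuer_name,
                       "pk": [[x.hex() for x in row] for row in ds_pk]}).encode()
    return {"data": data, "data_sig": sign(ds_sk, data),
            "cert": cert, "cert_sig": sign(issuer_sk, cert)}

def inspect_chip(chip, trust_store=None):
    """Accept or reject a chip. trust_store maps issuer name -> country public key."""
    cert = json.loads(chip["cert"])
    ds_pk = [[bytes.fromhex(x) for x in row] for row in cert["pk"]]
    if not verify(ds_pk, chip["data"], chip["data_sig"]):
        return False                      # data changed after signing
    if trust_store is None:
        return True                       # weak: trusts the chip's own certificate
    anchor = trust_store.get(cert["issuer"])
    return anchor is not None and verify(anchor, chip["cert"], chip["cert_sig"])

# Constructed sample data: country "XX" and both key pairs are made up.
csca_sk, csca_pk = keygen()
other_sk, _ = keygen()                    # a key the issuing country never published
TRUST = {"CSCA XX": csca_pk}              # plays the role of the PKD lookup
genuine = make_chip("CSCA XX", csca_sk, b"P<XXDOE<<JANE")
unvouched = make_chip("CSCA XX", other_sk, b"P<XXDOE<<JOHN")

if __name__ == "__main__":
    for name, chip in (("genuine", genuine), ("unvouched", unvouched)):
        print(name, "| no trust store:", inspect_chip(chip),
              "| with trust store:", inspect_chip(chip, TRUST))
```

Both chips pass when no trust store is consulted, because each is internally consistent; only the comparison against the published country key separates them.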






Received on Thu Oct 02 2008 - 23:31:24 PDT
