All the latest UK technology news, reviews and analysis
|
|
|
03 Feb 2009
A British hacker has shown how easy it is to clone US passport cards that use Radio Frequency ID chips by conducting a drive-by test on the streets of San Francisco.
Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.
Paget picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.
"I believe that RFID is very unsuitable for tagging people," he said. "I do not believe we should have any kind of identity document with RFID tags in them. My ultimate goal would be to see the entire Western Hemisphere Travel Initiative scrapped."
Paget claimed that it would be relatively simple to make cloned passport cards from the information he had gathered.
Genuine passport cards support a 'kill code' which can wipe the card's data, and a 'lock code' that prevents the tag's data being changed. But Paget believes that these protections are not being used and that, even if they were, the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.
The ease with which the passport cards were picked up is even more worrying considering that fewer than a million have been issued to date.
Paget is a renowned 'white hat' ethical hacker, and has made the study of the security failings of RFID something of a speciality.
In 2007 he was due to present a paper on the subject at the Black Hat security conference in Washington, but was forced to abandon the plans after an RFID company threatened him with legal action.
Paget points out that RFID tags are increasingly being used in physical security systems such as building access cards, and that the technology needs significant extra security before it can be considered safe for commercial use.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Desktop Deployment Support Analyst (Worksite, SQL...
Project Manager is required by Bank in Germany Suitable...
Mobile & Social Media Application Web Developer...
CCVP Consultant - Telecoms Cisco Certified Voice Professional...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
People should keep their Passport Cards in the Secure Sleeve that ships with the card
All US Passport cards are shipped with a RFID shielding sleeve from Identity Stronghold. The contained paperwork urges people to keep the card in the Secure Sleeve when not being used at the border. These same sleeves can block the new RFID enabled contactless credit cards from being read remotely as well. If you are interested you can see them or buy them at www.idstronghold.com
Posted by: Walt Augustinowicz 04 Feb 2009