Dave Bullock / eecue

photographer, engineering leader, nerd

Major Flaw in Proposed RFID Passports

The guys from a wireless research company called Flexilis who happen to be based a block and a half from my loft, just showed me their proof of concept demo of a serious flaw in the upcoming RFID embedded Passports, scheduled to be released in October. The RFID passports incorporate a shielding mechanism to prevent rogue readers from picking up the sensitive information contained in your US passport, but as it turns out if the passport is slightly open it can be read. This may not seem like much of a big deal until you watch the following video where they created a proof of concept Improvised Explosive Device that detects the presence of a US passport and detonates a charge (or in their test case, some model rocket engines).

This hack could also be used to identify to unique individual and then detonate a device or track them. Because the RFID technology works at only close distances this attack is especially dangerous. I talked to them about the possibilities of attacking the RFID chip even if the passport is closed and it is possibly that with a very strong electromagnetic field, the data could be read on a subcarrier, but they still have more research to do in that area. Here is their abstract about the demo:
The FLX[2006‐0605] video security brief demonstrates a real‐world vulnerability associated with the failure of the shielding component in the current proposed electronic passport design. When partially open, as could be the case when in a pocket, purse, or briefcase, the currently proposed passport can be detected by a nearby inquiring RFID reader. The security brief also demonstrates an improved shield design that requires a passport to be significantly open before reading is possible.

You can read the full RFID Passport Technical Analysis (84K PDF) or the RFID Passport Shield Failure Demonstration (120 KB). The good news is they have proposed a fix for the problem, John Hering told me he had discovered the vulnerability 2 years ago, but didn't want to release knowledge of the problem until he had a fix to go with it.

Digg This Article

UPDATE Well it looks like the Department of State decided not to wait until October to begin issuing these dangerous passports. Here is their press release.