e-Passports get hacked in new security threat

Researcher finds another vulnerability in RFID-passports, analysts see potential for trouble.

By Chris Zappone, CNNMoney.com staff writer

NEW YORK (CNNMoney.com) -- As the nation grapples with difficulties getting new passports, a technology researcher has found another problem with the radio frequency ID technology the new documents carry.

Computer security expert Lukas Grunwald cloned and manipulated the content of an RFID passport, then used the hacked e-Passport to crash the machine needed to read it.

Lukas Grunwald of DN-Systems Enterprise Internet Solutions

Grunwald says that although the passport wasn't American, the threat certainly extends to American passports, which use similar technology.

RFID technology combines silicon chips with antennas to make data accessible via radio waves. It's already a $650 million industry, according to ABI Research, which expects the market to more than triple by 2011.

Technologists, however, have insisted that RFID technology as implemented in the U.S. passport is not secure and cannot assure privacy.

The U.S. government began rolling out RFID-chipped E-passports last year over the objections of numerous security experts.

The RFID passport is "fundamentally insecure by design," Grunwald said. The vulnerability could enable a person "to crash the reading machine at an airport or to manipulate it in a nasty way so that a forged passport could be accepted," he said.

Industry representatives disputed the conclusion of the work.

"I don't know if there is any credibility in this story," said Randy Vanderhoof, executive director of the Smart Card Alliance, who said he would hold off any judgment until he was more familiar with the claims.

Vanderhoof did point out, however, that Grunwald was using a German passport with a fingerprint biometric.

"In the U.S. we're not using a fingerprint biometric," he said.

The State Department did not respond to a request for comment.

The U.S. e-Passport uses a digital image of the passport photograph as the biometric identifier, according to the State Department Web site.

Paul Proctor of technology research group Gartner said the vulnerability that Grunwald discovered is, like many exploits of RFID technology, "low probability but high impact."

The problems with securing information on RFID are "real" and "well-known," said Proctor, who called Grunwald's work "sound."

"If the government discovers a cloned passport, it will be stuck with millions of insecure passports. RFID will be in there but just ignored," he said.

But in order for the government to act, it "will have to catch someone cloning it in a nefarious way." Then, Proctor predicts, the whole RFID infrastructure (passports, readers, etc.) would become null and void for the government.

"Governments aren't going to respond to a researcher but to a baddie," Proctor said.

Grunwald is undaunted. He says he is "shocked at how naive the industry - specifically the security document industry is - going into this field and trying to implement security that puts us at risk."

Grunwald will discuss the vulnerability Saturday at the DefCon 15 hacker convention in Las Vegas.

DefCon is an annual convention attended by hackers, corporate IT security professionals and federal authorities from around the world.

