Sunday, August 06, 2006

Good job, C-Net writers Evers and McCullagh

Researchers: E-passports pose security risk by Joris Evers and Declan McCullagh
LAS VEGAS--Radio tags used in everything from building access cards to highway toll cards to passports are surprisingly easy to copy and pose a grave security risk, researchers said this week.

At a pair of security conferences here, researchers demonstrated that passports equipped with radio frequency identification (RFID) tags can be cloned with a laptop equipped with a $200 RFID reader and a similarly inexpensive smart card writer. In addition, they suggested that RFID tags embedded in travel documents could identify U.S. passports from a distance, possibly letting terrorists use them as a trigger for explosives.

I applaud these writers for . . .

  • . . . correctly using the term "radio tag" or "RFID tag." Many writers (who I criticize for this only because as writers they should know better) refer to these things as "computer chips" or something equally stupid.

  • . . . pointing out that these tags are not secure, can easily be copied (even from hundreds of feet away!), and present lots of privacy issues.
However, later on in the article they do display a small hint of incompetence, but only because one of their experts is not being careful with his words.
At the Black Hat conference, Lukas Grunwald, a researcher with DN-Systems in Hildesheim, Germany, demonstrated that he could copy data stored in an RFID tag from his passport and write the data to a smart card equipped with an RFID chip. The copied chip could be used in a forged passport, for example. "We programmed the chip to behave like a passport," Grunwald said in an interview with CNET News.com on Friday.

As you can see in Meriam-Webster's definition of "chip" . . .
6 a : INTEGRATED CIRCUIT b : a small wafer of semiconductor material that forms the base for an integrated circuit

Now, an RFID tag itself doesn't qualify as a "chip" under this definition. There's no semiconductor involved. There's no integrated circuit. It's just a piece of metal. It's pretty dumb. It's passive. It has no power source. It's the RF equivalent of a bar code.

However, a commercially available programmable RFID tag definitely has integration with circuits sitting in silicon. (in fact, an RFID "chip" may not have a conventional RFID as a part of it at all)

And so here "RFID chip" is acceptable.

But if they were to claim that a passport has an "RFID chip" in it, then I'd have to squeeze my stress ball and count to ten and then hit someone or something. I shake a little bit when people refer to "electronic passports" as is done later in the article. However, if I breath deeply, I realize that that's acceptable.

In the future I think they may have some secure "RFID tag like" solution to this "problem" that will involve integrated electronics. For now though, it's just a super unsecure barcode. Nice job, government.

At the end of the article:
Alternatively, Grunwald said, due to some problems with the RFID tag in the German passport, the government decided that the passport will still be valid, even with an inoperative RFID tag. The Chaos Computer Club, a German hacker club, came up with a creative solution, Grunwald said.

"The CCC is recommending to just microwave your passport," he said.

That's my kind of recommendation.

No comments: