Kevin Mahaffey, a 21-year old electrical engineer, set off an explosive with an RFID-enabled passport mockup. But he had no nefarious intent. In fact, he was asked by tech security analysts at Flexilis to set up the demonstration. Thi was done to show the potential hazards of using the new RFID-enabled e-passports that the US government is planning on issuing later this year, and which has raised privacy concerns.
Flexilis analysts, speaking at the Blackhat 2006 conference in Nevada, said that the foil mesh inside the cover of the new US e-passports are not secure enough to shield from being read by unauthorized devices.
While I'm no fan of using RFID as an attempted human tracking technology, I make a few exceptions, especially in the case of RFID-tagging luggage for airport check-in/ out. However, the scenario painted Flexilis has nothing to do with luggage. They suggested that an RFID e-passport could be used to set off explosives hidden in a trash bin at an airport. Something about this, in my opinion, seems flawed.
Firstly, if trash-bin device uses short-range RFID, the person setting it off is endangered as well. If the device is long-range, then security sweeps of an airport, using an RFID reader is likely to reveal it. So given good security methods and thorough sweeps, it's unlikely to remain hidden.
Secondly, if a trash bin is metal and blocks security readers, an e-passport will be no more successful setting off a hidden device. Alternately, each airport trash bin could be lined with a Faraday Cage, to shield against RF signals. While possibly costly, it would deter the success of such scenarios.
Thirdly, you don't need an RFID-passport to activate the hidden device. The person assigned as activator could carry an RFID keyfob. In other words, it's not the passport that's the problem, but the methodology (or lack of) used to prevent such scenarios.
On the other hand, if the criminal intent is to harm the person carrying the passport, this is a bit more chilling, as the theory put forth by Flexilis is that a specific person's passport could unwittingly activate the hidden device. As proof, Flexilis set up model rocket engines in a trashcan (albeit rubber), attached to an RFID reader. When they swung a e-passport-carrying mannequin, on pulleys, near the trashcan, the rocket engines were fired off directly at the mannequin.
Apparently it's not just the US passports that are considered a risk. In Germany, a computer security consultant, Lukas Grunwald, demonstrated how to clone a specific RFID chip. Grunwald tested his method on an EU German passport, but says that it'll work for all e-passports using the ICAO standard. Earlier this year, a Dutch security firm cracked a prototype e-passport, based on the ICAO standard, within two hours, while being filmed for a TV program.
In light of this information, these RFID e-passports don't seem all that secure. So it makes me wonder how and why they are being enforced, in so many countries. Of course, these flaws could just as well be utilized by government spies as by criminals. (But then, some people think that they're synonymous anyway.) However, who gainsays what a government does, and how?
--
Did you enjoy this post?
« RFID Roundup - Fri Aug 04/06 | Main | Fastlinks For Mon Jul 31 - Fri Aug 4, 2006 »