Friday, November 24, 2006

RFIDIOts mandating insecure RFID passports

Nice proof of concept code that can read passport data posted to BUGTRAQ. The "key" is comprised of data on the passport itself so you can remotely decrypt someone's data only if you know this information, or can brute-force it since it is a small keyspace:

The Passport number

The Date Of Birth of the holder

The Expiry Date of the Passport

The latest version of RFIDIOt, the open-source python library for RFID
exploration/manipulation, contains code that implements the ICAO 9303
standard for Machine Readable Travel Documents in the form of a test
program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and
display the contents therein, including the facial image and the
personal data printed in the passport.
Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you're a Canadian in foreign countries?

Also see this news story.


No comments:

Post a Comment