Expert: German E-Passports Not Secure
August 7, 2006
So-called radio frequency identification (RFID) tags, which have also been used to track livestock and store merchandise, are currently being imbedded in all new German passports. The United States plans to start issuing passports with RFID tags in October.
At the Defcon computer security conference in Las Vegas over the weekend, German expert Lukas Grunwald demonstrated how a hacker could duplicate an RFID information chip, for example from a passport, with an inexpensive RFID reader and smart card writer.
"If there is an automatic inspection system, I can use this card to enter any country," said Grunwald, the founder of an Internet and e-commerce consulting firm.
In a project that he said took "two weeks and $5,000 (3,900 euros) in legal fees" to complete, Grunwald confirmed that data stored on RFID tags can be copied -- but not altered.
Radio tags for more than e-passports
RFID tags are not only found in passports in many countries including Germany, but have been used for over 10 years to track cattle and wild animals. Descendants of the barcode, they are also imbedded in some cash cards and access cards for entry into secure buildings.
Tickets to the recent World Cup in Germany contained traceable RFID tags and the European Central Bank has talked of imbedding the chips in the euro currency, reported AFP.
Lukas Grunwald and other experts warn that criminals could illegally enter the country of their choice by copying the data tags. Some also worry that terrorists may try to hack into RFID chips in passports to carry out selective acts of terror.
The tags can be read from a distance and, theoretically, a terrorist could identify if someone nearby is holding an American or other passport and carry out an attack based on that information.
Peter Schaar, Germany's federal commissioner for data protection, made an appeal last week for new regulations on imbedding the tiny RFID chips. If the chip producers can't properly deal with the security risks, the lawmakers will have to step in and protect the consumers, Schaar told news agency AFP.
Aluminum pouch can foil hackers
Aware of the insecurity associated with the RFID chips, Grunwald carries his own passport in a pouch lined with aluminum foil so that it cannot be read by unauthorized parties. These passport holders are already on the market in Germany, he said.
Now that they've been dubbed insecure, are RFID tags already obsolete? Grunwald indicated the chips have untapped potential.
"You can add RFID in a secure way, but especially in electronic passports the standards are created by compromise, and by compromise you cannot do it securely," Grunwald said. "You need a lot of research to do it right, and that research is not done right now."