RFID enabled e-passport skimming proof of concept code released (RFIDIOt)

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
From: Adam Laurie <adam.laurie@xxxxxxxxxxxxx>
Date: Fri, 27 Oct 2006 17:35:43 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.7 (X11/20060922)

The latest version of RFIDIOt, the open-source python library for RFIDexploration/manipulation, contains code that implements the ICAO 9303standard for Machine Readable Travel Documents in the form of a testprogram called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read anddisplay the contents therein, including the facial image and thepersonal data printed in the passport. Currently the data read islimited to the following objects:


    Data Group:  61 (EF.DG1 Data Recorded in MRZ)
    Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to theauthor's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip fromcasual reading, which is derived from data printed inside the passport.However, this data is also potentially available by other means, so thekey for a specific passport could be derived without physical access tothe passport. The information required is as follows:


  The Passport number

  The Date Of Birth of the holder

  The Expiry Date of the Passport

(Each of the fields also has a check digit which can be calculated bythe software if not otherwise available).

The author has previously shown that this data can be obtained throughother channels, such as poorly secured websites, as it is a subset ofthe data that is required by the US Homeland Security for AdvancePassenger Information, and is therefore commonly collected by airlinesand other associated organisations.

This article, from the UK national newspaper The Guardian, gives moredetails of one of the techniques used:


  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

Others have also highlighted the possibility of bruteforcing the keys,given that the components are largely predictable, giving a much smallerkeyspace than might otherwise be supposed:


  http://www.riscure.com/2_news/passport.html

The demonstration code (RFIDIOt.py version 0.1g) can be found here:

  http://rfidiot.org

The ICAO 9303 standard documents can be found here:

  http://www.icao.int/mrtd/publications/doc.cfm

Enjoy!
Adam
--
Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam@xxxxxxxxxxxxx
Kent
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers

Prev by Date: GestArt <= vbeta 1 Remote File Include Vulnerabilities
Next by Date: PLS-Bannieres 1.21 (bannieres.php) File Include
Previous by thread: GestArt <= vbeta 1 Remote File Include Vulnerabilities
Next by thread: PLS-Bannieres 1.21 (bannieres.php) File Include
Index(es):
- Date
- Thread