Expert picks out loopholes in US e-passports
By IANSFriday, April 16, 2010
WASHINGTON - Every new US passport issued since 2007 has been outfitted with a computer chip, embedded on its back cover. Till recently hackers were able to access it from afar, but now such e-passports can only be read when they are opened.
The “e-passport” contains biometric data, electronic fingerprints and pictures of the holder, and a wireless radio frequency identification (RFID) transmitter.
Avishai Wool, professor at Tel Aviv University’s (TAU) School of Electrical Engineering in Israel, has helped ensure that the chip in such e-passports can only be read when the passport is opened.
Now, a new study by Wool finds serious security drawbacks in similar chips that are being embedded in credit, debit and “smart” cards.
The vulnerabilities of this electronic approach - and the vulnerability of the private information contained in the chips - are becoming more acute.
Using simple devices constructed from $20 disposable cameras and copper cooking-gas pipes, Wool and his pupils Yossi Oren and Dvir Schirman have demonstrated how easily the cards’ radio frequency (RF) signals can be disrupted.
Wool’s latest research centres on the new “e-voting” technology being implemented in Israel. “We show how the Israeli government’s new system based on the RFID chip is a very risky approach for security reasons,” explains Wool.
“It allows hackers who are not much more than amateurs to break the system,” Wool explains.
“One way to catch hackers, criminals and terrorists is by thinking like one.”
In his lab, Wool constructed an attack mechanism - an RFID “zapper” - from a disposable camera. Replacing the camera’s bulb with an RFID antenna, he showed how the EMP (electro-magnetic pulse) signal produced by the camera could destroy the data on nearby RFID chips such as ballots, credit cards or passports.
“In a voting system, this would be the equivalent of burning ballots - but without the fire and smoke,” he says.
But there are some small steps that can be taken to make smart cards smarter, says Wool.
The easiest one is to shield the card with something as simple as aluminium foil to insulate the e-transmission. In the case of e-voting, a ballot box could be made of conductive materials.
The US State Department has already taken Wool’s advice: since 2007, they’ve also added conductive fibres to the back of every American passport.
The work will be presented at the IEEE RFID conference in Orlando, Florida this month.