[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4542355F.9080505@thebunker.net>
Date: Fri, 27 Oct 2006 17:35:43 +0100
From: Adam Laurie <adam.laurie@...bunker.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RFID enabled e-passport skimming proof of concept
code released (RFIDIOt)
The latest version of RFIDIOt, the open-source python library for RFID
exploration/manipulation, contains code that implements the ICAO 9303
standard for Machine Readable Travel Documents in the form of a test
program called 'mrpkey.py'.
This program will exchange crypto keys with the passport and read and
display the contents therein, including the facial image and the
personal data printed in the passport. Currently the data read is
limited to the following objects:
Data Group: 61 (EF.DG1 Data Recorded in MRZ)
Data Group: 75 (EF.DG2 Encoded Identification Features - FACE)
Other Data Groups will be implemented as and when examples come to the
author's attention.
The ICAO standard relies on a 'secret' key to protect the RFID chip from
casual reading, which is derived from data printed inside the passport.
However, this data is also potentially available by other means, so the
key for a specific passport could be derived without physical access to
the passport. The information required is as follows:
The Passport number
The Date Of Birth of the holder
The Expiry Date of the Passport
(Each of the fields also has a check digit which can be calculated by
the software if not otherwise available).
The author has previously shown that this data can be obtained through
other channels, such as poorly secured websites, as it is a subset of
the data that is required by the US Homeland Security for Advance
Passenger Information, and is therefore commonly collected by airlines
and other associated organisations.
This article, from the UK national newspaper The Guardian, gives more
details of one of the techniques used:
http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
Others have also highlighted the possibility of bruteforcing the keys,
given that the components are largely predictable, giving a much smaller
keyspace than might otherwise be supposed:
http://www.riscure.com/2_news/passport.html
The demonstration code (RFIDIOt.py version 0.1g) can be found here:
http://rfidiot.org
The ICAO 9303 standard documents can be found here:
http://www.icao.int/mrtd/publications/doc.cfm
Enjoy!
Adam
--
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station http://www.thebunker.net
Marshborough Road
Sandwich mailto:adam@...bunker.net
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists