lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4542355F.9080505@thebunker.net>
Date: Fri, 27 Oct 2006 17:35:43 +0100
From: Adam Laurie <adam.laurie@...bunker.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: RFID enabled e-passport skimming proof of concept
	code released (RFIDIOt)


The latest version of RFIDIOt, the open-source python library for RFID 
exploration/manipulation, contains code that implements the ICAO 9303 
standard for Machine Readable Travel Documents in the form of a test 
program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and 
display the contents therein, including the facial image and the 
personal data printed in the passport.  Currently the data read is 
limited to the following objects:

     Data Group:  61 (EF.DG1 Data Recorded in MRZ)
     Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to the 
author's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip from 
casual reading, which is derived from data printed inside the passport. 
However, this data is also potentially available by other means, so the 
key for a specific passport could be derived without physical access to 
the passport. The information required is as follows:

   The Passport number

   The Date Of Birth of the holder

   The Expiry Date of the Passport

   (Each of the fields also has a check digit which can be calculated by 
the software if not otherwise available).

The author has previously shown that this data can be obtained through 
other channels, such as poorly secured websites, as it is a subset of 
the data that is required by the US Homeland Security for Advance 
Passenger Information, and is therefore commonly collected by airlines 
and other associated organisations.

This article, from the UK national newspaper The Guardian, gives more 
details of one of the techniques used:

   http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

Others have also highlighted the possibility of bruteforcing the keys, 
given that the components are largely predictable, giving a much smaller 
keyspace than might otherwise be supposed:

   http://www.riscure.com/2_news/passport.html

The demonstration code (RFIDIOt.py version 0.1g) can be found here:

   http://rfidiot.org

The ICAO 9303 standard documents can be found here:

   http://www.icao.int/mrtd/publications/doc.cfm

Enjoy!
Adam
-- 
Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam@...bunker.net
Kent
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ