lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080929220955.GC30277@segfault.net>
Date: Mon, 29 Sep 2008 22:09:55 +0000
From: rm@...fault.net
To: full-disclosure@...ts.grok.org.uk
Subject: THC releases video and tool to create fake
	ePassports


http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
http://freeworld.thc.org/thc-epassport/

29th September 2008

THC/vonJeek proudly presents an ePassport emulator. This emulator applet 
allows you to create a backup of your own passport chip(s).

A video demonstrating the weakness is available at
http://freeworld.thc.org/thc-epassport/

The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips is no longer
working. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

This manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
thc-epassport.

Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.

ePassports give us a false sense of security: We are made to believe
that they make use more secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Yours sincerely,

vonjeek [at] thc dot org
The Hackers Choice
http://www.thc.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ