The device is designed to detect counterfeit and cloned RFID chips and to stop an attacker from using a rogue chip to inject malware into a back-end system. The box can be loaded with signatures for known attacks and uses heuristics to catch other malicious activity, such as the generic SQL-injection attack shown in the screenshot above right.
The device can be restricted to read only RFID cards with specific serial numbers and reject all others. It can also be used to digitally sign chips, so that any chip altered after issue is rejected by the RFID reader. The system uses HMAC for this signature. Note that HMAC is a keyed message authentication code rather than a public-key signature: every reader that verifies chips must hold the same secret key the issuer used, so the compromise of one reader exposes the key that protects every chip, and a byte-for-byte copy of a validly signed chip still carries a valid MAC. Last year Grunwald revealed that he had been able to sabotage the e-passport readers of two unnamed manufacturers by embedding a buffer-overrun exploit in the JPEG file on a cloned passport chip.
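The three checks the article attributes to the device (serial allow-list, HMAC over chip contents, SQL-injection heuristic) as an added example in Go. This is illustrative code written for this page, not the device's own firmware: the `TagRead` layout, the key, the serial numbers and the sample payloads are all constructed, and the SQL-injection heuristic is a deliberately crude marker count, not a parser.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// TagRead is one read of an RFID tag as the reader hands it to the back end.
// Constructed type for this example, not the device's real data model.
type TagRead struct {
	Serial  string // tag serial number (UID)
	Payload string // application data stored on the tag
	Tag     string // hex HMAC-SHA256 over Serial and Payload, written at issue time
}

// Firewall holds the issuer's HMAC key and the allow-list of serial numbers.
type Firewall struct {
	key     []byte
	allowed map[string]bool
}

func NewFirewall(key []byte, serials []string) *Firewall {
	fw := &Firewall{key: key, allowed: make(map[string]bool, len(serials))}
	for _, s := range serials {
		fw.allowed[s] = true
	}
	return fw
}

// Sign is the issuance step: it produces the tag the issuer writes onto the chip.
func (f *Firewall) Sign(serial, payload string) string {
	m := hmac.New(sha256.New, f.key)
	m.Write([]byte(serial))
	m.Write([]byte{0}) // separator so the serial/payload boundary is unambiguous
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// sqliMarkers are crude indicators for payloads that a careless back end might
// concatenate into a query. Two or more hits are required so that a lone
// apostrophe in a surname does not trip the heuristic.
var sqliMarkers = []string{"'", "--", ";", "/*", " or ", " union ", "drop ", "select "}

func LooksLikeSQLi(payload string) bool {
	p := " " + strings.ToLower(payload) + " "
	hits := 0
	for _, m := range sqliMarkers {
		if strings.Contains(p, m) {
			hits++
		}
	}
	return hits >= 2
}

// Check runs all three checks and returns every reason for rejection; an
// empty slice means the read may be passed to the back end.
func (f *Firewall) Check(r TagRead) []string {
	var reasons []string
	if !f.allowed[r.Serial] {
		reasons = append(reasons, "serial not on allow-list")
	}
	got, err := hex.DecodeString(r.Tag)
	want, _ := hex.DecodeString(f.Sign(r.Serial, r.Payload))
	if err != nil || !hmac.Equal(got, want) { // constant-time compare
		reasons = append(reasons, "HMAC mismatch: contents differ from what was issued")
	}
	if LooksLikeSQLi(r.Payload) {
		reasons = append(reasons, "payload matches SQL-injection heuristic")
	}
	return reasons
}

func main() {
	fw := NewFirewall([]byte("constructed-demo-key"), []string{"E004010012345678"})
	genuine := TagRead{Serial: "E004010012345678", Payload: "asset=laptop-42"}
	genuine.Tag = fw.Sign(genuine.Serial, genuine.Payload)
	altered := genuine
	altered.Payload = "asset=laptop-99" // edited after issue, MAC no longer matches
	rogue := TagRead{Serial: "E004010099999999", Payload: "'; DROP TABLE tags;--"}
	for _, r := range []TagRead{genuine, altered, rogue} {
		if reasons := fw.Check(r); len(reasons) == 0 {
			fmt.Printf("%s ACCEPT\n", r.Serial)
		} else {
			fmt.Printf("%s REJECT %v\n", r.Serial, reasons)
		}
	}
}
```

The ordering of the checks does not matter for security, since all three must pass; returning every failing reason is more useful for logging than stopping at the first. The HMAC stops modification, not duplication: a clone that copies the tag bytes along with the payload passes `Check` exactly like the original, which is the same limitation the passport's signed hashes have.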
It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks! The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved. Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip won't do, I am opposed to the idea.
The United States has led the charge for global e-passports because authorities say the chip, which is digitally signed by the issuing country, will help them distinguish between official documents and forged ones.
The United States plans to begin issuing e-passports to U. Germany has already started issuing the documents. Although countries have talked about encrypting data that's stored on passport chips, this would require that a complicated infrastructure be built first, so currently the data is not encrypted. The cloning news is confirmation for many e-passport critics that RFID chips won't make the documents more secure. Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the e-passport standards posted on the website of the International Civil Aviation Organization, the United Nations body that developed them. He tested the attack on a new German passport, but the method would work on any country's e-passport, since all of them follow the same ICAO standard.
In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He then launched a program that border patrol stations use to read the passports — called Golden Reader Tool and made by secunet Security Networks — and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template. Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information. The result was a blank document that looks, to electronic passport readers, like the original passport. Although he can clone the tag, Grunwald says it's not possible, as far as he can tell, to change data on the chip, such as the name or birth date, without being detected.
That's because the passport authenticates its data with cryptographic hashes: the chip carries a security object listing a hash of each data group (the MRZ, the face image, and so on), signed by the issuing country. A bit-for-bit copy keeps that signature valid, while changing a single data group breaks its hash, so the copy passes where an edit does not. When he was done, he went on to clone the same passport data onto an ordinary smartcard, of the kind corporations use for access keys, after formatting the card's chip to the ICAO standard.
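Why the clone verifies but an edited chip does not, as an added example in Go that is not code from the article, from Grunwald or from secunet. It is a simplified model of ICAO 9303 passive authentication: `Chip`, `SOD`, the data-group contents, the P-256 issuer key and the byte encoding of the hash list are all constructed for this page. A real passport wraps the hash list in CMS SignedData signed by a Document Signer certificate that chains to the country's CSCA, and the optional Active Authentication mechanism (a private key that never leaves the chip) is the part of the standard that would actually defeat cloning; neither is modelled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Chip is a stripped-down Logical Data Structure: numbered data groups plus
// the Document Security Object (SOD). Constructed model, not the ICAO encoding.
type Chip struct {
	DataGroups map[int][]byte // 1 = MRZ, 2 = face image, ...
	SOD        SOD
}

// SOD carries one hash per data group and the issuer's signature over them.
type SOD struct {
	Hashes    map[int][32]byte
	Signature []byte // ECDSA over SHA-256 of the encoded hash list
}

// encodeHashList serialises the hash list deterministically (sorted by DG number).
func encodeHashList(h map[int][32]byte) []byte {
	nums := make([]int, 0, len(h))
	for n := range h {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	var buf bytes.Buffer
	for _, n := range nums {
		buf.WriteByte(byte(n))
		sum := h[n]
		buf.Write(sum[:])
	}
	return buf.Bytes()
}

// Issue plays the issuing country: hash every data group and sign the list.
func Issue(priv *ecdsa.PrivateKey, dgs map[int][]byte) (Chip, error) {
	hashes := make(map[int][32]byte, len(dgs))
	for n, data := range dgs {
		hashes[n] = sha256.Sum256(data)
	}
	digest := sha256.Sum256(encodeHashList(hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Chip{}, err
	}
	return Chip{DataGroups: dgs, SOD: SOD{Hashes: hashes, Signature: sig}}, nil
}

// PassiveAuth is the inspection system's check: verify the SOD signature with
// the issuer's public key, then verify every data group against its hash.
func PassiveAuth(pub *ecdsa.PublicKey, c Chip) error {
	digest := sha256.Sum256(encodeHashList(c.SOD.Hashes))
	if !ecdsa.VerifyASN1(pub, digest[:], c.SOD.Signature) {
		return errors.New("SOD signature does not verify against the issuer's key")
	}
	for n, want := range c.SOD.Hashes {
		data, ok := c.DataGroups[n]
		if !ok {
			return fmt.Errorf("DG%d listed in SOD but missing from chip", n)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("DG%d hash mismatch: data altered after issue", n)
		}
	}
	return nil
}

// Clone is what RFDump did: copy every file, SOD and signature included.
func Clone(c Chip) Chip {
	dgs := make(map[int][]byte, len(c.DataGroups))
	for n, d := range c.DataGroups {
		dgs[n] = append([]byte(nil), d...)
	}
	hashes := make(map[int][32]byte, len(c.SOD.Hashes))
	for n, h := range c.SOD.Hashes {
		hashes[n] = h
	}
	return Chip{DataGroups: dgs, SOD: SOD{Hashes: hashes, Signature: append([]byte(nil), c.SOD.Signature...)}}
}

func main() {
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data groups.
	genuine, err := Issue(issuer, map[int][]byte{
		1: []byte("P<D<<MUSTERMANN<<ERIKA<<<<<<<<<<<<<<<<<<<<<<"),
		2: []byte("\xff\xd8\xff\xe0 constructed JPEG bytes"),
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", PassiveAuth(&issuer.PublicKey, genuine))
	clone := Clone(genuine)
	fmt.Println("clone:  ", PassiveAuth(&issuer.PublicKey, clone))
	clone.DataGroups[1] = []byte("P<D<<ANGREIFER<<MAX<<<<<<<<<<<<<<<<<<<<<<<<<")
	fmt.Println("edited: ", PassiveAuth(&issuer.PublicKey, clone))
}
```

The first two calls return nil and the third returns a DG1 hash-mismatch error. Nothing in the verification path depends on which piece of silicon answered the reader, which is exactly the gap a clone exploits: passive authentication proves the data was issued by the country, not that this chip is the one the country issued.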