Passports and other ID cards incorporating radio chips can be remotely spied on, jammed and even copied, computer experts revealed at a major conference that ended on Sunday.
Radio frequency identification (RFID) technology uses a chip about the size of a grain of rice to send short range radio signals to scanners. It has been touted as a highly secure, simple way of to authenticate people and track objects.
However, at the Black Hat conference in Las Vegas, US, Lukas Grunwald, of German computer security company DN-Systems, showed that RFID passports can be cloned with relative ease. He found that passports designed according to the International Civil Aviation Organization (ICAO) standard can be cloned.
Advertisement
Such passports are already issued in the UK and other European countries and will be introduced in the US in October 2006. But Grunwald concedes that the content of an RFID passport cannot be altered without detection because it is signed cryptographically.
Waste of money
鈥淭he whole passport design is totally brain damaged,鈥 Grunwald told Wired.com. 鈥淔rom my point of view, all of these RFID passports are a huge waste of money. They鈥檙e not increasing security at all.鈥
At the same conference, Kevin Mahaffey and John Hering of US computer security company Flexilis showed that electronic passports can be remotely spied upon despite the radio-blocking shields included in US designs. They found they could read the devices from 60 centimetres away if the passport is opened by just 1 cm.
The conference also featured a demonstration of a device, called the RFID Guardian, which can be used to hijack radio signals. It can emulate other readers and also to block legitimate RFID signals, claims its creator Melanie Rieback, a researcher from Vrije University in the Netherlands.
鈥淚 spend most of my time making the RFID industry鈥檚 life miserable,鈥 Rieback admits. 鈥淚 am not anti-RFID. It has the potential to make people鈥檚 lives easier, but it needs to be used responsibly.鈥
Free code
Rieback and colleagues expect to have a portable version of their device finished in six months. Although they have 鈥渘o plans to immediately mass-produce these things鈥, they announced at the conference that the schematics and computer code for the device would be made public.
The researchers previously developed a 鈥減roof-of-concept鈥 computer virus designed to spread via RFID tags. 鈥淭he industry and government needs to not be scared of us,鈥 Rieback said. 鈥淭hey need to talk with us and to work with us.鈥
RFID technology is already widely used. For example, retail giant Wal-Mart embarked on a campaign to use RFID to track inventories and shipments in 2004. The European Central Bank has talked of putting RFID technology in European currency, and the tags were also used to track World Cup 2006 Soccer tickets.