Of course RFID passports are clonable

Lukas Grunwald's demonstration at Black Hat that RFID passports are clonable is getting plenty of press. Really, this isn't at all a surprising result; it was apparent as soon as you understood how the system was constructed.

It's useful to start from first principles and ask what the threat model for a system like this is. When you show up at Immigration with your passport, the inspector wants to know that:

  1. There's a person with some set of attributes (citizenship, criminal record or lack thereof, etc.)
  2. That that's the person standing in front of them.

Now, in the case of physical passports, these security properties are ensured via the following features (hopefully):

  1. Convincing passports are hard to manufacture.
  2. Passports are hard to alter without leaving evidence.
  3. There's a backend database which you can look up from the passport number.
  4. Passports contain biometric information (photographs for current generation passports) which the inspector can match to the person in front of them.

Features 1-3 correspond roughly to our first goal. They bind the user's identity and attributes to the physical passport. The biometric matches the second goal, binding the physical person to the passport. Putting these together allows you to bind the physical person to the back-end attributes, which is what you want if you are trying to decide whether to let someone into the country.

Now let's talk about electronic passports. The natural design, and the one that seems to be in use here, is to have the passport be effectively a digital certificate: a biometric, a record locator, some attributes, all signed by some national CA (i.e., the US State Department). The inspector scans the passport, his terminal verifies the digital signature and displays the biometric, which somehow gets verified against the user. If the biometric is a photograph, then this comparison is typically done manually. If it's something else like a fingerprint or an iris print, then it's done automatically.

In an ideal world, this system works perfectly well. There's no need to conceal the information on the passport because the only person who can use it is the person with the right physical characteristics--i.e., the passport holder. So, even if you have a copy of the passport it's no good to you if you're not the right person.[1] Unfortunately, we don't live in an ideal world.

The first problem is that this absolutely depends on using the signed biometric, not the one printed on the passport. Otherwise, you're just using the physical document again. Thus, in order to get the security of the electronic passport, you need to have a pretty substantial scanner—one with a big enough video screen to compare to people's faces. At some level, it would be better if the passports were blank so you had to use the scanner. (Consider what you do if you can't get the scanner to work... We badly need a human factors study here.)

The second problem is that the biometric comparisons aren't very good. People's ability to match faces to photographs is better than computers', but it's still not very good, especially when the photos are up to 10 years old and the verifier is in a rush, which they often are. In the case of physical passports, the (alleged) difficulty in manufacturing a totally new passport provides a kind of defense in depth: whoever is being admitted needs to have a passport, even if it's not theirs. Obviously, however, this situation doesn't obtain if the passport is all electronic and the data is easily copied.

This brings us back to Grunwald's attack. The new RFID passports contain a signed biometric stored in an RFID chip. When the chip is read it just returns the stored value. Obviously, if you can capture that signal then it's not particularly hard to make a second device that generates the same signal (what's called a replay attack). The only question here is whether that device can be made from commodity components or whether you'd have to custom-build it. Grunwald's work shows that you can build it from commodity components. But the general feasibility of this attack has been well known for a long time.

There are, of course, ways to prevent a replay attack. The standard technique is to make the authenticator do something dynamic. For instance, you could make the data stored in the passport chip include a public key--i.e., be a certificate. The reader would provide the passport with a challenge, which the passport signs. At this point, capturing a single response doesn't do the attacker any good because you can't sign a new challenge. Of course, you can still clone a passport if you have physical possession and extract the key (there are hardening techniques, but none secure enough to stop a dedicated attacker and economical enough to use on every passport). You can't do it merely from observing its communications.

The major drawback of this scheme is that it requires doing some processing on the passport, which the current scheme does not. That may be a dealbreaker--my impression is that current RFID tokens can't do any significant amount of processing, and probably not enough to do a public key operation.[2] As far as I know, however, there's no scheme that resists replay attacks without doing some processing on the token.

1. There's a direct analogy to public key certificates, which also don't need to be kept secret.
2. It's possible you could use a symmetric key printed on the passport and then use a MAC rather than a signature. The drawback of this is that you can't remote read securely. On the other hand, if you only want to do remote read for tracking but local read for authentication...
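To make the replay argument above concrete, here is a small simulation I added for this page (it is not Grunwald's code or anything from the passport standards). It models the two designs the post contrasts: a static chip that answers every read with the same signed record, and a challenge-response chip that answers a fresh reader nonce. The challenge-response side uses the symmetric-key MAC variant from footnote 2 so that it runs with only the Python standard library; the public-key version has the same flow, with the MAC check replaced by a signature check. The national CA signature is also stood in for by an HMAC under a constructed key, and the passport record and keys are constructed placeholders.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the national CA's signing key. In the real design this
# is an asymmetric key pair and the reader holds only the public half; an HMAC is
# used here so the example runs with only the standard library. The flow is the
# same either way: the reader verifies a signature it did not make.
CA_KEY = b"constructed-ca-key-for-the-example-only"


def canonical(record: dict) -> bytes:
    """Serialise the passport record deterministically so signatures are stable."""
    return json.dumps(record, sort_keys=True).encode()


def ca_sign(record: dict) -> bytes:
    return hmac.new(CA_KEY, canonical(record), hashlib.sha256).digest()


def ca_verify(record: dict, signature: bytes) -> bool:
    return hmac.compare_digest(ca_sign(record), signature)


class StaticChip:
    """The current design: the chip answers every read with the same signed record,
    so a single captured read is enough to build a replaying clone."""

    def __init__(self, record: dict):
        self.record = record
        self.signature = ca_sign(record)

    def respond(self, _challenge: bytes) -> tuple:
        # The challenge is ignored: the chip has nothing dynamic to contribute.
        return (self.record, self.signature)


class ChallengeResponseChip:
    """Footnote 2 variant: the chip holds a per-passport symmetric key (also printed
    on the data page, so a local reader can obtain it) and MACs the reader's fresh
    challenge together with the signed record."""

    def __init__(self, record: dict, chip_key: bytes):
        self.record = record
        self.signature = ca_sign(record)
        self._chip_key = chip_key

    def respond(self, challenge: bytes) -> tuple:
        msg = challenge + canonical(self.record)
        tag = hmac.new(self._chip_key, msg, hashlib.sha256).digest()
        return (self.record, self.signature, tag)


class ReplayClone:
    """Device built from one captured exchange: it returns the captured response
    no matter what the reader asks, which is exactly what the post describes."""

    def __init__(self, captured_response: tuple):
        self._captured = captured_response

    def respond(self, _challenge: bytes) -> tuple:
        return self._captured


def static_reader_accepts(chip) -> bool:
    """Reader for the static design: verify the CA signature on what the chip returns."""
    record, signature = chip.respond(b"")
    return ca_verify(record, signature)


def challenge_reader_accepts(chip, printed_key: bytes) -> bool:
    """Reader for the challenge-response design: pick a fresh challenge per read, then
    check both the CA signature and the MAC over this read's challenge."""
    challenge = os.urandom(16)
    record, signature, tag = chip.respond(challenge)
    if not ca_verify(record, signature):
        return False
    expected = hmac.new(printed_key, challenge + canonical(record), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed passport record and per-passport key; placeholders, not real data.
RECORD = {"name": "J. DOE", "record_locator": "EXAMPLE-0001", "photo_sha256": "00" * 32}
CHIP_KEY = b"constructed-per-passport-key"


def static_replay_succeeds() -> bool:
    """Eavesdrop on one read of a static chip, then present a clone. True = accepted."""
    captured = StaticChip(RECORD).respond(b"")
    return static_reader_accepts(ReplayClone(captured))


def challenge_replay_succeeds() -> bool:
    """Same capture against the challenge-response chip. True would mean accepted."""
    captured = ChallengeResponseChip(RECORD, CHIP_KEY).respond(os.urandom(16))
    return challenge_reader_accepts(ReplayClone(captured), CHIP_KEY)


def challenge_genuine_succeeds() -> bool:
    """The genuine chip still passes, since it can MAC whatever challenge it is given."""
    return challenge_reader_accepts(ChallengeResponseChip(RECORD, CHIP_KEY), CHIP_KEY)


if __name__ == "__main__":
    print("static chip, replayed clone accepted:", static_replay_succeeds())
    print("challenge-response, replayed clone accepted:", challenge_replay_succeeds())
    print("challenge-response, genuine chip accepted:", challenge_genuine_succeeds())
```

The clone passes the static reader because the CA signature over the record is valid and nothing in the exchange depends on the reader; it fails the challenge-response reader because the captured tag was computed over a different nonce. The MAC variant also illustrates footnote 2's drawback: the verifying key is the one printed on the document, so a reader that can only see the radio side has nothing to check against.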

2 Comments

"Enhanced Access Control", once they finish writing the standards document, is supposed to fix this problem, though by replacing it with another one (making it easier to skim data from other people's passports).

Some of the advanced "RFID tokens" are more properly called contactless smart cards, and they certainly can do public key operations. While they're too expensive to put on every milk carton in supermarkets, passports could have used them -- but didn't.
