Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
That article focuses on Dutch passports, but in the US it's essentially the same.

> The Passport number

a 10 digit number (I don't know where they start, but it certainly wasn't 01).

> The Date Of Birth of the holder

about 32,000 possibilities (assuming 90yrs old)

> The Expiry Date of the Passport

Passports are valid for 10 years (for an adult in the US), and expiration is just MM/ .. so that's only 120 possibilities.

A very small dictionary for brute force indeed, and I'd be happy to code such a routine.

Does anyone know if the chips in the latest passports (USA issue) prevent this sort of thing, or can you try keys as fast as the RF interface will permit?

Cheers,

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
Michael Holstein wrote:
> That article focuses on Dutch passports, but in the US it's essentially the same.
>
>> The Passport number
>
> a 10 digit number (I don't know where they start, but it certainly wasn't 01).

If they're sequential, we only need to know where they start once the chips are installed, assuming you get a new passport number when you renew (as you do in the UK).

>> The Date Of Birth of the holder
>
> about 32,000 possibilities (assuming 90yrs old)
>
>> The Expiry Date of the Passport
>
> Passports are valid for 10 years (for an adult in the US), and expiration is just MM/ .. so that's only 120 possibilities.

Currently even less, since, again, it will expire 10 years from the date chips were first installed, so here in the UK there is only one valid year so far, so only 12 possibilities.

> A very small dictionary for brute force indeed, and I'd be happy to code such a routine.

Thanks for the offer, but I'm already pretty much there... It'll be in the next release... :)

> Does anyone know if the chips in the latest passports (USA issue) prevent this sort of thing, or can you try keys as fast as the RF interface will permit?

There is nothing in the standard to require anti-bruteforcing mechanisms such as timing backoffs etc., and although I haven't done exhaustive tests on this, trying multiple wrong keys doesn't seem to have any bad effect on a UK passport. Using my python library I get about 3 tries per second, but I expect that speed could be improved...

cheers,
Adam

--
Adam Laurie                       Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.    Fax: +44 (0) 1304 814899
Ash Radar Station                 http://www.thebunker.net
Marshborough Road                 mailto:[EMAIL PROTECTED]
Sandwich
Kent CT13 0PL
UNITED KINGDOM
PGP key on keyservers
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
Michael Holstein wrote:
>> The Expiry Date of the Passport
>
> Passports are valid for 10 years (for an adult in the US), and expiration is just MM/ .. so that's only 120 possibilities.

Note that here in the UK expiry is YY/MM/DD, so numbers will actually be much larger, but in terms of bruteforcing, still pretty small...

cheers,
Adam
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
On Mon, 30 Oct 2006 10:10:26 EST, Michael Holstein said:
>> The Date Of Birth of the holder
>
> about 32,000 possibilities (assuming 90yrs old)

And easily optimized by starting with a guess at the person's age - are they 20, or 45, or 70? Take 5 years either side, and you're down to 3,650 or so guesses.
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
> And easily optimized by starting with a guess at the person's age - are they 20, or 45, or 70? Take 5 years either side, and you're down to 3,650 or so guesses.

I was thinking more along the lines of hanging around just outside security or immigration with my long range antenna and laptop carefully concealed in my roll-on. I'm sure it's only a matter of time before somebody exposes the embarrassment of this 'nifty technology' by publishing a list of everybody that visited the airport on a given day.

Why dumpster-dive when you can sip coffee at the airport?

~Mike.
[Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.

Currently the data read is limited to the following objects:

  Data Group: 61 (EF.DG1 Data Recorded in MRZ)
  Data Group: 75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to the author's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip from casual reading, which is derived from data printed inside the passport. However, this data is also potentially available by other means, so the key for a specific passport could be derived without physical access to the passport. The information required is as follows:

  The Passport number
  The Date Of Birth of the holder
  The Expiry Date of the Passport

(Each of the fields also has a check digit which can be calculated by the software if not otherwise available).

The author has previously shown that this data can be obtained through other channels, such as poorly secured websites, as it is a subset of the data that is required by the US Homeland Security for Advance Passenger Information, and is therefore commonly collected by airlines and other associated organisations.

This article, from the UK national newspaper The Guardian, gives more details of one of the techniques used:

  http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

Others have also highlighted the possibility of bruteforcing the keys, given that the components are largely predictable, giving a much smaller keyspace than might otherwise be supposed:

  http://www.riscure.com/2_news/passport.html

The demonstration code (RFIDIOt.py version 0.1g) can be found here:

  http://rfidiot.org

The ICAO 9303 standard documents can be found here:

  http://www.icao.int/mrtd/publications/doc.cfm

Enjoy!

Adam
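As an added illustration (not code from RFIDIOt or from the announcement above), the derivation the ICAO 9303 Basic Access Control scheme specifies from the three MRZ fields named in the post: the 7-3-1 check digit, the MRZ_information string, the SHA-1 derived K_seed, and the 3DES K_enc/K_mac with parity bits, plus a keyspace count that reproduces the arithmetic in the replies. The sample document number, date of birth and expiry are the worked example from ICAO 9303; the function names are my own. It makes the thread's point concrete: the key has no entropy beyond the guessability of those three fields.

```python
import hashlib
import math

# ICAO 9303 check digit: weights 7, 3, 1 repeat across the field;
# digits count as themselves, A-Z as 10..35 and the filler '<' as 0.
def icao_check_digit(field: str) -> int:
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field.upper()):
        if ch.isdigit():
            v = int(ch)
        elif ch == "<":
            v = 0
        elif "A" <= ch <= "Z":
            v = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += v * weights[i % 3]
    return total % 10

# MRZ_information: document number, date of birth (YYMMDD) and expiry
# (YYMMDD), each followed by its check digit, as fed into BAC key derivation.
def mrz_information(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str) -> str:
    return "".join(f + str(icao_check_digit(f))
                   for f in (doc_number, dob_yymmdd, expiry_yymmdd))

def adjust_des_parity(key: bytes) -> bytes:
    # DES keys use bit 0 of every byte as an odd-parity bit.
    return bytes((b & 0xFE) | (1 if bin(b >> 1).count("1") % 2 == 0 else 0)
                 for b in key)

def bac_keys(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str):
    """Return (K_seed, K_enc, K_mac) as upper-case hex strings (ICAO 9303)."""
    info = mrz_information(doc_number, dob_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    # K_enc and K_mac: SHA-1(K_seed || 32-bit counter), truncated to 16 bytes.
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed.hex().upper(), k_enc.hex().upper(), k_mac.hex().upper()

# Keyspace when each field is guessable: the thread's own figures are a DOB
# window of 90 years (or 10 once age is estimated) and 120 (or 12) expiry months.
def bac_keyspace(dob_years: int, expiry_months: int, doc_number_candidates: int = 1) -> int:
    return doc_number_candidates * dob_years * 365 * expiry_months

def bac_entropy_bits(dob_years: int, expiry_months: int, doc_number_candidates: int = 1) -> float:
    return math.log2(bac_keyspace(dob_years, expiry_months, doc_number_candidates))
```

With a known document number, the 90-year/120-month case is under 22 bits of effective key entropy, which is why the replies treat the dictionary as small.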