Full Disclosure mailing list archives

RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
From: Adam Laurie <adam.laurie () thebunker net>
Date: Fri, 27 Oct 2006 17:35:43 +0100


The latest version of RFIDIOt, the open-source python library for RFID 
exploration/manipulation, contains code that implements the ICAO 9303 
standard for Machine Readable Travel Documents in the form of a test 
program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and 
display the contents therein, including the facial image and the 
personal data printed in the passport.  Currently the data read is 
limited to the following objects:

     Data Group:  61 (EF.DG1 Data Recorded in MRZ)
     Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to the 
author's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip from 
casual reading, which is derived from data printed inside the passport. 
However, this data is also potentially available by other means, so the 
key for a specific passport could be derived without physical access to 
the passport. The information required is as follows:

   The Passport number

   The Date Of Birth of the holder

   The Expiry Date of the Passport

   (Each of the fields also has a check digit which can be calculated by 
the software if not otherwise available).

The author has previously shown that this data can be obtained through 
other channels, such as poorly secured websites, as it is a subset of 
the data that is required by the US Homeland Security for Advance 
Passenger Information, and is therefore commonly collected by airlines 
and other associated organisations.

This article, from the UK national newspaper The Guardian, gives more 
details of one of the techniques used:

   http://www.guardian.co.uk/idcards/story/0,,1766266,00.html

Others have also highlighted the possibility of bruteforcing the keys, 
given that the components are largely predictable, giving a much smaller 
keyspace than might otherwise be supposed:

   http://www.riscure.com/2_news/passport.html

The demonstration code (RFIDIOt.py version 0.1g) can be found here:

   http://rfidiot.org

The ICAO 9303 standard documents can be found here:

   http://www.icao.int/mrtd/publications/doc.cfm

Enjoy!
Adam
-- 
Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam () thebunker net
Kent
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
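
Added example, not part of the original post and not RFIDIOt code: the check-digit calculation the message mentions, plus a rough upper bound on the entropy of the three key inputs, showing how predictable fields shrink the keyspace. The sample field values and every scenario figure are constructed assumptions, and document numbers longer than nine characters are not handled.

```python
import math
from datetime import date

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated along the field

def char_value(c):
    """MRZ character value: '0'-'9' as-is, 'A'-'Z' -> 10-35, filler '<' -> 0."""
    if "0" <= c <= "9":
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"character {c!r} is not valid in an MRZ field")

def check_digit(field):
    """Weighted sum of the character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def mrz_key_fields(doc_number, birth, expiry):
    """The three fields the post lists, each followed by its check digit."""
    if len(doc_number) > 9:
        raise ValueError("document numbers longer than 9 characters not handled")
    doc = doc_number.upper().ljust(9, "<")  # short numbers are padded with '<'
    parts = (doc, birth.strftime("%y%m%d"), expiry.strftime("%y%m%d"))
    return "".join(p + str(check_digit(p)) for p in parts)

def entropy_bits(doc_numbers, birth_days, expiry_days):
    """Upper bound, in bits, given how many values each field can take."""
    return math.log2(doc_numbers) + math.log2(birth_days) + math.log2(expiry_days)

# Constructed scenarios: (label, candidate document numbers, candidate birth
# dates, candidate expiry dates). The figures are assumptions for illustration.
SCENARIOS = [
    ("9 alphanumeric chars, 100 years of DOB, 10 years of expiry", 36**9, 36525, 3652),
    ("9-digit numeric numbers, same date ranges", 10**9, 36525, 3652),
    ("number narrowed to 10,000, DOB to 5 years, expiry to 1 year", 10**4, 1826, 365),
]

if __name__ == "__main__":
    # Sample values, not a real document.
    print(mrz_key_fields("L898902C", date(1969, 8, 6), date(1994, 6, 23)))
    for label, docs, dob, exp in SCENARIOS:
        print(f"{entropy_bits(docs, dob, exp):5.1f} bits  {label}")
```

The entropy of the derived key cannot exceed these figures, whatever the nominal length of the cipher key.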

