RFID, e-passport security at risk: Aus govt

Summary: Government security advisor admits radio frequency identification-enabled passports and credit cards are at risk from wireless skimming devices, posing a threat to information security.

A senior cybersecurity advisor with the Department of Prime Minister and Cabinet has acknowledged that radio frequency identification (RFID) enabled passports and credit cards pose a risk to information security, and stressed that the government is currently looking into ways to make them more secure.

Speaking at the annual Biometrics Institute Australia conference in Sydney last week, Dr Helen Cartledge said that RFID chips, including those located within banking cards and e-Passports issued by the government, are at risk from wireless skimming devices.

"e-Passport utilizes basic access control (BAC) to prevent personal information being extracted without actually handing over the document. Extended Access Control is used to protect other information such as fingerprint [data]. Credit cards, however, do not have the same type of safeguards and some of the information they contain may be vulnerable if attackers are nearby with a transceiver [reader] at the same frequency range as your e-tag or cards--they may get access to some of your information," Cartledge added.

While the data in a passport requires an encrypted key to use, researchers in the Netherlands have found a way to read some stored information remotely.

Cartledge works as a senior security advisor within the National Security Science and Technology (NSST) branch of the Department of Prime Minister and Cabinet, and works to apply innovations in science to aid national security priorities.

Cartledge said that the NSST branch has funded a review and research program into the RFID technology, looking for holes and vulnerabilities in the system.

The NSST is set to publish the results in coming months.

"There's a lot of research that needs to be done in relation to encryption of our biometric or personal information in storage and transition," Dr Cartledge said.

Cartledge said that, in the meantime, everyone should take an interest in protecting their own security when it comes to RFID chips.

"There are some ways we can protect our cards by using Faraday Cage theory [metal foil wallet]. This is one of the methods we can use."

Vulnerabilities in BAC chips and proximity technology are not a new concern for the government, however.

At the Cards and Payments Australasia conference in March, Centrelink's director of internal systems provisioning, Glenn Mitchell, told delegates how easy it was to procure proximity card skimmers on eBay and use them to scoop up unencrypted data from someone's card whilst on public transport, for example.

The devices that Centrelink tested could be concealed in a briefcase, bag or even in a jacket pocket, and served to activate unencrypted proximity cards at a distance of up to 40cm away. Once the card had been activated, the unique ID number was stored by the device and later downloaded onto a fresh proximity card.

"What an attacker can do with that is go back to their office and put the code on a digital card to have a way of getting in and out of [a target] building," Mitchell said.

This article was first published at ZDNet Australia.

Luke Hopewell

Talkback

1 comment
  • There is no credible risk to the security of e-passports.
    The e-passport data are encrypted, and even if the RF signal is intercepted (difficult) it is not a trivial matter to decode it. No-one has demonstrated this in a real situation. The researchers in the Netherlands were only able to identify the chip's software platform (of limited use when a manufacturer's chips are supplied to many countries, or a country uses different chips), and that only in a pristine lab environment. They did not show that this could be done in real life. Nor were they able to read any of the stored information.
    Mike TF3