RFID, e-Passport security at risk: govt


Summary: A senior cybersecurity advisor with the Department of Prime Minister and Cabinet has acknowledged that radio frequency identification (RFID) enabled passports and credit cards pose a risk to information security, and stressed that the government is currently looking into ways to make them more secure.




(Magnifying glass image by Casey Fleser, CC BY 2.0)

Speaking at the annual Biometrics Institute Australia conference in Sydney last week, Dr Helen Cartledge said that RFID chips, including those located within banking cards and e-Passports issued by the government, are at risk from wireless skimming devices.

"e-Passport utilises basic access control (BAC) to prevent personal information being extracted without actually handing over the document. Extended Access Control is used to protect other information such as fingerprint [data]. Credit cards, however, do not have the same type of safeguards and some of the information they contain may be vulnerable if attackers are nearby with a transceiver [reader] at the same frequency range as your e-tag or cards — they may get access to some of your information," Cartledge added.

While the data in a passport requires an encryption key to read, researchers in the Netherlands have found a way to read some stored information remotely.

Cartledge works as a senior security advisor within the National Security Science and Technology (NSST) branch of the Department of Prime Minister and Cabinet, and works to apply innovations in science to aid national security priorities.

Cartledge said that the NSST branch has funded a review and research program into the RFID technology, looking for holes and vulnerabilities in the system.

The NSST is set to publish the results in coming months.

"There's a lot of research that needs to be done in relation to encryption of our biometric or personal information in storage and transition," Dr Cartledge said.

Cartledge said that, in the meantime, everyone should take an interest in protecting their own security when it comes to RFID chips.

"There are some ways we can protect our cards by using Faraday Cage theory [metal foil wallet]. This is one of the methods we can use."

Vulnerabilities in BAC chips and proximity technology are not a new concern for the government, however.

At the Cards and Payments Australasia conference in March, Centrelink's director of internal systems provisioning, Glenn Mitchell, told delegates how easy it was to procure proximity card skimmers on eBay and use them to scoop up unencrypted data from someone's card whilst on public transport, for example.

The devices that Centrelink tested could be concealed in a briefcase, bag or even in a jacket pocket, and served to activate unencrypted proximity cards at a distance of up to 40cm away. Once the card has been activated, the unique ID number is stored by the device and later downloaded onto a fresh proximity card.

"What an attacker can do with that is go back to their office and put the code on a digital card to have a way of getting in and out of [a target] building," Mitchell said.


Luke Hopewell


Talkback

2 comments
  • There is a cheap, quick and simple way to block these new, portable RFID scanners that the electronic pickpockets now have! And it's in your kitchen!! What is it? How do I block them? I hear you ask! It's so VERY easy!! You cut out one side of a 1 litre milk carton (and after you've washed it of course, hehe) cut it again into two 4" X 2" rectangles, then take an A4 size aluminium foil and wrap it around the two milk carton sides that you've just cut out and place it into the open notes section of a man's wallet!! When the wallet is closed like when it's in your pocket, if an electronic pickpocket with one of those portable RFID scanners tries to scan your wallet, the foil will block the scanner!! This method will also work for ladies' purses and passports in bum bags!!
    jhudson2049
  • Also in the Netherlands, back in 2005, a demonstration of how easy it was to break the key to that enhanced security thingy in RFID passport chips. The derivation of the encryption key for the rest of the data from the passport number (not encrypted, so trackable) turned out to be weak. Despite knowing this, roll-out continued with vague hopes aired that "real soon now" that tidbit would be fixed. No such thing happened that I noticed.

    In the USoA, passports come with tin foil built right in, to thwart exactly this snooping. Everyone else's passports don't come with any such. Though better than nothing, even if they did it wouldn't be a panacea. Open the passport a couple centimetres and it becomes wirelessly snoopable again. On a hot summer day, while waiting for a border checkpoint, I dropped some passports on a dashboard and noticed that within minutes the cardboard would heat up and warp. The gap was more than the "half inch" a scientific study determined as the maximum gap allowed to thwart snooping.

    Besides all that's wrong with it, I do feel that RFID was rushed through without due concern, never mind proper consideration that it was and still is immature technology, easily breakable (see mifare classic), and, well, not something you'd want in a passport if you care about privacy and government transparency. In short, that chip is not to the benefit of the holder of the passport. Why did we get tagged with it anyway?
    anonymous
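
The BAC key weakness raised in the article and the last comment comes down to where the key material comes from. As an added illustration (not part of the article or its comments), this sketch follows the ICAO Doc 9303 BAC derivation, which uses the document number, birth date and expiry date printed in the passport, and estimates how much entropy those inputs can carry against the 112-bit 3DES key; the sample field values and the "narrowed" scenario numbers are constructed assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1; digits as-is, A-Z = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else int(ch, 36)  # base 36 maps A-Z to 10-35
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES convention)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)

def bac_keys(doc_number: str, birth: str, expiry: str):
    """Derive (K_enc, K_mac) from the printed MRZ fields only (dates are YYMMDD)."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    mrz_info = "".join(f + check_digit(f) for f in fields)
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        return _odd_parity(hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16])

    return derive(1), derive(2)

def entropy_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy: log2 of the number of possible input triples."""
    return math.log2(doc_numbers * birth_days * expiry_days)

# Constructed sample values, not a real document.
SAMPLE = ("X1234567", "800101", "300101")

if __name__ == "__main__":
    k_enc, k_mac = bac_keys(*SAMPLE)
    print("K_enc", k_enc.hex(), "K_mac", k_mac.hex())
    # Nominal spaces: 100 years of birth dates, 10 years of expiry dates.
    print("alphanumeric number: %.1f bits" % entropy_bits(36**9, 36525, 3652))
    print("numeric number:      %.1f bits" % entropy_bits(10**9, 36525, 3652))
    # Assumed scenario: holder's age known to 10 years, 5-year validity,
    # sequential numbering narrows the number to ~1e6 candidates.
    print("narrowed (assumed):  %.1f bits" % entropy_bits(10**6, 3652, 1826))
    print("3DES key size the chip uses: 112 bits")
```

Because the keys are fully determined by what is printed on the data page, the effective strength is bounded by the size of that input space, not by the 112-bit key length.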