E-passport security leaves something to be desired

LAS VEGAS'Two years ago, Lukas Grunwald demonstrated at the Black Hat Briefings how RFID tags could be read and manipulated in a supermarket. The tags have not yet caught on as a replacement for bar codes in the retail sector, but they now are being used in passports.

On Thursday, Grunwald, chief technology officer at DN Systems Enterprise Internet Solutions GmbH of Germany, returned to Black Hat to demonstrate how data on the passports could be accessed, manipulated and copied.

RFID is the use of radio frequency to remotely read and write data to embedded computer chips. The data on the chips can range from a static ID number to personal and biometric data. The United States now is requiring this technology on passports of persons entering the country.

A number of nations have begun issuing the e-Passports, but as Grunwald showed, access controls on many commonly used sophisticated chips leave something to be desired. Default encryption keys for one type of card are available on the Web with a littler clever searching.

'We got a whole lot of keys,' Grunwald said. 'It's publicly available through a Google search.'

He said that a test of a number of cards using the chips showed that 75 percent used the default keys.

During his briefing, Grunwald used his German passport to demonstrate security weaknesses. He was able to read the card using commercially available hardware and software, copy the data to another chip and replace the data on his own passport.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected