Black Hat demo ruffles feathers
According to an observer of trends in homeland security, whose expertise and opinions we trust and value above others, a demonstration at last week's Black Hat Briefings in Las Vegas has set off something of a controversy. Actually, the controversy has always been there, but according to this observer, "in some quarters it has not really been simmering, but rather boiling over."
Last week a German security expert demonstrated how data could be hacked from electronic passports
. GCN's senior writer William Jackson was there to see it.
This week, the demo brought a flurry of responses, one of which arrived yesterday from the Smart Card Alliance, an industry group. Here's what executive director Randy Vanderhoof had to say, and it's representative of the Black Hat demo's critics:
"People do not need to be concerned about the security or privacy protection features of the new e-passport program," Vanderhoof said in his statement. "Recent reports that there is a 'major vulnerability' that criminals could use to 'enter countries illegally' are untrue and demonstrate a lack of understanding of how the multiple security layers in place at the U.S. border work in the new e-passport system."
Vanderhoof continued, "Even if someone could copy the information on your e-passport chip, it doesn't achieve anything, because all of the information is locked together in such a way that it can't be changed. It's no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they're not you."
He concluded, "People need to be cautious about some claims made by so called 'experts' when it comes to RF-enabled applications. There is too much misleading and inaccurate information being reported, simply because fear gets people's attention."
Fair enough. This blog has taken the position that fear-mongering has limited the progress of RFID-based solutions
, but it would never go so far as to say, as Vanderhoof has, that people "do not need to be concerned about the security or privacy protection features" of e-passports. Just as we'd never say that the Veterans Affairs Department doesn't have to be concerned about the privacy protection of data stored on a desktop computer
in a secure environment at a VA contractor's offices.
The German security expert, Lukas Grunwald, has a vested interest in vulnerabilities because his company
is in the security consulting business. The Smart Card Alliance has a vested interest in e-passport adoption because its members
make and sell the technology behind them.
Somewhere there's a middleground, where engineers working on behalf of the government must be analyzing it from both ends of the argument, evaluating the security risks of the new technology as well as its strengths/limitations.Posted by Brad Grimes
Posted by Brad Grimes, Joab Jackson on Aug 09, 2006 at 9:39 AM