GCN Tech Blog

By GCN Staff


Black Hat demo ruffles feathers

According to an observer of trends in homeland security, whose expertise and opinions we trust and value above others, a demonstration at last week's Black Hat Briefings in Las Vegas has set off something of a controversy. Actually, the controversy has always been there, but according to this observer, "in some quarters it has not really been simmering, but rather boiling over."

Last week a German security expert demonstrated how data could be hacked from electronic passports. GCN's senior writer William Jackson was there to see it.

This week, the demo brought a flurry of responses, one of which arrived yesterday from the Smart Card Alliance, an industry group. Here's what executive director Randy Vanderhoof had to say, and it's representative of the Black Hat demo's critics:

"People do not need to be concerned about the security or privacy protection features of the new e-passport program," Vanderhoof said in his statement. "Recent reports that there is a 'major vulnerability' that criminals could use to 'enter countries illegally' are untrue and demonstrate a lack of understanding of how the multiple security layers in place at the U.S. border work in the new e-passport system."

Vanderhoof continued, "Even if someone could copy the information on your e-passport chip, it doesn't achieve anything, because all of the information is locked together in such a way that it can't be changed. It's no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they're not you."

He concluded, "People need to be cautious about some claims made by so-called 'experts' when it comes to RF-enabled applications. There is too much misleading and inaccurate information being reported, simply because fear gets people's attention."

Fair enough. This blog has taken the position that fear-mongering has limited the progress of RFID-based solutions, but it would never go so far as to say, as Vanderhoof has, that people "do not need to be concerned about the security or privacy protection features" of e-passports. Just as we'd never say that the Veterans Affairs Department doesn't have to be concerned about the privacy protection of data stored on a desktop computer in a secure environment at a VA contractor's offices.

The German security expert, Lukas Grunwald, has a vested interest in vulnerabilities because his company is in the security consulting business. The Smart Card Alliance has a vested interest in e-passport adoption because its members make and sell the technology behind them.

Somewhere there's a middle ground, where engineers working on behalf of the government must be analyzing the technology from both ends of the argument, evaluating its security risks as well as its strengths and limitations.

Posted by Brad Grimes

Posted by Brad Grimes, Joab Jackson on Aug 09, 2006 at 9:39 AM

