GCN Tech Blog

By GCN Staff

Black Hat demo ruffles feathers

According to an observer of trends in homeland security, whose expertise and opinions we trust and value above others, a demonstration at last week's Black Hat Briefings in Las Vegas has set off something of a controversy. Actually, the controversy has always been there, but according to this observer, "in some quarters it has not really been simmering, but rather boiling over."

Last week a German security expert demonstrated how data could be hacked from electronic passports. GCN's senior writer William Jackson was there to see it.

This week, the demo brought a flurry of responses, one of which arrived yesterday from the Smart Card Alliance, an industry group. Here's what executive director Randy Vanderhoof had to say, and it's representative of the Black Hat demo's critics:

"People do not need to be concerned about the security or privacy protection features of the new e-passport program," Vanderhoof said in his statement. "Recent reports that there is a 'major vulnerability' that criminals could use to 'enter countries illegally' are untrue and demonstrate a lack of understanding of how the multiple security layers in place at the U.S. border work in the new e-passport system."

Vanderhoof continued, "Even if someone could copy the information on your e-passport chip, it doesn't achieve anything, because all of the information is locked together in such a way that it can't be changed. It's no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they're not you."

He concluded, "People need to be cautious about some claims made by so-called 'experts' when it comes to RF-enabled applications. There is too much misleading and inaccurate information being reported, simply because fear gets people's attention."

Fair enough. This blog has taken the position that fear-mongering has limited the progress of RFID-based solutions, but it would never go so far as to say, as Vanderhoof has, that people "do not need to be concerned about the security or privacy protection features" of e-passports. Just as we'd never say that the Veterans Affairs Department doesn't have to be concerned about the privacy protection of data stored on a desktop computer in a secure environment at a VA contractor's offices.

The German security expert, Lukas Grunwald, has a vested interest in vulnerabilities because his company is in the security consulting business. The Smart Card Alliance has a vested interest in e-passport adoption because its members make and sell the technology behind them.

Somewhere there's a middle ground, where engineers working on behalf of the government must be analyzing it from both ends of the argument, evaluating the security risks of the new technology as well as its strengths and limitations.

Posted by Brad Grimes, Joab Jackson on Aug 09, 2006 at 9:39 AM

