perpetrator would need only to record
the data passed between the RFID and
receiver on location, and then could
perform the time-consuming signal-processing operations at home. A large
part of data recovery is extracting the
data from the electrical noise of the environment, which is simplified by taking a noise profile of the environment.
The same Web sites that provide schematics for readers also provide code
for decoding the data, although the effectiveness of their programs on new
passports has yet to be tested.
Once the signal has been recovered, it must be interpreted as data.
The difficulty of this step depends
entirely on whether and how well the
data is encrypted. The encryption key
is generated from information on the
passport—specifically, the name, date
of birth, and passport number. There
are reports that this key can be easily
cracked (for example, http://www.mo-
bilemag.com/2006/02/03/global-rfid-
passport-encryption-standard-cracked-
in-2-hours/) because the algorithm
used to produce the key is predictable.
An analysis published by the International Association of Cryptologic Research indicates that the entropy of the
resulting key is on the order of 52 bits,
which, while something of a challenge,
is not impossible to crack.
4 We assume
here that decryption is practical; if it
is not, then the possibility of these attacks is minimized.
After recovering the data, the perpetrator would have everything necessary to make a new passport with the
captured information. The steps required for this are beyond the scope of
this article, but since counterfeiting of
passports has been demonstrated and
documented, it is enough to say that
this is feasible.
Costs to the Perpetrator
What we have shown so far is that with
the right equipment and skill, a perpetrator can intercept the signal between
a passport and RFID reader, then forge
the passport to use for identity theft.
The more important question, however, is whether the cost of doing this can
be justified by the return.
This question is predicated on the
assumption that the encryption of the
information held in the passport’s
RFID tag can be broken. While there
is some evidence this has been true
in the past, stronger encryption could
increase the cost of the attack considerably, to the point of making it either
economically unattractive or technically impossible.
In our airport scenario, a perpetrator would have to cover several costs
before reaching the ultimate goal of
financial gain. To begin with, there are
the hardware costs. The combined cost
of the antenna, amplifier, radio mixer, filter, USB connection, and laptop
would be on the order of $1,000. These
are all fixed costs, and the perpetrator
would presumably amortize these by
using the hardware to execute numerous attacks over a period of time.
There is also cost associated with
access to the passport reader. It is reasonable to assume that the perpetrator would have to purchase an airline
ticket to enter the area where passports
are scanned.
The cost of being caught must be
factored in. Compared with other technologically intensive (for example, on-line) fraudulent attacks, theft of passport RFID data might involve greater
risk because of the physical proximity required to eavesdrop on the RFID
communication. The risk-adjusted
cost of being caught is quite significant
when you consider the prevalence of
security officers within airports and
the severity of the crime.
Presuming that the attacker manages to escape with the raw data from
an eavesdropping operation, it still
EasyPass, a new automated border control system at Frankfurt international airport, scans passenger biometric data and compares it
to data from the person’s e-passport.
