Monday, 30 January 2006

Encrypted RFID passport data intercepted and cracked

A Dutch television news program has commissioned experiments by security research firm Riscure in which radio communications between the RFID chip in a prototype Dutch passport (using the same technology and encryption scheme recently adopted as an international standard and being deployed in USA passports) and a reader were intercepted and stored for analysis later at leisure; the password was then cracked in about 2 hours on a PC, and the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID chip in the passport were recovered.

Like the RFID passports scheduled for deployment in the USA by the end of this year (although the date seems to keep slipping due to technical, manufacturing, and reliability problems), the Dutch passports use ISO 14443 chips and the "Basic Access Control" encryption scheme, both of which have been adopted by ICAO as global standards and, through laws mandating "compliance" with ICAO standards, incorporated by reference into national laws in the USA and many other countries.

Under the "Basic Access Control" (BAC) scheme, the decryption key is derived from the subset of passport data printed in optically readable type in the "Machine Readable Zone" (MRZ) at the bottom of the "data page" of the passport. The theory is that the exchange between the reader and the chip in the passport, even if intercepted, can't be decrypted without access to this data (which, unlike the RFID data, would be hard to obtain remotely). The newly-reported Dutch experiment shows that this isn't true: anyone who can eavesdrop on the radio conversation between a "basic access control" RFID passport chip and a legitimate reader can later decrypt it and recover the data.

The attack was made somewhat easier and quicker, in the Dutch case, by patterns in the assignment of passport numbers, which form part of the MRZ data and thus the basis of the BAC decryption key. But since the passport cracking and decryption can be performed at leisure, once the encrypted data stream is captured and stored, this only affects the time required to crack each passport with a given computer, not the basic possibility of doing so.
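To make concrete why capturing the radio exchange is enough, here is an added example in Python (not code from Riscure, the Nieuwslicht report, or the original post) that derives the BAC session keys from the three MRZ fields exactly as ICAO 9303 specifies, and then counts how many bits of entropy such a key actually has under different assumptions about how predictable the document number is. The MRZ field values are the ones ICAO uses in its own published worked example, so the derived keys can be compared against the standard; the document-number search spaces in the comparison table are assumed, illustrative figures, not Dutch or USA numbering data.

```python
import hashlib
import math


def _char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A..Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum with cyclic weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """Kseed = first 16 bytes of SHA-1 over document number, DOB and expiry, each
    followed by its check digit. Everything here is printed on the data page."""
    mrz_information = (doc_number + mrz_check_digit(doc_number)
                       + birth_date + mrz_check_digit(birth_date)
                       + expiry_date + mrz_check_digit(expiry_date))
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


def _adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1") & 1
        out.append(high7 | (ones ^ 1))
    return bytes(out)


def bac_session_keys(doc_number: str, birth_date: str, expiry_date: str):
    """ICAO 9303 key derivation: Kenc from SHA-1(Kseed || 00000001),
    Kmac from SHA-1(Kseed || 00000002); each is a two-key 3DES key."""
    kseed = bac_key_seed(doc_number, birth_date, expiry_date)
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        keys.append(_adjust_des_parity(digest[:16]))
    return keys[0], keys[1]


def mrz_key_entropy_bits(doc_number_space: int, birth_date_space: int,
                         expiry_date_space: int) -> float:
    """Effective key entropy: log2 of the number of distinct MRZ inputs an
    eavesdropper would have to try, since the key is a function of nothing else."""
    return math.log2(doc_number_space * birth_date_space * expiry_date_space)


def entropy_comparison() -> dict:
    """Illustrative (assumed) search spaces. DOB: about 100 years of days;
    expiry: a five-year validity window. Only the document number varies."""
    dob_space, expiry_space = 36500, 1826
    scenarios = {
        "random 9-char alphanumeric number": 36 ** 9,
        "random 9-digit numeric number": 10 ** 9,
        "sequential numbers, ~1e6 plausible": 10 ** 6,
        "sequential numbers, ~1e5 plausible": 10 ** 5,
    }
    return {name: round(mrz_key_entropy_bits(n, dob_space, expiry_space), 1)
            for name, n in scenarios.items()}


if __name__ == "__main__":
    # MRZ fields from the ICAO 9303 worked example.
    kenc, kmac = bac_session_keys("L898902C<", "690806", "940623")
    print("Kenc:", kenc.hex().upper())
    print("Kmac:", kmac.hex().upper())
    for name, bits in entropy_comparison().items():
        print(f"{bits:5.1f} bits  {name}")
```

The point of the comparison is that even the best case (a truly random alphanumeric document number) yields a key in the low 70-bit range rather than the 112 bits a two-key 3DES key nominally has, and that date fields contribute only about 26 bits between them. Any structure in the document number, which is exactly what the Dutch experiment exploited, takes the remainder down to something a single PC can exhaust offline against a stored capture.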

Neither the "Nieuwslicht" (Newslight) television report (as translated by my Dutch colleague), nor the press release on the Riscure Web site, specifies the range at which the radio exchange between the chip in the passport and a reader (such as would be deployed at an immigration checkpoint or airline check-in counter) was intercepted. But another Dutch research presentation cited in The Register (UK) suggests that it could be up to 10 meters (30+ feet).

That's far more range than what's necessary for a slight variant of the threat scenario I presented to Frank Moss, director of the USA State Department's Passport Office, last year at CFP -- and to which he has yet to respond:

Pick out someone who looks similar to the person for whom you want a new identity, follow them up to the counter where their passport's RFID chip is interrogated by a reader, intercept (with e.g. a radio receiver you wheel around in a nondescript suitcase) and store the radio traffic, and use it (once decrypted) to produce a cloned passport or some other forged identity credential. (Strictly speaking, decrypting the data on the RFID chip isn't even essential to making a perfect bitwise clone, although it would help greatly in forging the photo.)

Ironically, in the USA it's diplomats, some of whom were already supposed to have been issued RFID passports by now, who are the first people being placed in danger of remote identification, targeting, identity theft, and impersonation by anyone who intercepts and decrypts their RFID passport data.

The USA government has staked a lot on its push for the ICAO standards, and their incorporation into law in the USA. Willingly or not, many other countries have gone along. The big question now is whether the USA and its allies in ICAO and elsewhere will withdraw their RFID passport plans as fatally flawed, or will make an attempt to salvage them with ineffectual minor repairs -- as the USA already did when it agreed to use BAC, after first proposing to deploy RFID passports that transmit biometric and other data in the clear.

On a related note, I've gotten a lot of e-mail from readers wanting to know how to tell if their new passports have embedded RFID chips. I neglected, unfortunately, to take pictures of the sample RFID passports Moss passed around at CFP. All of them included a distinctive and fairly prominent (but not intuitively obvious as meaning "contains an RFID chip") logo on the cover. The odd thing is that I can't find an image of this logo anywhere on the Passport Office Web site (the only image of the RFID passport is of the inside data page, which contains no RFID indicia, not the outer cover with the RFID logo) or in any of the ICAO documents discussing the proposals for a standard RFID logo. (It's needed so that border guards, immigration officers, and other government agents can distinguish a passport with a defective or disabled RFID chip from a passport that never contained an RFID chip.) The only way for me to interpret the reluctance to have this logo publicized is that the government fears that people who already identify RFID chip numbers as the Satanic "mark of the beast" in the Christian Bible would identify the RFID logo itself as an even more literal "mark" of the beast. But if anyone got a picture of the logo on the cover of Moss' RFID passport at CFP, or can find any other image of the RFID passport logo, please send me a copy, and I'll post it.

(Thanks to Katherine Albrecht of Spychips.com for being the first to bring the Dutch news to my attention. See her excellent new blog with Liz McIntyre, co-author of the Spychips book, for more news about RFID chips.)

[Addendum, 1 February 2006: See my follow-up article with the RFID passport logo.]

Link | Posted by Edward, 30 January 2006, 12:03 (12:03 PM) | Comments (0) | TrackBack (1)

Government subsidies to airlines

There's a discussion on Dave Farber's Interesting-People mailing list about the ways that governments subsidize commercial passenger airlines.

As I've been writing about for years, airlines whine about "regulations" and "freedom of the skies", but in fact they receive a wide range of subsidies, tax preferences, and other forms of special treatment from Federal, state, and local governments in the USA. (The phenomenon is widespread elsewhere in the world, even if the details vary from country to country.)

How? Let me count the ways (in no particular order):

  1. Airports and air traffic control infrastructure are built and operated by tax-exempt government entities (consider the real estate and other taxes that would be paid by privately owned airports on huge tracts of land in prime urban and suburban locations) with below-market capital costs (tax-exempt government bonds).

  2. Employee training for pilots, mechanics, etc. is provided by the military at no cost to airlines. (Ex-military pilots and mechanics may require additional training and certification for specific civilian aircraft types, but they've already logged thousands of very expensive hours of jet aircraft experience.)

  3. Air traffic control and other services to airlines are provided by the government. (Airlines will claim that they pay for this in user fees, but that ignores the taxes that would be paid on private ATC infrastructure, and the artificially depressed labor costs: As government employees, air traffic controllers and many other civil aviation workers are forbidden to strike, enabling the government unilaterally to impose below-market wages.)

  4. Airlines are paid all the time, even when their aircraft aren't being used, for agreeing to make their planes available on demand to the government as part of the Reserve Air Fleet. But the times when they are needed -- times of war -- are generally times of reduced civilian air travel, when they would otherwise be idle. And when the "Reserve Air Fleet" is used, airlines are paid market rates for government charters.

  5. Government funding for military aircraft subsidizes production and operation of civilian aircraft: Manufacturers of aircraft and associated equipment pay nothing for knowledge transfers from government-funded military aircraft research and development, prototyping, testing, maintenance experience, etc. to civilian aircraft. Military aviation provides critical support for economies of scale and continuity of operations for manufacturers of aircraft, support equipment, and related services during cyclical declines in civilian aircraft demand. Many civilian aircraft types are sold directly to the military, and these sales are often essential to enlarging production runs to the break-even point.

  6. Airlines have a statutory exemption from Federal anti-trust law to allow them to participate in IATA "traffic conferences" to fix standard "industry fares".

  7. Under the preemption clause of the Airline Deregulation Act of 1978, airlines are exempt from state and local truth-in-advertising and other consumer protection laws. (This wouldn't matter if the Federal government enforced similar rules, but, as state Attorneys General have pointed out, the Feds allow many practices that enhance airline profits but would be forbidden under state and local fraud laws.)

  8. Airlines based in the USA are protected by Federal law from all foreign competition: No airline based anywhere else in the world is allowed to carry passengers between points in the USA, and no foreign entity is allowed to own more than 25% of the voting stock in any airline based in the USA. This applies even to US colonies: It's illegal to buy a through ticket on a foreign airline between Guam and the mainland USA via e.g. Seoul, Taipei, or Tokyo (even though travel agents occasionally issue such tickets by mistake), no matter how much cheaper that would be than a ticket on Continental Micronesia, the only USA airline with service between those places. You have to buy 2 separate tickets, and claim and re-check your luggage at the transfer point.

  9. Under "Buy American" rules, all travel funded, even in part, by the US government must be on a US-flag airline, no matter how much more it costs than a foreign-flag competitor. Where, as is often the case, there is only one US-flag airline serving a given destination, this gives them a de facto monopoly on government-funded travel, a large and often high-revenue (last minute business travel by government contractors, etc.) portion of the traffic on some routes.

If airlines really want to be free of government regulation and oversight, they first should have to agree to give up their government subsidies and special privileges and protections.

Link | Posted by Edward, 30 January 2006, 08:28 (8:28 AM) | Comments (14) | TrackBack (0)