Students from the Radboud University in the Netherlands and the Lausitz University of Applied Sciences in Germany have shown more vulnerabilities with RFID technology. In a previous post I mentioned the problems with the new ticket system with embedded RFID chips for use by frequent travellers in the Netherlands, and the possibility to hack into the passes used to enter government buildings and other important locations. Now it is shown by Henning Richter, Wojciech Mostowski, and Erik Poll that there is a way to remotely detect the presence of an e-passport (a passport with an embedded RFID chip that carries digitally signed biometric information) and to determine its nationality. With quite a few foreigners working or studying in their university departments, the researchers managed to test passports from 10 different countries: Australia, Belgium, France, Germany, Greece, Italy, the Netherlands, Poland, Spain, and Sweden.
‘While not an immediate security threat to the passport itself, it could be a concern to the passport holder: this functionality is clearly useful for passport thieves. It strengthens the case for metal shielding in the passport to prevent any communication with the RFID smartcard when the passport is closed (as used in US passport, where it is used instead of Basic Access Control). More generally, it demonstrates the problems associated with making communication wireless, esp. with something as sensitive as an identification document. ‘
Henning et al. have written a paper about their findings which will be presented at the NLUUG Conference on Security.