Wednesday, August 01, 2007

Follow-up to RFID post

For those still following my last post "RFID, DHS, DOS, ICAO... F.U.C.K.U.!" about RFID chips in passports, I found Wired Magazine's "Scan This Guy's E-Passport and Watch Your System Crash" article a little too disturbing. Remember when I referred to this article about them not testing Basic Access Control? It may have helped, and hindsight is now clearly right here: "...[T]he International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which protects the biometric data on the chip by making readers obtain a digital certificate from the country that issued the passport before the equipment can access the information.

"That certificate is only valid for a short period of time, but the chips contain no onboard clock to handle the digital certificate's expiration, which makes them vulnerable as well," says Grunwald. "It's a basic mistake," he says.
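
To make the missing-clock problem in the quote concrete, here is an added example (not from the Wired article or from this post) that models a chip whose only notion of "today" is the newest effective date among the reader certificates it has already accepted. The class and field names are hypothetical, all dates are constructed, and signature verification of the certificate is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TerminalCert:
    """Hypothetical reader certificate: only the validity window is modeled."""
    holder: str
    effective: date
    expires: date


class ClocklessChip:
    """Constructed model of a passport chip with no onboard clock."""

    def __init__(self, issued: date):
        # Best available guess of "now": starts at the issuing date.
        self.approx_today = issued

    def accepts(self, cert: TerminalCert) -> bool:
        # The chip can only compare expiry against its own estimate of time.
        if cert.expires < self.approx_today:
            return False
        # An accepted certificate may move the estimate forward, never back.
        if cert.effective > self.approx_today:
            self.approx_today = cert.effective
        return True


def demo():
    """Return (rarely_read_accepts_stale, often_read_accepts_stale)."""
    real_today = date(2007, 8, 1)  # known to us, not to the chip
    stale = TerminalCert("reader-A", date(2007, 3, 1), date(2007, 3, 31))
    fresh = TerminalCert("reader-B", date(2007, 7, 15), date(2007, 8, 15))
    assert stale.expires < real_today  # the certificate really is expired

    # Passport that has not been read since it was issued in January.
    rarely_read = ClocklessChip(issued=date(2007, 1, 1))
    rare_result = rarely_read.accepts(stale)

    # Passport that was read by an up-to-date reader two weeks ago.
    often_read = ClocklessChip(issued=date(2007, 1, 1))
    often_read.accepts(fresh)
    often_result = often_read.accepts(stale)
    return rare_result, often_result


if __name__ == "__main__":
    print(demo())
```

The rarely read passport accepts a certificate that expired months earlier, because nothing has told the chip that time has passed; the short validity period only protects chips that are read often by readers holding current certificates.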