Lukas Grunwald, a German security consultant, made an announcement at the Defcon security conference in Las Vegas that is bound to get some attention from on high. He has successfully cracked
the new RFID inserts for the passports issued jointly by the US and EU...and he did it in less than two weeks, with total expenditures of about $200 USD.
The passports, improperly dubbed 'biometric,' contain a small RFID chip hidden within them that contains a backup of all the written data they contain. The idea is to prevent the alteration or duplication of stolen (or sold) documents, which are then passed to less-than-desirables. No matter what the passport says
, the RFID tag will give away its original, unedited text, which contains official verification signatures from the government.
Though there was initially talk of encryption of the data, the idea was ruled out because of further costs and delays in setting up the encryption scheme backbone. The passports have been in use since March in the UK.
Mr. Grunwald invested very little time or money and found that he could clone the RFID tags perfectly, allowing them to then be inserted into fraudulent passports. Since the tags do not contain photographic information and are not encrypted, duplicating them and installing into fake documents with new pictures simply makes it that much harder to catch
a fake. "The whole passport design is totally brain damaged,"
Grunwald said. "From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all."
If the project is a waste of money, it sure is a big one...the project weighed in at over 415 million quid in the UK alone. But it's not all
bad: Grunwald says that despite his best efforts, he is unable to actually alter the data in any way without detection, only duplicate it.
Do you feel more secure with the new RFID passports? Tell us your thoughts in our forums