Slashdot Mirror


Buffer Overflow Found in RFID Passport Readers

epee1221 writes "Wired ran a story describing Lukas Grunwald's Defcon talk on an attack on airport passport readers. After extracting data from the (read-only) chip in a legitimate passport, he placed a version of the data with an altered passport photo (JPEG2000 is used in these chips) into a writable chip. The altered photo created a buffer overflow in two RFID readers he tested, causing both to crash. Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common."

20 of 96 comments

  1. Of course they are vulnerable by Anonymous Coward · · Score: 3, Insightful

    These passports are full featured CPUs with up to 72KB of data. The "RFID reader" is actually a very bad name for a software system that is going to read out these passports. In most documents it will be referred to as an inspection system. It will not only read out the passport, but it will also test the biometrics, communicate with other systems etc. This is a complicated process that will most likely take place on a full featured CPU, containing a modern OS, and a modern software stack. This allows for maximum flexibility, but it will also make the systems vulnerable to attack.

    The only thing the manufacturers of these systems can do is thoroughly test their software, and make the attack possibilities as small as possible. For instance, they should check the signature under the data before passing the data on to the next layers. Of course, for this you need the certificate of the issuing state. You should also test if the underlying libraries that do this initial check are not vulnerable.
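As an added illustration of the checks the comment above calls for (bounding untrusted chip data before it reaches the next layer), here is a length-validated JP2 box reader in C. It is example code written for this page, not code from the readers in the story or from any JPEG2000 library; the 64-byte fixed buffer, the status codes and the sample boxes are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* A JP2 (JPEG 2000) container is a sequence of boxes: a 4-byte big-endian
 * length LBox (which includes the 8-byte header), a 4-byte type TBox, then
 * the payload. LBox 0 and 1 have special meanings and are rejected here. */
#define BOX_HEADER_LEN 8
#define MAX_BOX_PAYLOAD 64   /* capacity of the caller's fixed buffer (assumed) */
enum box_status { BOX_OK = 0, BOX_TRUNCATED, BOX_BAD_LENGTH, BOX_TOO_BIG };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Copy one box payload from untrusted chip data into a fixed-size buffer.
 * The attacker-controlled LBox is checked against the bytes actually present
 * and against the destination capacity before memcpy runs. */
enum box_status read_box(const uint8_t *in, size_t in_len,
                         uint8_t out[MAX_BOX_PAYLOAD], size_t *out_len,
                         uint32_t *type) {
    if (in_len < BOX_HEADER_LEN) return BOX_TRUNCATED;
    uint32_t lbox = be32(in);
    if (lbox < BOX_HEADER_LEN) return BOX_BAD_LENGTH;  /* also rejects 0 and 1 */
    if (lbox > in_len) return BOX_TRUNCATED;           /* claims more than exists */
    size_t payload = lbox - BOX_HEADER_LEN;
    if (payload > MAX_BOX_PAYLOAD) return BOX_TOO_BIG; /* would overrun 'out' */
    memcpy(out, in + BOX_HEADER_LEN, payload);
    *out_len = payload;
    *type = be32(in + 4);
    return BOX_OK;
}
/* Constructed sample input, not real passport data: a valid JP2 signature
 * box, and the same box whose LBox claims far more bytes than follow. */
static const uint8_t good_box[]  = { 0,0,0,12, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };
static const uint8_t lying_box[] = { 0x7F,0xFF,0xFF,0xFF, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };
int demo_good(void) {    /* 1 when the valid box parses with type 'jP  ' */
    uint8_t buf[MAX_BOX_PAYLOAD]; size_t n = 0; uint32_t t = 0;
    return read_box(good_box, sizeof good_box, buf, &n, &t) == BOX_OK && n == 4 && t == 0x6A502020;
}
int demo_lying(void) {   /* the lying length is rejected before any copy */
    uint8_t buf[MAX_BOX_PAYLOAD]; size_t n = 0; uint32_t t = 0;
    return (int)read_box(lying_box, sizeof lying_box, buf, &n, &t);
}
int demo_too_big(void) { /* self-consistent box that still exceeds the buffer */
    uint8_t big[BOX_HEADER_LEN + MAX_BOX_PAYLOAD + 1] = { 0 };
    uint8_t buf[MAX_BOX_PAYLOAD]; size_t n = 0; uint32_t t = 0;
    big[3] = (uint8_t)sizeof big;                    /* LBox = 73 */
    return (int)read_box(big, sizeof big, buf, &n, &t);
}
```

The same explicit run-time bound is what the later OCaml discussion in this thread describes as the pragmatic alternative to proving every array access safe at compile time.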

  2. Explain to me how... by binaryspiral · · Score: 2, Funny

    Explain to me how this is an "attack" on passport readers?

    Passport is scanned
    Reader goes casters up
    Reader is power cycled
    Passport is scanned again
    Reader goes casters up
    Owner of said passport is hauled off to some secret room where all of their orifices are checked by an ex-prison guard with large hands.

    This does show the lack of testing and hardening, but it seems a buffer overflow situation like this would be relatively easy to patch.

    1. Re:Explain to me how... by zolf13 · · Score: 2, Funny

      Orifice overflow requires orifice patching.

    2. Re:Explain to me how... by Zerth · · Score: 5, Insightful

      Because the way it will actually go is like this:

      Passport is scanned
      Reader goes casters up
      Reader is power cycled
      Passport is scanned again
      Reader goes casters up

      Security Goon say "Shit, that's weird. But the paper passport looks fine. Go on through."

      Owner of said passport traipses past security, making the E-passport no better than a regular one.

    3. Re:Explain to me how... by Nazlfrag · · Score: 4, Insightful

      At the moment it crashes. With the right sequence of bytes it looks like:

      Hacker crafts jpeg with exploit code
      Passport is scanned
      Exploit code is injected
      Reader silently executes exploit code
      Reader continues operation with nobody any the wiser

      A compromised reader lets you bypass the biometrics.

    4. Re:Explain to me how... by SagSaw · · Score: 3, Insightful

      Explain to me how this is an "attack" on passport readers?

      It might be possible for an attacker to exploit the buffer overflow in order to cause the reader to execute software chosen by the attacker. For example, the attacker might insert code that recognizes his forged passport as valid, or that recognizes somebody else's passport (who may have flown in on the same flight) as invalid.

      --
      Come test your mettle in the world of Alter Aeon!
    5. Re:Explain to me how... by cgenman · · Score: 4, Informative

      In a buffer overflow situation, a system may crash because it attempts to run the overflow data as code and fails. However, 99% of the time you can use buffer overflows to inject your own code to run. You just need to know what system it will be running on.

      A buffer overflow is a serious vulnerability, in that finding one is the biggest step towards cracking a system open.

    6. Re:Explain to me how... by shivamib · · Score: 2, Funny

      Here, I corrected it for you.

      1. Passport is scanned
      2. Buffer overflow runs handcrafted code
      3. RFID reader claims that this is indeed John Smith, and this is his picture, notwithstanding the fact that there is
      [...]
      4. Profit!!

      Amsterdam, here we go!

    7. Re:Explain to me how... by h2g2bob · · Score: 4, Informative

      A buffer overflow can do a lot more than just crash systems. Done right they can cause the machine to run ANY code the hacker wants while the computer owner is none the wiser. TFA suggests changing the picture generated, which probably wouldn't be too hard considering it looks like it's the JPEG2000 libraries which are affected anyway.

    8. Re:Explain to me how... by Anonymous Coward · · Score: 2, Interesting

      I'm envisioning:
      *passport is scanned*
      *reader does something weird [because it's being hijacked by buffer overflow exploit code], gives error message*
      *passport is re-scanned*
      *reader says, "Joe C. Terrorist is OK. His name does not appear in no-fly list. SSN# 666-69-6969 is valid."*
      -os

    9. Re:Explain to me how... by solevita · · Score: 2, Funny

      I just hope that it's my face that contains the exploit code.

      Blackhat? No sir! I've just got an unfortunate face!

  3. Re:Are borders are open! by Anonymous Coward · · Score: 2, Funny

    You should start with studying English. Your skills our lacking.

  4. Honestly... by The+tECHIDNA · · Score: 2, Insightful

    ...if you pass a cracked RFID chip through a passport reader and then it crashes,

    #1: the guard will humanly read your inside cover photo with extra vigilance...the chip is not the only method of ID
    #2: you'll probably be detained for a bit while they re-test your passport; if it fails again, they'll tell you to get a new passport
    (#2a: or be placed on a no-fly list, because you're a terrorist)

    Plus, how exactly would a code-injection exploit work unless it's something like the GDI+ vulnerability that occurred with WMF files? (If a rogue guard is injecting evil code into the machine, the government has waaay more scary problems ahead than with some 'sploiting a passport reader).

    All that being said, there are some things (i.e. voting machines) that just should not be electronic-ized, and I feel this is one of them.
    Other than "it'll get you through faster!!", what is the point of using chips when, more than likely, the passport clerk has to humanly-read it to verify the info anyway? Especially considering that the particular RFID chip technology used in the passport is going to be obsolete or cracked in 3 years, and most passports don't expire for five or ten years?

  5. "..the Windows-based border-screening computer.." by adnonsense · · Score: 2, Funny

    FTFA: "If a reader could be compromised using Grunwald's technique, it might be reprogrammed to misreport an expired passport as a valid one, or even -- theoretically -- to attempt a compromise of the Windows-based border-screening computer to which it is connected."

    That does it. From now on I'm only travelling to countries which use OpenBSD to operate their border gateway protocols.

    And: "Additionally, the International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which protects the biometric data on the chip by making readers obtain a digital certificate from the country that issued the passport before the equipment can access the information."

    Sounds like in the future, the only people who'll be able to travel with any degree of success will be those who can forge their passports...

  6. Lost faith on RFID security long ago? by Lord+Satri · · Score: 2, Insightful

    Remember this /. story about RFID Passports Cloned Without Opening the Package? I'm not sure if RFID and security will ever get along at a satisfying level or if it will be similar to the systematic breaking of DRM locks. Amongst other RFID stories, this "Security analysis report" paper [91 pages pdf, 967k] is most informative (via this blog).

  7. Re:This is the reason closed source is good by MrCoke · · Score: 2, Insightful

    There is no architecture that is secure from a passionate developer armed with time, IDA Pro and an oscilloscope (if needed).

  8. the usual by m2943 · · Score: 2, Insightful

    The problem is, as usual, the use of inherently unsafe and dangerous programming languages like C and C++.

    There is no reason why any modern programming language should permit accidental buffer overflows; they are easily preventable without pushing the burden onto the programmer even in programming languages with the same power as C and C++.

    1. Re:the usual by 808140 · · Score: 3, Insightful

      Don't do much embedded programming, do you? Garbage collection, automatic bounds checking, and the vast majority of features that you think of as "modern" were available in quite a number of programming languages from the 1960s -- lisp, for example. While they were extremely popular in academic circles, and were without a doubt extremely powerful and capable, most development continued to be done in assembly, and then later C. Why was this, do you think? Because in those days, computer resources were so expensive that it was foolish to waste them. Here's a hint: garbage collection is a bad idea if you have so little memory that you're actually likely to run out of it. Automatic bounds checking on arrays is expensive if your processor is slow enough.

      Now if you're saying that there's no need to develop the vast majority of today's computer software in assembly, C, or C++, then I agree with you wholeheartedly -- but we're not talking about a computer, we're talking about an RFID reader. You know, a small device that doesn't have the latest gaming processor from AMD and Intel and 2 gigs of RAM. It has enough memory for what it needs to do and that's it; and, to be low power, it has a small, simple embedded processor.

      You can't run a JVM on this thing, and even if you wanted to, it would be a bad idea.

    2. Re:the usual by RAMMS+EIN · · Score: 2, Informative

      While I appreciate your attempt to correct your parent's somewhat narrow view of programming (as you correctly point out, not all systems are equally powerful), I feel compelled to point out some flaws in your argument.

      Your argumentation suggests that a type-safe language will necessarily lead to more CPU-intensive code. This is simply not the case. For the most part, type-safety can be enforced at compile time. The result is a program that is type-safe by construction, without requiring any run-time checks.

      There is one case that deserves particular attention: array access. Theoretically, it is possible to construct a static type checker that will refuse to accept array accesses that it cannot prove are within bounds, and yet accept enough of them to make the language usable. However, this is difficult, so many languages take a more pragmatic approach. Lone array accesses incur a run-time check, but common patterns of accessing arrays (such as iterating over every element of the array) are implemented in the language in ways that are both safe and efficient.

      Now, to give all this more substance, I will point interested readers to the OCaml programming language. OCaml is just one language that is type-safe, yet has an implementation that generates efficient code. A well written OCaml program should be on par with a well written C program in terms of speed and memory usage. At the same time, OCaml provides many conveniences to the programmer that C doesn't. Polymorphism, namespaces, pattern matching, an object system, the list goes on. Also, it plays well with existing systems. Interfaces to the standard Unix system calls are provided, and the compiler can generate stand-alone executables (i.e. no need to install a runtime on target systems).

      --
      Please correct me if I got my facts wrong.

  9. Re:"..the Windows-based border-screening computer. by adnonsense · · Score: 2, Funny

    'k, I'm staying at home from now on...