Slashdot Mirror


Buffer Overflow Found in RFID Passport Readers

epee1221 writes "Wired ran a story describing Lukas Grunwald's Defcon talk on an attack on airport passport readers. After extracting data from the (read-only) chip in a legitimate passport, he placed a version of the data with an altered passport photo (JPEG2000 is used in these chips) into a writable chip. The altered photo created a buffer overflow in two RFID readers he tested, causing both to crash. Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common."


  1. Re:Explain to me how... by Zerth · Score: 5, Insightful

    Because the way it will actually go is like this:

    Passport is scanned
    Reader goes casters up
    Reader is power cycled
    Passport is scanned again
    Reader goes casters up

    Security Goon says "Shit, that's weird. But the paper passport looks fine. Go on through."

    Owner of said passport traipses past security, making the E-passport no better than a regular one.

  2. Re:Explain to me how... by Nazlfrag · Score: 4, Insightful

    At the moment it crashes. With the right sequence of bytes it looks like:

    Hacker crafts JPEG with exploit code
    Passport is scanned
    Exploit code is injected
    Reader silently executes exploit code
    Reader continues operation with nobody any the wiser

    A compromised reader lets you bypass the biometrics.

  3. Re:Explain to me how... by cgenman · Score: 4, Informative

    In a buffer overflow situation, a system may crash because it attempts to run the overflow data as code and fails. However, 99% of the time you can use buffer overflows to inject your own code to run. You just need to know what system it will be running on.

    A buffer overflow is a serious vulnerability, in that finding one is the biggest step towards cracking a system open.

  4. Re:Explain to me how... by h2g2bob · Score: 4, Informative

    A buffer overflow can do a lot more than just crash systems. Done right they can cause the machine to run ANY code the hacker wants while the computer owner is none the wiser. TFA suggests changing the picture generated, which probably wouldn't be too hard considering it looks like it's the JPEG2000 libraries which are affected anyway.
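The bug class the thread is discussing, shown as an added illustration rather than code from the article, from Grunwald's talk, or from any reader vendor's JPEG2000 library: a length-prefixed container is parsed by trusting the length field in the data. The layout below is modelled loosely on the JP2 box header (4-byte big-endian LBox followed by a 4-byte TBox), but the parser, the `BOX_PAYLOAD_MAX` limit, the status codes and the sample boxes are all constructed for this example. The unchecked function is kept only for contrast with the checked one, which bounds every step against both the bytes actually held and the buffer they are copied into.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BOX_PAYLOAD_MAX 64   /* constructed fixed-size destination buffer */

/* Read a 32-bit big-endian integer, as JP2 box headers store it. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Status codes for the checked parser (constructed for this example). */
enum box_status { BOX_OK = 0, BOX_TRUNCATED = -1, BOX_BAD_LENGTH = -2, BOX_TOO_BIG = -3 };

/* The vulnerable pattern: LBox is trusted, so a hostile header can make the
 * memcpy write past 'out' (or read past 'in'). Shown for contrast; it is only
 * ever called on a well-formed box in this file. */
static size_t parse_box_unchecked(const uint8_t *in, uint8_t out[BOX_PAYLOAD_MAX]) {
    uint32_t lbox = be32(in);          /* attacker-controlled length field */
    size_t payload = lbox - 8;         /* underflows if lbox < 8 */
    memcpy(out, in + 8, payload);      /* never compared with BOX_PAYLOAD_MAX */
    return payload;
}

/* Hardened version: reject the header before any arithmetic or copy can go wrong.
 * (A real JP2 parser must also handle LBox == 0 and LBox == 1, which have special
 * meanings in the format; this toy simply rejects them as bad lengths.) */
static int parse_box_checked(const uint8_t *in, size_t in_len,
                             uint8_t out[BOX_PAYLOAD_MAX], size_t *out_len, char type[5]) {
    if (in_len < 8)       return BOX_TRUNCATED;   /* not even a complete header */
    uint32_t lbox = be32(in);
    if (lbox < 8)         return BOX_BAD_LENGTH;  /* payload size would underflow */
    if (lbox > in_len)    return BOX_TRUNCATED;   /* claims more bytes than were received */
    size_t payload = lbox - 8;
    if (payload > BOX_PAYLOAD_MAX) return BOX_TOO_BIG;   /* exceeds destination */
    memcpy(type, in + 4, 4);
    type[4] = '\0';
    memcpy(out, in + 8, payload);
    *out_len = payload;
    return BOX_OK;
}

/* Constructed sample: a well-formed 12-byte box of type "jP  " with 4 payload bytes. */
int sample_valid_box(size_t *out_len, char type[5]) {
    static const uint8_t box[12] = { 0,0,0,12, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };
    uint8_t out[BOX_PAYLOAD_MAX];
    return parse_box_checked(box, sizeof box, out, out_len, type);
}

/* Constructed sample: header claims ~4 GiB, but only 12 bytes were received. */
int sample_oversized_claim(void) {
    static const uint8_t box[12] = { 0xFF,0xFF,0xFF,0xF0, 'j','p','2','c', 1,2,3,4 };
    uint8_t out[BOX_PAYLOAD_MAX]; size_t n; char t[5];
    return parse_box_checked(box, sizeof box, out, &n, t);
}

/* Constructed sample: all 88 bytes are present, but the 80-byte payload
 * does not fit the 64-byte destination buffer. */
int sample_too_big_for_buffer(void) {
    uint8_t box[88]; memset(box, 0, sizeof box);
    box[3] = 88; memcpy(box + 4, "jp2c", 4);
    uint8_t out[BOX_PAYLOAD_MAX]; size_t n; char t[5];
    return parse_box_checked(box, sizeof box, out, &n, t);
}

/* Constructed sample: LBox smaller than the header itself (would underflow). */
int sample_length_underflow(void) {
    static const uint8_t box[12] = { 0,0,0,4, 'j','p','2','c', 0,0,0,0 };
    uint8_t out[BOX_PAYLOAD_MAX]; size_t n; char t[5];
    return parse_box_checked(box, sizeof box, out, &n, t);
}

int main(void) {
    size_t n; char type[5];
    static const uint8_t good[12] = { 0,0,0,12, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };
    uint8_t out[BOX_PAYLOAD_MAX];
    printf("unchecked parser on a good box: %zu payload bytes\n", parse_box_unchecked(good, out));
    printf("valid box: status %d, type '%s', %zu bytes\n", sample_valid_box(&n, type), type, n);
    printf("oversized claim: %d\n", sample_oversized_claim());
    printf("too big for buffer: %d\n", sample_too_big_for_buffer());
    printf("length underflow: %d\n", sample_length_underflow());
    return 0;
}
```

The three rejections are the three ways the unchecked copy goes wrong: a length larger than the data received, a length larger than the destination, and a length smaller than the header that wraps to a huge size. A decoder that checks all three before calling memcpy cannot be crashed by a malformed length field, which is the behaviour a reader handling untrusted chip contents needs.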