Airport Access IDs Hacked In Germany
teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."
Too expensive hack
As much as security "experts" want to avoid the issue, when a shared symmetric key such as the one in this device is passed in the clear to a "black box," the system is already compromised. This is just like the USB drive "encryption" debacle. It is caused by proprietary software and proprietary thinking. As Klehr wrote in Fundamentals of Cryptography (1962), "If a man drinks poison, tell him it's bad for him. Don't offer to prove it by your own example."
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Last I looked it was 24 bits of binary data and that's it. Even simple number collisions are likely to occur if a facility does not watch out with card orders. With 1992 in the market date, I doubt it's much more than that. It has no place securing anything important.
The comments so far incredibly miss the point: one of the main fears of airport authorities is that an unknown individual could access a restricted zone where plenty of bomb-planting occasions can occur. With this badge you can apparently access the luggage compartment of a plane without being checked for explosives.
At a time where authorities try to impose ridiculous devices like the body scanner and that waiting lines become so long that trains become a viable option to national flights, it is good to point out that they have so many flaws left.
Clearly, "anti-terrorism" is not handled by competent people who think they will have to stop competent terrorists.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
They ought to be using more than one factor of authentication if they expect their system to be secure. Facial recognition (by a human guard) and the card, passcode and the card, or some other factor to prevent a stolen or forged card from being a security risk.
TFS: "but I guess it might be deployed elsewhere anyways"
The 'news' here (Germany) yesterday said that the same system is used at several other German airports.
CC.
TaijiQuan (Huang, 5 loosenings)
You're right. And I wonder why.
Here we are, creating security theater after security theater, invading flyers' privacy from background checks to real physical intimate invasions, but we don't care that someone could easily access all restricted areas of an airport.
Ever thought that it would, from a terrorist's point of view, be much more interesting to blow up Heathrow, CDG or Kennedy airport than some petty little plane? Can you imagine the possibilities of having access to the airport's fuel tanks (and I'm not even thinking of such unimportant things like simply causing an explosion there. Think big! How about filling planes with fuel that clogs the engines so they come down unexpectedly. 3 planes hitting some towers? How about 300?), or how about access to the catering pool (I think we all saw the catastrophe movies from the 70s where spoiled food knocked out the pilots)?
And that's something I've been thinking up within the 5 minutes of writing this posting, with no intent to actually strike against an airport. Now think of the possibilities of a terrorist with his mind set on something like that and a few months of planning time.
If that whole scenario shows something, then that we are NOT adequately protected. And no, that doesn't mean we need more security theater. It means that the whole shit is worth jack! You cannot secure a system that is inherently insecure. There are way too many ways to attack to secure them all.
I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You already giving up? TALK about it!
If you want to know the insights http://media.ccc.de/browse/congress/2009/26c3-3709-en-legic_prime_obscurity_in_depth.html
How do I uncompress my MD5 archive?
Takes a lot of arrogance, to decide that some people are so important that they should be entitled to bypass security, and so in order to achieve that, you create a method to bypass security.
The arrogance lies in making the assumption that no terrorist group will ask themselves the question: "How do we bypass their security?" and fail to arrive at the answer: "Why, the same way they do!".
(P.S. I'm a good guy [albeit with the caveat that the term is relative], Carnivore/Altivore/Echelon. The timing of this Der Spiegal article and the fact that I've recently said the same thing as I did above elsewhere is purely coincidental. I happen to work with the stuff, so such conversations pique my curiosity. There's no need to waste gasoline coming to see me.)
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
If this were to happen it would be a simple case of setting fire to the runway so planes could land using the flames as landing lights.
It's been done before, in Washington.
I would give everything I own for a little bit more.
They build false fears in our minds and use cheap solutions to tell us we are protected. But in the end we don't gain any real security while we lose our privacy at every step.
Today the highest life hazard are our cars. How much money is invested in road security?
Love many, trust a few, do harm to none.
The kind that seeks to deter a terrorist rather than the general public?
There was a time when that wouldn't have been possible. Thank God that they finally perfected the Wormhole!
Do you really think an actual terrorist would piss his pants the way some moron who responds with "Just a Bomb" because he is too stupid to figure out that is not a bright thing to say?
Since nobody thinks the terrorist will show up with a gun and try to force his way through security, thereby broadcasting his/her presence to all, how does that help again?
That is great news. Clearly you are not one of those people. Can you point me to someone who is? (BTW - Read the Moderator Guidelines, since you clearly have no idea how to properly moderate on Slashdot.)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.
It's not about securing those people; it's about having a security theatre that disrupts as few people as possible. If you had similar measures on trains, or subways, etc. it would cause chaos to millions and the people wouldn't put up with it in the long run. For the most part air travel is something people do occasionally so don't really mind a little extra delay for their safety. The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
It's good to know that Jack Bauer is out there to protect us! (uuhmm, wait...)
I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly.
I think that misses the point. Governments aren't disproportionately obsessed with defending airplanes; it's the *terrorists* who are disproportionately obsessed with bombing/hijacking airplanes (rather than other targets which might cause more public fear or kill more people).
Why are terrorists so obsessed with airplanes? It might just be a failure of imagination. But I think it's because it's all about symbolism. The jet plane symbolises the "jet age"; images of jet planes taking off or touching down used to be the defining iconic images of our civilization from the 60s, especially in movies. It's only recently and for a small (non-terrorist) minority of the world that flying on a jet plane has switched from "defining icon of our civilization" to "boring tedious humdrum routine nuisance".
Could I use one of these hacked cards to get access to the naked-scanner room and steal photos of nude passengers?
(Captcha: scabrous. Ew.)
The German people are lucky to have the CCC. And to have a press that are happy to spread the word about the CCC's discoveries.
http://ihatehate.wordpress.com
They x-ray your bags before you can get on a long-distance train in Spain. They don't yet make you walk through a metal detector, though.
The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.
Having to travel for work is often far from a privilege, although I suppose that people who haven't done it may think it's glamorous.
You have posted today's best comment.
"I'm also wondering why they're so worried about airports." Ali G noted that you could just as easily hijack a train and smash it into the White House.
Do not worry about Newark Liberty airport. Just a card will not get you access. A PIN is also required. Consecutive wrong PINs and the card is out of the system. Cards access only the doors the holder of the card is allowed. Biometrics may replace PINs. Controlled access is not security. It only records who was allowed access and when.
Looking at the recent terrorist attacks in Britain, I'm not so sure. The 7/7 attack was on three different Tube (Subway) trains and a bus. The targets were four tube trains, but the Northern Line was closed due to engineering problems that morning.
The failed copycat 21/7 attack was also on three tubes and a bus. This time the bus was targeted directly.
The failed Glasgow Airport attack took place outside the airport, and was targeting people who were waiting to go through security.
Terrorists aren't obsessed with that.
They've blown up buses, trains, hotels, embassies, etc, etc.
9/11 saw planes used as a force magnifier by hitting buildings with them - but that's unlikely to succeed again.
What planes give you, that justifies some attempt from terrorists to get through the tighter security, is that a small bomb can kill everyone on board - the same size bomb elsewhere (even in the middle of a crowd - like at a security checkpoint at an airport) won't kill the same number.
I guess these new security measures don't really work after all.
Wow, you have really given the terrorists a lot to think about, and some pretty good ideas,
if they had not thought of it themselves... you must be a terrorist too!
Nothing hurts more than 300 planes landing on your head
The Swiss vendor selling the system never marketed it (even 1992) for security relevant access control, it's just meant as a comfortable access for entertainment parks or similar customers, where comfort and low price are the selling points, not security.
(so basically, it was never ever meant to be used for airport security)
Security cards SHOULD only be one part of a key and should never be used as a primary means of authentication.
You have your card to initialise the authentication, then you use something else as the second key, like something as simple as a PIN code.
A security card is A LOT simpler to snatch than trying to figure out your PIN code. And together, it's a shit load of work, even for the most experienced intruder.
Aircraft are high profile. The slightest mishap is in the newspapers (e.g.: a month or so ago a lengthy article about flight disruptions due to clogged aircraft toilets causing problems for Cathay Pacific - no casualties, just inconvenience and a couple flights got delayed).
People are naturally afraid of flying: it's after all unnatural. Driving is more natural, you remain on the ground. You can just stop the vehicle and get out, you can't just stop and leave an aircraft halfway the trip. And that I think is what makes it a great target to spread terror.
Flying is a necessary evil - I have to fly fairly regularly, and don't like it most of the time. Always happy to get off that darn plane. But the views sometimes are stunning, and they are mighty efficient to travel larger distances.
I'd just like to point out that, once in Europe, many flights are cheap.
The only people it hits hard are the rich,
The rich all fly private, so they don't have to put up with any of the delay.
That's why airport security is useless, it makes life hell for travelers, but is totally incapable of fulfilling its purpose of keeping criminals away.
If someone has the will and resources, infiltrating any public place is piece of cake. Short of haxoring the security system, I imagine even climbing the fence will let you circumvent the security check. Having a man inside is useful and so on. Against someone who really wants to get in, there really isn't much you can do. And let's be honest, has all this security hype really prevented anything?
Statistics please. Of the most recent 100 documented terrorist attacks which actually killed anyone, how many were on airplanes? What is the probability that any given death from a terrorist attack occurred on an airplane? Thanks.
The two of you just gave me a brilliant idea for an experiment...
Get 301 planes and meet me at LAX!
Any role player could come up with that in 5 minutes or less. It's the usual problem you're facing when playing RPGs. You have a certain set of skills and equipment and a given task. Apply the former to the latter.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Unless you have ONLY been to airports in EU member countries please stop referring to Europe as the EU!
The EU is NOT synonymous with Europe, it never has and never will be. It is NOT the "federal" government of Europe!!!
The EU is a group of countries, 27 out of 50, the continent is STILL called Europe.
You managed to write "Der Spiegal" in italics, yet you failed to spell it correctly? Der Spiegel, thank you.
You do realize when I said Wow, I meant, as in Wow, that is something,
and not WoW as in world of warcraft...???
Who's talking about WoW, I was talking about RPGs. You do realize that when I am talking about RPGs I mean the P&P variant?
If not, hand in your geek card at the door please on your way out, thank you. :)
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
P & P, or did u mean D & D