Slashdot Mirror

← Back to Stories (view on slashdot.org)

Airport Access IDs Hacked In Germany

Posted by timothy on from the wilkommen-sie-herr-aktentasche dept.

teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."

102 comments

  1. Really by Anonymous Coward · · Score: 0

    Too expensive hack

    1. Re:Really by Shadow_139 · · Score: 5, Informative

      The kit used, a Proxmark 3 cost ~$470 before P&P but they were been sold at 26c3 for 200 cash-in-hand.

      Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

      And to anybody saying you could not get it past security, I got my Netbook, Proxmark3, SIM simulator, a few FON and a big of random USB,wireless & BT dongles past them it no issues {except some of the stuff was removed from my carry-on bay and was double x-rays}.

    2. Re:Really by Anonymous Coward · · Score: 4, Informative

      Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

      The guy who did it is Karsten Nohl, the same guy who deciphered GSM encryption lately. He also reverse engineered the "secret" MIFARE Classic cipher some time ago.

    3. Re:Really by Hurricane78 · · Score: 1

      I know you probably did not intend to, but:
      Please don’t give anyone the impression, that more airport “security” (think TSA), like not getting those things past security, would be of any help in preventing this. :)

      What I wonder is, how they got that original airport access ID in the first place, to be able to clone it?
      I guess just walking past a security guy outside the building should suffice, right? :)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Really by Ltap · · Score: 1

      They wouldn't need to actually be holding it, it was mentioned that it was RFID (or RFID-style), so they could have scanned it from several metres away.

      --
      Yet Another Tech Blog
      (but so much more, including game and movie reviews)
      http://yanteb.peasantoid.org
  2. guess what! by Anonymous Coward · · Score: -1, Troll

    nobody cares!

    1. Re:guess what! by Opportunist · · Score: 5, Insightful

      You're right. And I wonder why.

      Here we are, creating security theater after security theater, invading flyer's privacy from background checks to real physical intimate invasions, but we don't care that someone could easily access all restricted areas of an airport.

      Ever thought that it would, from a terrorist's point of view, be much more interesting to blow up Heathrow, CDG or Kennedy airport than some petty little plane? Can you imagine the possibilities of having access to the airport's fuel tanks (and I'm not even thinking of such unimportant things like simply causing an explosion there. Think big! How about filling planes with fuel that clogs the engines so they come down unexpectedly. 3 planes hitting some towers? How about 300?), or how about access to the catering pool (I think we all saw the catstrophy movies from the 70s where spoiled food knocked out the pilots)?

      And that's something I've been thinking up within the 5 minutes of writing this posting, with no intent to actually strike against an airport. Now think of the possibilities of a terrorist with his mind set on something like that and a few months of planning time.

      If that whole scenario shows something, then that we are NOT adequately protected. And no, that doesn't mean we need more security theater. It means that the whole shit is worth jack! You cannot secure a system that is inherently insecure. There are way too many ways to attack to secure them all.

      I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:guess what! by MrCoke · · Score: 1

      You already giving up? TALK about it!

    3. Re:guess what! by Krneki · · Score: 4, Insightful

      They build false fears in our minds and use cheap solution to tell us we are protected. But in the end we don't gain any real security while we lose our privacy at every step.

      Today the highest life hazard are our cars. How much money is invested in road security?

      --
      Love many, trust a few, do harm to none.
    4. Re:guess what! by MrMickS · · Score: 2, Insightful

      I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.

      Its not about securing those people its about having a security theatre that disrupts as few people as possible. If you had similar measures on trains, or subways, etc. it would cause chaos to millions and the people wouldn't put up with it in the long run. For the most part air travel is something people do occasionally so don't really mind a little extra delay for their safety. The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.

      --
      You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
    5. Re:guess what! by sim82 · · Score: 1

      It's good to know that Jack Bauer is out there to protect us! (uuhmm, wait...)

    6. Re:guess what! by ljw1004 · · Score: 2, Insightful

      I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly.

      I think that misses the point. Governments aren't disproportionately obsessed with defending airplanes; it's the *terrorists* who are disproportionately obsessed with bombing/hijacking airplanes (rather than other targets which might cause more public fear or kill more people).

      Why are terrorists so obsessed with airplanes? It might just be a failure of imagination. But I think it's because it's all about symbolism. The jet plane symbolises the "jet age"; images of jet planes taking off or touching down used to be the defining iconic images of our civilization from the 60s, especially in movies. It's only recently and for a small (non-terrorist) minority of the world that flying on a jet plane has switched from "defining icon of our civilization" to "boring tedious humdrum routine nuisance".

    7. Re:guess what! by pjt33 · · Score: 4, Insightful

      They x-ray your bags before you can get on a long-distance train in Spain. They don't yet make you walk through a metal detector, though.

      The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.

      Having to travel for work is often far from a privilege, although I suppose that people who haven't done it may think it's glamorous.

    8. Re:guess what! by mevets · · Score: 1

      "I'm also wondering why they're so worried about airports." Ali G noted that you could just as easily hijack a train and smash it into the white house.

    9. Re:guess what! by swale44 · · Score: 1

      Do not worry about Newark Liberty airport. Just a card will not get you access. a pin is also required. consecutive wrong pins and the card is out of the system. Cards access only the doors the holder of the card is allowed . Biometrics may replace pins. Controlled access is not security. It only records who was allowed access and when.

    10. Re:guess what! by jonbryce · · Score: 2, Informative

      Looking at the recent terrorist attacks in Britain, I'm not so sure. The 7/7 attack was on three different Tube (Subway) trains and a bus. The targets were four tube trains, but the Northern Line was closed due to engineering problems that morning.

      They failed copycat 21/7 attack was also on three tubes and a bus. This time the bus was targeted directly.

      The failed Glasgow Airport attack took place outside the airport, and was targeting people who were waiting to go through security.

    11. Re:guess what! by nedlohs · · Score: 1

      Terrorists aren't obsessed with that.

      They've blown up buses, trains, hotels, embassies, etc, etc.

      9/11 saw planes used as a force magnifier by hitting buildings with them - but that's unlikely to succeed again.

      What planes give you, that justifies some attempt from terrorists to get through the tighter security, is that a small bomb can kill everyone on board - the same size bomb elsewhere (even in the middle of a crowd - like at a security checkpoint at an airport) won't kill the same number.

    12. Re:guess what! by maratumba · · Score: 1
      I came back from a trip from Istanbul to Los Angeles. I got passed many security checkpoints in Frankfurt and Istanbul. I've been in a camping trip prior to my flight. When I was unpacking my bag in LA, I realized I had two radios and a pocket knife in my carry-on the whole time.

      I Guess these new security measures don't really work after all.

    13. Re:guess what! by hesaigo999ca · · Score: 1

      Wow, you have really given the terrorists a lot to think about , and some pretty good ideas,
      if they had not thought of it themselves....you must be a terrorist too!

      Nothing hurts more then 300 planes landing on your head

    14. Re:guess what! by wvmarle · · Score: 1

      Aircraft are high profile. The slightest mishap is in the newspapers (e.g.: a month or so ago a lengthy article about flight disruptions due to clogged aircraft toilets causing problems for Cathay Pacific - no casualties, just inconvenience and a couple flights got delayed).

      People are naturally afraid of flying: it's after all unnatural. Driving is more natural, you remain on the ground. You can just stop the vehicle and get out, you can't just stop and leave an aircraft halfway the trip. And that I think is what makes it a great target to spread terror.

      Flying is a necessary evil - I have to fly fairly regularly, and don't like it most of the time. Always happy to get off that darn plane. But the views sometimes are stunning, and they are mighty efficient to travel larger distances.

    15. Re:guess what! by chuckwilson · · Score: 1

      I'd just like to point out that, once in Europe, many flights are cheap.

    16. Re:guess what! by GeckoAddict · · Score: 1

      The only people it hits hard are the rich,

      The rich all fly private, so they don't have to put up with any of the delay.

    17. Re:guess what! by pclminion · · Score: 2, Interesting

      Statistics please. Of the most recent 100 documented terrorist attacks which actually killed anyone, how many were on airplanes? What is the probability that any given death from a terrorist attack occurred on an airplane? Thanks.

    18. Re:guess what! by Anonymous Coward · · Score: 0

      The two of you just gave me a brilliant idea for an experiment...
      Get 301 planes and meet me at LAX!

    19. Re:guess what! by Opportunist · · Score: 1

      Any role player could come up with that in 5 minutes or less. It's the usual problem you're facing when playing RPGs. You have a certain set of skills and equipment and a given task. Apply the former to the latter.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    20. Re:guess what! by hesaigo999ca · · Score: 1

      You do realize when i said Wow, i meant, as in Wow, that is something,
      and not WoW as in world of warcraft...???

    21. Re:guess what! by Opportunist · · Score: 1

      Who's talking about WoW, I was talking about RPGs. You do realize that when I am talking about RPGs I mean the P&P variant?

      If not, hand in your geek card at the door please on your way out, thank you. :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re:guess what! by hesaigo999ca · · Score: 1

      P & P, or did u mean D & D

  3. Theory bites back by For+a+Free+Internet · · Score: 1, Interesting

    As much as security "experts" want to avoid the issue, when a shared symmetric key such as the one in this device is passed in the clear to a "black box," the system is already compromised. This is just like the USB drive "encryption" debacle. It is caused by proprietary software and proprietary thinking. As Klehr wrote in Fundamentals of Cryptography (1962), "If a man drinks poison, tell him it's bad for him. Don't offer to prove it by your own example."

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:Theory bites back by MichaelSmith · · Score: 3, Interesting

      I couldn't work out how they cracked the cypher from the translated article. Is it possible they are listening in on the cypher processing as they feed in a challenge?

      --
      http://michaelsmith.id.au
    2. Re:Theory bites back by Shadow_139 · · Score: 3, Funny

      They used double XOR for added security.....

    3. Re:Theory bites back by Ihmhi · · Score: 1

      And just to be safe, they ran it through ROT13 a few times, as well as a revolutionary new version of that encryption called ROT39.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
    4. Re:Theory bites back by CisJokey · · Score: 1

      PM me if you need a good translation, or if you have specific questions.

    5. Re:Theory bites back by Splab · · Score: 2, Funny

      Some of us has more than 26 letters in our alphabet you insensitive clot.

    6. Re:Theory bites back by Jesus_666 · · Score: 2, Informative

      In a TV report they said that there simply was no cypher. From what they said in the interview it sounds like a simple replay attack. The rest of the report made it look like a bog-standard RFID system that just checks the serial number of the tag - although that might of course be the reporters oversimplifying things.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    7. Re:Theory bites back by marcansoft · · Score: 2, Interesting

      There is no cipher. There is no security. These guys gave a talk on LEGIC Prime at the congress. The digest version is that LEGIC Prime is 100% obscurity and 0% security: LEGIC cards are wireless read/write memories with a tiny LFSR scrambler thrown on top to obfuscate things a bit. There are no keys. All the access controls are implemented in the reader/writer software. These cards are not only trivial to emulate, they're also trivial to modify.

    8. Re:Theory bites back by RobertLTux · · Score: 0, Redundant

      well first off
      WHOOSH!!!!

      okay now that thats done any cypher of the type rotY(N/2) is useless for anything more than proof of intent type things
      (Y being the multiplier and N being the number of letters in the alphabet in use) and anybody that suggests one for a SECURITY SYSTEM should be minimum reprimanded and possibly shot for being criminally stupid

      and in fact any kind of rotX cypher is only good for spoiler protection or similar use

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    9. Re:Theory bites back by SharpFang · · Score: 1

      Look. It's RFID. A CPU powered by radio waves.

      How much computational power does it have to perform some advanced encryption while you wave it in front of the reader?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    10. Re:Theory bites back by Splab · · Score: 1

      Well whoosh to you too sir, since you obviously totally failed the point of my post.

    11. Re:Theory bites back by Puppet+Master · · Score: 1

      You sure it wasn't ROT13?

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vaccuum Cleaner!
  4. Sounds quite dangerous by badevlad · · Score: -1, Redundant

    Wow... I do not want hackers to control a plane when I will be in it... Imagine the situation, when hackers will take control over airport control center.

    --
    Hide your files and folders from others!
    1. Re:Sounds quite dangerous by jaggeh · · Score: 1

      if this were to happen it would be a simple case of setting fire to the runway so planes could land using the flames as landing lights.

      its been done before, in washington.

      --
      I would give everything i own for a little bit more.
  5. RFID by AlexiaDeath · · Score: 3, Informative

    Last I looked it was 24 bits of binary data and that's it. Even simple number collisions are likely to occur if a facility does not watch out with card orders. With 1992 in the market date, I doubt its much more than that. It has no place securing anything important.

    1. Re:RFID by Anonymous Coward · · Score: 3, Insightful

      Well, it wasn't designed, even in 1992, for real security... The designed market for this was low-security, cheap, but somewhat scalable access control for doors in schools, supermarkets and such...

      The guy that should be fired is the one that selected it for a real security application like an airport.... No doubt because it was cheaper...

    2. Re:RFID by Jesus_666 · · Score: 1

      Until the CCC reveal and the subsequent media coverage, the manufacturer sold the system as a high-security access control system for use in sensitive areas (now they'te replaced the word "high" with "basic"). Short of ordering an explame installation and reverse-engineering it, the person responsible for buying it had no way to tell it wasn't a high-security system.

      The company even told reporters that the system was very secure because the transmissions were encrypted. Cut to the CCC hackers simply saying: "There is no encryption involved; he's lying there."

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  6. Terrorrism by Yvanhoe · · Score: 5, Insightful

    The comments so far incredibly miss the points : one of the main fear of airport authorities is that an unknown individual could access restricted zone where plenty of bomb-planting occasions can occur. With this badge you can apparently access the luggage compartment of a plane without being checked for explosives.

    At a time where authorities try to impose ridiculous devices like the body scanner and that waiting lines become so long that trains become a viable option to national flights, it is good to point out that they have so many flaws left.

    Clearly, "anti-terrorism" is not handled by competent people who think they will have to stop competent terrorists.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    1. Re:Terrorrism by MichaelSmith · · Score: 3, Informative

      I have some direct experience of airport security. While it varies a lot from place to place it never relies entirely on RFID.

      --
      http://michaelsmith.id.au
    2. Re:Terrorrism by nacturation · · Score: 2, Informative

      At a time where authorities try to impose ridiculous devices like the body scanner and that waiting lines become so long that trains become a viable option to national flights, it is good to point out that they have so many flaws left.

      That reminds me... one thing to add to this article: http://www.youtube.com/watch?v=yZfbTlYpKYo

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    3. Re:Terrorrism by CharlieThePilot · · Score: 5, Insightful

      In all the EU airports that I know of, airport workers of all sorts (including crew, baggage handlers ect) are screened in the same way as passengers. Even using the same equipment in many cases. So, while it's not good that it's this easy to defeat the ID card system, it doesn't in itself mean that anyone can get in to the baggage hold with a bomb.

    4. Re:Terrorrism by d7415 · · Score: 1

      Ditto. They do it to counter just this sort of problem. Mod parent up.

    5. Re:Terrorrism by L4t3r4lu5 · · Score: 1

      Indeed. One of the biggest deterrents at my local airport for would-be ne'erdowells is the large quantity of firearms-trained police officers on site.

      An interesting piece of TMI: Passengers who answer the question (paraphrased) "Do you have anything in your baggage which is known to not be allowed on the aircraft?" with "Only a bomb." more often than not lose control of their bladder when faced with several large gentlemen carrying automatic weapons.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:Terrorrism by Anonymous Coward · · Score: 3, Informative

      the large quantity of firearms-trained police officers on site

      who are in the areas where the public are, you fsckin' moron, not behind the wire in the secure areas. Please engage your brain before touching the keyboard next time you revive.

    7. Re:Terrorrism by L4t3r4lu5 · · Score: 0, Flamebait

      Of course they are in view of the public. What use is a deterrent nobody can see? I'm fairly sure, though, that if someone air-side reported some suspicious activity that there would be a prompt response from those very same people, resulting in a very same reaction. Putting devices in baggage on a plane is not the act of a Jihadist trying to get to his virgins, so they may have slightly more interest in self preservation.

      Good to see mod points being blown on AC's, though. It saves those with reasonable points of view which some people may disagree with from being on the end of their flawed judgment.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    8. Re:Terrorrism by Dr.+Evil · · Score: 4, Insightful

      Unless you have trained guards at every door, it's very hard to promote a culture of badge-checking. Especially if the person you're challenging was just verified by the card-reader.

      If you *do* have a guard at every door, what good is the card-reader except to deter the guards from doing their jobs?

      I'd really like to know what else you're depending on really, if photo IDs can be forged, and people come and go from all over the world on an hourly basis, and your procedures can't be assumed secret, what's left?

      I've never bought into this "layered" model of security. The trouble is that it promotes purchasing crap from vendors which can just be used to add layers. Security is more like a chain, the whole system fails on its weakest link. The more layers you add, the more likely you are to accidentally depend on something you thought the other guy was taking care of...

      E.g., go ask the guards if *they* think the card readers are malfunctioning.

    9. Re:Terrorrism by Ash-Fox · · Score: 5, Insightful

      What use is a deterrent nobody can see?

      A pretty good one, if you look at most religions.

      --
      Change is certain; progress is not obligatory.
    10. Re:Terrorrism by Anonymous Coward · · Score: 0

      This is only true at some more modern or security-concious airports. In others, anyone with a pass can circumvent the normal screening and passport areas and get airside without ever being searched.

      However there are sometimes different levels of pass that can be used to restrict access to just the terminal building but not the apron, for example.

    11. Re:Terrorrism by Anonymous Coward · · Score: 0

      I can confirm this. I even know of airport workers not using the security boots just because they set off a lot of alarms, and BTW risking their toes.

    12. Re:Terrorrism by Yvanhoe · · Score: 1

      As a passenger, I have at several occasions seen airport personnel bypass the security screening of passengers by a simple RFID badge. It is easy to imagine a person giving a bomb to a passenger through this way.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    13. Re:Terrorrism by pjt33 · · Score: 1

      So what you're saying is that in the right situation it's very easy to get a large number of people with guns past security?

    14. Re:Terrorrism by timmarhy · · Score: 0, Troll
      security understanding fail.

      your saying we should only have one line of defence? 1944 called hilter wants you to run his army!!

      --
      If you mod me down, I will become more powerful than you can imagine....
    15. Re:Terrorrism by Jesus_666 · · Score: 1

      Except some airports decide it's too expensive to guard all entrances. This thing is all over the media at the moment and one airport (was it Hamburg?) told the media that they can't afford to guard all entrances or to outright replace the system. For safety reasons they didn't disclose their strategy but I assume they're going to gradually replace the system with a better one and guard the entrances not yet switched over.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    16. Re:Terrorrism by Jesus_666 · · Score: 1

      One of the reasons why one of our police trade unions is asking for legislation that hands over airport security to the police. Their justification is that they'd do occasional checks to ensure that nothing was tampered with.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    17. Re:Terrorrism by maeka · · Score: 4, Interesting

      As someone who has maroon SIDA badges at multiple large airports in the USA, I think you are overly discounting the culture of challenging (asking strangers to see their badge) and missing a couple of key points.

      Especially if the person you're challenging was just verified by the card-reader.

      1 - A forged RFID in and of itself will not get you through any of the more sensitive doors. A PIN is also required.
      2 - Even someone like me with an "all areas" badge must get prior (time limited) authorization to pass through higher-security doors. The central computer will reject my perfectly valid badge and PIN and sound an alarm at security if I so much as try a door I do not have approval for.
      3 - At most airports I've worked at there is also a security officer posted at doors capable of being used to bypass TSA checkpoints (as in going downstairs then through the baggage tunnel, then back up on the other side), one who inspects each and every badge which passes his way.
      4 - All RFID readers are linked to the security office. Let's say I unsuspectingly cloned Joe's card. If Joe badged in to area A but didn't badge out while meanwhile Cloned Joe badged into area F - an alarm would sound.

      While I have witnessed much which I consider weaknesses in airport security - the physical badges themselves are not it.

    18. Re:Terrorrism by jaggeh · · Score: 1

      /thread

      Godwins Law

      --
      I would give everything i own for a little bit more.
    19. Re:Terrorrism by sconeu · · Score: 2, Informative

      Badge checking is encouraged in many corporate subcultures.

      I used to work in a closed area (escort required for those without clearance and access list).

      Once, the company president came in to look around. A friend of mine, who didn't know who the prez was, asked him who he was, and if he was on the list. She got complimented on her security awareness.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    20. Re:Terrorrism by Dr.+Evil · · Score: 1

      It's a good example. You're depending deeply, very deeply on the underlying technology. You may have no choice and as long as it is well understood, that's probably a much lower risk than depending on humans or other systems... but unless you've done the deeep, deeeep inspection of the system, all you've done is outsource human lives to a company with limited liability.

      I'm torn as to what kind of testing and understanding is necessary to adequately trust an electronic security system for that kind of application. Is it possible that simply the existence of corporations make it impossible to trust the security of manufactured goods? Are these systems engineered like bridges, where the "engineer" is held criminally liable for failures in the system, or is it just a lot of passing the buck until everyone makes money and nobody goes to jail?

      Do you "certify" it? Is it like many "certification" processes, where only the conformance to a standard is tested, but no real-world intelligence is applied to the system as a whole? Again, just passing the buck because the guys earning six and seven figures can't handle the thought of being responsible for human lives, unlike the guys working the floors at the airports?

      Does anyone go to jail if a certified, tested system fails to meet its own requirements in the field? does anyone go to jail if they neglected to include a requirement in the certification and testing of the environment? Does anyone go to jail if they missed an "obvious" requirement?

      Are the requirements so complex or dependent on secrecy that you don't feel comfortable commenting on them without a lawyer? If so, is it because you're afraid for the public? Afraid for your job?

      I know... I worry too much.

    21. Re:Terrorrism by Dr.+Evil · · Score: 1

      I hate to reply to my own post... I just want to add that I don't mean to be hard about it, it sounds like you've got a really good system there... Security comes down to risks, and the stuff I'm talking about here is considered fringe and theoretical by many people.

      And maybe there is personal liability in place. If so, I really would like to know about it.

    22. Re:Terrorrism by Jah-Wren+Ryel · · Score: 1

      That reminds me... one thing to add to this article: http://www.youtube.com/watch?v=yZfbTlYpKYo

      Don't forget the classic: TSA Gangstaz.

      --
      When information is power, privacy is freedom.
    23. Re:Terrorrism by maeka · · Score: 1

      Is this final question directed to me or to the wind? For as interesting as I find your above comment I don't see the relevance to the discussion I thought we were having.

    24. Re:Terrorrism by maeka · · Score: 1

      (bah, no "edit" button, so I continue here)

      For the topic at hand was Airport Security, and I was addressing your premise that a forged badge (the topic of the story) was a grave security hole, that it was the weak link which causes a chain to fail.

      My point was that the badge is a known weak link and that policies and procedures (and not just liabilityless vendor-supplied turn-key "solutions", but structural elements) are in place (at least in American airports) to mitigate risk of a broken link leading to all-out chain failure.

      The analogy of security being a chain is a flawed one, as it is nothing so linear in typical implementations.
       

    25. Re:Terrorrism by Dr.+Evil · · Score: 1

      Agreed.. I've been spending too much time thinking about security problems on a mostly unrelated issue.

      No offense intended. I would have deleted the reply if I could, it's waay too off on a tangent and a bit soapbox-confrontational, which is bad form. Sorry about that.

    26. Re:Terrorrism by maeka · · Score: 1

      Not a problem - I had taken no offense.

    27. Re:Terrorrism by Anonymous Coward · · Score: 0

      Most people miss the point. None of this is about stopping terrorism. It might succeed in keeping some planes from being blown up (obviously a good thing), but the main purpose is to get people used to the idea that they must give up all notions of personal privacy or rights in the name of fighting terrorism. I would expect a terrorist to be from the airline service people, not the passengers. It is the obvious way to do things. Body cavity searches of grandma are not a productive method of fighting terrorism, the threat of which has been exaggerated out of all proportion.

  7. Dual factor authentication by Logic+Worshipper · · Score: 3, Insightful

    They aught to be using more than one factor of authentication if they expect their system to be secure. Facial recognition (by a human guard) and the card, passcode and the card, or some other factor to prevent a stolen or forged card from being a security risk.

    1. Re:Dual factor authentication by Anonymous Coward · · Score: 0

      Even better, a true challenge/response system which newer HID cards provide. I like how some HID cards combine the contactless RFID system with a smart card. This way, for entryways where security examines a card and the person, the card is validated there. Then, inside the business/airport/secured area, the contactless part does the rest of the authentication of what doors open.

    2. Re:Dual factor authentication by Calinous · · Score: 2, Interesting

      Passcode is not even as secure as the RFID tag - one could usually spy the introduction of the passcode on the keyboard with a camera (if I remember correctly, there were plenty of key-based locks that were visible from the passenger area).

    3. Re:Dual factor authentication by coinreturn · · Score: 1

      Passcode is not even as secure as the RFID tag - one could usually spy the introduction of the passcode on the keyboard with a camera (if I remember correctly, there were plenty of key-based locks that were visible from the passenger area).

      Sure, but with DUAL-FACTOR authentication, you need the PIN that goes with the corresponding RFID, not just any old pass code.

    4. Re:Dual factor authentication by Calinous · · Score: 1

      If you can record the RFID code, it's probable that you can videorecord (or record using the eyeballs Mark I) the PIN when entered in some keyboard or another...

    5. Re:Dual factor authentication by coinreturn · · Score: 1

      If you can record the RFID code, it's probable that you can videorecord (or record using the eyeballs Mark I) the PIN when entered in some keyboard or another...

      Yeah, no kidding. The point is that dual-factor makes you have to do both, which means that access to the card (employee asleep in lobby, taking a shit, etc) does not mean you necessarily see them use the card.

  8. It IS used at other airports ... by foobsr · · Score: 2, Informative

    TFS: "but I guess it might be deployed elsewhere anyways"

    The 'news' here (Germany) yesterday said that the same system is used at several other German airports.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  9. "Panties" by Anonymous Coward · · Score: -1, Troll

    White with a streak of yellow reek
    A shitty pink
    A most unladylike stink
    From a fragant lubricated leak.

  10. Two Factor Authentication is good by Anonymous Coward · · Score: -1, Troll

    They aught to be using more than one factor of authentication if they expect their system to be secure.

    But they baught that system in 1992 and it uses aughnly one factor authentication.

    Facial recognition (by a human guard) a and the card, passcode and the card, or some other factor to prevent a stolen or forged card from being a security risk.

    You seem to have forgaughtten to use a verb in that sentence, but that's probably to confuse the terrorists and prevent them from finding out about your clever security measures. What you said seems laughgical to me, beside that part about facial and creampie recognition, but you aught to know that they had a passphrase in place, it was set in 1992 and they still haven't changed it, it's still "Karl-Heinz Rummenigge".

  11. Link to the complete (english) talk at 26C3 by gmthor · · Score: 3, Informative

    If you want to know the insights http://media.ccc.de/browse/congress/2009/26c3-3709-en-legic_prime_obscurity_in_depth.html

    --
    How do I uncompress my MD5 archive?
  12. 'Tis a commentary on the arrogance of power by ibsteve2u · · Score: 2, Informative

    Takes a lot of arrogance, to decide that some people are so important that they should be entitled to bypass security, and so in order to achieve that, you create a method to bypass security.

    The arrogance lies in making the assumption that no terrorist group will ask themselves the question: "How do we bypass their security?" and fail to arrive at the answer: "Why, the same way they do!".

    (P.S. I'm a good guy [albeit with the caveat that the term is relative], Carnivore/Altivore/Echelon. The timing of this Der Spiegal article and the fact that I've recently said the same thing as I did above elsewhere is purely coincidental. I happen to work with the stuff, so such conversations pique my curiosity. There's no need to waste gasoline coming to see me.)

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    1. Re:'Tis a commentary on the arrogance of power by pclminion · · Score: 1

      How can a security official "bypass" security? Security, by definition, is wherever they happen to be. There is no reason an authorized person should be made to jump through unnecessary hoops (note I said said "unnecessary," not all hoops). What if there is an emergency behind the checkpoint, and the only way for security to actual reach the emergency is to wait in line? That's completely stupid.

      The problem is that the METHOD used to allow authorized persons to move quickly is not good enough.

    2. Re:'Tis a commentary on the arrogance of power by harl · · Score: 1

      More or less arrogance than thinking you're important enough for the government to be watching you even though you're one of the "good" people?

      You're post indicates a flaw in thinking. You don't bypass security. I think you mean bypass baggage screening check points. There's nothing wrong with having a method to allow people to bypass baggage screening check points as long as that method is secure and part of the security plan as a whole. For example you should know who's going to bypass the check point before they arrive at the check point. Screeners should not have the authority to remove security.

      --
      I find being offended by me offensive.
    3. Re:'Tis a commentary on the arrogance of power by ibsteve2u · · Score: 1

      I would observe that - beyond the potential for the counterfeiting of smart cards that are used some places both for airport personnel assets and for people who deem themselves to be too important for delays at the screening stations - there is the possibility that you have handed "the keys to the kingdom", as it were, to a deep cover mole.

      As you see this person that you know has been cleared (or assume has been cleared because a screen grants authorization or the door opens) wave a smartcard at the RFID scanner and cruise into sensitive areas without physical inspection, if you are a thinking person at all you should wonder if this IS the day that his or her lunch or tool box - that they have each and every day, and so most think nothing of it - goes boom.

      FYI: If the proper keywords are there, they alone trigger alerts for further review by an analyst; I am not the arrogant one.

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    4. Re:'Tis a commentary on the arrogance of power by ibsteve2u · · Score: 1

      My point is that security considerations should identify each and every person, area, and item as to whether they are secure or insecure.

      100% inspection each and every time an item or individual transitions from an insecure area to a secure area gives you the greatest chance at security. The smartcards blur that line by permitting people and items to cross without inspection between secure and insecure, transforming the safety of the nation and the traveling public into a matter of faith.

      Arrogance, that.

      There was this doctor at a military base recently...he wore all of the right accoutrements and carried the right ID - and military ID is also a smartcard, these days - to be designated as no security threat by any official who observed him...

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    5. Re:'Tis a commentary on the arrogance of power by harl · · Score: 1

      "FYI: If the proper keywords are there, they alone trigger alerts for further review by an analyst; I am not the arrogant one."

      That's quite simply impossible. The amount of data your suggesting is both effectively 100% false positive and so large in size that we can never review it by hand.

      I'm worried about your paranoia. Please seek professional help.

      --
      I find being offended by me offensive.
    6. Re:'Tis a commentary on the arrogance of power by ibsteve2u · · Score: 1

      That's quite simply impossible. The amount of data your suggesting is both effectively 100% false positive and so large in size that we can never review it by hand.

      lollll....yes, reviewing it by hand would be quite the chore, wouldn't it? I do so hope that somebody invents computers someday.

      Perhaps you might enjoy this Slashdot story? You might take note of the following quote from the linked article:

      And what is the puerile approach taken by not only the politicians but also by the clueless amateurs who now lead the intelligence community: No problem, they say. Technology permits us to build a database of one billion names....easy!

      There is no little information out there in "the public domain" that is entertaining, at least. As to the possibility that I am personally paranoid...let us just say that my "life experience" leaves no doubt in my mind as to what can be done when you transition between the red and the black. I doubt not the available capabilities; I remember how stunned I was when I found out how...primitive...civilian technology was.

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  13. So YOU'RE the guy that thinks it's real security! by Zero__Kelvin · · Score: 3, Interesting

    Of course they are in view of the public. What use is a deterrent nobody can see?

    The kind that seeks to deter a terrorist rather than the general public?

    "I'm fairly sure, though, that if someone air-side reported some suspicious activity that there would be a prompt response from those very same people, resulting in a very same reaction."

    There was a time when that wouldn't have been possible. Thank God that they finally perfected the Wormhole!

    Do you really think an actual terrorist would piss his pants the way some moron who responds with "Just a Bomb" because he is to stupid to figure out that is not a bright thing to say?

    "Putting devices in baggage on a plane is not the act of a Jihadist trying to get to his virgins, so they may have slightly more interest in self preservation."

    Since nobody thinks the terrorist will show up with a gun and try to force his way through security, thereby broadcasting his/her presence to all, how does that help again?

    "Good to see mod points being blown on AC's, though. It saves those with reasonable points of view which some people may disagree with from being on the end of their flawed judgment."

    That is great news. Clearly you are not one of those people. Can you point me to someone who is? (BTW - Read the Moderator Guidelines, since you clearly have no idea how to properly moderate on Slashdot.)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. Nefarious uses by Anonymous Coward · · Score: 0

    Could I use one of these hacked cards to get access to the naked-scanner room and steal photos of nude passengers?

    (Capcha: scabrous. Ew.)

  15. Germans are so lucky... and so unlucky... by t0p · · Score: 3, Insightful

    The German people are lucky to have the CCC. And to have a press that are happy to spread the word about the CCC's discoveries.

    --
    http://ihatehate.wordpress.com
    1. Re:Germans are so lucky... and so unlucky... by bsDaemon · · Score: 1

      Yeah, but do you know who had awesome security? The CCCP...

  16. Mod parent up by coinreturn · · Score: 1

    You have posted today's best comment.

  17. It's not outdated, it's the wrong system. by yacc143 · · Score: 2, Informative

    The Swiss vendor selling the system never marketed it (even 1992) for security relevant access control, it's just meant as a comfortable access for entertainment parks or similar customers, where comfort and low price are the selling points, not security.

    (so basically, it was never ever meant to be used for airport security)

    1. Re:It's not outdated, it's the wrong system. by kju · · Score: 1

      The Swiss vendor selling the system never marketed it (even 1992) for security relevant access control, it's just meant as a comfortable access for entertainment parks or similar customers, where comfort and low price are the selling points, not security.

      Untrue. Until they changed the webpage yesterday (or so) they claimed that the system has "high security".

    2. Re:It's not outdated, it's the wrong system. by yacc143 · · Score: 1

      url in archive.org?

  18. Security cards SHOULD only be one part of a key by f0rk · · Score: 2, Insightful

    Security cards SHOULD only be one part of a key and should never be used as a primary means of authentication.
    You have your card to initialise the authentication, then you use something else as the second key, like something as simple as a PIN code.

    A security card is ALOT simpler to snatch then trying to figure our your PIN code. And together, it's a shit load of work, even for the most experienced intruder.

  19. false security by Anonymous Coward · · Score: 0

    that's why airport security is useless, it makes life hell for travelers, but is totally incapable of fulfilling its purpose of keeping criminals away.
    if someone has the will and resources, infiltrating any public place is peace of cake. short of haxoring the security system, i imagine even climbing the fence will let you circumvent the security check. having a man inside is useful and so on. against someone who really wants to get in, there really isn't much you can do. and lets be honest, has all this security hype really prevented anything?

  20. EU? Europe, please. by Anonymous Coward · · Score: 0

    Unless you have ONLY been to airports in EU member countries please stop referring to Europe as the EU!

    The EU is NOT synonymous with Europe, it never has and never will be. It is NOT the "federal" government of Europe!!!

    The EU is a group of countries, 27 out of 50, the continent is STILL called Europe.

  21. Look in the mirror by Anonymous Coward · · Score: 0

    You managed to write "Der Spiegal" in italics, yet you failed to spell it correctly? Der Spiegel, thank you.