Slashdot Mirror


Airport Access IDs Hacked In Germany

teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."

20 of 102 comments

  1. Re:Really by Shadow_139 · · Score: 5, Informative

    The kit used, a Proxmark 3, cost ~$470 before P&P but they were being sold at 26c3 for 200 cash-in-hand.

    Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

    And to anybody saying you could not get it past security, I got my Netbook, Proxmark3, SIM simulator, a few FON and a bag of random USB, wireless & BT dongles past them with no issues {except some of the stuff was removed from my carry-on bag and was double x-rayed}.

  2. RFID by AlexiaDeath · · Score: 3, Informative

    Last I looked it was 24 bits of binary data and that's it. Even simple number collisions are likely to occur if a facility does not watch out with card orders. With 1992 in the market date, I doubt it's much more than that. It has no place securing anything important.

    1. Re:RFID by Anonymous Coward · · Score: 3, Insightful

      Well, it wasn't designed, even in 1992, for real security... The designed market for this was low-security, cheap, but somewhat scalable access control for doors in schools, supermarkets and such...

      The guy that should be fired is the one that selected it for a real security application like an airport.... No doubt because it was cheaper...

  3. Re:Theory bites back by MichaelSmith · · Score: 3, Interesting

    I couldn't work out how they cracked the cypher from the translated article. Is it possible they are listening in on the cypher processing as they feed in a challenge?

  4. Re:Theory bites back by Shadow_139 · · Score: 3, Funny

    They used double XOR for added security.....

  5. Terrorism by Yvanhoe · · Score: 5, Insightful

    The comments so far incredibly miss the point: one of the main fears of airport authorities is that an unknown individual could access a restricted zone where plenty of bomb-planting occasions can occur. With this badge you can apparently access the luggage compartment of a plane without being checked for explosives.

    At a time when authorities try to impose ridiculous devices like the body scanner and when waiting lines become so long that trains become a viable option to national flights, it is good to point out that they have so many flaws left.

    Clearly, "anti-terrorism" is not handled by competent people who think they will have to stop competent terrorists.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    1. Re:Terrorism by MichaelSmith · · Score: 3, Informative

      I have some direct experience of airport security. While it varies a lot from place to place it never relies entirely on RFID.

    2. Re:Terrorism by CharlieThePilot · · Score: 5, Insightful

      In all the EU airports that I know of, airport workers of all sorts (including crew, baggage handlers etc.) are screened in the same way as passengers. Even using the same equipment in many cases. So, while it's not good that it's this easy to defeat the ID card system, it doesn't in itself mean that anyone can get into the baggage hold with a bomb.

    3. Re:Terrorism by Anonymous Coward · · Score: 3, Informative

      the large quantity of firearms-trained police officers on site

      who are in the areas where the public are, you fsckin' moron, not behind the wire in the secure areas. Please engage your brain before touching the keyboard next time you revive.

    4. Re:Terrorism by Dr.+Evil · · Score: 4, Insightful

      Unless you have trained guards at every door, it's very hard to promote a culture of badge-checking. Especially if the person you're challenging was just verified by the card-reader.

      If you *do* have a guard at every door, what good is the card-reader except to deter the guards from doing their jobs?

      I'd really like to know what else you're depending on really, if photo IDs can be forged, and people come and go from all over the world on an hourly basis, and your procedures can't be assumed secret, what's left?

      I've never bought into this "layered" model of security. The trouble is that it promotes purchasing crap from vendors which can just be used to add layers. Security is more like a chain, the whole system fails on its weakest link. The more layers you add, the more likely you are to accidentally depend on something you thought the other guy was taking care of...

      E.g., go ask the guards if *they* think the card readers are malfunctioning.

    5. Re:Terrorism by Ash-Fox · · Score: 5, Insightful

      What use is a deterrent nobody can see?

      A pretty good one, if you look at most religions.

      --
      Change is certain; progress is not obligatory.
    6. Re:Terrorism by maeka · · Score: 4, Interesting

      As someone who has maroon SIDA badges at multiple large airports in the USA, I think you are overly discounting the culture of challenging (asking strangers to see their badge) and missing a couple of key points.

      Especially if the person you're challenging was just verified by the card-reader.

      1 - A forged RFID in and of itself will not get you through any of the more sensitive doors. A PIN is also required.
      2 - Even someone like me with an "all areas" badge must get prior (time limited) authorization to pass through higher-security doors. The central computer will reject my perfectly valid badge and PIN and sound an alarm at security if I so much as try a door I do not have approval for.
      3 - At most airports I've worked at there is also a security officer posted at doors capable of being used to bypass TSA checkpoints (as in going downstairs then through the baggage tunnel, then back up on the other side), one who inspects each and every badge which passes his way.
      4 - All RFID readers are linked to the security office. Let's say I unsuspectingly cloned Joe's card. If Joe badged in to area A but didn't badge out while meanwhile Cloned Joe badged into area F - an alarm would sound.

      While I have witnessed much which I consider weaknesses in airport security - the physical badges themselves are not it.
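
The back-end checks listed in the comment above (PIN beside the card, time-limited per-door authorization, and the badge-in/badge-out consistency alarm of point 4), sketched as an added example that is not part of the original comment or of any real airport system. The event format, area names, grant table and function name are assumptions, and the model assumes a badge can be inside only one area at a time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Swipe:
    minute: int    # minutes since start of shift
    badge: str     # ID the reader received (a clone presents the same ID)
    door: str      # area the door leads into
    action: str    # "in" or "out"
    pin_ok: bool   # result of the PIN check at the door

# Constructed sample data: (badge, area) -> authorized time window in minutes.
GRANTS = {("joe", "A"): (0, 480), ("joe", "F"): (0, 480), ("ann", "A"): (0, 480)}

SWIPES = [
    Swipe(5, "joe", "A", "in", True),    # Joe enters area A
    Swipe(9, "ann", "A", "in", True),
    Swipe(12, "ann", "F", "in", True),   # Ann has no grant for F
    Swipe(20, "joe", "F", "in", True),   # same ID at F while still inside A
    Swipe(30, "joe", "A", "out", True),
    Swipe(35, "joe", "F", "in", False),  # right card, wrong PIN
    Swipe(40, "joe", "F", "in", True),   # consistent with state: accepted
]

def review(swipes, grants):
    """Return (minute, badge, door, reason) for every swipe the back end rejects."""
    inside = {}   # badge -> area it is currently badged into
    alarms = []
    for s in sorted(swipes, key=lambda s: s.minute):
        window = grants.get((s.badge, s.door))
        if not s.pin_ok:
            reason = "bad PIN"
        elif window is None or not window[0] <= s.minute <= window[1]:
            reason = "no current authorization for door"
        elif s.action == "in" and s.badge in inside:
            # Cannot tell which holder is the clone, only that two exist.
            reason = f"anti-passback: still badged into {inside[s.badge]}"
        elif s.action == "out" and inside.get(s.badge) != s.door:
            reason = "anti-passback: badge-out without matching badge-in"
        else:
            reason = None
        if reason:
            alarms.append((s.minute, s.badge, s.door, reason))
            continue   # a rejected swipe does not change occupancy state
        if s.action == "in":
            inside[s.badge] = s.door
        else:
            del inside[s.badge]
    return alarms
```
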

  6. Dual factor authentication by Logic+Worshipper · · Score: 3, Insightful

    They ought to be using more than one factor of authentication if they expect their system to be secure. Facial recognition (by a human guard) and the card, passcode and the card, or some other factor to prevent a stolen or forged card from being a security risk.

  7. Re:guess what! by Opportunist · · Score: 5, Insightful

    You're right. And I wonder why.

    Here we are, creating security theater after security theater, invading flyers' privacy from background checks to real physical intimate invasions, but we don't care that someone could easily access all restricted areas of an airport.

    Ever thought that it would, from a terrorist's point of view, be much more interesting to blow up Heathrow, CDG or Kennedy airport than some petty little plane? Can you imagine the possibilities of having access to the airport's fuel tanks (and I'm not even thinking of such unimportant things like simply causing an explosion there. Think big! How about filling planes with fuel that clogs the engines so they come down unexpectedly. 3 planes hitting some towers? How about 300?), or how about access to the catering pool (I think we all saw the catastrophe movies from the 70s where spoiled food knocked out the pilots)?

    And that's something I've been thinking up within the 5 minutes of writing this posting, with no intent to actually strike against an airport. Now think of the possibilities of a terrorist with his mind set on something like that and a few months of planning time.

    If that whole scenario shows something, then that we are NOT adequately protected. And no, that doesn't mean we need more security theater. It means that the whole shit is worth jack! You cannot secure a system that is inherently insecure. There are way too many ways to attack to secure them all.

    I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Link to the complete (english) talk at 26C3 by gmthor · · Score: 3, Informative
    --
    How do I uncompress my MD5 archive?
  9. Re:Really by Anonymous Coward · · Score: 4, Informative

    Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

    The guy who did it is Karsten Nohl, the same guy who deciphered GSM encryption lately. He also reverse engineered the "secret" MIFARE Classic cipher some time ago.

  10. Re:guess what! by Krneki · · Score: 4, Insightful

    They build false fears in our minds and use cheap solutions to tell us we are protected. But in the end we don't gain any real security while we lose our privacy at every step.

    Today the highest life hazard is our cars. How much money is invested in road security?

    --
    Love many, trust a few, do harm to none.
  11. So YOU'RE the guy that thinks it's real security! by Zero__Kelvin · · Score: 3, Interesting

    Of course they are in view of the public. What use is a deterrent nobody can see?

    The kind that seeks to deter a terrorist rather than the general public?

    "I'm fairly sure, though, that if someone air-side reported some suspicious activity that there would be a prompt response from those very same people, resulting in a very same reaction."

    There was a time when that wouldn't have been possible. Thank God that they finally perfected the Wormhole!

    Do you really think an actual terrorist would piss his pants the way some moron who responds with "Just a Bomb" because he is too stupid to figure out that is not a bright thing to say?

    "Putting devices in baggage on a plane is not the act of a Jihadist trying to get to his virgins, so they may have slightly more interest in self preservation."

    Since nobody thinks the terrorist will show up with a gun and try to force his way through security, thereby broadcasting his/her presence to all, how does that help again?

    "Good to see mod points being blown on AC's, though. It saves those with reasonable points of view which some people may disagree with from being on the end of their flawed judgment."

    That is great news. Clearly you are not one of those people. Can you point me to someone who is? (BTW - Read the Moderator Guidelines, since you clearly have no idea how to properly moderate on Slashdot.)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. Germans are so lucky... and so unlucky... by t0p · · Score: 3, Insightful

    The German people are lucky to have the CCC. And to have a press that are happy to spread the word about the CCC's discoveries.

    --
    http://ihatehate.wordpress.com
  13. Re:guess what! by pjt33 · · Score: 4, Insightful

    They x-ray your bags before you can get on a long-distance train in Spain. They don't yet make you walk through a metal detector, though.

    The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.

    Having to travel for work is often far from a privilege, although I suppose that people who haven't done it may think it's glamorous.