Slashdot Mirror

← Back to Stories (view on slashdot.org)

Airport Access IDs Hacked In Germany

Posted by timothy on from the wilkommen-sie-herr-aktentasche dept.

teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway."

10 of 102 comments (clear)

  1. Re:Really by Shadow_139 · · Score: 5, Informative

    The kit used, a Proxmark 3 cost ~$470 before P&P but they were been sold at 26c3 for 200 cash-in-hand.

    Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

    And to anybody saying you could not get it past security, I got my Netbook, Proxmark3, SIM simulator, a few FON and a big of random USB,wireless & BT dongles past them it no issues {except some of the stuff was removed from my carry-on bay and was double x-rays}.

  2. Terrorrism by Yvanhoe · · Score: 5, Insightful

    The comments so far incredibly miss the points : one of the main fear of airport authorities is that an unknown individual could access restricted zone where plenty of bomb-planting occasions can occur. With this badge you can apparently access the luggage compartment of a plane without being checked for explosives.

    At a time where authorities try to impose ridiculous devices like the body scanner and that waiting lines become so long that trains become a viable option to national flights, it is good to point out that they have so many flaws left.

    Clearly, "anti-terrorism" is not handled by competent people who think they will have to stop competent terrorists.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    1. Re:Terrorrism by CharlieThePilot · · Score: 5, Insightful

      In all the EU airports that I know of, airport workers of all sorts (including crew, baggage handlers ect) are screened in the same way as passengers. Even using the same equipment in many cases. So, while it's not good that it's this easy to defeat the ID card system, it doesn't in itself mean that anyone can get in to the baggage hold with a bomb.

    2. Re:Terrorrism by Dr.+Evil · · Score: 4, Insightful

      Unless you have trained guards at every door, it's very hard to promote a culture of badge-checking. Especially if the person you're challenging was just verified by the card-reader.

      If you *do* have a guard at every door, what good is the card-reader except to deter the guards from doing their jobs?

      I'd really like to know what else you're depending on really, if photo IDs can be forged, and people come and go from all over the world on an hourly basis, and your procedures can't be assumed secret, what's left?

      I've never bought into this "layered" model of security. The trouble is that it promotes purchasing crap from vendors which can just be used to add layers. Security is more like a chain, the whole system fails on its weakest link. The more layers you add, the more likely you are to accidentally depend on something you thought the other guy was taking care of...

      E.g., go ask the guards if *they* think the card readers are malfunctioning.

    3. Re:Terrorrism by Ash-Fox · · Score: 5, Insightful

      What use is a deterrent nobody can see?

      A pretty good one, if you look at most religions.

      --
      Change is certain; progress is not obligatory.
    4. Re:Terrorrism by maeka · · Score: 4, Interesting

      As someone who has maroon SIDA badges at multiple large airports in the USA, I think you are overly discounting the culture of challenging (asking strangers to see their badge) and missing a couple of key points.

      Especially if the person you're challenging was just verified by the card-reader.

      1 - A forged RFID in and of itself will not get you through any of the more sensitive doors. A PIN is also required.
      2 - Even someone like me with an "all areas" badge must get prior (time limited) authorization to pass through higher-security doors. The central computer will reject my perfectly valid badge and PIN and sound an alarm at security if I so much as try a door I do not have approval for.
      3 - At most airports I've worked at there is also a security officer posted at doors capable of being used to bypass TSA checkpoints (as in going downstairs then through the baggage tunnel, then back up on the other side), one who inspects each and every badge which passes his way.
      4 - All RFID readers are linked to the security office. Let's say I unsuspectingly cloned Joe's card. If Joe badged in to area A but didn't badge out while meanwhile Cloned Joe badged into area F - an alarm would sound.

      While I have witnessed much which I consider weaknesses in airport security - the physical badges themselves are not it.

  3. Re:guess what! by Opportunist · · Score: 5, Insightful

    You're right. And I wonder why.

    Here we are, creating security theater after security theater, invading flyer's privacy from background checks to real physical intimate invasions, but we don't care that someone could easily access all restricted areas of an airport.

    Ever thought that it would, from a terrorist's point of view, be much more interesting to blow up Heathrow, CDG or Kennedy airport than some petty little plane? Can you imagine the possibilities of having access to the airport's fuel tanks (and I'm not even thinking of such unimportant things like simply causing an explosion there. Think big! How about filling planes with fuel that clogs the engines so they come down unexpectedly. 3 planes hitting some towers? How about 300?), or how about access to the catering pool (I think we all saw the catstrophy movies from the 70s where spoiled food knocked out the pilots)?

    And that's something I've been thinking up within the 5 minutes of writing this posting, with no intent to actually strike against an airport. Now think of the possibilities of a terrorist with his mind set on something like that and a few months of planning time.

    If that whole scenario shows something, then that we are NOT adequately protected. And no, that doesn't mean we need more security theater. It means that the whole shit is worth jack! You cannot secure a system that is inherently insecure. There are way too many ways to attack to secure them all.

    I'm also wondering why they're so worried about airports. There are way more much easier ways to execute acts of terror than in such a limited environment. But maybe it's just that we want to protect people rich enough to actually fly. Tells you something 'bout who's important and who's not.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Really by Anonymous Coward · · Score: 4, Informative

    Sounds like somebody who was at the conference has an hour or two to kill in the airport and decided to play with their new toy.....

    The guy who did it is Karsten Nohl, the same guy who deciphered GSM encryption lately. He also reverse engineered the "secret" MIFARE Classic cipher some time ago.

  5. Re:guess what! by Krneki · · Score: 4, Insightful

    They build false fears in our minds and use cheap solution to tell us we are protected. But in the end we don't gain any real security while we lose our privacy at every step.

    Today the highest life hazard are our cars. How much money is invested in road security?

    --
    Love many, trust a few, do harm to none.
  6. Re:guess what! by pjt33 · · Score: 4, Insightful

    They x-ray your bags before you can get on a long-distance train in Spain. They don't yet make you walk through a metal detector, though.

    The only people it hits hard are the rich, or folk who have to travel for work. The general public can sneer at them complaining because they deserve it for being able to fly that often.

    Having to travel for work is often far from a privilege, although I suppose that people who haven't done it may think it's glamorous.