Some thoughts about RFID and passports

Last week, I discussed with a well known cryptographer: JJQ. We were exchanging about RFID security, last mifare hack, and security of RFID-based passports. During the discussion, we went through a new threat.
Let us now assume that the RFID passport is largely used, and even that one country requires RFID-based passport for entering. We assume that forging a RFID-based passport is extremely difficult (it will never be impossible, law 1). We may assume that forging the paper part of the passport will be easier (else why replacing them with more expensive passports). But the forgery would be detected by mismatch between the information in the passport and the RFID.
The obvious attack would be to blast the RFID of the passport. Then the border guard would check only the paper part. Nevertheless, this may not be sufficient because we may assume that the border guard will be watchful because he faces an exceptional case.
Let us now assume that the attacker was able to build a gimmick that blasts all the RFID of every passports in a plane before leaving it. You will have several hundreds of exceptional cases. In other words, the border guards will be overwhelmed by the situation. Furthermore, if the attacker will present itself among the last ones, then his probability to go through with the forged passport will significantly raise.
Here it is a nice example of combined attacks: technique to blast the RFID and social engineering by creating an exceptional situation to stress the border guards.
Thus, for such type of applications, Denial of Services attacks should be carefully studied and prevented.

Leave a Reply

Your email address will not be published. Required fields are marked *