RFID expert Lukas Grunwald has managed to trigger buffer overflows in the readers used for the new RFID-enabled passports, which leaves the screening systems open to sabotage. Grunwald proved last year that he could clone a passport's RFID chip, and has now revealed that by replacing the photo stored on the cloned chip with an altered image file, he can make the reader crash.

Grunwald says he’s succeeded in sabotaging two passport readers made by different vendors by cloning a passport chip, then modifying the JPEG2000 image file containing the passport photo. Reading the modified image crashed the readers, which suggests they could be vulnerable to a code-injection exploit that might, for example, reprogram a reader to approve expired or forged passports.

“If you’re able to crash something you are most likely able to exploit it,” says Grunwald, who’s scheduled to discuss the vulnerabilities this weekend at the annual DefCon hacker conference in Las Vegas.

While I have documented before that this is a possibility, Grunwald has actually done it.

He conducted the attack by embedding a buffer-overrun exploit inside the JPEG2000 file on the cloned chip that contains the passport photo. Grunwald says he tested his exploit on two passport readers that were on display at a security conference he attended.

Buffer-overrun vulnerabilities occur when coding errors in software let an attacker write more data into a fixed-size region of memory than it was allocated to hold. Carefully exploited, they often permit the attacker to execute his own instructions on the vulnerable computer, essentially taking over the device, though Grunwald has not attempted that level of compromise on e-passport readers.
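As an added illustration (not code from the article, from Grunwald, or from any real passport reader), here is a toy C parser for the length-prefixed "box" layout that JPEG2000/JP2 files use, in the shape a reader might use to copy the photo off the chip into a fixed buffer. Once the chip is cloned its contents are attacker-controlled, so the length field is untrusted: the vulnerable version copies whatever size the chip declares, while the checked version rejects the three ways a crafted length goes wrong (larger than the buffer, larger than the data present, smaller than its own header). The 64-byte buffer, the `jp2c` sample box and the filler bytes are assumptions made for the example; it demonstrates the overrun and its check, not code execution.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PHOTO_BUF 64   /* fixed-size photo buffer (assumed size for the example) */
#define BOX_HDR   8    /* JP2 box header: 4-byte big-endian length, then 4-byte type */

enum { BOX_TRUNCATED = -1, BOX_BAD_LENGTH = -2, BOX_TOO_BIG = -3 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: the length field read off the chip drives the copy. */
int read_box_vulnerable(const uint8_t *data, size_t len, uint8_t *photo, size_t photo_len)
{
    (void)photo_len;                     /* never consulted: that is the bug */
    if (len < BOX_HDR) return BOX_TRUNCATED;
    uint32_t box_len = be32(data);
    /* box_len - BOX_HDR may exceed photo_len (stack smash), exceed len (over-read),
       or wrap to a huge value when box_len < BOX_HDR. */
    memcpy(photo, data + BOX_HDR, box_len - BOX_HDR);
    return (int)(box_len - BOX_HDR);
}

/* Hardened: every use of box_len is validated before it reaches memcpy. */
int read_box_checked(const uint8_t *data, size_t len, uint8_t *photo, size_t photo_len)
{
    if (len < BOX_HDR) return BOX_TRUNCATED;
    uint32_t box_len = be32(data);
    if (box_len < BOX_HDR) return BOX_BAD_LENGTH;   /* subtraction would wrap */
    if (box_len > len) return BOX_TRUNCATED;        /* declares more than the chip holds */
    size_t payload = box_len - BOX_HDR;
    if (payload > photo_len) return BOX_TOO_BIG;    /* the overrun a crafted photo triggers */
    memcpy(photo, data + BOX_HDR, payload);
    return (int)payload;
}

/* Constructed test data: one box with a chosen declared length and real payload size. */
static size_t build_box(uint8_t *buf, size_t cap, uint32_t declared, size_t actual)
{
    if (cap < BOX_HDR + actual) return 0;
    buf[0] = (uint8_t)(declared >> 24); buf[1] = (uint8_t)(declared >> 16);
    buf[2] = (uint8_t)(declared >> 8);  buf[3] = (uint8_t)declared;
    memcpy(buf + 4, "jp2c", 4);          /* contiguous codestream box type */
    memset(buf + BOX_HDR, 0xAB, actual); /* filler standing in for image data */
    return BOX_HDR + actual;
}

/* Well-formed box with 16 payload bytes: the checked parser returns 16. */
int demo_benign(void)
{
    uint8_t chip[256], photo[PHOTO_BUF];
    size_t n = build_box(chip, sizeof chip, BOX_HDR + 16, 16);
    return read_box_checked(chip, n, photo, sizeof photo);
}

/* Honest length, but 200 bytes of photo for a 64-byte buffer: the vulnerable
   parser would write 136 bytes past the end of photo; the checked one refuses. */
int demo_oversized(void)
{
    uint8_t chip[256], photo[PHOTO_BUF];
    size_t n = build_box(chip, sizeof chip, BOX_HDR + 200, 200);
    return read_box_checked(chip, n, photo, sizeof photo);
}

/* Declared length far beyond the data actually present: an over-read. */
int demo_overdeclared(void)
{
    uint8_t chip[256], photo[PHOTO_BUF];
    size_t n = build_box(chip, sizeof chip, 0x7FFFFFFFu, 16);
    return read_box_checked(chip, n, photo, sizeof photo);
}

/* Declared length smaller than its own header: the subtraction would wrap. */
int demo_underflow(void)
{
    uint8_t chip[256], photo[PHOTO_BUF];
    size_t n = build_box(chip, sizeof chip, 4, 16);
    return read_box_checked(chip, n, photo, sizeof photo);
}

int main(void)
{
    uint8_t chip[256], photo[PHOTO_BUF];
    size_t n = build_box(chip, sizeof chip, BOX_HDR + 16, 16);
    /* Only the benign box goes to the vulnerable parser; the others would corrupt the stack. */
    printf("vulnerable, benign box: %d\n", read_box_vulnerable(chip, n, photo, sizeof photo));
    printf("checked: benign=%d oversized=%d overdeclared=%d underflow=%d\n",
           demo_benign(), demo_oversized(), demo_overdeclared(), demo_underflow());
    return 0;
}
```

The order of the checks matters: the underflow test has to come before the subtraction, and the comparison against the data actually present has to come before any read, otherwise a reader can be made to crash on an over-read even if the destination buffer is large enough.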

If a reader could be compromised using Grunwald’s technique, it might be reprogrammed to misreport an expired passport as a valid one, or even — theoretically — to attempt a compromise of the Windows-based border-screening computer to which it is connected.

He won’t name the vendors that make the readers he crashed, but says the readers are currently in use at some airport entry points. He says there’s no reason to believe that readers made by other vendors would be any more secure.

Almost anyone with a little tech knowledge can figure this out too. All you need to do is spend a little time reading the specifications, which are posted for you on the International Civil Aviation Organization’s website. ICAO is a United Nations agency and developed the e-passport specification. Within a couple of weeks, you’ll have all the necessary knowledge to build your own RFID reader and clone a passport.

Creating a buffer overflow, however, can do more than just crash the system. An attacker could also use it to execute their own code on the machine, with no one the wiser. All you need to know is what software the reader is running, so that the overflow can be tailored to that particular system.

Over a year ago, Grunwald basically agreed with me that RFID in passports is worthless.

“The whole passport design is totally brain damaged,” Grunwald says. “From my point of view all of these RFID passports are a huge waste of money. They’re not increasing security at all.”

Now, you may believe that if a passport causes a system to crash, the passport holder will be detained so that their identity can be verified. In reality, one of two things will happen:

1. The immigration official will look at your passport a little more closely, think, “yep, it looks alright to me,” and let you pass, or

2. That particular station will shut down and everyone in that line will move to another line, where the same passports cause the same problem as in #1 and end up being checked by humans anyway.

Either way, the RFID passports will prove, yet again, that they’re useless; that is, unless you want to broadcast to the world that you’re an American and a target.
