Safer swiping while voting and globetrotting

Apr 15, 2010
This is a home-made, extended-range RFID antenna made from cooking gas copper pipes in Professor Wool's lab. Credit: AFTAU

Since 2007, every new U.S. passport has been outfitted with a computer chip. Embedded in the back cover of the passport, the "e-passport" contains biometric data, electronic fingerprints and pictures of the holder, and a wireless radio frequency identification (RFID) transmitter.

Although the system was designed to operate at close range, were able to access it from afar — until research by Prof. Avishai Wool of Tel Aviv University's Blavatnik School of Computer Sciences helped ensure that the computer chip in American e-passports could be read only when the passport is opened. The research has been cited by organizations including the Electronic Frontier Foundation.

Now, a new study from Prof. Wool finds serious security drawbacks in similar chips that are being embedded in credit, debit and "smart" cards. The vulnerabilities of this electronic approach ― and the of the private information contained in the chips ― are becoming more acute. Using simple devices constructed from $20 disposable cameras and copper cooking-gas pipes, Prof. Wool and his students have demonstrated how easily the cards' radio frequency (RF) signals can be disrupted. The work will be presented at the IEEE RFID conference in Orlando, FL, this month.

More than one way to hack a chip

Prof. Wool's most recent research centers on the new "e-voting" technology being implemented in Israel. "We show how the Israeli government's new system based on the RFID is a very risky approach for security reasons. It allows hackers who are not much more than amateurs to break the system," Prof. Wool explains. "One way to catch hackers, criminals and terrorists is by thinking like one."

In his lab, Prof. Wool constructed an attack mechanism -- an RFID "zapper"― from a disposable camera. Replacing the camera's bulb with an RFID antenna, he showed how the EMP (electro-magnetic pulse) signal produced by the camera could destroy the data on nearby RFID chips such as ballots, credit cards or passports. "In a voting system, this would be the equivalent of burning ballots ― but without the fire and smoke," he says.

Another attack involves jamming the radio frequencies that read the card. Though the card's transmissions are designed to be read by antennae no more than two feet distant, Prof. Wool and his students demonstrated how the transmissions can be jammed by a battery-powered transmitter 20 yards away. This means that an attacker can disable an entire voting station from across the street. Similarly, a terror group could "jam" passport systems at U.S. border controls relatively easily, he suggests.

The most insidious type of attack is the "relay attack." In this scenario, the voting station assumes it is communicating with an RFID ballot near it ― but it's easy for a hacker or terrorist to make equipment that can trick it. Such an attack can be used to transfer votes from party to party and nullify votes to undesired parties, Prof. Wool demonstrates. A relay attack may also be used to allow a terrorist to cross a border using someone else's e-passport.

How to make "smart cards" smarter

"All the new technologies we have now seem really cool. But when anything like this first comes onto the market, it will be fraught with security holes," Prof. Wool warns. "In America the Federal government poured a lot of money into e-voting, only to discover later that the deployed systems were vulnerable. Over the last few years we've seen a trend back towards systems with paper trails as a result."

But there are some small steps that can be taken to make smart cards smarter, says Prof. Wool. The easiest one is to shield the card with something as simple as aluminium foil to insulate the e-transmission. In the case of e-voting, a ballot box could be made of conductive materials. The State Department has already taken Prof. Wool's advice: since 2007, they've also added conductive fibres to the back of every American .

Explore further: Lifting the brakes on fuel efficiency

Related Stories

Biometric Passport Control: No Place To Hide

Sep 25, 2007

Siemens is making border crossings in Europe more secure through biometric systems that store individual characteristics such as fingerprints and facial photos on a chip integrated into a passport.

Special alloy sleeves urged to block hackers?

Jul 12, 2009

(AP) -- To protect against skimming and eavesdropping attacks, federal and state officials recommend that Americans keep their e-passports tightly shut and store their RFID-tagged passport cards and enhanced ...

Researchers to Boost 'Smart Tag' Security

Sep 26, 2006

Johns Hopkins researchers will take part in a new multi-institution project to improve the security of "smart tags," the wireless devices that allow drivers to zip through automatic tollbooths and let workers enter a secured ...

Recommended for you

Lifting the brakes on fuel efficiency

Apr 18, 2014

The work of a research leader at Michigan Technological University is attracting attention from Michigan's Governor as well as automotive companies around the world. Xiaodi "Scott" Huang of Michigan Tech's ...

Large streams of data warn cars, banks and oil drillers

Apr 16, 2014

Better warning systems that alert motorists to a collision, make banks aware of the risk of losses on bad customers, and tell oil companies about potential problems with new drilling. This is the aim of AMIDST, the EU project ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

THoKling
not rated yet Apr 15, 2010
My bank recently issued me a new chip card, and I have had no intention to activate it until issues such as these have been dealt with effectively and permanently. Feedback response is still pending from the institution at this point.
stealthc
not rated yet Apr 16, 2010
I have every intention of disabling any RFID device that I run into, they are bugs that broadcast what they are and where they are. Disable them all, buy a neon sign transformer and just give them a quick zap with 6,000+ volts; That will fix it so it's no longer a threat to your privacy.

More news stories

Growing app industry has developers racing to keep up

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.