[tt] h4x0ring e-passport readers by evil jpeg2000s
Eugen Leitl
<eugen at leitl.org> on
Wed Aug 1 11:20:00 UTC 2007
(I can't believe those clowns did no code audit. This is beyond embarrassing)
http://www.wired.com/print/politics/security/news/2007/08/epassport
Scan This Guy's E-Passport and Watch Your System Crash
By Kim Zetter, 08.01.07 | 2:00 AM
RFID expert Lukas Grunwald says e-passport readers are vulnerable to
sabotage.
photo: Courtesy of Kim Zetter
A German security researcher who demonstrated last year that he could clone
the computer chip in an electronic passport has revealed additional
vulnerabilities in the design of the new documents and the inspection systems
used to read them.
Lukas Grunwald, an RFID expert who has served as an e-passport consultant to
the German parliament, says the security flaws allow someone to seize and
clone the fingerprint image stored on the biometric e-passport, and to create
a specially coded chip that attacks e-passport readers that attempt to scan
it.
Grunwald says he's succeeded in sabotaging two passport readers made by
different vendors by cloning a passport chip, then modifying the JPEG2000
image file containing the passport photo. Reading the modified image crashed
the readers, which suggests they could be vulnerable to a code-injection
exploit that might, for example, reprogram a reader to approve expired or
forged passports.
"If you're able to crash something you are most likely able to exploit it,"
says Grunwald, who's scheduled to discuss the vulnerabilities this weekend at
the annual DefCon hacker conference in Las Vegas.
E-passports contain radio frequency ID, or RFID, chips that are supposed to
help thwart document forgery and speed processing of travelers at U.S. entry
points. The United States led the charge for global e-passports because
authorities said the chip, which is digitally signed by each issuing country,
would help distinguish official documents from forged ones.
But Grunwald demonstrated last year at the BlackHat security conference how
he could extract the data on a passport chip, which is read-only, and clone
it to a read-write chip that appears the same to an e-passport reader. Now
Grunwald says he was able to add data to the cloned chip that would allow
someone to attack the passport reader.
He conducted the attack by embedding a buffer-overrun exploit inside the
JPEG2000 file on the cloned chip that contains the passport photo. Grunwald
says he tested his exploit on two passport readers that were on display at a
security conference he attended.
Buffer-overrun vulnerabilities occur when coding errors in software let an
attacker write past the end of a memory region sized for a fixed amount of
data, corrupting whatever lies beyond it. Carefully exploited, they often
permit the hacker to execute his own instructions on the vulnerable computer,
essentially taking over the device -- though Grunwald has not attempted that
level of compromise on e-passport readers.
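To make the bug class concrete, here is an added illustration (not Grunwald's exploit and not any vendor's reader code). A JPEG2000 (JP2) file is a sequence of "boxes", each starting with a 4-byte big-endian length (LBox) and a 4-byte type (TBox); that layout is real, but the two parsers, the MAX_PAYLOAD size, the function names and the sample boxes below are constructed for this example. The unchecked variant trusts the length field from the chip exactly as the article describes, so a hostile length makes memcpy run off the end of a fixed-size buffer; the checked variant bounds every file-derived length against both the destination and the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy JP2 box header: LBox (4 bytes, big-endian) then TBox (4 bytes).
 * Constructed for illustration; real decoders also handle LBox == 0
 * (box runs to end of file) and LBox == 1 (8-byte XLBox follows). */
#define BOX_HDR_LEN 8u
#define MAX_PAYLOAD 64u   /* assumed fixed-size buffer inside the reader */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: the copy length comes straight from the file. A box whose
 * LBox exceeds MAX_PAYLOAD + 8 makes memcpy write past buf (stack
 * corruption, then a crash or worse). Only call this with benign input. */
int copy_box_unchecked(const uint8_t *file, size_t file_len, uint8_t *buf) {
    if (file_len < BOX_HDR_LEN) return -1;
    uint32_t lbox = be32(file);
    size_t payload = lbox - BOX_HDR_LEN;        /* attacker-controlled size */
    memcpy(buf, file + BOX_HDR_LEN, payload);   /* never compared to MAX_PAYLOAD */
    return (int)payload;
}

/* Hardened: reject lengths that would overflow the destination or claim
 * more bytes than the input actually contains. Negative = rejected. */
int copy_box_checked(const uint8_t *file, size_t file_len,
                     uint8_t *buf, size_t buf_len) {
    if (file_len < BOX_HDR_LEN) return -1;
    uint32_t lbox = be32(file);
    if (lbox < BOX_HDR_LEN) return -2;          /* also rejects LBox 0 and 1 (not handled here) */
    size_t payload = lbox - BOX_HDR_LEN;
    if (payload > buf_len) return -3;           /* would overflow buf */
    if (payload > file_len - BOX_HDR_LEN) return -4; /* claims bytes that are not there */
    memcpy(buf, file + BOX_HDR_LEN, payload);
    return (int)payload;
}

/* Constructed sample: a benign box, LBox = 12, TBox = 'jP  ', 4 payload bytes. */
static const uint8_t benign_box[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };

/* Constructed sample: a hostile box claiming LBox = 0x7FFFFFFF with 4 bytes present. */
static const uint8_t hostile_box[] = {
    0x7F,0xFF,0xFF,0xFF, 'j','p','2','c', 0x41,0x41,0x41,0x41 };

int demo_unchecked_benign(void) {
    uint8_t buf[MAX_PAYLOAD];
    return copy_box_unchecked(benign_box, sizeof benign_box, buf);
}
int demo_checked_benign(void) {
    uint8_t buf[MAX_PAYLOAD];
    return copy_box_checked(benign_box, sizeof benign_box, buf, sizeof buf);
}
int demo_checked_hostile(void) {
    uint8_t buf[MAX_PAYLOAD];
    /* copy_box_unchecked would try to memcpy ~2 GiB here and crash the reader. */
    return copy_box_checked(hostile_box, sizeof hostile_box, buf, sizeof buf);
}

int main(void) {
    printf("unchecked, benign box: %d bytes copied\n", demo_unchecked_benign());
    printf("checked,   benign box: %d bytes copied\n", demo_checked_benign());
    printf("checked,  hostile box: %d (rejected, would overflow)\n", demo_checked_hostile());
    return 0;
}
```

The point is the length-validation line, not the JP2 details: any decoder that sizes a copy from a field read off an untrusted chip, without comparing it to the destination buffer and to the remaining input, has the shape of bug the article is about.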
If a reader could be compromised using Grunwald's technique, it might be
reprogrammed to misreport an expired passport as a valid one, or even --
theoretically -- to attempt a compromise of the Windows-based
border-screening computer to which it is connected.
He won't name the vendors that make the readers he crashed, but says the
readers are currently in use at some airport entry points. He says there's no
reason to believe that readers made by other vendors would be any more
secure.
"I predict that most of the vendors are using off-the-shelf (software)
libraries for decoding the JPEG2000 images (on passports)," which means they
would all be vulnerable to exploit in a similar manner.
A second vulnerability in the design of the passport chip would allow someone
to access and clone a passport holder's fingerprint.
The International Civil Aviation Organization, the United Nations body that
developed the standards for e-passports, opted to store travelers'
fingerprints as a digital photo, no different than if you were to press the
pads of your fingers against a flatbed scanner. As a result, it's possible to
seize the image and use it to impersonate a passport holder by essentially
hijacking their fingerprints. Japanese researchers several years ago
demonstrated the ability to make false fingerprints using gelatin material
that could be placed over a finger.
To access any data on the passport, the attacker would need to unlock it
using a machine-readable code printed on the passport's face. Additionally,
the International Civil Aviation Organization recommends that issuing
countries protect biometric data on the e-passport with an optional feature
known as Extended Access Control, which protects the biometric data on the
chip by making readers obtain a digital certificate from the country that
issued the passport before the equipment can access the information.
That certificate is only valid for a short period of time, but the chips
contain no onboard clock to handle the digital certificate's expiration,
which makes them vulnerable as well, says Grunwald. "It's a basic mistake,"
he says.
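What "no onboard clock" costs is easier to see in code. The following is an added example, not from the article or from any passport or reader implementation: a chip has no source of time, so the only expiry check it can make is against the latest effective date of a certificate it has already verified (a simplified form of the rule EAC uses). Dates are YYYYMMDD integers, the signature-chain check is mocked as a flag, and the certificates and dates are constructed. It shows that a reader certificate that has expired in the real world keeps working against the chip until the chip happens to see a newer legitimate one.

```c
#include <stdio.h>

/* Dates as YYYYMMDD integers so they compare with plain '<'. */
typedef struct {
    const char *subject;   /* the inspection system this certificate authorises */
    int not_before;        /* effective date */
    int not_after;         /* expiration date */
    int chain_verified;    /* 1 = signature chain to the issuing country checked (mocked) */
} terminal_cert;

/* The chip has no clock. Its only notion of "now" is the latest effective
 * date among certificates it has already verified, seeded at personalisation.
 * This is the simplified EAC rule modelled here. */
typedef struct { int current_date; } chip_state;

/* Chip-side check: 1 = release the biometric data group, 0 = refuse. */
int chip_accepts_terminal(chip_state *chip, const terminal_cert *c) {
    if (!c->chain_verified) return 0;
    /* Expiry can only be judged against the chip's possibly stale date. */
    if (c->not_after < chip->current_date) return 0;
    /* Learn time from a trusted certificate; this is what eventually
     * closes the window for an expired one. */
    if (c->not_before > chip->current_date) chip->current_date = c->not_before;
    return 1;
}

/* Constructed scenario: a reader certificate valid for March 2007 is stolen
 * from a terminal; its replacement is issued for July 2007. */
static const terminal_cert stolen  = { "IS-A", 20070301, 20070331, 1 };
static const terminal_cert renewed = { "IS-B", 20070701, 20070731, 1 };
static const terminal_cert forged  = { "IS-X", 20070301, 20070331, 0 };

/* Real date is 1 Aug 2007, but a chip last used in March still believes it
 * is March, so the expired certificate is accepted. Returns 1 if accepted. */
int stale_cert_accepted_without_clock(void) {
    chip_state chip = { 20070115 };              /* personalised January 2007 */
    chip_accepts_terminal(&chip, &stolen);       /* legitimate inspection in March */
    return chip_accepts_terminal(&chip, &stolen); /* August: still accepted */
}

/* Once the chip has verified a newer certificate, the old one is refused. */
int stale_cert_rejected_after_update(void) {
    chip_state chip = { 20070115 };
    chip_accepts_terminal(&chip, &renewed);      /* chip's date advances to 20070701 */
    return chip_accepts_terminal(&chip, &stolen) == 0;
}

/* A certificate without a valid chain is refused regardless of dates. */
int forged_cert_rejected(void) {
    chip_state chip = { 20070115 };
    return chip_accepts_terminal(&chip, &forged) == 0;
}

int main(void) {
    printf("expired cert accepted by chip that has seen nothing newer: %d\n",
           stale_cert_accepted_without_clock());
    printf("expired cert rejected after chip saw a newer cert:       %d\n",
           stale_cert_rejected_after_update());
    printf("unsigned cert rejected:                                  %d\n",
           forged_cert_rejected());
    return 0;
}
```

The short validity period on terminal certificates only helps once the chip has a reason to move its date forward; a passport that is rarely inspected is exactly the one that keeps honouring a certificate long after it should have lapsed.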
The U.S. State Department had no immediate comment Tuesday. Grunwald's DefCon
talk, "First We Break Your Tag, Then We Break Your Systems," is scheduled for
Friday.