Buffer Overflow Found in RFID Passport Readers

epee1221 writes "Wired ran a story describing Lukas Grunwald's Defcon talk on an attack on airport passport readers. After extracting data from the (read-only) chip in a legitimate passport, he placed a version of the data with an altered passport photo (JPEG2000 is used in these chips) into a writable chip. The altered photo created a buffer overflow in two RFID readers he tested, causing both to crash. Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common."

Re:

[MrCoke]

There is no architecture that is secure from a passionate developer armed with time, IDA Pro and an oscilloscope (if needed).

Re:

[cianduffy]

And possibly an electron microscope - lack of easy supply of these is probably the only reason DVB VideoGuard is still mostly unhacked after 9 years of use. Its been molested (smartcard sharing, CAM emulation) but there's no way to make clone cards or software patch boxes yet...

Re:

[ehrichweiss]

You must not follow the sat hacking community at all. CAM emulation is the thing that most of the people seem to be waiting on since an emulated CAM means that any ECMs won't affect a real card that would then have to be replaced. Nobody wants Black Sunday all over again afterall. And as far as I'm aware there haven't really been any recent systems where one could patch the *box* and get free tv. Those days are long, long gone.

Re:

[cianduffy]

I follow it closely enough, although as all I want to get via satellite is unencrypted anyway, not as much as I used to. You might not, as it seems you're getting stuff mixed up...

NDS CAMs can be emulated but they still need a real Videoguard card. This means you can use cards in unapproved units (Dreamboxes, or anything with a CI slot using a Dragon or TRex) but it doesn't mean you can get anything you've not paid for. Nobody has come close to extracting the keys from the card yet.

Box patching is CAM emula

Re:

[ehrichweiss]

I think you're the one that's a bit mixed up. Using a card in an unapproved box is a hack, not emulation. See the definition of "emulate" for more details.

Re:

[cianduffy]

Its emulating the legitimate CAM - have you got a more appropriate word? Doubt it.

Re:

[ehrichweiss]

If they could emulate the CAM they wouldn't need the card as a backup. They're not emulating the CAM, they're emulating the legit *receiver*. What you're describing is called "auxing" the card and they only use it because they haven't managed to get a bin dump/disassembly of the card. The device/computer simply mimics the correct box so they can send data to the card to get the correct keys for decryption and then send those to the actual receiver. And for the record they call that a HACK, not emulation.

Re:

[cianduffy]

I don't know if encryption systems work entirely different wherever you're from (DSS and 4DTV != DVB), but what you're proposing there makes absolutely no sense with DVB.

Its entirely irrelevant what receiver I use, for instance, my Conax CAM - what is a PCMCIA card sized card reader - in. I can take it + the MTV Unlimited card in it out of my Technomate and put it in to my Humax and it'll work fine - as the CAM handles the entirity of the decoding. Now, a Dreambox or a Dragon/T-Rex CAM "mimics" (hey, guess

JPEG2000

[Presto Vivace]

Why am I not surprised?

Of course they are vulnerable

[Anonymous Coward]

These passports are full featured CPU's with up to 72KB of data. The "RFID reader" is actually a very bad name for a software system that is going to read out these passports. In most documents it will be referred to as an inspection system. It will not only read out the passport, but it will also test the biometrics, communicate with other systems etc.. This is a complicated process that will most likely take place on a full featured CPU, containing a modern OS, and a modern software stack. This allows for maximum flexibility, but it will also make the systems vulnerable for attack.

The only thing the manufacturers of these systems can do is thoroughly test their software, and make the attack possibilities as small as possible. For instance, they should check the signature under the data before passing the data on to the next layers. Of course, for this you need the certificate of the issuing state. You should also test if the underlying libraries that do this initial check are not vulnerable.

Re:

[Anonymous Coward]

You should start with studying English. Your skills our lacking.

Re:

[couchslug]

"The question is : should I study Arabic or Spanish to welcome our new overlords."

Yes. :)

Re:

[MCraigW]

They got better looking girls

You never know, under those burkas...

Re:

[morari]

I'm still hoping that Latin will make a comeback, personally. I want a job where I can go out and catch Christians for the Colosseum games.

Re:

[photomonkey]

You forgot Mandarin/Szechuan/Cantonese.

Re:

[Larry Lightbulb]

Chinese could probably be the most useful - you can get earworms for that, and those other two languages, from http://www.earwormslearning.com/intro.html [earwormslearning.com]

Re:

[SL Baur]

Mandarin Chinese. Follow the money. (There's no monopoly on stupidity, after gutting the US manufacturing sector, Japan has also sold Japan, Inc. to the Chinese).

RFID passports were a stupid idea in the first place. I do not want the id in my pocket broadcasting to the world "I'm an American Passport! Kidnap the holder!" (and kidnapping is an issue in places of the world I need to go, like where my in-laws and children are).

Explain to me how...

[binaryspiral]

Explain to me how this is an "attack" on passport readers?

Passport is scanned
Reader goes casters up
Reader is power cycled
Passport is scanned again
Reader goes casters up
Owner of said passport is hauled off to some secret room where all of their orifices are checked by an ex-prison guard with large hands.

This does show the lack of testing and hardening, but it seems a buffer overflow situation like this would be relatively easy to patch.

Re:

[zolf13]

Orifice overflow requires orifice patching.

Re:Explain to me how...

[Zerth]

Because the way it will actually go is like this:

Passport is scanned
Reader goes casters up
Reader is power cycled
Passport is scanned again
Reader goes casters up

Security Goon say "Shit, that's wierd. But the paper passport looks fine. Go on through."

Owner of said passport traipses past security, making the E-passport no better than a regular one.

Re:

[westlake]

Because the way it will actually go is like this:
Security Goon say "Shit, that's wierd. But the paper passport looks fine. Go on through."

"Insightful," eh?

A show of hands, please, from anyone willing to test this theory out.

"Weird" is not a word I want to hear from the airport security guard when I am trying to board a plane for New York.

Re:

[Tony Hoyle]

Exactly this happens with the 'secure' chip-on-pin credit cards. I have an old one and it's a bit wonky. Also the signature long since faded into nonexistance.

Hand card to cashier.
Scan card. Won't scan.
Scan card again. Won't scan.
"That's wierd. It won't scan. Sign here instead."

I then walk out with the goods. No valid security check was made. This has happened multiple times at multiple shops.

Re:Explain to me how...

[h2g2bob]

A buffer overflow [wikipedia.org] can do a lot more than just crash systems. Done right they can cause the machine to run ANY code the hacker wants while the computer owner is none the wiser. TFA suggests changing the picture generated, which probably wouldn't be too hard considering it looks like it's the JPEG2000 libraries which are affected anyway.

Re:

[Anonymous Coward]

I'm envisioning:
*passport is scanned*
*reader does something weird [because it's being hijacked by buffer overflow exploit code], gives error message*
*passport is re-scanned*
*reader says, "Joe C. Terrorist is OK. His name does not appear in no-fly list. SSN# 666-69-6969 is valid."*
-os

Re:

[swillden]

Owner of said passport traipses past security, making the E-passport no better than a regular one.

Nonsense. What would actually happen is exactly what would happen if you just broke the contactless smart card chip in your passport -- since your passport isn't fully functional, you get routed out of the expedited "normal" flow, and into the "exceptional case" flow, which results in greater scrutiny of you and your passport. Assuming the alterations you made to the paper passport are undetectable, and assuming you manage to keep your cool and not give yourself away, and assuming the immigration agents

Re:Explain to me how...

[Nazlfrag]

At the moment it crashes. With the right sequence of bytes it looks like:

Hacker crafts jpeg with exploit code
Passport is scanned
Exploit code is injected
Reader silently executes exploit code
Reader continues operation with nobody any the wiser

A compromised reader lets you bypass the biometrics.

Re:

[Dachannien]

One would hope that a reader would run from firmware, but you never know.

Re:

[Anonymous Coward]

It makes no difference at all. Unless the reader's MMU is set to trap when executing from non-firmware memory, it doesn't matter. A buffer overflow is not saving this code to disk or anything; it's just executing it.

Re:

[TheAverageGuy]

How exactly does "running from firmware" affect whether it is exploitable or not?

Re:

[DDLKermit007]

Yeah I'm wondering that too. Those without a clue seem to be multiplying.

Re:

[Dachannien]

It permits separating the address space for running code from the address space for data, so you couldn't get it to run code in the RFID address space. It also makes it more difficult to overwrite the running code (since it's firmware and not software), even if the address spaces weren't kept separate, which would mean that after you crash the device and reboot it, the original software is running again.

Re:

[solevita]

I just hope that it's my face that contains the exploit code.

Blackhat? No sir! I've just got an unfortunate face!"

Re:

[swokm]

(Hooded figure waves passport.)
Hooded: "I am not the terrorist you're looking for."
(Guard 1 glances at hacked scanner and turns to Guard 2.)
Guard 1: "Ahh... yeah, this isn't the terrorist we're looking for. Move along, move along..."

Re:

[SagSaw]

Explain to me how this is an "attack" on passport readers?

It might be possible for an attacker to exploit the buffer overflow in order to cause the reader to execute software chosen by the attacker. For example, the attacker might insert code that recognizes his forged passport as valid, or that recognizes somebody else's passport (who may have flew in on the same flight) as invalid.

Re:

[mpe]

It might be possible for an attacker to exploit the buffer overflow in order to cause the reader to execute software chosen by the attacker. For example, the attacker might insert code that recognizes his forged passport as valid,

Or other forged passports as valid.

or that recognizes somebody else's passport (who may have flew in on the same flight) as invalid.

They need not be on the same flight. Possibly not even on the same day, depending how the system might be hackable.
If their intention were disru

Re:

[shivamib]

Here, I corrected it for you.

1. Passport is scanned
2. Bufferoverflow runs handcrafted code
3. RFID reader claims that this is indeed John Smith, and this is his picture, nonwithstaning the fact that there is
[...]
4. Profit!!

Amsterdam, here we go!

hardly a profitable business ...

[freaker_TuC]

... if you are being so open about it.

Re:Explain to me how...

[cgenman]

In a buffer overflow situation, a system may crash because it attempts to run the overflow data as code and fails. However, 99% of the time you can use buffer overflows to inject your own code to run. You just need to know what system it will be running on.

A buffer overflow is a serious vulnerability, in that finding one is the biggest step towards cracking a system open.

Re:

[Warbothong]

I know another way to screw up the readers. Smile: http://news.bbc.co.uk/1/hi/uk_politics/3541444.stm [bbc.co.uk] (of course the government is working on this as it is a very serious problem. Yep, in a few years time they'll manage to piss off everyone enough that nobody will be smiling, thus fixing the bug)

Re:

[Antique Geekmeister]

It's a denial-of-service attack. By sending a few innocent sacrifical lambs with modified passports, it's possible to take out an entire security station's set of scanners and clob the entire security theatre operation of a small airport, and make fake passports much easier to get through the systems in the interim, especially if this becomes a common occurrence for a few days.

Better yet, modify the passports of people you don't like to delay their passages through security and get them arrested. There are

Re:

[DrSkwid]

I recommend "The Shellcoders Handbook"

Re:

[tomhudson]

"Owner of said passport is hauled off to some secret room where all of their orifices are checked by an ex-prison guard with large hands."

And if this [trolltalk.com] (Warning: NSA - Not Safe Anywhere) or any of these [trolltalk] (also NSA - Not Safe Anywhere) was the passport photo, pity the poor guard ...

The revised scenario:

Passport is scanned
Reader goes casters up
Reader is power cycled
Passport is scanned again
Reader goes casters up
Guard looks at passport photo
Guard throws up, as do the next dozen who try to inter

Honestly...

[The tECHIDNA]

...if you pass a cracked RFID chip through a passport reader and then it crashes,

#1: the guard will humanly read your inside cover photo with extra vigilance...the chip is not the only method of ID
#2: you'll probably be detained for a bit while they re-test your passport; if it fails again, they'll tell you to get a new passport
(#2a: or be placed on a no-fly list, because you're a terrorist)

Plus, how exactly would a code-injection exploit work unless it's something like the GDI+ vulnerability that

Re:

[nneonneo]

Plus, how exactly would a code-injection exploit work unless it's something like the GDI+ vulnerability that occurred with WMF files? (If a rogue guard is injecting evil code into the machine, the government had waaay more scary problems ahead than with some 'sploiting a passport reader).

As TFA mentions, this is a buffer overflow problem. Most buffer overflows can be exploited easily unless additional OS safeguards are in place -- StackGuard, Address Space Randomization, etc., and even then, a determined hacker may still find his way in.

There are a few existing [secunia.com] examples [securitytracker.com] of buffer overflows against JPEG2000, and they can be exploited much in the same way the WMF exploit is -- malformed file is read into reader, causes buffer overflow in JPEG2000 library, causing the execution of arbitrary

30 more years of buffer overflows?

[Futurepower(R)]

Buffer overflows are so 90s. Isn't there a way to prevent them entirely, like using only good libraries?

Re:

[FireFlie]

If it this was not a current problem we wouldn't be having this discussion. Buffer overflows can be a result of bad programming regardless of what libraries are being used. Choosing vulnerable libraries or functions is just one way of creating such problems.

Doesn't everyone check all inputs before using?

[Futurepower(R)]

I always check all inputs before using the data. Don't other people do that?

Re:

[karmatic]

Validating all input can help, but it doesn't help when you have things like off-by-one [wikipedia.org] errors. Remember people, null-terminated strings are 1 byte bigger than the number of characters in the string.

Re:

[MCraigW]

The company that I work for has mainframes that disallow the execution of data, and this is, or has been, prevented by hardware. It just isn't possible to execute data. Oh... it has been this way ever since I've worked at this company, over 25 years.

Even Microsoft now has, in XP and I'm guessing later OSes, Data Execution Prevention (DEP). Most people don't turn it on because it does have a slight effect on performance. You can find the option by going to My Computer, Properties, Advanced Tab; Click "Se

Computers help voters not vote counters.

[jbn-o]

All that being said, there are some things (i.e. voting machines) that just should not be electronic-ized, and I feel this is one of them.

When it comes to counting voter-verified paper ballots, I would agree with you that this task should not be done electronically. Humans can (and do in many elections around the world) manually count voter-verified paper ballots.

But when it comes to preparing the voter-verified paper ballot, I don't see the harm with electronic assistance: electronic preparation

Re:

[proxy318]

there are some things (i.e. voting machines) that just should not be electronic-ized

I think voting machines can be computerized, but it would have to work like this:
1. the machines are sealed with something other than a furniture key
2. they're prefereably open source
3. After you're done voting, it prints a copy of the ballot for you to verify. It doesn't count the ballot until you press the verify button. If it's wrong, you throw the ballot into a convenient paper shredder, and make your corrections.

That's interesting...

[shivamib]

It's just that they keep hiring complete morons that have no idea what they're doing to work on the systems.

I see that where I work all the time! Must be the new trend...

"..the Windows-based border-screening computer.."

[adnonsense]

FTFA: "If a reader could be compromised using Grunwald's technique, it might be reprogrammed to misreport an expired passport as a valid one, or even -- theoretically -- to attempt a compromise of the Windows-based border-screening computer to which it is connected."

That does it. From now on I'm only travelling to countries which use OpenBSD to operate their border gateway protocols.

And: "Additionally, the International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which protects the biometric data on the chip by making readers obtain a digital certificate from the country that issued the passport before the equipment can access the information."

Sounds like in the future, the only people who'll be able to traveler with any degree of success will be those who can forge their passports...

Re:

[Anonymous Coward]

"That does it. From now on I'm only travelling to countries which use OpenBSD to operate their border gateway protocols." - by adnonsense (826530) on Saturday August 11, @10:55AM (#20195319)

Cambridge Researcher Breaks OpenBSD Systrace:

http://it.slashdot.org/it/07/08/09/138224.shtml [slashdot.org]

Nothing's "completely invulnerable"...

Re:

[adnonsense]

'k, I'm staying at home from now on...

Lost faith on RFID security long ago?

[Lord Satri]

Remember this /. story about RFID Passports Cloned Without Opening the Package [slashdot.org]? I'm not sure if RFID and security will ever get along at a satisfying level or if will be similar to the systematic breaking of DRM locks. Amongst other RFID stories [slashgeo.org], this "Security analysis report" paper [91 pages pdf, 967k] [bridge-project.eu] is most informative (via this blog [vector1.eu]).

Great!

[thatskinnyguy]

Something else to make the experience of flying all that much more unpleasant for the rest of us!

the usual

[m2943]

The problem is, as usual, the use of inherently unsafe and dangerous programming languages like C and C++.

There is no reason why any modern programming language should permit accidental buffer overflows; they are easily preventable without pushing the burden onto the programmer even in programming languages with the same power as C and C++.

Re:the usual

[808140]

Don't do much embedded programming, do you? Garbage collection, automatic bounds checking, and the vast majority of features that you think of as "modern" were available in quite a number of programming languages from the 1960s -- lisp, for example. While they were extremely popular in academic circles, and were without a doubt extremely powerful and capable, most development continued to be done in assembly, and then later C. Why was this, do you think? Because in those days, computer resources were so expensive that it was foolish to waste them. Here's a hint: garbage collection is a bad idea if you have so little memory that you're actually likely to run out of it. Automatic bounds checking on arrays is expensive if your processor is slow enough.

Now if you're saying that there's no need to develop the vast majority of today's computer software in assembly, C, or C++, then I agree with you wholeheartedly -- but we're not talking about a computer, we're talking about an RFID reader. You know, a small device that doesn't have the latest gaming processor from AMD and Intel and 2 gigs of RAM. It has enough memory for what it needs to do and that's it; and, to be low power, it has a small, simple embedded processor.

You can't run a JVM on this thing, and even if you wanted to, it would be a bad idea.

Re:

[Anonymous Coward]

This is not 1990 anymore. Embedded systems are not underpowered. Embedded systems today are quite literally THOUSANDS of times more powerful than the supercomputers that you and I grew up with. Here's one example of an RFID reader [adazonusa.com]. 64MB of RAM. Windows Mobile 2003. Here's another one [arm.com] with an XScale processor. XSCALE. DO YOU HAVE ANY IDEA HOW POWERFUL AN XSCALE PROCESSOR IS? When I first was working with garbage collection and automatic bounds checking, I dreamed for something even a fraction as powerful as

Re:

[808140]

I am indeed aware that most cell phones run a JVM, but I guess I don't think of cell phones as being "embedded" (not saying they aren't, just that I feel like they've long since ceased to be appliances and have started becoming small, hand-held computers in both capability and application).

I will admit that I assumed that an RFID reader would not be as powerful as they appear to be. I guess we have hardware bloat these days, huh? Well, in light of the evidence, I withdraw my critique. I don't see why we'

Re:

[AdamInParadise]

Now, here is a funny thing: an exploitable buffer overflow [sun.com] was recently found in the native library handling images in Sun's JVM. This is one of the most significant security bug found in this JVM for the past few years.

Programs in Java are more secure than programs in native code, but only as long as they don't rely on native libraries ...

Re:

[AdamInParadise]

Hint: most cell phones run their software almost exclusively on a JVM.

Hum, no. Many cell phones can run Midlets, but the main firmware (user interface, call handling, SMS, picture processor...) is programmed in native code. On Symbian and Windows Mobile cell phones, you can actually install additional native appliations. Midlets are only used for user-downloaded applications programmed in Java, which is a really small market. Blackberries are the only cell phones that run every program in Java, including the user interface, but even them rely on significant portions of nativ

Re:

[zefrer]

Exactly, and besides that fact, how is it the language's fault if the programmer doesn't do proper checking? _Because_ C is not a type safe language is why programmers need to be extra careful in making proper checks when dealing with buffers _especially_ on a f***** passport reader...

Re:

[808140]

Right, I don't think anyone here really disagrees with you. However, the fact is, many programmers are not as careful as they think they are, nor are they as leet as they consider themselves to be -- even well-written software like the Linux kernel, Samba, and OpenBSD, whose hackers are a million times more competent than you, I, or indeed, 99.9% of programmers out there, have had bugs resulting from simple buffer overruns, sign overflow errors, and memory leaks.

It most certainly is not the fault of C tha

Re:

[808140]

But in business, rapid development is important. Higher level languages, in general, make for more rapid time-to-market than low level languages, precisely because there's less bug-chasing.

Re:

[808140]

Why was this moderated troll? Just because of the juvenile ad homniem in the last sentence?

Re:

[m2943]

Just because of the juvenile ad homniem in the last sentence?

It's not a "juvenile ad hominem".

We get a story about security-relevant buffer overflows in important C programs almost daily. These are serious problems. To address those, either we need better programmers or we need better tools. Since we can't educate the programmers any more than we already do, obviously it's the tools that aren't working, and that means that the people who are choosing the tools are making the wrong choice, and the GGP pos

Re:

[RAMMS+EIN]

While I appreciate your attempt to correct your parent's somewhat narrow view of programming (as you correctly point out, not all systems are equally powerful), I feel compelled to point out some flaws in your argument.

Your argumentation suggests that a type-safe language will necessarily lead to more cpu-intensive code. This is simply not the case. For the most part, type-safety can be enforced at compile time. The result is a program that is type-safe by construction, without requiring any run-time checks

Re:

[808140]

Thanks for the correction. Actually, an earlier poster pointed out to me that these machines are embarrassingly overpowered for what they do, and so my criticism was pretty much moot anyway.

As for type-safety, I actually know what you mean -- I do most of my programming is in Haskell these days, which has a very powerful type system. Runtime errors are relatively infrequent as a result, but when they do occur, it's often because I'm trying to take the head of an empty list, or something similar, a proble

Re:

[IchBinEinPenguin]

So write the reader in C for efficiency if you must, but DO NOT LET THE READER INTERPRET THE DATA!!

The reader simply passes the data to the PC, which is powerful enough to use a 'safe' language (with bounds checking, garbage collection, VM-sandboxing etc. etc.). Data obtained from the card is untrusted and should be treated as such until proven otherwise.

The problem here is not the reader, but the JPEG library running on the host.

Re:

[The Master Control P]

I've worked with high and low level programming languages, and they all have uses. I once wrote a machine language program to draw rectangles on my 24 year old laptop by poking about 20 bytes into memory; It did in one second what took BASIC one minute. I also made a mistake before that and had to salvage my data by dumping the machine's memory through a serial port. That doesn't mean I should stick with BASIC because it's overflow-proof, or never use assembly because it's dangerous.

I'm also learning SVG

Re:

[owlstead]

Yeah, they should have used Java. Then again, the underlying JPEG libraries are still written in C++, if my information is still correct. So the wait is on for a rewrite in Java or maybe C#. You would not want a scripting language to do the JPEG decoding I suppose, that would bring the system performance down too much.

Security Through Obscurity

[RAMMS+EIN]

``Grunwald suggests that vendors are typically using off-the-shelf JPEG2000 libraries, which would make the vulnerability common.''

Because everybody knows that, had they written their own code, it would have been much more secure. Just like magic.

Re:

[Aetuneo]

No; if they had written their own code, the vulnerabilities would have varied between systems, making the effectiveness of an attack less than it is in a monoculture. Of course, had they done that, there would have been a slew of new and exiting vulnerabilities, which might be much more major.

Why use silly RFID toys?

[dsgrntlxmply]

I for one look forward to the superior alternative of Definitive Biometric Real ID for air travel.

Undressing in front of the uniformed agent, undergoing endoscopy with low-bid lubricant, then going through the rotating-brushes Lockheed Martin AlloScrub body wash to remove all possible caches and residues of others' DNA before having the blood draw, is the highlight of any ordinary business trip. The $635 airport security fee is a bit of a burden, though, as are the 12 hour fast and prep. enema.

Waiting