Shostack + Friends Blog Archive



Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented:

There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means than an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging (or whatever the attacker may have in mind).

This brings me back to my post from yesterday about RFIDs in passports. As our friends at Flexilis have shown us, this can get even more insidious. To wit:

Additionally, it may be possible to determine the nationality of a passport holder by “fingerprinting” the characteristics inherent in each country’s RFID chips. Taken to a logical extreme, this security vulnerability could make it possible for terrorists to craft explosives that detonate only when someone from the U.S. is nearby.

Check out their video of the risk of an unshielded RFID…