Global RFID Passport Encryption standard cracked in 2 hours

Global RFID Passport Encryption standard cracked in 2 hours


One big hit to the public confidence in RFID has come from the Netherlands, where a security firm partnered with a TV program to successfully decrypt a Dutch-prototype RFID passport.

In just two hours, officials from Riscure and “Nieuwslicht” intercepted, stored, and cracked the password encrypted on an RFID-tagged passport. The result was the virtual “undressing” of the passport, allowing the “hackers” access to the digitized fingerprint, the photograph, and all other encrypted and plain text data on the passport.

Why did this happen? What’s wrong with RFID? Well, the second question has an answer for another article. The answer to the first question is this: The algorithm used to generate the secret key was eminently predictable. Turns out that the manufacturer issued keys sequentially and produced the encryption using only the person’s birthdate and the passport number, expiration date and checksum.

Dutch officials will be going back to the drawing board in efforts to make the RFID passport encryptions more difficult to break. Clearly, officials in the U.S. should listen as well, since a massive plan this fall calls for all new American passports to have the exact same RFID tag and encryption scheme (which, by the way, is the current sorry excuse for a global standard).