Adam Laurie out of the UK, is yesterday reported by Computerworld as having cracked the RFID chip contained in new UK Passports. The story "Crack! Security expert hacks RFID in UK passport" documents how using a brute force technique with information gleaned about the user from the internet, Adam was able to crack the code with his program after 40,000 attempts.
While this may seem like a lot of attempts, computers are able to deliver thousands or tens of thousands of attempts per minute or even more. Therefore, the program is very quick.
Adam didn't even take the passport out of the wrapper it was delivered in.
The story quotes the British Government as responding:
""The key point ... is that the information on the chip cannot by changed, rendering the procedure described by Adam Laurie pretty pointless," wrote Peter Wilson, senior press officer, in an e-mail."
"Further, a cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released last month by the National Audit Office."
To which the story then quotes Adam "But Laurie said the new passports were marketed as enhancing security, "but so far I don't see anything about it that increases my security.""
"The greatest weakness with the passports is using relatively easy-to-find data to compose the encrypted key, Laurie said. It would be better to include more random elements that would render brute-force style programs nearly useless, he said."
Bottom line: RFID is breakable depending on the encryption scheme used. In this case, the encryption algorithm user key was poorly designed and open to brute force attacks.