UPDATED 12:37 EDT / NOVEMBER 22 2011


Chaos Computer Club Teaches German Airports that Good Security isn’t RFID Deep

It looks like the Chaos Computer Club are at it again: during a German TV programme entitled “Data theft via wireless – security risks at German airports” they revealed that German airports have a massive security hole. The threat is a very old one. It involves forging credentials in order to bypass segments of security that are left deliberately weak for employees.

In this case, it involves faking the RFID signals of employee access cards. Bblfish from Oracle’s blog reports on how the trick goes down:

The trick is simple. Employees at many airports use badges that are read wirelessly by scanners. Using a trick similar to that described by Chris Paget’s RFID cloning presentation—a massive security scandal in the US—it is possible to capture the signals emitted by these cards and use that to produce fake ones. Having created one such card, the CCC members were able to gain access to secure parts of the Hamburg airports without going through any of the security checks imposed on the passengers.

Those who follow my security philosophy probably already know my answer to this: Security is not a single-layer exercise. A single-factor bypass for a “special class” of security will always be easily exploitable and leave critical areas open to attack—for example, you don’t just let someone through a secure area simply because they’re wearing the right uniform (uniforms are easily duplicated).

And in this case, cloning an RFID badge has become almost as trivial as the social engineering aspect of duplicating a uniform. Good security approach: require a keycode to be entered along with the RFID badge; better security approach: train personnel to recognize one another and proper badges, so that if someone steals the keycode and duplicates the badge, the intruder still gets questioned.

Even better, if you really want to secure your behind-the-lines critical areas in an airport: don’t allow anyone to bypass primary security such as scanners, X-rays, etc. Employees should be subjected to the exact same sanity check as everyone else when they’re outside the critical area. Allowing any sort of bypass means that a determined attacker can easily begin to pose as an employee, gain a bypass of the scanning equipment, and then traffic in whatever they like.
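To make the two preceding points concrete, here is an added toy model (not the CCC’s work or any airport’s system; every badge ID, PIN and record is constructed). A reader that opens on the badge ID alone cannot tell a captured-and-replayed ID from the genuine card, whereas a reader that also demands a keycode rejects the bare clone; a third check models the “no bypass of primary screening” rule.

```python
"""Toy badge-reader model: constructed example, not the article's or CCC's code."""
import hashlib
import hmac
from typing import Optional

# Constructed enrolment records: badge UID -> (employee, SHA-256 of the PIN).
ENROLLED = {
    "04A1B2C3": ("alice", hashlib.sha256(b"4921").hexdigest()),
}

# Constructed scenario: an attacker recorded Alice's badge UID over the air.
CLONED_UID = "04A1B2C3"


def single_factor_reader(uid: str) -> bool:
    """Door opens on the UID alone. A cloned card presents the same UID as
    the genuine one, so the reader has nothing to distinguish them by."""
    return uid in ENROLLED


def two_factor_reader(uid: str, pin: Optional[str]) -> bool:
    """Door needs the badge UID plus a keycode typed at the reader."""
    record = ENROLLED.get(uid)
    if record is None or pin is None:
        return False
    _, pin_hash = record
    entered = hashlib.sha256(pin.encode()).hexdigest()
    # Constant-time comparison so the reader leaks nothing about the PIN.
    return hmac.compare_digest(pin_hash, entered)


def admit_to_critical_area(uid: str, pin: Optional[str], screened: bool) -> bool:
    """Even a valid badge and PIN only gets you in if you went through the
    same scanner/X-ray screening as every passenger (no employee bypass)."""
    return two_factor_reader(uid, pin) and screened


def clone_scenario() -> dict:
    """What each reader design does when shown the cloned badge."""
    return {
        "single_factor_clone": single_factor_reader(CLONED_UID),          # True: clone works
        "two_factor_clone_no_pin": two_factor_reader(CLONED_UID, None),   # False
        "two_factor_wrong_pin": two_factor_reader(CLONED_UID, "0000"),    # False
        "two_factor_legit": two_factor_reader(CLONED_UID, "4921"),        # True
        "legit_but_unscreened": admit_to_critical_area(CLONED_UID, "4921", False),  # False
        "legit_and_screened": admit_to_critical_area(CLONED_UID, "4921", True),     # True
    }
```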

Part of the problem here is that much of the scanning and security equipment at airports is barely a deterrent anyway and serves mostly as an inconvenience. As the last line of defense before the critical area, it will at least catch the criminally stupid. Employees are not exempt from this sort of sanity check in real life, so why exempt them at the airport?

We’ve seen the Chaos Computer Club in action a few times now, and they’re starting to make a name for themselves in the security sphere by revealing how bad policies make everyone less safe. In October, they dissected a German law enforcement Trojan called Bundestrojaner; the Trojan is legal to use in Germany to obtain information, but its use shows a reckless disregard for the damage it does to the target’s privacy. Due to the nature of the Trojan—and of espionage Trojans in general—it also opens the victim up to others who can easily tap into the same information.

It looks like the security establishment and its policies might need an overhaul in Germany, and the Chaos Computer Club are nipping at their heels to fix it.
