‘Undo Control’ – The CCC and airport access controls

Title inspired by ‘Dark Tranquillity’


So this is an interesting one: the CCC (Chaos Computer Club), well known to probably anyone who can spell ‘hacking’, did a field exercise at Hamburg airport following a talk which took place at the 26C3. The focus of their attention was the Legic Prime RFID-based access control system, which is the method of choice, not only at Hamburg airport, for controlling access to sensitive areas. As originally reported by Kontraste and later picked up by other news media, the two CCC members, Karsten and Henryk, used a close-proximity RFID device (likely a Proxmark 3) to read and replay the security badges of staff members. Surprised at how easy it was, Karsten stated: “It was easy to annul the system, which surprised us a bit as it is marketed as a security system and widely used. We were simply shocked that there were no further obstacles we had to overcome.” From the sound of it, this was as easy as standing close to airport staff (around 15 cm distance) to read the badge and then just walking past the security checkpoint waving the copied tag.

Statements about this incident from the airport spokesperson are a bit unclear, but the bottom line seems to be: ‘Yeah, we know, it’s an old system, but we will not be able to replace it too soon due to budget constraints. Sensitive areas will be guarded by staff members.’ Brilliant, I’m sure staff is much cheaper than technology – especially in Germany. I bet that goes down nicely in times when half the planet is in heated discussions about ‘naked scanners’ and airport security in general.