Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Clone E-Passport

Posted by ryuzaki0 on from the thank-heavens-for-black-hat dept.

mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"

6 of 185 comments (clear)

  1. I've got one by Spad · · Score: 4, Interesting

    I just renewed my passport, hoping to get in before the "biometric" passports became mandatory in the UK (Not that there's actually *any* biometric data on them), but sadly I've ended up with a RFID chip embedded in the back page of my new one.

    The booklet that comes with it helpfully suggests ways to damage the chip, such as microwaving it, but doing so will render the passport useless, unfortunately. Anyone know where I can get a good tinfoil wallet from?

  2. At least it won't work for a drive-by cloning by plover · · Score: 4, Interesting
    According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surrepetitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

    Of course, that won't stop the mad bombers with their IEDs from detonating their bombs in the presense of an ePassport. The video from TFA shows yet another weakness in this crappily designed (i.e. vendor driven) system.

    --
    John
  3. Re:And this helps... how? by Dare+nMc · · Score: 4, Interesting

    >Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport.

    Except that 2 major stated purposes of RFID in passports is nullified by his actions.

    IE:
    RFID passports are more secure/no the digital portion can be copied easier than the paper.
    RFID passports will speed customs/no the RFID download can't be trusted, without thourgh comparison to the paper.

    also Identity theft occurs within families. So if I were 18 year old George W Bush Jr, I snag W Bush Sr's passport, make a copy of the chip, return it. Unless a photo is on the RFID chip, their are only 3 differences in our passports, 1) Age, 2) a additional roman numeral (ie III instead of II) 3) SSN

    not to mention their are 3 unrelatead Jim Jones within 5 miles of my house, all within 5 years of age to me, likely at least 2 have the first 3 digits of their SSN the same as me (most SSN's issued in my home state, of simular issue dates started with number in the range of 478 to 480)
    So if I were to become a felon on Parol with a travel ban,
    1) have my name legaly changed to Jim Jones
    2) Break into Jim Jones' houses, cloan digital chip, Jim never knows.
    3) I now have 4 passable unique ID's to use anywhere I want, 1 piece of paper, 3 chips to swap.

  4. challenge-response? by tilminator · · Score: 3, Interesting

    Why is it so hard to implement a challange-response mechanism to avoid airing the entire passport data?

    Especially when they are going to store fingerprints /images/iris scans on the chips, I would expect the passport chip to do the matching up. (Of course, it has to legitimate itself, too.) Just imagine having to change your fingerprints because of identity theft. Americans already have a taste of this with social security numbers.

    BTW, if all you'd like to broadcast is your name and number, just print a barcode. That works perfectly fine in Chile (or Colombia? sorry).

    --
    -- up-modding policy: make a good point, write self-contained.
  5. Security, shmecurity. by RunzWithScissors · · Score: 4, Interesting

    Unfortunately, we've already seen that governments place a higher importance on the appearence of security rather than actual security. For direct evidence, just look at airport screening.

    I'll conceed that x-ray'ing baggage would highlight obvious weapons like knives or guns. However, as we've seen from the likes of Yousef Josef and other terrorists, people can smuggle bomb components on plains using items, such as watches, which would not be picked up by the usual airport screening proceedures. Add to that the ever so effective comparison of the name and date on my boarding pass with the name on whatever casually inspected ID I provide. Please don't even get me started on how rediculous making me take off my shoes is.

    If governments were really serious about airport security, they would adapt a model similar to the one used in Israel. Roving groups of heavily armed, well trained commandos that stop "interesting" individuals and select them for additional screening. However, this method would be too inconvienent and intrusive for travelers (Americans).

    This is the state of governmental security. To the not very determined to violate it, lay individual, it appears that there is SOME kind of security in place. With a slight bit more investigation, someone with a bit of desire can easily violate it, thereby rendering the "security" utterly useless. But hey, they have to have some way to spend our tax dollars, right?

    -Runz

  6. So they can copy the encrypted data, so what? by MCraigW · · Score: 3, Interesting
    Okay, so lets say a terrorist reads your passport RFID chip as you walk by, and makes a copy of the encrypted data on the chip. How does the terrorist use this to gain access to some country so he can blow himself up?

    In the USA the passport jacket will have a metal lining so that the RFID cannot be read when the passport is closed.