Slashdot Mirror


Hackers Clone E-Passport

mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"

23 of 185 comments

  1. "No Shit," collectively the masses said. by hkgroove · · Score: 5, Insightful

    But this unfortunately is not going to stop the governments from wasting money on them.

  2. I've got one by Spad · · Score: 4, Interesting

    I just renewed my passport, hoping to get in before the "biometric" passports became mandatory in the UK (Not that there's actually *any* biometric data on them), but sadly I've ended up with an RFID chip embedded in the back page of my new one.

    The booklet that comes with it helpfully suggests ways to damage the chip, such as microwaving it, but doing so will render the passport useless, unfortunately. Anyone know where I can get a good tinfoil wallet from?

    1. Re:I've got one by Lurker187 · · Score: 5, Informative

      I believe that those anti-static bags that many computer boards come in will block an RFID signal. They certainly look exactly like the bag I was given with my RFID remote toll-paying tag, and putting the tag in the bag supposedly blocks it from being read.

      (What, you don't have any old computer parts in their original anti-static bags?!? That's it, no /. for you! ;) )

      --
      [command INSERTWITTYQUIP failed: insufficient wit]
    2. Re:I've got one by hkgroove · · Score: 4, Funny
      Seriously, how the hell is this allowed to happen??
      The boxes told them they were lost.
    3. Re:I've got one by plantman-the-womb-st · · Score: 5, Informative

      Nope, the keys for my marina are RFID and I tested this very thing. The machine read the card as usual.

      --
      Say bad words about my book, in cold oatmeal, or I shall sue!
    4. Re:I've got one by chownrus · · Score: 5, Informative

      I think this will meet your needs: http://www.emvelope.com/products

    5. Re:I've got one by lga · · Score: 4, Informative

      The RFID chip is only the first step.

      The current chip contains a scanned photo. Future passports will be issued with an ID card which means going to an enrolment centre to get your iris and fingerprints scanned and entering all your details into the national identity register. The iris scan may or may not be included in the passport RFID chip and the fingerprints won't be at first.

      The price of passports will go up from 51 pounds to 66 pounds in October (they were only 42 pounds last year!) to cover the costs and may rise again when ID cards start being issued.

      Anyone who wants to avoid the National Identity Register should join the renew for freedom campaign and renew their passport early. It is too late to avoid the biometric passport with RFID, but you will stay off of the NIR and will not have to provide fingerprints and iris scans in person. It will cost you 51 pounds but may well be worth it to avoid having to tell the Identity and Passport service every time you move house.

  3. At least it won't work for a drive-by cloning by plover · · Score: 4, Interesting
    According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surreptitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

    Of course, that won't stop the mad bombers with their IEDs from detonating their bombs in the presence of an ePassport. The video from TFA shows yet another weakness in this crappily designed (i.e. vendor driven) system.

    --
    John
    1. Re:At least it won't work for a drive-by cloning by IAmTheDave · · Score: 4, Insightful
      Well that's fucking secure - chalk up another one for security through stupidity.

      Ya know, there is not a thing that Homeland Security has done that has made us more secure. Even the one or two instances where they actually tracked down a terrorist cell instead of wasting government money on vacations and useless Katrina relief trailers could easily have been done by the individual agencies themselves.

      It's almost difficult to fathom what anyone that requires this shit is thinking. There is no evaluation of technology, and a complete lack of understanding of security. Unfortunately, those that make the decisions often disregard for political reasons the constant cries of the actual technology folks in those agencies that actually point out these flaws. Unfortunately, their cries fall on deaf ears (although, a big thanks for not giving up the good fight). But politics outweighs information, and RFID gets put into passports, despite the overwhelming evidence that they are a very bad idea.

      Almost all of this is politically motivated now, in one of two avenues - to "appear" to be taking some action to protect security, or in an effort to more easily collect information on anyone that steps one foot into this country - be ye citizen or visitor.

      Checks and balances, being the glory of the past but just about dead now, make sure that these unilateral decisions can be made without any oversight. And with Bush just giving himself more power (a parody, but eerily poignant) there is no end in sight to this stupidity.

      --
      Excuse my speling.
      Making The Bar Project
  4. RFID is the latest buzz. by Skynet · · Score: 4, Funny

    Now if we could only enable these RFID passports to download XML via SOAP on a Web 2.0 platform with XmlHttpRequest, Ruby on Rails would finally take off.

    --
    Execute? [Y/N] _
  5. This isn't news. by 4815162342 · · Score: 5, Informative

    While the headline sounds scary, when you examine it closer, this isn't really surprising. The ability to copy the passport is not the issue here. The key point of the technology was to have the issuing government digitally sign the information contained in the passport. This means that a forger cannot simply tip-ex out the name and put in a new one ;-) The article did not mention if the German passport contains bio-metric data, i.e. a digital copy of the photo. This combined with a digital signature of the photo would make the system very secure indeed. The passport inspector simply scans the data and compares the photo to the person standing before him. I don't see how this "hack" compromises the security of the system, except in cases where the inspecting authority misuses or misunderstands the basis of security in the system.

    --
    There are only 10 types of people in the world. Those who understand binary and those who don't!
    1. Re:This isn't news. by plover · · Score: 5, Insightful
      The weakness happens if the inspector examines only the paper copy and relies on the electronic copy to perform the security checks in the background. That's likely to become a common occurrence -- look at the passport, scan the passport, chat with the guy asking if he's here on business or holiday, wait for a green "OK" screen in the corner of your eye, and wave him through. It'll happen a hundred times a day, and the inspectors will make mistakes.

      Probably the better question is "will the bad guys be willing to risk trying this?" No doubt there'll be an endless stream of stolen passport data available on line from crooked hotel clerks -- skimmed e-passport RFID data will be the next hot hacker item for sale.

      --
      John
  6. What's more... by vain+gloria · · Score: 5, Insightful
    But this unfortunately is not going to stop the governments from wasting money on them.

    Our money.
  7. Re:At least it won't work for a drive-by cloning: by undef · · Score: 4, Informative

    Safe from surreptitious cloning? Big deal. You routinely hand over your passport at hotels, etc... while in Europe.

  8. Re:And this helps... how? by Tweekster · · Score: 4, Informative

    Do you think it's hard to snag someone's passport?

    How about a pickpocket at the airport, they can even turn it in to the lost and found afterwards. Suddenly being John Smith isn't that bad now...

    And secondly, gee I really wonder if the people at the border are gonna be lazy and not bother to check but simply swipe it.... oh wait they are lazy and will do exactly that!

    As for the need to steal a passport right now to do this...wait a week, I'm sure someone will figure out how to take this one step further.

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis
  9. Not so bad really... by MobyDisk · · Score: 4, Insightful

    After reading this article, the RFID thing isn't nearly as bad as I thought.

    1) They aren't eliminating the physical passports. So all the physical protections (watermarking) still apply.
    2) They are shielding the passports so they can't be remotely read.
    3) You need to send a cryptographic key which makes it even more difficult to read remotely (although I don't understand how this works).
    4) They are hard to tamper with because of the hashes (assuming they are good hashes, this is comparable to watermarks).

    Having said that, I'm not sure why the RFID thing is even useful. A bar code would be simpler, although no more or less tamper proof. And there are existing machines which can read passports by scanning them and OCRing. They are very reliable since passports use high-quality printed text with the characters in known fonts and positions.

  10. Specs here by hughk · · Score: 5, Insightful
    You can find a copy of the specs on the ICAO website.

    It doesn't give away a lot, it doesn't have to. A passport must be inspectable by anyone so the spec on how to read it must be pretty much public. There is an (optional) electronic signature mechanism, but this predicates an international public key infrastructure. The bank where I work has enough problems getting one of those together, let alone an international organisation. PKI is very hard. Google for references on this.

    Key compromise means that all issued documents are then compromised. Can you imagine a country recalling all its passports?

    --
    See my journal, I write things there
  11. Secure Documents don't need RFID by davidwr · · Score: 5, Insightful

    In order to be "secure" against fakery a passport, or any document should:

    1) Have a digital signature of all the data, or at least a signature of a strong one-way hash.
    2) Have a means to verify the signature, and that the signer's key hasn't been repudiated.
    3) Have a means to verify the hash is legit, i.e. rehash the data on the spot.
    4) Have a means to verify the data in question matches the printed version of the document, e.g. a computer screen that shows the digitized picture and the other data that should be on the printed document. A human, or perhaps a computer, can then compare that with the actual document.

    Steps 1, 2, and 3 are at the heart of any digital-signature-validation scheme. Step #4 will detect misuse, as someone using a cloned passport will "look" the same as someone using a stolen-but-legitimate one to the checker.

    An alternative, where bandwidth is available, is to have the document-issuing authority validate the document: Upload the document to the authority, and have it send back a "valid" or "not valid" response. This is essentially what happens with credit cards: the name, card #, and expiration date are passed on to the bank or the bank's agent, and the merchant gets back a code saying "card is valid," "card not valid," or one of several other codes such as "card reported stolen/missing."

    There are still 2 problems with this approach:
    1) The identical twin or look-alike problem.
    2) Privacy issues if passport data is compromised.

    The twin problem is mitigated by the digitized version of the handwritten signature, a fingerprint, notation of scars, or other items which look-alikes are less likely to share. Privacy issues are in principle no more than they are today with stolen passports, ASSUMING no information that is not on the printed passport finds its way to the embedded electronic data. However, electronic data is much easier to deliver to fraudsters than paper data, and passport thieves aren't likely to spend the time typing or scanning in data from a paper passport. The best cure for this is to encrypt the data.

    RFID is not required for a secure document. All RFID does is make the data easier to read, which is good for those who want to read the passports without contacting them, be they friend or foe. Hmm, maybe someone should invent an RFID tag with an "on" switch.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
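
An added example, not part of the comment above or of any real passport software: the four checks davidwr lists, run against an issued record, a byte-for-byte clone and an edited copy. The issuer key is a toy textbook-RSA key (two publicly known Mersenne primes, no padding), the record is constructed, and every name in the code is hypothetical.

```python
import hashlib

# Toy issuer key: textbook RSA over two publicly known Mersenne primes.
# Illustration only: no padding, and the factors are public knowledge.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent

REVOKED_KEYS = set()   # hypothetical list of repudiated issuer moduli

def digest(fields: dict) -> int:
    """Step 3: rehash the data on the spot (SHA-256 over a canonical form)."""
    canon = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big")

def issue(fields: dict) -> dict:
    """Step 1: the issuer signs a strong one-way hash of all the data."""
    return {"fields": dict(fields), "sig": pow(digest(fields), D, N)}

def verify_chip(chip: dict) -> bool:
    """Steps 2 and 3: key not repudiated, signature matches a fresh hash."""
    if N in REVOKED_KEYS:
        return False
    return pow(chip["sig"], E, N) == digest(chip["fields"])

def inspect(chip: dict, printed: dict) -> str:
    """Steps 1-3 plus step 4: chip data must match the printed document."""
    if not verify_chip(chip):
        return "reject: bad signature"
    if chip["fields"] != printed:
        return "reject: chip does not match printed document"
    return "accept: now compare the photo with the holder"

# Constructed sample record; none of these values come from a real document.
ORIGINAL = issue({"name": "SAMPLE HOLDER", "doc_no": "X0000000",
                  "photo_sha256": "constructed-sample"})
# A clone copies data and signature unchanged, so the signature still verifies.
CLONE = {"fields": dict(ORIGINAL["fields"]), "sig": ORIGINAL["sig"]}
# An edited record keeps the old signature, which no longer matches the hash.
FORGED = {"fields": {**ORIGINAL["fields"], "name": "SOMEONE ELSE"},
          "sig": ORIGINAL["sig"]}

if __name__ == "__main__":
    other_booklet = {**ORIGINAL["fields"], "name": "SOMEONE ELSE"}
    print("clone, same printed page :", inspect(CLONE, ORIGINAL["fields"]))
    print("clone, different booklet :", inspect(CLONE, other_booklet))
    print("edited chip              :", inspect(FORGED, other_booklet))
```

The signature check alone cannot tell the clone from the original; only the comparison against the printed page and the holder does.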
  12. They don't want Americans traveling abroad by MikeRT · · Score: 5, Insightful

    An insecure, RFID-driven passport is the perfect thing for making it too dangerous for Americans to travel safely abroad. If an American had one of these in Lebanon, Hezbollah could walk through a public place with an RFID reader and discreetly find some good targets of hostage-taking opportunity. It'd be easier for the Chinese police, for example, to track American visitors.

    Don't go abroad! Don't see the world except through the lens of CNNABCCBSNBCFOXNPR! That's how the political class wants it. A population that is scared to travel is a population that can't as easily see the world on its own and make its own decisions.

    1. Re:They don't want Americans traveling abroad by el_womble · · Score: 5, Funny

      Trust me. Foreigners don't need RFID to spot an American from 100 meters :)

      --
      Scared of flying, pointy things since 1979!
  13. RFID tag with an "on" switch by davidwr · · Score: 5, Insightful

    I'm not even an expert in the field, but an RFID tag with an "on" switch seems pretty obvious. Just put the switch between the antenna and the rest of the device. It can be either a traditional on-off switch or a pressure-sensitive "off when not pressed" switch. Imagine an RFID-enabled passport that ONLY broadcasts when someone was holding down the "broadcast" switch.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:And this helps... how? by Dare+nMc · · Score: 4, Interesting

    >Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport.

    Except that 2 major stated purposes of RFID in passports are nullified by his actions.

    IE:
    RFID passports are more secure/no the digital portion can be copied easier than the paper.
    RFID passports will speed customs/no the RFID download can't be trusted, without thorough comparison to the paper.

    Also, identity theft occurs within families. So if I were 18 year old George W Bush Jr, I snag W Bush Sr's passport, make a copy of the chip, return it. Unless a photo is on the RFID chip, there are only 3 differences in our passports, 1) Age, 2) an additional roman numeral (ie III instead of II) 3) SSN

    Not to mention there are 3 unrelated Jim Jones within 5 miles of my house, all within 5 years of age to me, likely at least 2 have the first 3 digits of their SSN the same as me (most SSN's issued in my home state, of similar issue dates started with number in the range of 478 to 480)
    So if I were to become a felon on parole with a travel ban,
    1) have my name legally changed to Jim Jones
    2) Break into Jim Jones' houses, clone digital chip, Jim never knows.
    3) I now have 4 passable unique ID's to use anywhere I want, 1 piece of paper, 3 chips to swap.

  15. Security, shmecurity. by RunzWithScissors · · Score: 4, Interesting

    Unfortunately, we've already seen that governments place a higher importance on the appearance of security rather than actual security. For direct evidence, just look at airport screening.

    I'll concede that x-ray'ing baggage would highlight obvious weapons like knives or guns. However, as we've seen from the likes of Yousef Josef and other terrorists, people can smuggle bomb components on planes using items, such as watches, which would not be picked up by the usual airport screening procedures. Add to that the ever so effective comparison of the name and date on my boarding pass with the name on whatever casually inspected ID I provide. Please don't even get me started on how ridiculous making me take off my shoes is.

    If governments were really serious about airport security, they would adapt a model similar to the one used in Israel. Roving groups of heavily armed, well trained commandos that stop "interesting" individuals and select them for additional screening. However, this method would be too inconvenient and intrusive for travelers (Americans).

    This is the state of governmental security. To the not very determined to violate it, lay individual, it appears that there is SOME kind of security in place. With a slight bit more investigation, someone with a bit of desire can easily violate it, thereby rendering the "security" utterly useless. But hey, they have to have some way to spend our tax dollars, right?

    -Runz