Slashdot Mirror
Hackers Clone E-Passport
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
But this unfortunately is not going to stop the governments from wasting money on them.
While the headline sounds scary, when you examine it closer, this isn't really surprising. The ability to copy the passport is not the issue here. The key point of the technology was to have the issuing government digitally sign the information contained in the passport. This means that a forger cannot simply tip-ex out the name and and put in a new one ;-)
The article did not mention if the German passport contains bio-metric data. i.e. a digital copy of the photo.
This combined with a digital signature of the photo would make the system very secure indeed.
The passport inspector simply scans the data and compares the photo to the person standing before him.
I don't see how this "hack" compromises the security of the system, except in cases where the inspecting authority misuses or misunderstands the basis of security in the system.
There are only 10 types of people in the world. Those who understand binary and those who don't!
Our money.
I believe that those anti-static bags that many computer boards come in will block an RFID signal. They certainly look exactly like the bag I was given with my RFID remote toll-paying tag, and putting the tag in the bag supposedly blocks it from being read.
/. for you! ;) )
(What, you don't have any old computer parts in their original anti-static bags?!? That's it, no
[command INSERTWITTYQUIP failed: insufficient wit]
It doesn't give away a lot, it doesn't have to. A passport must be inspectable by anyone so the spec on how to read it must be pretty much public. There is an (optional) electronic signature mechanism, but this predicates an international public key infrastructure. The bank where I work has enough problems getting one of those together, let alone an international organisation. PKI is very hard. Google for references on this.
Key compromise means that all issues documents are then compromised. Can you imagine a country recalling all its passports?
See my journal, I write things there
In order to be "secure" against fakery a passport, or any document should:
1) Have an digital signature of all the data, or at least a signature of a strong one-way hash.
2) Have a means to verify the signature, and that the signer's key hasn't been repudiated.
3) Have a means to verify the hash is legit, i.e. rehash the data on the spot.
4) Have a means to verify the data in question matches the printed version of the document, e.g. a computer screen that shows the digitized picture and the other data that should be on the printed document. A human, or perhaps a computer, can then compare that with the actual document.
Steps 1, 2, and 3 are at the heart of any digitally-signature-validation scheme. Step #4 will detect misuse, as someone using a cloned passport will "look" the same as someone using a stolen-but-legitimate one to the checker.
An alternative, where bandwidth is available, is to have the document-issuing authority validate the document: Upload the document to the authority, and have it send back a "valid" or "not valid" response. This is essentially what happens with credit cards: the name, card #, and expiration date are passed on to the bank or the bank's agent, and the merchant gets back a code saying "card is valid," "card not valid," or one of several other codes such as "card reported stolen/missing."
There are still 2 problems with this approach:
1) The identical twin or look-alike problem.
2) Privacy issues if passport data is compromised.
The twin problem is mitigated by the digitized version of the handwritten signature, a fingerprint, notation of scars, or other items which look-alikes are less likely to share. Privacy issues are in principle no more than they are today with stolen passports, ASSUMING no information that is not on the printed passport finds its way to the embedded electronic data. However, electronic data is much easier to deliver to fraudsters than paper data, and passport theives aren't likely to spend the time typing or scanning in data from a paper passport. The best cure for this is to encrypt the data.
RFID is not required for a secure document. All RFID does is make the data easier to read, which is good for those who want to read the passports without contact them, be they freind or foe. Hmm, maybe someone should invent an RFID tag with an "on" switch.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Nope, the keys for my marina are RFID and I tested this very thing. The machine read the card as usual.
Say bad words about my book, in cold oatmeal, or I shall sue!
An insecure, RFID-driven passport is the perfect thing for making it too dangerous for Americans to travel safely abroad. If an American had one of these in Lebanon, Hezbollah could walk through a public place with a RFID reader and discretely find some good targets of hostage-taking opportunity. It'd be easier for the Chinese police, for example, to track American visitors.
Don't go abroad! Don't see the world except through the lens of CNNABCCBSNBCFOXNPR! That's how the political class wants it. A population that is scared to travel is a population that can't as easily see the world on its own and make its own decisions.
I'm not even an expert in the field, but an RFID tag with an "on" switch seems pretty obvious. Just put the switch between the antenna and the rest of the device. It can be either a traditional on-off switch or a pressure-sensitive "off when not pressed" switch. Imagine an RFID-enabled passport that ONLY broadcasts when someone was holding down the "broadcast" switch.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I think this will meet your needs: http://www.emvelope.com/products