E-Passport Cloned In Five Minutes
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
How we know is more important than what we know.
"It is hard to see why anyone would want to access the information on the chip." Hmmm... it's also hard to see why anyone would want my credit card information, SSN, address, etc. I'm sure nobody really wants to know any personal information about me at all, and I'm sure nobody would ever want to forge any of my identifying documentation.
Something is just wrong with the UK's Home Office. Today I read that they will now classify panty thieves as sex offenders, receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.
Crack - Free with every butt and set of boobs
it is also identity theft.
Engineering is the art of compromise.
As it may be, the people in charge of budgetary approval for the programs which put all of these RFID solutions
into place will steadfastly deny that anything is wrong until they are forced to do so, as agreeing that those are
potentially high security risks would otherwise equate it with having to backtrack on what they previously approved,
even though they were amply forewarned by many in the security-related field.
It's really about not losing face at any cost, lest people start questioning other methods they employ.
Human nature, really. Look no further than the voting machines controversy for parallels here in the US.
Z.
Now another researcher has shown how to clone a European e-Passport in under 5 minutes.
Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.
How long would it take for some 3 letter agency to show up at their door in the US?
thegodmovie.com - watch it
It is merely an electronic mechanism that replaces error-prone human readers with electronic systems that can read the same information into a computer system and automatically link the information with a database for easy identification of possible problems.
No one has shown that the passport can be forged. No one has shown that the RFID on the passport can be overwritten. No one has shown that an agent who receives a cloned passport can't tell it from an official one. The RFID itself doesn't contain any information that wouldn't be accessible by simply reading the passport.
RFID does not enhance security in any way, but it does not detract from security in any way either. It is simply part of the progression of technology from an error-prone human system to a reliable electronic system.
"It is hard to see why anyone would want to access the information on the chip."
Even if the info on the chip is just the same as what's printed in plain sight as they say... it's still defeating one of the security measures in short shrift. How is that not a concern? The fact that the electronic portion of it can be read and copied without actually needing the item (just need to be near it) is a great concern.
Also, the article states that the key to some encrypted information on the chip is something that's printed, in plain sight, on the passport... oh man.
It's a scary world when those who are old and have little clue about technology (the politicians) are told they need a high tech solution to a security issue. They hear a buzzword (RFID) and tell their people "Get something that uses RFID into market STAT!"
Plus, I bet they don't even know what STAT means.
The Open Rights Group (think UK EFF) have a wiki page that provides more information on this and other issues with the British Biometric Passport. The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.
Yes I'm sure it's not very hard to 'read' what's stored on the Passport - but then it's never been very hard to visually look at it and read the paper - god knows how many photocopies there are of my passport in hotels and car-rentals across the planet.
The point of the RFID passport et al is to be able to verify it's genuine. You wave the passport at a border, it summons the electronic version and a check can be made that they match - i.e. verifies that somebody hasn't inserted an alternate photo etc.
If the RFID is just containing a serial number - then why not just use a barcode etc. If passport is broadcasting full details including photos, then the crack that's interesting is if somebody concocts their own passport - and then gets it recognized as a fully signed valid one.
Seeing as most passport fraud is just a genuine one, obtained by a similar looking (or even using the photo of the person going to use it), non-travelling person - then all these schemes are pointless. The weakest link is right at the start with the passport application process. The person who issues your passport hasn't got the slightest clue who you are - and as passports by their very definition are international, if you have trouble getting one in one country, you can just try from another.
It is hard to see why anyone would want to access the information on the chip.
If no one would want to access that information, then why is it on the chip? Why even bother with the chip? Why even bother with the information?
Would seem a logical question ...
Almost every government IT project is a complete failure in the UK. Strike up another win for cronyism and public-private partnerships. At least seeing that smug criminal Tony Blair imprisoned will take our minds off of how totally fucked the UK is.
1. They claim that there is little useful on a passport's details page. Can someone confirm whether this is the case for the purposes of general information theft?
2. If the passport page contains anything useful, how easy or difficult will it be to get hold of this information? Can you stand next to someone in a queue and scan the passport in their carry bag, or do you actually need to hold it close? My ID card at work has an RFID chip, that works only at about 4cm.
3. Is it correct that forging RFID passports will be more difficult? Obviously, if you used to have to manufacture a passport or switch a picture, and you now need to _both_ do that _and_ insert or change an RFID chip, then that raises the bar. So the followups to this question are;
3a. Will passport controls be replaced by RFID scans, or in addition to? I would hardly think the former, but please inform.
3b. Is it possible to change the information on an RFID chip without actually having physical access to the circuitry? As in, are there read/write scanners so you can avoid having to manufacture a chip and replacing it in a passport?
If the answers to these are no, difficult, yes, in addition to and no/no, then I can certainly see it providing additional security. And vice versa. Someone in the know?
Cheers,
-b.
of copies of the id pages of passports - much the same as you'd have if you'd taken a summer job working for Hertz.
RFID IDs are TERRIBLE for personal security, because it adds RANGE to detection and forgery. Parent post has ABSOLUTELY missed the point.
No one is claiming that magnetic stripes and/or bar codes are bad for security. In both cases they make it very marginally harder to copy and virtually eliminate data-entry errors. RFID has a BIG problem beyond that: It can be read without the knowledge of the holder.
No one can read the inside of my paper passport without me giving it to them - nor my magstripe nor bar code. I have complete control over who sees it. Sure, I might be conned into showing someone, but they have to con me. RFID means that:
1. They can copy my information without me ever showing it to them.
2. They can READ my information without me ever showing them, allowing them to identify me from a distance.
3. Even with a perfectly random RFID system, they can identify your nationality from afar, which obviously may make you a target in some circumstances.
To be SAFE, an RFID system must have a) zero emissions in the closed state (eg a tested foil cover) AND b) No non-random information broadcast from the chip. (that is, a random passportID that is broadcast that has NO other information until you look it up in the appropriate database.)
"b" is necessary because "a" alone still allows someone nearby you to snoop whenever you have to show your passport somewhere.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
....in further breaking news: "...we would like to encourage the terrorist tourism trade to the UK; why would they cause any problems?"
Hard work is just an accumulation of the easy things that you didn't do when you should have.
"What do you expect?" "It's the 3rd world."
They need more "technical assistance" from us who are more developed.
But I am not surprised, after all the US, which is the "most technically advanced" country in the world, cannot secure its borders. But is it?
Throw the researchers in jail for showing the weakness in the system. Problem solved!
"It is hard to see why anyone would want to access the information on the chip."
I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport. Hell, he's probably got a diplomatic passport == no search. Pure gold to anyone wanting to move anything *really* profitable.
This answer "...it's hard to see why...." is a line right out of this show. It doesn't say that the information is worthless, nor does it criticise e-passports for being insecure. Instead it says that the spokesman found something (irrelevant) hard to imagine. That's something completely different.
A masterpiece of misdirection, IMHO and just illustrates how hard it is to get a straight answer out of the b@$+@%ds
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I'm sure people were wondering "why would you want to fly planes into buildings?"
A million monkeys and this is the best sig they could come up with...
The answer isn't to come up with some elaborate system like you propose. That's the worst thing to do. The real solution is to ditch these stupid passport schemes.
Passports and other pieces of identification never bring a nation security or safety. The best way to remain safe is to avoid alienating those who could bring you harm. And yes, that means staying out of the affairs of regions on the other side of the world.
You can always get one of these or just wrap your passport in tinfoil.
BRB, I'm making a tinfoil hat for my passport, so it matches mine.
The various articles seem to suggest that the data accessible on the RFID chip is actually printed on the passport anyway. So what's the big deal? For anyone sufficiently inclined to obtain the data they could simply open your passport and read it. Granted the chip makes it easier to obtain this "sensitive" data, but to own and operate the technology to achieve this seems to be no less complex than having a $20 pick-pocket help you get it. In addition, who cares whether it can be copied to another RFID chip? To make that "cloned" data useful, the actual physical passport still needs to be adequately forged and that's not trivial. This "hack" does not seem to have a negative impact on the security of passports. Sure, it doesn't advance their security any, but neither does it detract from it?
The proper response to that spokesman is "Well then, you won't mind lending us your passport for a minute, so we can copy it and put copies on sale in <district with notorious reputation>, will you?".
Some politicians simply need the problem made their personal problem before they'll see it.
So what is the paranoid meant to do to shield their passports? We all joke about the tin-foil, but is there something that actually does the job?
It might not be that big of a deal but the very idea is disturbing. Sure, one could get the data by hiring a pickpocket but that is more troublesome given the fact that the passport holder would surely know that his/her passport was missing and would give warnings/alerts to ensure that it would not be misused. But now, you only need to setup a clever RFID reader/scanner and just sit beside the person. That person would never know what hit him. If someone gets any data from one's passport, that doesn't necessarily mean they would use that to create another passport. Whatever is in that chip could be used for other purposes.
"but to own and operate the technology to achieve this seems to be no less complex than having a $20 pick-pocket help you get it."
... but considering we have this with the banking systems (for the most part), this is not exactly an impossible task.
Do you travel? I ask because I do, and I would like to see a "$20 pick-pocket" take my passport. I don't exactly carry it where this would be possible. And when I'm not carrying it, it's usually in a hotel safe. I tend to want to be able to get back into my country, so I'm careful like that.
Putting an RFID chip on it changes this game. Unless I have a cage around it, the inside pocket of my jacket and the hotel safe no longer provide any security for the information contained therein.
And the idea that "The information printed on the passport is the same" doesn't really hold water. People doing menial jobs are, generally, lazy/inattentive. For example, my wife and I have credit cards that are the kind with your photograph printed on them. I've tried this a number of times (because I'm silly like that), and it has only failed once - I'll take her card and use it (without her with me or in view). Except for *one* time, I've never had a problem using her card. Never mind that the picture on it obviously isn't me, the name on the card isn't right, and the signature certainly doesn't match.
The only way this passport RFID thing would work is if they actually came up with a worldwide system and simply encoded an ID number into the passport. You wave your passport in front of the reader, and up on the computer screen pops your picture, info, etc from the database. The passport simply becomes record number, with no actual information on/in it.
Of course, this also assumes a computer/database/network system that can not be hacked
- Roach
Insert "China" in that sentence. Or "Iraq".
But then, some politicians simply need their lives ended so someone else can see it.
Don't thank God, thank a doctor!
How about having an electronic switch built in to the passport, so that the chip only works when someone holding it wants it to work. For example, you could set it up so that the chip only works when the passport is opened flat on the details page at the front.
I can't imagine it being that hard in theory, although devising a reliable and rugged switch may be a bit more challenging.
Still, I bet it could be done, and it pretty much eliminates all the concerns about people reading the chip without your permission.
a smart bomb, planted by a terrorist group, to trigger when n passports from a target country are in the vicinity, as long as fewer than x passports from countries friendly to the terrorists are also present.
Alternatively, imagine a government putting monitoring devices in public places, or at the entry ways to residential buildings, and tracking when/if people of certain profiled countries are congregating.
What I worry about is a working hack that allows people to insert a different photograph into the information on the chip. There is no border guard in the world who will reject a passport if his electronic scanner shows the photo of the person standing in front of him.
In the "old days" a passport could have had a new photo glued over the top. These could be spotted and rejected. Any new hacks that had a glued-over photo that corresponded with the pic in the RFID chip, would be far less likely to be picked-up. Guards would believe it, because the technology would convince them the passport was genuine.
In any case, we may get to the situation where nobody would look anyway. I came through the gates of Melbourne Airport in Australia a few days ago with my ePassport. I was told by a border guard that soon I would be able to "check myself in" using the passport, without needing to see a border guard.
If the pattern goes 9am, 10am, 11am, why isn't noon 12am?
The ID cards themselves are just a distraction. The real agenda is the setting up of a big database with information on all citizens. While everyone debates ID cards, they get to do what they want with the database proposal. They can back down on ID cards later, and everyone is happy.
It's complete baloney to have a passport readable from a distance - the ONLY, repeat, ONLY use this has is for covert surveillance, and given the bad implementation even that is questionable.
Anything else could have been done with a 2D barcode. Only visible when opened, dirt cheap readers and reproduction, protection by the same existing methods like lamination or encapsulation.
Cloning a passport has become no harder or easier thanks to RFID. But Identity theft will become much much easier.
Couldn't one kill the RFID chip by putting the passport in a microwave oven for a minute?
I can't imagine the rubber-stamper at immigration control not letting me through because he can't read my RFID tag... I'm sure a good percentage of non-zapped passports would fail to scan for one reason or another. If enough people did it, then they just wouldn't be able to rely on them, period.
Just once, when one of these government prats is bragging about their latest and greatest hard-to-forge ID paraphernalia, I hope SOME reporter will point out the uncomfortable fact that none of the 9/11 perps were travelling with forged documents. They had passports in their own names, and credit cards. They made NO attempt to conceal their identities, and in fact were most likely hoping to be hailed as heroes by their fellow fanatics.
If the bad guys were still in the business of trying to bring down airplanes, they'd use people with squeaky-clean records to do the attacks. Let's not kid ourselves, they HAVE people with squeaky-clean records.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"It is hard to see why anyone would want to access the information on the chip."
Then I say, it is hard to see why they needed to introduce such a thing as an e-passport. Or why we've got passports at all.
Have these guys got any detectable brain activity going on when they open their mouths?
It is hard to see why anyone would want to access the information on the chip
No, what it's hard to see is how he managed to get this job. Probably ought to have talked to the guy before giving him the office. But, I guess it takes skill to notice the lack of it.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page and in a short presentation on the subject by Jacobs/Wichers Schreur.
The communication between the passport and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If a bad numbering scheme is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.
The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentication is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of an MRZ-compromised passport is easy, but with Active Authentication it should be unfeasibly difficult.
Reading and cloning a European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivial as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just a bad choice by the government issuing the passports.
The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed out in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly a big surprise, since the technology is a compromise between many organizations and governments. When someone clones a passport which has Active Authentication, then that is real news.
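The MRZ-derived key and the numbering-scheme point from the comment above, as an added example that is not part of the original thread: it builds the MRZ key input with ICAO 9303 check digits, derives the two access keys the way ICAO Doc 9303 Basic Access Control describes (SHA-1 seed, counters 1 and 2, DES parity), and estimates how many bits of secrecy the printed fields really carry. The MRZ fields are specimen values, not a real passport, and the candidate counts in `SCENARIOS` are constructed assumptions for illustration.

```python
import hashlib
import math
import string

# Character values for the ICAO 9303 check digit: 0-9 keep their value,
# A-Z map to 10-35, and the filler character '<' counts as 0.
_VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
_VALUES["<"] = 0


def check_digit(field):
    """ICAO 9303 check digit: repeating weights 7, 3, 1, sum modulo 10."""
    weights = (7, 3, 1)
    return sum(_VALUES[c] * weights[i % 3] for i, c in enumerate(field)) % 10


def mrz_key_input(doc_number, birth, expiry):
    """Join the three MRZ fields, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)


def _odd_parity(key):
    """Set the low bit of every byte so that each byte has odd parity (DES)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_access_keys(mrz_info):
    """Return (K_enc, K_mac): 16-byte keys derived only from printed MRZ data."""
    seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return kdf(1), kdf(2)


def key_entropy_bits(doc_numbers, birth_dates, expiry_dates):
    """Bits of secrecy in the key, given how many values each field can take.

    The keys are 128 bits long, but they cannot hold more entropy than the
    three MRZ fields that feed the hash.
    """
    return (math.log2(doc_numbers) + math.log2(birth_dates)
            + math.log2(expiry_dates))


# Constructed issuer-side scenarios (assumed counts, not measured data):
# (possible document numbers, possible birth dates, possible expiry dates)
SCENARIOS = {
    "random 9-char alphanumeric numbers, nothing known about the holder":
        (36 ** 9, 36525, 3652),
    "sequential numbers tied to issue date, holder's age roughly known":
        (100_000, 1825, 30),
}


def assess():
    """Entropy estimate in bits for each scenario, rounded to one decimal."""
    return {name: round(key_entropy_bits(*counts), 1)
            for name, counts in SCENARIOS.items()}


if __name__ == "__main__":
    info = mrz_key_input("L898902C", "690806", "940623")  # specimen fields
    k_enc, k_mac = derive_access_keys(info)
    print("MRZ key input:", info)
    print("K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
    for name, bits in assess().items():
        print(f"{bits:5.1f} bits  {name}")
```

The gap between the two scenarios is the commenter's point: the protection comes from how unpredictable the printed fields are, not from the key length.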
The basic idea is automated passport controls - you swipe your passport on a reader and provide a fingerprint - if they match (and match to a record in the database) you are let through. Given a good hash algorithm obtaining the hash code should not be a too big security hole. You still need your fingerprint to get through.
A properly secure system can't rely on the payload or the algorithm being secret. If they have a good implementation then the encrypted/hashed data on the passport can be made public without any security implications. Of course some form of rolling codes would be preferable or a two way system that ensures that once you've used a code you get a new one and the old one becomes invalid.
Ultimately the fingerprint biometrics is the weak link. A biometric measurement shouldn't be possible to clone and it is, at least when used with cheap readers. If you have good enough fingerprint readers (I'm not sure that they exist) then it shouldn't be a problem.
Your birth certificate number could be read as CN.DN.cert-number. You have a social insurance number, social security number, or equivalent. You are numbered by your driver's license, your chequing account, your power bill, and a host of other unique identifiers.
I have no objection to SECURE identification. I object to wasting billions on useless crap.
I do not fail; I succeed at finding out what does not work.
> I do not for a second believe that it has anything to do with national id card proposals.
Correct. So why do you mention it?
...these aren't my real teeth.
The most important question here (and, at the same time, a question I see nobody asking) is: what is the range of these RFID chips?
If they have a range of one or more feet, so that somebody can scan my passport from across the room, then I really see a big privacy and security problem.
If, on the other hand, they have a range of one inch or less, then I don't see any reason of concern: if scanning my passport requires roughly the same effort as stealing it, and also if by scanning it one obtains the same information (d.o.b., height, picture, etc.) that he would have obtained by stealing it, where's the problem here?
This is all far too complicated, I know the real reason nobody would want to read this data: the British government welcomes immigrants with open arms, why bother to try and copy a passport - they give away the real ones in Christmas crackers now!
Yes, governments have databases about the citizens of their countries, for tax purposes, medical purposes, driver licensing and so on. That in itself is not unreasonable, as long as the data collected is necessary for the purpose, properly and securely handled, with suitable checks made on those with access to it and confidentiality maintained.
The National Identity Register in the UK, however, will combine most of the existing government databases into a single, centralised point of failure. In practice, it will likely be the case that most government departments and many outside agencies will have access to all of the records about an individual, not just those they have reason to see.
A second major concern is that the NIR will track every time it is checked. That won't help with the identity theft problem that follows from the above, unless the security of access is near-perfect across many thousands of people with access to the database. It will, however, mean that once the national ID card becomes the "easy option" for identity verification, the government has a handy record of each citizen's entire life: where they shop, which financial services they've been using, jobs they've been applying for, where they've travelled and who with, etc. There is simply no need for any state organisation to keep this sort of information about any citizen, other than when conducting legitimate surveillance of a suspect for genuine security purposes, with independent oversight.
Identity thieves, however, already happy to be part of the fastest-growing and most profitable crime wave in recent history, have hit the jackpot. Just along the Slashdot front page from this story as I write this, there is another article estimating that 100 million personal information leaks have occurred within the past couple of years or so. If that combination isn't reason enough to stop the NIR plans right now, I don't know what kind of sanity prevails in the government's universe.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It ain't the data, it's the LOCATION of the chip and the INTERPRETATION by persons unknown and unaccountable. In this age when travel can indicate evil intent when interpreted by paranoids in dark rooms, you can't imagine?
And if your passport is cloned, how hard would it be to build a "case" that YOU cloned it in order to obfuscate your location? Of course, that won't be for long, as you'll disappear to an UNDISCLOSED location.
My God, are they this stupid?
I doubt it.
That said, what irritated me about this particular show, was they started the section about the passport by saying things like "We all have grown used to being protected by our passports" and "the passport system has protected our borders for generations". Tossers. Passports have never "protected" anything, and I resent being spoken to like a 6 year old.
Anyway, quality content it is not.
As a side effect of watching this, and also just my general dislike of all the crap regarding "terrorism" recently, I found myself in a discussion with a friend about the general state of the law here in the UK. First point was the proposed 90 day detention without charge. My friend is all in favour of this law. He believes that "if you've got nothing to hide" then what's the problem. He also believes that the police won't be coming after the likes of "us", just the terrorists (ie. people of Asian appearance, Muslims etc). This of course led on to why he believes that is justified. Of course he is a closet racist, so he is never going to side with anybody not "English".
The argument got twisted into discussing WW2, and whether we would all be speaking German, unless the USA had come to our aid. He hates the idea of Hitler and all that he stood for. So, at the risk of invoking Godwin, I tried to point out that Hitler's main approach in the early days, was to blame the Jews for all of Germany's problems, thereby providing the scapegoat to distract attention away from his intentions. And here we are 60 years later with the Muslims being blamed for all society's ills, while in the meantime, a massive power grab by the government is taking place under our noses. My friend also believes that all new born children should have their DNA sampled at birth, and kept in a database, so that in the future, whenever a crime is committed, the police can grab a sample from the scene, and instantly know who committed the crime. How can you reason with someone with that attitude?
I tried the approach which says that we are all supposed to be free human beings, not farm animals, catalogued and monitored 24/7 but he doesn't accept that. I pointed out that the DNA would only identify a criminal, not locate that person, but apparently that's not an issue either. Even the fact that DNA is not a 100% reliable method, didn't matter to him. Even making the point that the government has a vested interest in making *everybody* a criminal didn't seem to sink in. He still believes that if you are doing nothing wrong ....
I was brought up on the notion that freedom meant freedom to break the law. It is a personal moral choice, and cannot be imposed upon us. What good is a system unless everybody feels some responsibility towards it?
I can't find a way to get him to engage his mind on this issue objectively. He has the capacity to understand, but seems to be a perfect example of the indoctrinated mindset that has been fostered here over the last few years. There was a glimmer of hope, when, as he was raving about all Muslims being terrorists, I pointed out that that obviously wasn't true, I know people from Iran and other Muslim countries and none of them are terrorists, they are mostly all just people the same as us, just trying to get by in life. It is the public perception of these people that has been manipulated by the government and the media, to bend us to their will. My friend went quiet for a few moments at this point, not being able to directly refute it. But I don't think that was enough to change his attitude.
Does anybody know what the estimates are for total number of terrorists in the
Who cares if a passport can be cloned?
Doesn't the real problem occur if information can be forged?
I haven't seen anything that suggests this is possible.
I guess my theory is still correct. No matter what they said about how secure your information is, there is always a back door, a hacker, or mishandled people that can defeat that security.
Then why put it in the passport?
Anyway, it isn't hard to see why:
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Don't forget there are a few million Christians, Jews, and Muslims who read such prophecies and consider it a sign of the apocalypse. It's not relevant to the technology, but it is very relevant to the acceptance of national ID in any form.
I do not fail; I succeed at finding out what does not work.
They could easily make RFID and contact smartcards unclonable by simply using a cipher that is slow in software but small and fast in hardware such as VEST - http://en.wikipedia.org/wiki/VEST or http://www.ecrypt.eu.org/stream/vestp2.html
The 1000-time speed difference between hardware and software makes any RFID or smartcard implementing VEST impossible to clone with software-based smartcards - any normal reader would simply time-out way before the emulator could respond. Even a cheap low-end 1MHz RFID chip would require an impossible 1GHz software smartcard to emulate it. FPGAs won't help either - reprogramming logic makes them inherently big, at least 5x5mm in size, plus the heavy power consumption... Of course, those who want to manufacture their own ASIC chips are welcome to spend $1mln+ on cloning a passport!
/me sighs
When will they learn to use proper ciphers???
my alma mater
Sincerely,
Osama bin Laden
I think someone's misusing the word "clone" here. For that I'd expect to get a genuine-looking passport, with my picture on it (not yours) and with an RFID chip containing relevant data. A copy of the data off your passport is only useful (for creating a passport for me) if I look similar enough to you for your picture to pass as me. I guess that that's not impossible - UK passports are valid for 10 years, so the person in the picture doesn't always look exactly like the person holding the passport.
This isn't to say that passports readable at a distance are a good idea, or that "securing" the biometric data with information available from other sources is, but "someone can read data on an RFID chip with an RFID reader" isn't really a news story. By extension, the photocopy of the back page of my passport that I keep in case the real one gets nicked is as much of a "clone" as this is.
Sure I travel, and like you no pick pocket could take my passport, but the vast majority of people aren't very smart. Regardless, the point was that your eye color, height, and weight can all be obtained by reading the printed info, or perhaps by someone just looking at you as you walk by. There's nothing on the passport that's worth going to the trouble to obtain.