E-Passport Cloned In Five Minutes

Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

Open Rights Group - Biometric passport

[rimberg]

The Open Rights Group(Think UK EFF) have a wiki page that provideds more information on this an othere issues with the British Biometric Passport The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.

Re:RFID is absolutely TERRIBLE for security

[bigberk]

There is a serious misunderstanding of the technology, yes even among slashdot users. The problem is that the media and slashdot refer generically to 'rfid' when they talk about two different things:

1) Simple RFID chips that can be scan and read by anyone
2) Contactless smart cards (ISO 14443 etc), with crypto

Both use the same frequency band and similar hardware, but they are different beasts: one has crypto and the other doth not.

Identity information can be put on a contactless smart card but depending on how it is implemented (hopefully securely) you probably will NEED A KEY otherwise the crypto will prevent access. Take a wireless payment card or credit card (#2 category) for example. You can't just read/dump the bank account numbers on it. There is a crypto protecting the data.

On the other hand, walmart uses the non-crypto rfid chips. Yes you can just read the info on them, there is no encryption.

So when you say "RFID is terrible for personal security" you're right, RFID (#1 above) is completely inappropriate for privacy. But contactless smart cards (#2 above) is totally appropriate, and the passports use #2

The technology used

[Eljas]

Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page and short presentation on the subject Jacobs/Wichers Schreur.

The communication between the password and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If bad numbering scheme is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.

The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentiacation is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of MRZ-compromized passport is easy, but with Active Authentication it should be unfeasibly difficult.

Reading and cloning an European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivia as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just bad choise by the goverment issuing the passports.

The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly big suprise, since the technology is compromize between many organizations and goverments. When someone clones a passport which has Active Authentication, then that is real news.

Re:Such ID numbers already exist

[KDR_11k]

Let's not forget we are talking about Europe where many countries issue personal IDs and keep registries of all citizens at several levels with mandatory registration.