Slashdot Mirror


E-Passport Cloned In Five Minutes

Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

6 of 259 comments

  1. At least they can publish this... by rrohbeck · · Score: 5, Interesting

    Now another researcher has shown how to clone a European e-Passport in under 5 minutes.

    Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.


    How long would it take for some 3 letter agency to show up at their door in the US?

  2. Re:Well then, by msobkow · · Score: 3, Interesting

    A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

    But isn't the whole point of a secure passport to secure the identity of an individual? If the identity is not secure, we may as well not waste the time or money.

    --
    I do not fail; I succeed at finding out what does not work.

  3. Re:RFID is absolutely TERRIBLE for security by Ecyrd · · Score: 3, Interesting

    Except that you can use #2 with no crypto or bad crypto as well. Which is exactly what the epassports are doing. They have such bad keys that it is easy to brute-force crack them open in a couple of minutes. Most well-designed systems using the same standard have non-trivial keys, which makes them a lot more secure than the ICAO epassport standard.

    The fun thing is that the moment the standard was created, everyone said that this is going to be a field day for the press when the first researcher figures out that the keys are so weak. The day has arrived :)

    In reality the issue is blown out of proportion: the epassport is not that much of a privacy issue. Tourists can be spotted from a mile away simply by the way that they look and walk, and the smart tourist will leave the passport in the hotel safe anyway, carrying only a photocopy with him. You are in far more trouble if your passport gets stolen than if it gets copied: if you do not have your passport, dealing with any authorities in a strange country is going to be a problem, whereas if your passport gets copied, you still have the original.

    Also, forging a passport is no easier than before - in fact, getting the digital and the physical passport data to match becomes a lot harder with the epassports. Reading something does not mean you can change it and write it back, as surely is well understood by anyone familiar with digital signatures.
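
The distinction drawn in the comment above between copying chip data and changing it, as an added example that is not part of the original thread: the issuer signs a list of data-group hashes, so a bit-for-bit copy still verifies while any altered copy fails. The data-group names follow ICAO 9303; the sample values are constructed, and the toy textbook RSA is an assumption standing in for the real signature scheme.

```python
import copy
import hashlib

# Toy textbook RSA built from two Mersenne primes. Illustration only:
# no padding, tiny modulus; it stands in for the real signature scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent (never on the chip)

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_list_value(hashes: dict) -> int:
    """Reduce the ordered list of data-group hashes to the integer that is signed."""
    blob = b"".join(name.encode() + h for name, h in sorted(hashes.items()))
    return int.from_bytes(digest(blob), "big") % N

def issue(data_groups: dict) -> dict:
    """Issuer side: hash every data group, then sign the list of hashes."""
    hashes = {name: digest(blob) for name, blob in data_groups.items()}
    return {"data_groups": dict(data_groups), "hashes": hashes,
            "signature": pow(hash_list_value(hashes), D, N)}

def verify(chip: dict) -> bool:
    """Inspection side: needs only the public values N and E."""
    if pow(chip["signature"], E, N) != hash_list_value(chip["hashes"]):
        return False  # hash list was not signed by the issuer
    if set(chip["hashes"]) != set(chip["data_groups"]):
        return False  # a data group was added or dropped
    return all(digest(blob) == chip["hashes"][name]
               for name, blob in chip["data_groups"].items())

def demo() -> dict:
    # Constructed sample data, not taken from any real document.
    original = issue({"DG1": b"P<UTOEXAMPLE<<ALICE", "DG2": b"face-image-bytes"})
    clone = copy.deepcopy(original)                 # bit-for-bit copy
    altered = copy.deepcopy(original)
    altered["data_groups"]["DG2"] = b"other-face"   # photo swapped, hashes untouched
    rehashed = copy.deepcopy(altered)
    rehashed["hashes"]["DG2"] = digest(b"other-face")  # hashes fixed up, no private key
    return {"original": verify(original), "clone": verify(clone),
            "altered": verify(altered), "rehashed": verify(rehashed)}

if __name__ == "__main__":
    print(demo())
```

The signature check alone cannot tell the clone from the original, which is why inspection also has to compare the chip data with the printed page and the person presenting it.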

  4. Can I zap it? by seanadams.com · · Score: 3, Interesting

    Cloning a passport has become no harder or easier thanks to RFID. But identity theft will become much, much easier.

    Couldn't one kill the RFID chip by putting the passport in a microwave oven for a minute?

    I can't imagine the rubber-stamper at immigration control not letting me through because he can't read my RFID tag... I'm sure a good percentage of non-zapped passports would fail to scan for one reason or another. If enough people did it, then they just wouldn't be able to rely on them, period.

    1. Re:Can I zap it? by Alioth · · Score: 4, Interesting

      Actually, they can and will deport you if the chip doesn't work.

      You make the invalid assumption that people at immigration desks are reasonable people - they are *not*. Some of them are little Hitlers with bad attitude, and the ones who aren't have their hands tied by the law - they have no discretion at all. If the law says you can't enter without a working chip, the immigration officer (even the world's friendliest and most reasonable one) has no choice but to deport you. Just as they would deport you if your passport photo was mutilated.

      (I'll make one exception for the little Hitlers - one notable aberration is Houston's immigration desks - those people are polite and make you feel welcome to the United States - truly refreshing to get to an immigration desk where it isn't just stony faces and demands to see that you have a return plane ticket. I frequently travel through Houston and they've always had good people there. Dallas Ft. Worth on the other hand - I will never travel through that airport again).

  5. Re:Well then, by JimBobJoe · · Score: 4, Interesting

    I guess that's what they call a failure of imagination.

    It's a common failure that occurs in these scenarios.

    As part of my research on driver's licensing issues, when states added photos to driver's licenses (starting in the late 60's) the word "fraud" never entered the picture. Driver's licenses were essentially fraud free documents before the photographs were added--so it really never entered anyone's mind that things would change once the document became more powerful/useful/trusted.