Slashdot Mirror
E-Passport Cloned In Five Minutes
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to
clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
How we know is more important than what we know.
"It is hard to see why anyone would want to access the information on the chip." Hmmm... it's also hard to see why anyone would want my credit card information, SSN, address, etc. I'm sure nobody really wants to know any personal information about me at all, and I'm sure nobody would ever want to forge any of my identifying documentation.
Something is just wrong with the UK's Home Office. Today I read that they will now classify panty theifs as sex offenders, receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.
Crack - Free with every butt and set of boobs
it is also identity theft.
Engineering is the art of compromise.
As it may be, the people in charge of budgetary approval for the programs which put all of these RFID solutions
into place will steadfastly deny that anything is wrong until they are forced to do so, as agreeing that those are
potentially high security risks would otherwise equate it with having to backtrack on what they previously approved,
even though they were amply forewarned by many in the security-related field.
It's really about not losing face at any cost, lest people start questioning other methods they employ.
Human nature, really. Look no further than the voting machines controversy for parallels here in the US.
Z.
Now another researcher has shown how to clone a European e-Passport in under 5 minutes.
Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.
How long would it take for some 3 letter agency to show up at their door in the US?
thegodmovie.com - watch it
The Open Rights Group(Think UK EFF) have a wiki page that provideds more information on this an othere issues with the British Biometric Passport The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.
It is hard to see why anyone would want to access the information on the chip.
If no one would want to access that information, then why is it on the chip? Why even bother with the chip? Why even bother with the information?
It's a scary world when those who are old and have little clue about technology (the politicians) are told they need a high tech solution to a security issue.
Careful. The hippies used to complain about how all the old farts in power didn't have a clue back then. Now they're running things, and look where we are. I shudder to think about what the world will be like when it's YOUR turn...
Seven puppies were harmed during the making of this post.
but then it's never been very hard to visually look at it and read the paper
Not when it's in my pocket.
I can't believe how juicy this is. Imagine being able to get your dirty fingers on the theft prevention system at the doors or a department store. Just a slight modification of the frequency and code, and let the harvesting begin.
thegodmovie.com - watch it
Plus, I bet they don't even know what STAT means.
Of course they do, many of them are so old, latin was probably their mother-tongue.
No sig.
Cheers,
-b.
of copies of the id pages of passports - much the same as you'd have if you'd taken a summer job working for Hertz.
RFID IDs are TERRIBLE for personal security, because it adds RANGE to detection and forgery. Parent post has ABSOLUTELY missed the point.
No one is claiming that magnetic stripes and/or bar codes are bad for security. In both cases they make it very marginally harder to copy and virtually eliminate data-entry errors. RFID has a BIG problem beyond that: It can be read without the knowledge of the holder.
No one can read the inside of my paper passport without me giving it to them - nor my magstripe nor bar code. I have complete control over who sees it. Sure, I might be conned into showing someone, but they have to con me. RFID means that:
1. They can copy my information without me ever showing it to them.
2. They can READ my information without me ever showing them, allowing them to identify me from a distance.
3. Even with a perfectly random RFID system, they can identify your nationality from afar, which obviously may make you a target in some circumstances.
To be SAFE, an RFID system must have a) zero emissions in the closed state (eg a tested foil cover) AND b) No non-random information broadcast from the chip. (that is, a random passportID that is broadcast that has NO other information until you look it up in the appropriate database.)
"b" is necessary because "a" alone still allows someone nearby you to snoop whenever you have to show your passport somewhere.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
I see you buy your dictionaries from the same place as Alanis Morissette.
Throw the researchers in jail for showing the weakness in the system. Problem solved!
Well, the key needs to be printed somewhere on the passport.
The big, huge security hole though, is that the key is made up of the passport number, the date of birth of the holder, and the expiry date, none of which are hard to come by. For example, the postman delivering your new passport can probably find your date of birth (when did you late get a birthday card?), and can make a pretty good guess as to when it expires (10 years plus or minus a few days), so if he can guess what the passport number is, then he can read and clone your passport without even opening the envelope!
I don't know what idiot dreamed up using that particular data as the 'secret' key, they deserve to be shot. Why not make the key some random digit string, printed inside the passport in machine-readable text? Then it would at least be impossible to read the passport without opening it.
"It is hard to see why anyone would want to access the information on the chip."
I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport. Hell, he's probably got a diplomatic passport == no search. Pure gold to anyone wanting to move anything *really* profitable.
Before the goons come to get me!! I'll say I know NOTHING about these new passports beyond what's on slashdot. I got no expertise in RFID beyond looking at it. A good security system should have something in place to prevent this sort of "cloning" attack... you'd hope like hell that somebody's thought about this!!! and they don't just send the goons to cover it up.. after all, that's the new policy for scientific reports now... and has been the policy for security reports since 9/11.
You can always get one of these or just wrap your passport in tinfoil.
BRB, I'm making a tinfoil hat for my passport, so it matches mine.
The proper response to that spokesman is "Well then, you won't mind lending us your passport for a minute, so we can copy it and put copies on sale in <district with notorious reputation>, will you?".
Some politicians simply need the problem made their personal problem before they'll see it.
Ok, but the fact is that we *already* have a lot of pissed-off people wanting to fuck the "West" in any way they can. We do want to prevent them from entering our countries and doing harm. Far better to stop them at the borders rather than enacting Draconian *internal* security measures to protect against terrorism. And, BTW, there's already a database of passport data (at least in the US) - even in the 80s when I was traveling with my family as a kid, I remember seeing the passport inspectors at JFK keying passport numbers into a terminal.
From a privacy standpoint, a robust passport security system is at the very bottom of my list of worries, as long as the passport is only used as a legitimation for foreign travel.
-b.
Simple: Now you can be blamed for crimes committed with a clone of your passport, because obviously such passports are impossible to clone.
http://outcampaign.org/
Google is your friend.
http://www.google.com/search?q=passport+faraday+c
- Roach
How about having an electronic switch built in to the passport, so that the chip only works when someone holding it wants it to work. For example, you could set it up so that the chip only works when the passport is opened flat on the details page at the front.
I can't imagine it being that hard in theory, although divising a reliable and rugged switch may be a bit more challenging.
Still, I bet it could be done, and it pretty much eliminates all the concerns about people reading the chip without your permission.
Off the top of my head (might be missing something obvious), by forcing the key to be made up of useful data, it becomes impossible to divorce the key from the holder's identifying information, as printed on the passport. By requiring the operator to enter the user's data as part of the key to decode the electronic data, it sort of requires that the printed data match the electronic data. Without this check, the operator would have to visually compare the two, which might make it slightly easier to attempt low-tech forgeries where the information doesn't actually match.
Of course, even if that were one of their reasons behind the design, that wouldn't excuse them from not mixing the passport holder's data with a random number in the manner you suggest.
The ID cards themselves are just a distraction. The real agenda is the setting up of a big database with information on all citizens. While everyone debates ID cards, they get to do what they want with the database proposal. They can back down on ID cards later, and everyone is happy.
Cloning a passport has become no harder or easier thanks to RFID. But Identity theft will become much much easier.
Couldn't one kill the RFID chip by putting the passport in a microwave oven for a minute?
I can't imagine the rubber-stamper at immigration control not letting me through because he can't read my RFID tag... I'm sure a good percentage of non-zapped passports would fail to scan for one reason or another. If enough people did it, then they justn wouldn't be able to rely on them, period.
Just once, when one of these government prats is bragging about their latest and greatest hard-to-forge ID paraphernalia, I hope SOME reporter will point out the uncomfortable fact that none of the 9/11 perps were travelling with forged documents. They had passports in their own names, and credit cards. They made NO attempt to conceal their identities, and in fact were most likely hoping to be hailed as heroes by their fellow fanatics.
If the bad guys were still in the business of trying to bring down airplanes, they'd use people with squeaky-clean records to do the attacks. Let's not kid ourselves, they HAVE people with squeaky-clean records.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page and short presentation on the subject Jacobs/Wichers Schreur.
The communication between the password and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If bad numbering scheme is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.
The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentiacation is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of MRZ-compromized passport is easy, but with Active Authentication it should be unfeasibly difficult.
Reading and cloning an European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivia as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just bad choise by the goverment issuing the passports.
The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly big suprise, since the technology is compromize between many organizations and goverments. When someone clones a passport which has Active Authentication, then that is real news.
Apply for a bank account/credit card... identity theft stuff. A passport is prime ID. I believe you can do as much with it as with a birth certificate (probably more since you cannot use a birth certificate to get back into the U.S. by air and soon by ground as well). In fact, I wouldn't doubt that you could order a duplicate birth certificate with it... or maybe go to a social security office with it and claim you lost your SSN card and would like to know the number. You could probably cause a lot of problems. Or if you were a terrorist from say Iran, you could fake a U.S. citizenship and get into the country without a hassle. Theft of someone's identity is very serious.
And if they mess up the systems dealing with passports when they become required for all entries to the U.S. including ground entry from Mexico and Canada (and they *will* be required, it was just delayed for a year for ground crossings) there could be a HUGE impact. They are America's two biggest trading partners accounting for something like half of all foreign trade (Canada is the U.S.'s biggest trading partner... Mexico I believe is a close second and maybe soon to pass the Canadians). What if, for example, the trucks all of a sudden couldn't roll across the border because the driver's passports were messed up (in either direction by the way... what American driver is going to want to leave if he/she can't get back in)?
-- I ignore anonymous replies to my comments and postings.
Your birth certificate number could be read as CN.DN.cert-number. You have a social insurance number, social security number, or equivalent. You are numbered by your driver's license, your chequing account, your power bill, and a host of other unique identifiers.
I have no objection to SECURE identification. I object to wasting billions on useless crap.
I do not fail; I succeed at finding out what does not work.
The most important question here (and, at the same time, a question I see nobody asking) is: what is the range of these RFID chips?
If they have a range of one or more feet, so that somebody can scan my passport from across the room, then I really see a big privacy and security problem.
If, on the other hand, they have a range of one inch or less, then I don't see any reason of concern: if scanning my passport requires roughly the same effort as stealing it, and also if by scanning it one obtains the same information (d.o.b., height, picture, etc.) that he would have obtained by stealing it, where's the problem here?
Yes, governments have databases about the citizens of their countries, for tax purposes, medical purposes, driver licensing and so on. That in itself is not unreasonable, as long as the data collected is necessary for the purpose, properly and securely handled, with suitable checks made on those with access to it and confidentiality maintained.
The National Identity Register in the UK, however, will combine most of the existing government databases into a single, centralised point of failure. In practice, it will likely be the case that most government departments and many outside agencies will have access to all of the records about an individual, not just those they have reason to see.
A second major concern is that the NIR will track every time it is checked. That won't help with the identity theft problem that follows from the above, unless the security of access is near-perfect across many thousands of people with access to the database. It will, however, mean that once the national ID card becomes the "easy option" for identity verification, the government has a handy record of each citizen's entire life: where they shop, which financial services they've been using, jobs they've been applying for, where they've travelled and who with, etc. There is simply no need for any state organisation to keep this sort of information about any citizen, other than when conducting legitimate surveillance of a suspect for genuine security purposes, with independent oversight.
Identity thieves, however, already happy to be part of the fastest-growing and most profitable crime wave in recent history, have hit the jackpot. Just along the Slashdot front page from this story as I write this, there is another article estimating that 100 million personal information leaks have occurred within the past couple of years or so. If that combination isn't reason enough to stop the NIR plans right now, I don't know what kind of sanity prevails in the government's universe.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.