RFID Passports Cloned Without Opening the Package
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
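The weakness the summary describes can be measured from the defender's side. The sketch below is an added example, not code from the article or from any passport vendor: it assumes the key is built the way ICAO 9303 Basic Access Control specifies (SHA-1 over the three fields plus their check digits), which the summary does not name. The specimen field values, the five unknown document-number digits and the seven-day expiry window are illustrative assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeating


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' filler = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch in "0123456789":
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"character not allowed in MRZ field: {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three key fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    for date in (birth, expiry):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be YYMMDD")
    fields = (doc_number, birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)


def bac_key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """Assumed derivation: first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]


def keyspace_bits(unknown_doc_digits: int, birth_candidates: int,
                  expiry_candidates: int) -> float:
    """Effective key entropy in bits, given how much of each field is unknown."""
    combos = 10 ** unknown_doc_digits * birth_candidates * expiry_candidates
    return math.log2(combos)


if __name__ == "__main__":
    # Specimen values, not a real passport.
    seed = bac_key_seed("L898902C<", "690806", "940623")
    print("seed is", len(seed) * 8, "bits long, but its inputs are not random")

    # Nothing known: 9 numeric digits, 100 years of birthdays, 10 years of expiry.
    print("blind   : %.1f bits" % keyspace_bits(9, 100 * 365, 10 * 365))
    # Envelope case from the summary: birth date known, expiry within about a
    # week, and (assumed figure) only 5 document-number digits left to guess.
    print("envelope: %.1f bits" % keyspace_bits(5, 1, 7))
```

The 128-bit seed length is irrelevant to the outcome: the strength is bounded by the entropy of the printed fields, which is why a random per-document secret, or shielding in transit, is the fix rather than a longer hash.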
10 seconds in the microwave sounds about right!
we make it harder for the terrorists to get passports (ha, yeah right) but make it really easy for them to dup them!
That way, we can insist there are no terrorists, only home grown bad guys, and we can spend a few billion more dollars on less lethal weapons, killing our own citizens in the name of the greater good!
????
Profit!
It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went off the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.
This article reminds me of that story.
I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.
From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "
So basically, exactly what goes on now, except for the new false sense of security. Great!
* I knew they'd bring this up
I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.
One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.
While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.
Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proximity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.
If you have such a passport, it is advisable that you either fry the RFID chip (I am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated Faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag).
In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.
Stewed
There are 10 kinds of people in the world. Those who understand binary and those who don't.
Is this really a big deal?
The issue with RFID passports would be if they could be /forged/... it doesn't matter if they can be duplicated.
Sure, there's a minor privacy issue if the passport can be read by proximity (how close do you need to be? ten inches?), but really... this is blown out of proportion.
You, sir, are an idiot. It has long been a tradition in the cryptanalysis community to disclose fully your algorithms. This is because most algorithms fail when tested by outside parties so you want peer review to make sure your algorithm doesn't contain a flaw you missed. And keys are set by the user so they can be anything the user wants and being user generated they are private to the user from the get-go. This combination of user-private keys and publicly-tested algorithms is the best we've come up with so far and I highly doubt that you would be able to even scratch a current protocol much less crack it.
I know the average /.'er will be up in arms about how insecure the new passport is but it's simply not one of the design goals.
The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.
It's not a silver bullet. Treating it as such is demanding something you won't ever get.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.
There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.
Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?
The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
Wow! I did not know that there were any oblivious morons left in the wild.
What number is on your ear tag? OH! are you one of the rare untagged morons? Where is my camera! National Geographic is gonna pay for a photo of an untagged wild moron!
hey, come back! this camera won't steal your soul....... dammit.
Do not look at laser with remaining good eye.
it's = "it is"
its = possessive of "it"
It was the movie with the retard that won some money. As I recall, there was a guy who watched cards long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The movie went to DVD, but I remember reading that the dealers who hosted the game offered to make it 'true random' for another $600, and the pit boss refused to pay it. This article reminds me of that story.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
...that's Adam Laurie! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.
Everything I needed to know about life, I learnt from Blake's Seven
That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passports will be abandoned.
As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving.
And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.
The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.
They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.
As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.
But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.
Software Defined RFID - The Rifidi Emulator
It's you Americans who are going to be using these insecure passports so I wouldn't be "haha'ing" at all.
Here's the how-to on forging a new passport:
1. Create a falsified passport jacket capable of holding a chip and antenna.
2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
3. Create secure paper used in passport.
4. You'll need to work up all of the print security features.
It's not trivial, it's not a silver bullet, it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
RFID = Ready For Immediate Duplication?
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
... you have to do it yourself.
If you want something done really wrong (and very expensive) — have the government do it.
It boggles the mind, that despite continuous and numerous reports of various government screw-ups, the majority of fellow Slashdotters still seem to favor things like "Municipal WiFi"...
Oh, yeah, "local government" is supposed to be better than federal... But is it really? Not in my experience...
In Soviet Washington the swamp drains you.
Our federal government doesn't care about security. If we were secure, they would be out a lot of jobs. It all makes sense once you realize how they work.
Bush's administration isn't the first subversive government we've had, but they are one of the nastiest.
I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.
I, on the other hand, characterize myself as a "Law 'n Order Anarchist" (or "Law 'n Order Minarchist" on even-numbered days). That means I think we should get rid of all (or all but the minimum necessary) of the laws - but believe it must be done in the right ORDER or it makes things worse rather than better.
(Actually, I'm more of a "Constitutional Law 'n Order Anarchist/Minarchist" Let's get there by legal means, such as repeals and amendments.)
A prime example of this order-dependence is the immigration barriers. Open borders would be nice. But you have to remove the cancerous overgrowth of the social services first. Otherwise you get an inrush of people who put a far larger load on the services than any taxes on them cover, while depressing wages and breaking unions. A double pick of the workers' pocket - for the dubious "benefit" of giving employers a break on wages. The mass of workers gets hit twice - once in the paycheck, again in taxes. A perfect, though indirect, example of "corporate welfare".
Then the citizens retaliate in elections. Libertarians, with their track record of going after any piece of their agenda without regard for the consequences of the order, become further marginalized. Naturalizing the incoming won't help Libertarians either: The bulk of their votes will go for more benefits for themselves.
Your situation is another example: To do what you want you need to get rid of the laws that make owning a machine gun or using it for home defense nearly impossible before you retreat to your fortress neighborhood and open the borders. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I know I'm not. I'm not a dyed-in-the-wool free marketeer (or rather I am, but there's no such thing as a truly free market), but a long held belief of theirs is that government produces NOTHING. I don't necessarily agree with that statement 100%, but these new passports are emblematic of what the government is getting into the business of. They are getting into the business of providing security, and, quite frankly, they are not very good at it.
Of all the things I can think of that the government ought to produce for its citizens (efficiency, level playing fields, regulated markets, affordable health care) this garbage - fake security - isn't on the list.
This also works for any implanted chip/scanner/biometric data tracker/etc.
Just hit the thing with a stungun for a second. This also will fry a computer motherboard instantly by just touching the case with the arc.(not that I've done this - lol - just to show how effectively it nukes anything with a microchip in it)
What you are advocating is a card approach which is not compatible with legacy passport systems still in use. The old ways die hard in gov't.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Muni wi-fi is good. Just like freeways.
It gives a lot more power to the people than private corp. would do.
The Kruger Dunning explains most post on
This is so funny (in a sarcastic kind of way),
we keep reading about RFID tags being breached for this, or for that, that the content can be read if you do this, hacked if you do that.
LOL.
How many holes in your armor do you need before you understand that it's not bulletproof?
It's like those electronic voting machines. As far as my knowledge goes, there is yet to exist a tamper proof machine for safe e-Voting. Why are they still going this way how many millions are they gonna spend before they realize it costs less to go the good ole paper ballot way.
Sometimes, simpler is better.
If you look like your passport photo, you're too ill to travel. - Will Kommen
A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.
This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.
]{
...slashdot already covered the exact same story about four months ago.
is there any difference that I have failed to notice?
01110000 01010111 01101110 00110011 01100100
this happen in England.
The Kruger Dunning explains most post on
Is the chip required to get through customs? If not, the procedure is more like:
1. Read and crack data without being detected(this is perhaps easier than stealing a traditional passport).
2. Forge now even more legitimate passport using cracked data.
Nerd rage is the funniest rage.
http://www.immuneid.com/ [immuneid.com] Immune ID works in a very simple, safe and practical way. With Immune ID on documents, credit cards and credentials, the identification device on them will always remain deactivated unless the user activates them through physical touch. Without human contact, any reading and/or writing attempt will fail. Thus, your information is protected from harmful use. The user will also have a visual and/or audio confirmation included in the device*. Immune ID is an innovative protection system for all electronic documents using technologies such as RFID, Rubee, Smart Dots, EAS, etc.: passports, credit cards, driving licenses, access cards, etc. Immune ID eliminates the risk of having all your important and personal information broadcasted on public air, at the reach of anyone who may want to duplicate, steal, modify or use it in dangerous and harmful ways. Immune ID is the best solution for those who want to ensure themselves a safer and protected life.
if it was so hard to forge a passport then they wouldn't need the extra security they claim the rfid chip gives. but guess what, passports are already being forged.
the rfid chip contains photo biometrics certainly (not a high res picture either, there's only a tiny amount of storage space), but fingerprints aren't included yet in many cases (and were never mandated by ICAO) it also doesn't include your signature.
so somebody that looks a bit like you, enough to pass casual observation (we all know computer face matching is very unreliable, people are even worse at it), can have a passport with your details on and their own choice of signature, which world+dog will assume is totally authentic, and which they can now use to claim your name and address as their own identity.
What you are advocating is a card approach which is not compatible with legacy passport systems still in use. The old ways die hard in gov't.
Not at all. There's no reason the material the chip is embedded in - and the electrodes are on the surface of - has to have the form factor of a credit card. You can use the cover of the passport - front or back, outside or inside - just fine.
Passports have had plastic-coated covers for over a decade. There's no reason the plastic layer can't be made thick enough to contain the chip and support its contact patches.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
[most] /. readers should be prepared for: mandatory civilian RFID tags...
get your RFID Experimentation kit now! http://www.thinkgeek.com/geektoys/science/907a/
Am no fek Buddhist, but this is enlightenment.
Isn't this exactly what RFID passports are intended for? I mean, facilitating ID theft? :)
Obviously they need DRM! They need to talk to the bright lights of the DRM field (e.g., Macrovision or the people who came up with ACCS), who have all sorts of sophisticated techniques and years of experience dealing with situations where you are handing over the encrypted content and the key to a third party, but still manage to keep the whole thing secure. :-)
I seem to recall that my database 101 class (using DBaseIV for us greyhairs) had something like a prime directive: Never build structure into your data. Why was the key (apart from the RFID issues) such a bone-headed construct? Or, as I suspect, it's "good enuff for gummint work" at work?
Stop expecting more from the new passport than the design requirements fulfill.
I think the problem we all have is that there is no design requirement fulfilled by RFID here beyond the wiz-bang boy-is-this-cool requirement.
Summary: UK Passports vulnerable to brute force attack
CVE: None
Date: Mar 07 2007 10:25PM
Credit: Adam Laurie is credited with discovering this issue
Vulnerable: UK Passport >= 2006
Not vulnerable: UK Passport < 2006
Lack of security checking or strong passwords allows an attacker to gain access
to personal details stored on the passport by launching a brute force or
dictionary attack. An attacker would need access to a region of a few
centimeters around the passport, but would not need to the passport itself.
References
* http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
* http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=440069&in_page_id=1770
For a cup of hot tea?
the problem I'm having with this is the key to the encryption is on the passport itself..anyone can get the information from the chip even if it was copied with or without opening the packaging. The point of encrypting with a key is that nobody else besides the user and receiver (in this case airport security) ever knows the key..
RFID really just needs a simple on/off switch that completes the circuit to its antenna. Is anyone doing this?
;P
My Metro SmartTrip card essentially does this all by itself after sitting in my wallet for a while. The only way it registers to readers is if I flex the card a certain way.
It's only after a year or two when I have to replace the card that the authorities can track my ass once again.
Last night I cloned my passport by putting it in a color copier.
Seriously, someone who has access to the mail can just open the envelope, copy it, and then re-seal the envelope.
No, I will not work for your startup