RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."

Does anyone remember Press Your Luck?

[Aurelfell]

It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

This article reminds me of that story.

Same old Daily Mail

[goldaryn]

From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "

So basically, exactly what goes on now, except for the new false sense of security. Great!

* I knew they'd bring this up

Re:Same old Daily Mail

[drinkypoo]

For some reason, all the high quality stuff - tools, appliances, etc. come from Germany.

My dad makes the assertion that at least in cars, the germans believe that good components make a good car, whereas the japanese believe that it's good system design that makes the difference. These days, though, both BMWs and Mercedes are big pieces of shit, and VW actually makes a more reliable car. So obviously things are a-movin' and a-shakin' over there.

The Germans DO seem to make the best tools around, though, still. And they make great kitchen appliances :)

Boo to all the American companies who have sacrificed their reputation / name with crappy quality cheesy products made in China, eliminating jobs here in America.

Well, they would have made crap here in America, too. It would just have been more expensive crap.

Boo to all the big-box retailers who think that people only want crappy products. Boo to consumers who put up with that crap and supported this behavior by shopping at Walmart and their ilk while watching all their manufacturing jobs disappear.

Well, this is where I have to part company with you, more about the former than the latter. The big-box retailers don't just think that, they know it, because people buy the cheap crap over the well-made product in almost every situation. A lot of that is that your warranty doesn't mean shit, so you might as well buy some shit. Most consumer electronics these days have what, a 90 day warranty? Wal-Mart will give me that! So why spend $500 for the good shit when I can spend $100 and get the same warranty?

Since the retailers know it, the manufacturers know it too, and they focus on making cheap crap.

As for the consumers shopping at wal-mart, I think the real problem is one of overconsumption. The government wants us all to consume, because it's good for the economy. Problem is, it's not good for us, and when we're all fucked, so will the economy be. Or vice versa - did you know the US dollar and Canadian dollar have reached parity? That is some scary shit if you live in the USA.

But anyway, without overconsumption we would have more money to spend carefully on our purchases, but you can go out any day of the week and see people below the US poverty line pushing their baby in a $300 stroller. The baby is wearing $100 sneakers. They get into a new car which they'll be making payments on long after the car is a pile of shit...

What about US passports?

[Sunburnt]

I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.

There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.

Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?

The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?

Re:Packaging

[Sunburnt]

In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.

Mine did, actually, but the article is referring to the U.K. passports. Different kind of RFID on the U.S. models, and the cover is definitely a different (and thicker) material than the older passports.

Re:One of the problems with RFID

[Sandbags]

RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to include fingerprinting, pass codes, facial scanning technology, or some other system to prove the identity of the bearer. Of course, the RFID could not be responsible to pass that information, it would likely merely possess some simply information allowing it to access a secure database system that actually contains the remainder of the data. That data could be on a government server, or even an integrated SIM in the passport itself requiring connection to a proprietary system. 3 point data validation would work, but it would be very expensive. You'd still need hard copy for entering nations that do not yet have the technological capacity to electronically scan passports. One solution I hear proposed was that not only would the passport itself have an RFID tag, but also the person himself embedded under the skin, plus the addition of a fingerprint and 6 digit pin number. All 4 would have to match, be combined, and then be compared to a CRC value stored in an international database. All this would be simply for identity confirmation and nothing more, with the FBI and other similar branches still needing to cross validate your identity to your criminal record or a watch list. Are we really that concerned/paranoid?

I'm a "Law 'n Order Anarchist"

[Ungrounded+Lightning]

I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.

I, on the other hand, characterize myself as a "Law 'n Order Anarchist" (or "Law 'n Order Minarchist" on even-numbered days). That means I think we should get rid of all (or all but the minimum necessary) of the laws - but believe it must be done in the right ORDER or it makes things worse rather than better.

(Actually, I'm more of a "Constitutional Law 'n Order Anarchist/Minarchist" Let's get there by legal means, such as repeals and amendments.)

A prime example of this order-dependence is the immigration barriers. Open borders would be nice. But you have to remove the cancerous overgrowth of the social services first. Otherwise you get an inrush of people who put a far larger load on the services than any taxes on them cover, while depressing wages and breaking unions. A double pick of the workers' pocket - for the dubious "benefit" of giving employers a break on wages. The mass of workers gets hit twice - once in the paycheck, again in taxes. A perfect, though indirect, example of "corporate welfare".

Then the citizens retaliate in elections. Libertarians, with their track record of going after any piece of their agenda without regard for the consequences of the order, become further marginalized. Naturalizing the incoming won't help Libertarians either: The bulk of their votes will go for more benefits for themselves.

Your situation is another example: To do what you want you need to get rid of the laws that make owning a machine gun or using it for home defense nearly impossible before you retreat to your fortress neighborhood and open the borders. B-)

Re:The terrorists have won.

[istartedi]

If there are no borders, then there is effectively no government. This is one of my big problems with the Libertarians. Taking away borders would, in theory, lead to anarchy. In practice, any anarchy gives rise to power centers since nature abhors a power vacuum just as much as it abhors a physical vacuum. In the past, this vacuum was filled by feudal systems that coalesced into nation states. In the present, the porosity of borders combined with the mobility and rapid communications of technological society, allows multinational corporations to fill the void. If you support this particular bit of Libertarian ideology, you indirectly support rule by multinational corporations. I know I'll get heated rebuttals on this from Libertarians. The counter-arguments will probably end up sounding a lot like the GPL zealots who argue that their ideal of freedom is more important than having a video driver that works. If we lose control of the borders, we may all end up so poor that we find ourselves dreaming of the day we can afford to buy a PC from WorldMart that runs GNU/Linux at 640 by 480.

Re:RFID is not going to save the world

[drinkypoo]

As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving. And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.

RFID in and of itself causes security problems outside the realm of whether RFID is secure or not.

It is a simple fact that RFID tags are going in everything. Sooner or later they will be as ubiquitous as UPC codes.

It is also a fact that RFID tags can be read at a distance with off the shelf hardware.

It is ALSO a fast that even more RFID tags can be read at a distance with custom hardware.

It is also a fact that RFID tags are going into the soles of shoes and into tires, both cases in which the tag will be very easily readable because it will be both parallel and close to a flat surface that can easily have an antenna embedded within it.

It's easy enough to stop people from reading your passport. Put it in a metal case, or even a mylar bag (although the latter may not be proof against it, while the former is pretty damned good.) But what we NEED to be able to stop is to stop the government from tracking where each and every person is during their every waking hour. RFID tags are smaller than grains of rice now. They can trivially be secreted in your clothing. In fact you could disguise them as little bits of grit! No one is going to be surprised at some grit in their pants cuff.

I think it's quite reasonable to be paranoid about RFID in a world of continual surveillance and when no government has respect for your rights.

Re:RFID is not going to save the world

[drinkypoo]

The bottom line is that RFID is not any more secure or any less secure than what you currently have. Do you have a credit card? A bank card? Then you are have already been violated.

No card in my wallet is remotely readable, at least to the best of my knowledge. You missed the point entirely.

The RFID used in credit cards and passports are HF (13.56 mhz). The range on these tags is incredibly small. Even with the best equipment you cannot read farther than 6 - 12 inches. You can build a fancy contraption with a huge antenna and power co-efficient but you will probably cause a lot of damage to other components before you are going to increase that range not to mention looking like a walking weather station.

All that is required is more gain on the receiving side, which in turn requires intelligent filtering and design to have a useful SnR to begin with. Anyway here is an article about a company with a solution currently in the field for reading HF tags at ranges up to ten meters.

Also, 6-12 inches is enough if you can get people walking through doorways, or walking up and pressing a button on a traffic light, et cetera. You can always also just bump into them and then you can get absolute proximity.

Also HF is notoriously bad at high speed so it is going to be hard for anyone to track your tires much less to hide an antenna in the ground they are quite fragile too. Also the readers themselves require power, circuitry, and ethernet/wireless conection etc etc blah blah. You can see my point.

Making the antenna durable is a triviality. You can place it into the road surface at the same place as the metal detector used to see if your car has pulled up to a light. Want to know what RFIDs are in the tires of an upcoming car? Just switch the light at the right time to stop them. And if they run the light, now you can drag them into court and look up their ass with a flashlight.

I suspect in fact that sooner or later they will devise the technology to use the same loop antenna used to detect your car to read RFID.

The point is that there are far easier ways to steal information. Take for instance myself. I know quite a bit about RFID, I can get acess to the best RFID equipment but even with all that if I wanted to steal your information I would much rather hold you up (or hire someone else to do it) than to devise an elaborate plot where I would have to monitor your habits and then set up readers in your path so that I can get your information.

It's not about stealing information via RFID. Get that idea out of your head right now. It's about uniquely identifying people by their RFID tag constellation, and being able to track them. It's one more piece in the "ubiquitous surveillance" puzzle. Just as RFID can't save the world, it can't doom it, either. It's part of the problem.