RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."

Does anyone remember Press Your Luck?

[Aurelfell]

It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

This article reminds me of that story.

What about US passports?

[Sunburnt]

I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.

There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.

Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?

The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?

Re:One of the problems with RFID

[Sandbags]

RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to include fingerprinting, pass codes, facial scanning technology, or some other system to prove the identity of the bearer. Of course, the RFID could not be responsible to pass that information, it would likely merely possess some simply information allowing it to access a secure database system that actually contains the remainder of the data. That data could be on a government server, or even an integrated SIM in the passport itself requiring connection to a proprietary system. 3 point data validation would work, but it would be very expensive. You'd still need hard copy for entering nations that do not yet have the technological capacity to electronically scan passports. One solution I hear proposed was that not only would the passport itself have an RFID tag, but also the person himself embedded under the skin, plus the addition of a fingerprint and 6 digit pin number. All 4 would have to match, be combined, and then be compared to a CRC value stored in an international database. All this would be simply for identity confirmation and nothing more, with the FBI and other similar branches still needing to cross validate your identity to your criminal record or a watch list. Are we really that concerned/paranoid?