Slashdot Mirror
RFID Passports Cloned Without Opening the Package
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
10 seconds in the microwave sounds about right!
It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.
This article reminds me of that story.
I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.
From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "
So basically, exactly what goes on now, except for the new false sense of security. Great!
* I knew they'd bring this up
One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.
While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.
Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proxmity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.
If you have such a passport, it is advisable that you either fry the RFID chip (i am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag).
In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.
Stewed
There are 10 kinds of people in the world. Those who understand binary and those who don't.
I know the average /.'er will be up in arms about how insecure the new passport is but it's simply not one of the design goals.
The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.
It's not a silver bullet. Treating it as such is demanding something you won't ever get.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.
There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.
Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?
The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
Wow! I did not know that there were any oblivious morons left in the wild.
What number is on your ear tag? OH! are you one of the rare untagged morons? Where is my camera! National Geographic is gonna pay for a photo of a untagged wild moron!
hey, come back! this camera won't steal your soul....... dammit.
Do not look at laser with remaining good eye.
...that's Adam Laurie! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.
Everything I needed to know about life, I learnt from Blake's Seven
Yes.
A distinction without a difference. An organisation (and it doesn't matter if this is a terrorist group or a run-of-the-mill little mafia type operation) coöpts a few postal employees. Not particularly hard to do. Those employees use a relatively inexpensive piece of equipment to scan the passports that pass through their hands. This is nearly instantaneous, and non-invasive, so good luck noticing that. The passports go right along to their intended recipients with no delay, and no one's the wiser. Yet the organisation now has all the information needed to create forged passports with valid data, which will raise no flags when used and allow their operatives to assume the identity of the citizen. All the supposed security benefits of the plan are gone, in fact, it's worse than old-style passports from a standpoint of security.
Depends on how good your receiver is. Just because customs will be using an el cheapo setup that needs to be within ten inches to read the signal doesn't mean that no one will be able to construct a better reader. You think that's a *minor* issue? That someone could steal your identity, or detonate a bomb, based on that information without even having to set hands on your passport? Sounds pretty major to me.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.
As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving.
And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.
The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.
They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.
As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.
But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.
Software Defined RFID - The Rifidi Emulator
Here's the how-to on forging a new passport:
1. Create a falsified passport jacket capable of holding a chip and antenna.
2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
3. Create secure paper used in passport.
4. You'll need to work up all of the print security features.
It's not trivial, it's not a silver bullet it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
RFID = Ready For Immediate Duplication?
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.
I, on the other hand, characterize myself as a "Law 'n Order Anarchist" (or "Law 'n Order Minarchist" on even-numbered days). That means I think we should get rid of all (or all but the minimum necessary) of the laws - but believe it must be done in the right ORDER or it makes things worse rather than better.
(Actually, I'm more of a "Constitutional Law 'n Order Anarchist/Minarchist" Let's get there by legal means, such as repeals and amendments.)
A prime example of this order-dependence is the immigration barriers. Open borders would be nice. But you have to remove the cancerous overgrowth of the social services first. Otherwise you get an inrush of people who put a far larger load on the services than any taxes on them cover, while depressing wages and breaking unions. A double pick of the workers' pocket - for the dubious "benefit" of giving employers a break on wages. The mass of workers gets hit twice - once in the paycheck, again in taxes. A perfect, though indirect, example of "corporate welfare".
Then the citizens retaliate in elections. Libertarians, with their track record of going after any piece of their agenda without regard for the consequences of the order, become further marginalized. Naturalizing the incoming won't help Libertarians either: The bulk of their votes will go for more benefits for themselves.
Your situation is another example: To do what you want you need to get rid of the laws that make owning a machine gun or using it for home defense nearly impossible before you retreat to your fortress neighborhood and open the borders. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If there are no borders, then there is effectively no government. This is one of my big problems with the Libertarians. Taking away borders would, in theory, lead to anarchy. In practice, any anarchy gives rise to power centers since nature abhors a power vacuum just as much as it abhors a physical vacuum. In the past, this vacuum was filled by feudal systems that coalesced into nation states. In the present, the porosity of borders combined with the mobility and rapid communications of technological society, allows multinational corporations to fill the void. If you support this particular bit of Libertarian ideology, you indirectly support rule by multinational corporations. I know I'll get heated rebuttals on this from Libertarians. The counter-arguments will probably end up sounding a lot like the GPL zealots who argue that their ideal of freedom is more important than having a video driver that works. If we lose control of the borders, we may all end up so poor that we find ourselves dreaming of the day we can afford to buy a PC from WorldMart that runs GNU/Linux at 640 by 480.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
The federal, state and city government do a lot of things right. In fact most of there projects are quite successful. The media shines a light on the problems* so thats all most people here.
Most agencies are more fiscally responsible then most corporations.
Go the the ligrary and look at all the projects that get done.
remember, with a company all you here is the success, with the government all you hear about is the problems.
90% of all government projects are done on time, 90% of all corporate projects fail.
*and they should
The Kruger Dunning explains most post on
The issue with RFID passports would be if they could be /forged/... it doesn't matter if they can be duplicated.
Not true.
There's a lot to be said for not bothering to forge passports anyway - sooner or later customs at most first-world countries will probably link up, so the passport number can be checked instantly against a database to make sure the details match up. The only way a "forged" passport will work then is if it's not forged at all, but rather made with the collusion of someone at the passport office.
However, if you can duplicate a passport, you can pretend to be someone else. Someone who (you hope) has no criminal record and is not even vaguely interesting to the authorities. With access to a crooked person in authority, you can confirm this. Without such access, you simply make a few flights and see if you get stopped. The only way I can see around this is if government starts tracking where everyone is, and if the passport handed over at customs belongs to someone you know for a fact was a thousand miles away only ten minutes ago, you know something fishy's going on. But we're a long way from having that level of technology - and while I absolutely hate the sound of it, I wouldn't be even remotely surprised if someone in government is mulling it over right now.
I cannot believe this was voted insightful.
A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.
This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.
]{
I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.
You call yourself a libertarian and you can't see the internal inconsistency in that position?
Sigh, what happened to the good old days when libertarians were people who had read and understood Ayn Rand? Our borders are our gated community, how else keep out people who are opposed to the libertarian ethic? (I.e., who want to take things from us by force or fraud.)
-- Alastair
Is the chip required to get through customs? If not, the procedures is more like:
1. Read and crack data without being detected(this is perhaps easier than stealing a traditional passport).
2. Forge now even more legitimate passport using cracked data.
Nerd rage is the funniest rage.