RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."

Ohhh

10 seconds in the microwave sounds about right!

Re:Ohhh

[mdm-adph]

I've heard smashing it with a hammer works just as well, and it doesn't invalidate the passport. Someone correct me if I'm wrong about this!

Re:Ohhh

[db32]

Temporal hammer? You would have to smash it before you get it.

Re:Ohhh

[Sunburnt]

Not sure about the effects on a UK passport holder, but you can still use a U.S. passport if the RFID is disabled. The only advantage of having one seems to be shorter lines at Immigration. (Which isn't true yet, at least at LAX as of two weeks ago. They're probably waiting for more people to get the new passports before they set up the equipment.)

Re:Ohhh

[misterhypno]

It doesn't matter if YOU disable the chip, because it can be cloned BEFORE THE OWNER EVER GETS THE FRENORKING THING!!

If you read the article, the cloning took place while it was IN TRANSIT TO the intended receipient - which means that ANYONE getting a Passport through the mail could have their Passport cloned BEFORE they ever GET it.

Without the package that the Passport is shipped in EVER BEING OPENED!

Try reading for content next time.

So, even if you disable the RFID after you GET it, the thing has been compromised BEFORE you ever get your hands ON it!

RFID = Real Fast Identity Destruction... courtesy of Homeland Security and the rest of the paranoids who don't understand technology up on the Hill who probably think that RFID is "totally tubular, man! Like the internets!"

And I will bet long odds that this post gets me audited - again - too.

Re:Ohhh

[Clazzy]

I can see it now, get an RFID-enabled passport and get a tin foil hat for free!

Does anyone remember Press Your Luck?

[Aurelfell]

It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

This article reminds me of that story.

Re:Does anyone remember Press Your Luck?

[rufey]

Yes, this really did happen on Press Your Luck. The contestant was Michael Larson. He had spent quite a bit of time before appearing on the show analyzing how the different squares on the board flashed and in what sequence. He managed to win over $100,000 USD on the show.

More can be found at Snopes and at Wikipedia.

Same old Daily Mail

[goldaryn]

From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "

So basically, exactly what goes on now, except for the new false sense of security. Great!

* I knew they'd bring this up

Re:Same old Daily Mail

[drinkypoo]

I knew they'd bring this up

You know, it's not just governments concerned about illegal immigration. It's residents, too. Illegal immigration does help keep prices low, but it also helps drive down wages by reducing the value of laborers.

As such, they would be remiss in not mentioning it, as it is of interest to their readership.

Re:Same old Daily Mail

[drinkypoo]

First off, you need to look at the jobs they do.

Having grown up in Santa Cruz, which is in a highly agricultural area, and now living in Kelseyville, which is/was the Pear capital of the world (lots of pears coming out and grapes going in these days though) I'm pretty highly aware of the jobs they do.

I do know that in the US, there are farms that can not get american laborers at over 10 bucks an hour with benefits.

What? That sentence doesn't really say anything. There are no farms, for example, that could not get American laborers at 30 bucks an hour. That's over 10 bucks an hour. Maybe we could revisit this point?

It's the type of work someone will do day in and day out when setting up a new life.

I'm not sure what that has to do with anything. Lots of people in the US need a new life, too.

So, that farmer cuold pay more, but they don't have the funds right now, and how much are we willing to buy a potato for?

Well, that's precisely my point. The farmer needs to charge more in order to pay more. As long as some employers are happy to hire illegals, they can charge less, and that makes them more competitive. So their competitors are forced to do the same thing.

Consequently we have cheap produce... but it's only cheap at the store. The simple fact is that every taxpayer in America is subsidizing that "cheap" food. We're paying for medical care for these immigrants, for example. Their employers work them part-time or they otherwise do not receive benefits. They do not pay taxes, or if they do pay taxes, their income is underreported and they're using someone else's SSN (in fact one used mine one year, but they reported only a few dollars of income so it didn't actually harm me.) There is also a very real issue with Mexican (in particular) gangs, especially in California. This is not a joke, this is not a made-up problem designed to scare people. It's real, and it's here. And it is largely a result of illegal immigration.

Now, look at the alternative to illegal immigration. If people are here legally then they can afford to report labor code abuses, because they don't just get kicked out of the country when they interface with the law. So this tends to have the result that people who are worked full-time actually get their benefits, and they have health insurance. So now they no longer need to depend on the taxpayer for medical care.

Of course, it also has the effect that food appears more expensive on the store shelf, or in the produce aisle, et cetera. But in fact the ACTUAL costs may go down overall! I say "may" because let's face it, I am not an economist, and I have not run the numbers. But I'm also not a complete idiot and I'm capable of understanding simple cause and effect.

What we have created is a system that encourages unemployment. It reduces not only the total number of jobs, but also the number of jobs capable of supporting a family. Wouldn't it be better if food cost a little more, or in some cases even a lot more, and the actual cost were reflected directly at the store shelf?

Looking at the history of migrant labor, the US was a lot better off when migrant laborers went backa nd forth across the border. It was when it became really difficult to go back did we start to see problems.

That's not really true. We only see different problems now. One issue is that we the US have constantly sought to degrade the quality of life south of the border in order to protect our pool of ready and willing labor. NAFTA, for example, was simply another way to fuck over the Mexicans. And now that manufacturing is cheaper in other countries, we just take whatever is valuable (even for scrap) and abandon the factories to sit and rust on the polluted ground we left them on, and move our manufacturing, so that Mexico really gets nothing out of it. But long be

One of the problems with RFID

[StewedSquirrel]

One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.

While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.

Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proxmity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.

If you have such a passport, it is advisable that you either fry the RFID chip (i am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag).

In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.

Stewed

Re:One of the problems with RFID

[Sandbags]

RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to include fingerprinting, pass codes, facial scanning technology, or some other system to prove the identity of the bearer. Of course, the RFID could not be responsible to pass that information, it would likely merely possess some simply information allowing it to access a secure database system that actually contains the remainder of the data. That data could be on a government server, or even an integrated SIM in the passport itself requiring connection to a proprietary system. 3 point data validation would work, but it would be very expensive. You'd still need hard copy for entering nations that do not yet have the technological capacity to electronically scan passports. One solution I hear proposed was that not only would the passport itself have an RFID tag, but also the person himself embedded under the skin, plus the addition of a fingerprint and 6 digit pin number. All 4 would have to match, be combined, and then be compared to a CRC value stored in an international database. All this would be simply for identity confirmation and nothing more, with the FBI and other similar branches still needing to cross validate your identity to your criminal record or a watch list. Are we really that concerned/paranoid?

Because It's a Dumb Chip!

[mpapet]

I know the average /.'er will be up in arms about how insecure the new passport is but it's simply not one of the design goals.

The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.

It's not a silver bullet. Treating it as such is demanding something you won't ever get.

Re:Because It's a Dumb Chip!

[EdMack]

You're missing the point. It *is* now easier to forge, since the chip is easily copied without the receiver knowing, and people perceive the chip to be more secure and harder to copy.

What about US passports?

[Sunburnt]

I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.

There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.

Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?

The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?

Re:Embedded Linux is a major security risk

[Lumpy]

Wow! I did not know that there were any oblivious morons left in the wild.
What number is on your ear tag? OH! are you one of the rare untagged morons? Where is my camera! National Geographic is gonna pay for a photo of a untagged wild moron!

hey, come back! this camera won't steal your soul....... dammit.

Re:Packaging

[Sunburnt]

In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.

Mine did, actually, but the article is referring to the U.K. passports. Different kind of RFID on the U.S. models, and the cover is definitely a different (and thicker) material than the older passports.

That's no "security researcher"...

[OriginalArlen]

...that's Adam Laurie! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.

Re:So what?

[Arker]

Is this really a big deal?

Yes.

The issue with RFID passports would be if they could be forged... it doesn't matter if they can be duplicated.

A distinction without a difference. An organisation (and it doesn't matter if this is a terrorist group or a run-of-the-mill little mafia type operation) coöpts a few postal employees. Not particularly hard to do. Those employees use a relatively inexpensive piece of equipment to scan the passports that pass through their hands. This is nearly instantaneous, and non-invasive, so good luck noticing that. The passports go right along to their intended recipients with no delay, and no one's the wiser. Yet the organisation now has all the information needed to create forged passports with valid data, which will raise no flags when used and allow their operatives to assume the identity of the citizen. All the supposed security benefits of the plan are gone, in fact, it's worse than old-style passports from a standpoint of security.

Sure, there's a minor privacy issue if the passport can be read by proximity (how close do you need to be?

Depends on how good your receiver is. Just because customs will be using an el cheapo setup that needs to be within ten inches to read the signal doesn't mean that no one will be able to construct a better reader. You think that's a *minor* issue? That someone could steal your identity, or detonate a bomb, based on that information without even having to set hands on your passport? Sounds pretty major to me.

RFID is not going to save the world

[unPlugged-2.0]

As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving.

And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.

The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.

They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.

As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.

But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.

Re:No No! No!

[mpapet]

Here's the how-to on forging a new passport:

1. Create a falsified passport jacket capable of holding a chip and antenna.
2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
3. Create secure paper used in passport.
4. You'll need to work up all of the print security features.

It's not trivial, it's not a silver bullet it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.

RFID

[mypalmike]

RFID = Ready For Immediate Duplication?

Re:If you want something done right...

[geekoid]

The federal, state and city government do a lot of things right. In fact most of there projects are quite successful. The media shines a light on the problems* so thats all most people here.

Most agencies are more fiscally responsible then most corporations.

Go the the ligrary and look at all the projects that get done.

remember, with a company all you here is the success, with the government all you hear about is the problems.

90% of all government projects are done on time, 90% of all corporate projects fail.

*and they should

Re:So what?

[Kristoph]

I cannot believe this was voted insightful.

A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.

This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.

]{