Slashdot Mirror


RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
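The key composition described in the summary, shown as an added example that is not part of the original story or the article it quotes. It assumes the key in question is the ICAO Doc 9303 Basic Access Control key seed and uses the specimen document fields from that standard's worked example; the candidate counts in the in-transit scenario are constructed for illustration.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, filler '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_no: str, birth: str, expiry: str) -> str:
    """Document number, birth date and expiry date (YYMMDD), each followed by
    its check digit. The check digits are computed, so they add no secrecy."""
    doc_no = doc_no.ljust(9, "<")
    return "".join(f + str(check_digit(f)) for f in (doc_no, birth, expiry))


def key_seed(doc_no: str, birth: str, expiry: str) -> bytes:
    """The seed is a plain hash of printed data: first 16 bytes of SHA-1."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]


def effective_bits(doc_no_candidates: int, birth_candidates: int,
                   expiry_candidates: int) -> float:
    """Unpredictability of the seed, given how many values of each field
    remain plausible to someone who has not seen the data page."""
    return math.log2(doc_no_candidates * birth_candidates * expiry_candidates)


# Nominal case: 9 numeric digits, any birthday in 100 years, any expiry in 10.
NOMINAL_BITS = effective_bits(10**9, 365 * 100, 365 * 10)
# Constructed in-transit case (assumed figures): birth date known, expiry
# within a 7-day window, four digits of the document number still unknown.
IN_TRANSIT_BITS = effective_bits(10**4, 1, 7)

if __name__ == "__main__":
    print(mrz_information("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex().upper())
    print(f"nominal {NOMINAL_BITS:.1f} bits, in transit {IN_TRANSIT_BITS:.1f} bits")
```

The 128-bit length of the derived keys is irrelevant here: the seed is only as unpredictable as the three printed fields, which is why later access-control schemes stopped deriving session keys directly from them.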

7 of 168 comments

  1. Ohhh by Anonymous Coward · · Score: 5, Funny

    10 seconds in the microwave sounds about right!

    1. Re:Ohhh by misterhypno · · Score: 5, Insightful

      It doesn't matter if YOU disable the chip, because it can be cloned BEFORE THE OWNER EVER GETS THE FRENORKING THING!!

      If you read the article, the cloning took place while it was IN TRANSIT TO the intended recipient - which means that ANYONE getting a Passport through the mail could have their Passport cloned BEFORE they ever GET it.

      Without the package that the Passport is shipped in EVER BEING OPENED!

      Try reading for content next time.

      So, even if you disable the RFID after you GET it, the thing has been compromised BEFORE you ever get your hands ON it!

      RFID = Real Fast Identity Destruction... courtesy of Homeland Security and the rest of the paranoids who don't understand technology up on the Hill who probably think that RFID is "totally tubular, man! Like the internets!"

      And I will bet long odds that this post gets me audited - again - too.

    2. Re:Ohhh by Clazzy · · Score: 5, Funny

      I can see it now, get an RFID-enabled passport and get a tin foil hat for free!

      --
      If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
  2. Does anyone remember Press Your Luck? by Aurelfell · · Score: 5, Interesting

    It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went off the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

    This article reminds me of that story.

    1. Re:Does anyone remember Press Your Luck? by rufey · · Score: 5, Informative

      Yes, this really did happen on Press Your Luck. The contestant was Michael Larson. He had spent quite a bit of time before appearing on the show analyzing how the different squares on the board flashed and in what sequence. He managed to win over $100,000 USD on the show.

      More can be found at Snopes and at Wikipedia.

  3. One of the problems with RFID by StewedSquirrel · · Score: 5, Insightful

    One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.

    While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.

    Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proximity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like, is not revocable.

    If you have such a passport, it is advisable that you either fry the RFID chip (I am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated Faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag).

    In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.

    Stewed

    --
    There are 10 kinds of people in the world. Those who understand binary and those who don't.
  4. Re:Same old Daily Mail by drinkypoo · · Score: 5, Insightful

    I knew they'd bring this up

    You know, it's not just governments concerned about illegal immigration. It's residents, too. Illegal immigration does help keep prices low, but it also helps drive down wages by reducing the value of laborers.

    As such, they would be remiss in not mentioning it, as it is of interest to their readership.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"