Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chipped Passport Cloned In Minutes

Posted by samzenpus on from the unsafe-at-any-customs-counter dept.

Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"

7 of 326 comments (clear)

  1. Re:Um, well... by Fred_A · · Score: 4, Interesting

    Hasn't this been known for a long time ?

    Some extra security could be added to the chips (proper key signing IIRC) but never is. Everybody knows about this but since it makes the US happy as part of their security theatre, nobody cares.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  2. Re:Um, well... by TheLink · · Score: 4, Interesting

    It's mostly theatre. Bad people get valid passports too.

    Only in a few cases are those passports revoked.

    --
  3. Summary doesn't mention digital signing by Wanderer2 · · Score: 5, Interesting

    The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it.

    The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

    --
    I say we take-off and slashdot the site from orbit... it's the only way to be sure
  4. Re:Electronic voting's cousin? by stainlesssteelpat · · Score: 5, Interesting

    I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronicly at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but i can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into newark to go visit my girlfriends parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattoed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentlemen from customs about how I got this passport. Turns out the damage done to my hands over the course of two years, meant that thier software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour thats for sure.

    --
    War is the statesman's game, the priest's delight, the lawyer's jest, the hired assassin's trade.- Shelley
  5. Less than adequate summary. by FlyingBishop · · Score: 4, Interesting

    The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.

  6. Papers, bitte. by monkeyboythom · · Score: 5, Interesting

    I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.

    I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.

  7. Re:Um, well... by bsDaemon · · Score: 4, Interesting

    My father was an airline pilot for years and recently retired. His opinion of the matter is that the reason TSA searches little old white grannies (and myself -- constantly. I've pretty much given up on flying because I **ALWAYS** get taggged) is that they don't WANT to find anything which they might have to deal with.

    They harass pilots and take their nailclippers -- as if the captain of the plane needs nailclippers to hijack a plane that he's already in command of (mind you, there is a fire ax in the cockpit that can chop through the bulkhead).

    The term the pilots use most often for it all is "political eyewash." Not that it matters, because after 911, passengers aren't just going to sit by for a hijacking ever again. The "rules" have changed. This is no longer the 1980s. Its not like the "Delta Force" movies anymore.

    Racist or not, it would probably be more reasonable to search people who actually fit the known profile of like, you know, everyone who has ever hijacked a plane ever... but that might mean that the TSA people would actually have to do something. Much easier just to harass grannies from Iowa than to try and thwart "terrorism"