Chipped Passport Cloned In Minutes
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"
Is anyone surprised? At all? Seriously...
Evolution is a state-sponsored, state-protected religion.
I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.
Oh, and I'd like some fake passports.
... when you can be a respectable "computer researcher"?
It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.
Better the issues be uncovered now than when the issuance is widespread.
There's always a loophole.
Are these electronic passports related to electronic voting?
It's becoming obvious that low-tech paper is preferable in both elections and passports.
Fata viam invenient.
Captain Hammer will save us.
The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).
I say we take-off and slashdot the site from orbit... it's the only way to be sure
I'm head of retail logistics, so I have to get back to stocking shelves now.
see, that's why you should take a hammer to that sucker. And when the border guard asks you what happened... say that you sat on it :)
-- All this knowledge is giving me a raging brainer.
Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.
In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.
Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.
Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alteration.
Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.
Hi Bruce.
Ehud
Come up with a lame technical 'solution' to identity theft to help stop the completely over-hyped global terrorism threat, and then make the whole thing even easier by allowing easy cloning of existing passports. Be in several places at the same time! All you need is one loophole and it propagates.
Additionally, I see no improvements to the initial checking of who is eligible for a passport to try and sort out the Day of the Jackal fraud:
http://en.wikipedia.org/wiki/The_Day_of_the_Jackal
Using some form of biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.
This was all over the BBC News yesterday. What took so long?
Hey now! This is Slashdot. Taco and Neal and the gang were busy confirming every aspect of the story before they posted it to the front page.
This guy's the limit!
...at least not human technology.
Without exception, everything we try to lock up with a key can be unlocked by someone else. I'd like to hear it from anyone else that they recognize the fact that locks only keep honest people out and then perhaps we can move on to the bigger issue of why they are trying so hard to control honest people.
Who needs passports to get into a country anyway?
lol: You see no door there!
The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.
Don't forget the painstaking grammar and spelling checking.
Plus they had to go through all the archives to make sure it wasn't a dupe.
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Sounds great. You're in charge of getting all the countries in the world to agree to this.
How about an easier task, convince all countries to agree that one server somewhere is where all their trust of their passports is placed.
Really simple. You should have that done by the end of this week, right?
Do not look at laser with remaining good eye.
Anyone thinking that this system has a chance of faultless working once you go from design to implementation is a little naive. The theory is simple. In practice it's just not going to work.
If you still believe this is possible I've something else that might interest you. I've a formula for turning base metals into gold. If you could just help fund me industrialising it you'll make a tidy profit.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?
I think what might have been the case is that they HAD used fake passports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.
I think he has a future as a management consultant or an adviser in the Bush White House for the remainder of his term.
If only someone would invent a device capable of automating those tasks.
So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless.
Technically accurate. But. The chip by itself is worthless. It's only worth something if it counters some kind of threat. This is why security isn't about products or techniques, it's about working systems. If the "chipped passports" don't have a working PKI, then there's really no point to the chips. They go together.
ObQuote: "Security is a process, not a product." -- Bruce Schneier
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Just a few years ago, the same USA demanded that ALL passports to be used while entering the USA had to be machine readable and it is the case now.
And from the people I speak to, lots of people aren't visiting the US due to all the information that the US requires, and the way they're treated at Immigration. Read some of the comments in this, and this, or this.
Yep, I can guess your response: Well don't come here then, we don't want you anyway.
Get your own free personal location tracker
Sorry, we're just well conditioned into the response. "Oh, government fucked up? Must be ours..."
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
So now we can look forward to seeing thousands of people all sporting Osama Bin Laden pictures on their passports. It'll be as fashionable as Che Guevara t-shirts.
The TSA will love it because they can announce that they've caught Bin Laden every day for the next 20 years, thus justifying their continued existence.
I'm not tense. I'm just terribly, terribly, alert.
If memory serves, can't the US confiscate anything that contains digital data at their border? Therefore couldn't they now just take your passport and never give it back? That could prove to be an issue. Imagine, you're going from Canada to the US, you present your passport to the US customs, they take it and then tell you "Nope not allowed in, you don't have your passport." You try to go back into Canada and then they say "We would let you in but since you don't have your passport you're stuck, eh?"
-Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icarus.
I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.
I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.
History tells us that cryptography usually falls down in implementation, not theory. As soon as you start building networks, selling chip readers, issuing passports then your theory starts to slowly crumble.
Even if the whole chain of trust is perfect it only takes one act of stupidity/corruption by a human to bring the whole thing crashing down.
Passports are also one of the worst possible places for security to fail. Passports, passport readers, etc. can't be updated via a patch, they need to be thrown away and replaced.
The technology for this is in its infancy and rushing out hundreds of millions of passports at an international level is doomed to failure.
I'm sure it won't stop philistine politicians from trying though - after all, it's not their money they're flushing.
No sig today...
Actually, all country trust roots (not _signatures_) end up in an international database, and terminals SHOULD check that passports are signed by one of those. The "hack" does not work for this reason (and relevant countries' terminals do check, even if the standard-testing software does not).
FYI, country certs are also published on human-readable pages, such as these:
http://www.bsi.bund.de/english/topics/csca/index.htm
http://www.bmi.gv.at/csca/startseite.asp
So hypothetically, you could collect these (they won't be changed more than once every few years) and perform your own verification.
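The verification that comment describes, set beside the fail-open behaviour reported earlier in the thread, as an added example that is not part of the original discussion or of any real inspection software. It assumes a simplified chip layout with hypothetical names (`make_chip`, `verify`, `trust_store`), and textbook RSA over small Mersenne primes stands in for the real signature and certificate formats; it is not secure and only illustrates the trust decision.

```python
import hashlib

E = 65537  # public exponent

def keypair(p, q):
    """Toy textbook-RSA key (modulus, private exponent); not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def signed_bytes(chip):
    return (chip["country"] + chip["photo_hash"]).encode()

def make_chip(country, photo, n, d):
    """Data group (photo) plus a security object: hash, signer key, signature."""
    chip = {"country": country, "photo": photo, "signer_n": n,
            "photo_hash": hashlib.sha256(photo).hexdigest()}
    chip["sig"] = pow(digest(signed_bytes(chip), n), d, n)
    return chip

def verify(chip, trust_store, fail_open):
    """trust_store maps country code -> set of trusted signer moduli."""
    # 1. Stored photo must match the hash in the security object.
    if hashlib.sha256(chip["photo"]).hexdigest() != chip["photo_hash"]:
        return "REJECT: photo hash mismatch"
    # 2. Signature must verify under the key carried on the chip itself.
    n = chip["signer_n"]
    if pow(chip["sig"], E, n) != digest(signed_bytes(chip), n):
        return "REJECT: bad signature"
    # 3. That key must be one the issuing country actually published.
    trusted = trust_store.get(chip["country"])
    if trusted is None:  # this country's keys were never loaded
        return "ACCEPT: signer unverified" if fail_open else "REJECT: no trust anchor"
    return "ACCEPT" if n in trusted else "REJECT: untrusted signer"

# Constructed sample data: Mersenne primes keep the toy keys reproducible.
ISSUER = keypair(2**61 - 1, 2**31 - 1)    # stands in for the country's signer
OTHER = keypair(2**89 - 1, 2**107 - 1)    # a key the country never issued
genuine = make_chip("GBR", b"holder photo", *ISSUER)
resigned = make_chip("GBR", b"substituted photo", *OTHER)

if __name__ == "__main__":
    for store in ({}, {"GBR": {ISSUER[0]}}):
        for fail_open in (True, False):
            print(len(store), fail_open, verify(resigned, store, fail_open))
```

Steps 1 and 2 pass for any chip that is internally consistent, so only step 3 separates a chip signed by the issuing country from one signed with some other key, and it can only do so when the trust store is populated and the reader fails closed.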
FWIR about 1/3 of Iran's population is blonde haired and blue eyed. The Caucasus mountain range (from which we get the term Caucasian) is partly in Iran. So if Iran or part of their population (the government) is evil that whole profiling thing starts to not work real fast.
I'm not arguing against profiling, but stating that 1/3 of Iran's population is "blond haired and blue eyed" is totally misleading.
Caucasian != look like you're from Sweden
About the "whitest" people in Iran are the Azeri, and maybe the Mazandarani, and I highly doubt you'd label any of them blond haired and blue eyed.
http://en.wikipedia.org/wiki/Image:Caucasus-ethnic_en.svg
With the first link, the chain is forged.