Slashdot Mirror
Chipped Passport Cloned In Minutes
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"
Is anyone surprised? At all? Seriously...
Evolution is a state-sponsored, state-protected religion.
I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.
Oh, and I'd like some fake passports.
... when you can be a respectable "computer researcher"?
Captain Hammer will save us.
The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).
I say we take-off and slashdot the site from orbit... it's the only way to be sure
Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.
In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.
Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.
Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alternation.
Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.
Hi Bruce.
Ehud
It's becoming obvious that low-tech paper is preferable in both elections and passports.
yes, cos god knows, paper passports were NEVER falsified.
-- All this knowledge is giving me a raging brainer.
I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronicly at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but i can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into newark to go visit my girlfriends parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattoed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentlemen from customs about how I got this passport. Turns out the damage done to my hands over the course of two years, meant that thier software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour thats for sure.
War is the statesman's game, the priest's delight, the lawyer's jest, the hired assassin's trade.- Shelley
This was all over the BBC News yesterday. What took so long?
Hey now! This is Slashdot. Taco and Neal and the gang were busy confirming every aspect of the story before they posted it to the front page.
This guy's the limit!
...at least not human technology.
Without exception, everything we try to lock up with a key can be unlocked by someone else. I'd like to hear it from anyone else that they recognize the fact that locks only keep honest people out and then perhaps we can move on to the bigger issue of why they are trying so hard to control honest people.
Who needs passports to get into a country anyway?
lol: You see no door there!
The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.
Why get all physical?
30 seconds on high in the microwave should do the job and leave less traces.
"And when the border guard asks you what happened." the right response would be
"I don't know what you're talking about Sir, there's chips in my passport?"
( or perhaps, depending on available force-points... :)
"Sir, these are not the passports you're looking for"
"Kill 'em all and let Root sort 'em out"
Don't forget the painstaking grammar and spelling checking.
Plus they had to go through all the archives to make sure it wasn't a dupe.
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Sounds great, You're in charge to get all the countries in the world to agree to this.
How about an easier task, convince all countries to agree that one server somewhere is where all their trust of their passports is placed.
Really simple. you should have that done by the end of this week right?
Do not look at laser with remaining good eye.
Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?
I think what might have been the case is that they HAD used fake passpports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.
Hmmmm. OK, but the corollary may well be that pretending something other than paper is any better is also folly!
As some other poster says above, you want a level of security that makes it sufficiently difficult for joe-public to not think about trying to beat it, but not so intrusive as to adversly affect people's lives too much in day-to-day use.
All the claptrap and palaver to do with air travel goes too far down the "intrusive" side of things, without actually offering any greater level of security (hence the term Security Theatre). The attempt to track every individual using ID cards, etc, is also too intrusive, and just as ineffective - whereas a simple chip containing a picture which is displayed when the passport (or credit card) is put into a reader would allow a human to easily compare the picture with the person and thereby foil most of the casual passport/credit card fraud.
Finally, you have to recognise that you CANNOT completely stop people from doing bad things and to think you can will lead to the 1984-type society that most right-minded people fear is where we are going already!
Eclectic beats from Leeds, UK
handmadehands.co.uk
Sucessful paper forgeries are usually more time consuming to create, and require skills that are less common in this day and age.
Or another way, a forged passport is one forged passport. A broken authentication system is a thousand forged passports.
As an aside, there is a parallel between pictures on ID and encryption: A picture on an ID allows me to verify that you look exactly like the guy on the ID (for various definitions of "exactly"), and symmetric encryption allows me to be fairly certain no one is listening in on a communication (assuming protected keys, sufficient key size, etc). But neither allow me to KNOW who you are or who I am communicating with. In other words, both systems fail at authentication, which is, in the end, what passports are trying to provide, and many people think encryption provides.
-- Humans, because the hardware IS the software.
So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless.
Technically accurate. But. The chip by itself is worthless. It's only worth something if it counters some kind of threat. This is why security isn't about products or techniques, it's about working systems. If the "chipped passports" don't have a working PKI, then there's really no point to the chips. They go together.
ObQuote: "Security is a process, not a product." -- Bruce Schneier
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Apathy: one of the greatest gifts you can give a tyranny.
Come play free flash games on Kongregate!
So now we can look forward to seeing thousands of people all sporting Osama Bin Laden pictures on their passports. It'll be as fashionable as Che Guevara t-shirts.
The TSA will love it because they can announce that they've caught Bin Laden every day for the next 20 years, thus justifying their continued existence.
I'm not tense. I'm just terribly, terribly, alert.
I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.
I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.
Reading the article, it's not as simple as that. There's not just an authentication system that can be toggled on an off. Each country has their own public key, which they can decide to share with other countries. Right now, 45 countries manually share keys. Then of them have signed up to an automated public key database. Only five of them are using it right now. So if you come from a country other than those 45, your passport never gets authenticated anyway. Bureaucracy being what it is, who knows when those numbers will grow much larger.
Also, think about the potential for corruption. All you'd need is someone in the government who you could bribe to give you the private key. Think Pakistan, India, Romania, etc. Then you've actually got an authenticated passport that lulls the passport checker into a false sense of security. They think they've got added security when actually they don't.
History tells us that cryptography usually falls down in implementation, not theory. As soon as you start building networks, selling chip readers, issuing passports then your theory starts to slowly crumble.
Even if the whole chain of trust is perfect it only takes one act of stupidity/corruption by a human to bring the whole thing crashing down.
Passports are also one of the worst possible places for security to fail. Passports, passport readers, etc. can't be updated via a patch, they need to be thrown away and replaced.
The technology for this is in its infancy and rushing out hundreds of millions of passports at an international level is doomed to failure.
I'm sure it won't stop philistine politicians from trying though - after all, it's not their money they're flushing.
No sig today...