Chipped Passport Cloned In Minutes

← Back to Stories (view on slashdot.org)

Chipped Passport Cloned In Minutes

Posted by samzenpus on Wednesday August 6, 2008 @11:57PM from the unsafe-at-any-customs-counter dept.

Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"

21 of 326 comments (clear)

Um, well... by superphreak · 2008-08-07 00:02 · Score: 5, Insightful

Is anyone surprised? At all? Seriously...

--
Evolution is a state-sponsored, state-protected religion.
1. Re:Um, well... by Anonymous Coward · 2008-08-07 00:05 · Score: 5, Funny
  
  Well, they didn't make him take his shoes off - so no, I am not surprised.
2. Re:Um, well... by Swizec · 2008-08-07 00:21 · Score: 5, Insightful
  
  At the same time, you don't want your security to be so over the top that it is either prohibitive such that people are encouraged to find a work around, or it's just plain ineffectual.
  
  Oh you mean like DRM? Prohibitive and ineffectual never stopped corporations before, why would it the government?
3. Re:Um, well... by Dog-Cow · 2008-08-07 00:50 · Score: 5, Funny
  
  -1, Unintelligible.
4. Re:Um, well... by Hal_Porter · 2008-08-07 01:52 · Score: 5, Insightful
  
  This is more like PGP signing. DRM has a flaw in that the user must be able to decrypt so the decryption key must be available. PGP signing is much more secure since you only need to know the private key if you sign. Verifying is done with the public key which is not secret.
  The passport contains data - name, address, photograph (and in future fingerprints and retinal scans). When the passport is made this data is digitally signed with the private key in some secure system.
  There is a trust chain from the per country CSCA (Country Signing Certificate Authority) down to the DS (Data Signers) down to the passports.
  See here, page 13
  http://www.rfidsec07.etsit.uma.es/slides/present/slides-1.1.pdf
  In the UK as far as I know there is only one DS, the Foreign and Commonwealth Office even for passports issued overseas (I got mine renewed from a non biometric one in Stockholm and the issuer is still marked as FCO not British Embassy Stockholm). So to check the trust chain you need the public keys for the CSCA and the DS that made a passport. The article says that "But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it." But elsewhere it says "Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control". True, but if you used a clone British Passport anywhere with access to the shared keys it will be caught if you don't know the British private CSCA key. And any country that doesn't share it's public key could be threatened with being dropped from visa waiver programs, so it's fair to assume that given time they all will. Any country who leaked their private key could be handled the same way.
  As someone commented to the article
  
  Seemingly Mr Van Beek created only a copy of personal data with fake certificates, keys and signatures to fool only the reader he was using. In real life if he could have been able to put the chip into a real passport control systems where data is checked against the CSCA and DS certificates he would have been arrested at the same moment.
  The problem with not having a PKD is that people who don't have access to manually swapped public keys cannot verify the passport. But I bet the scanners in airports do. Installing 45 CSCA keys, one per country, and one or more DS keys per country is not very hard to do.
  I actually wonder how serious this is - of course a faked passport will not be detected by software that cannot verify the trust chain. The systems at airports can do this from what I've read.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
5. Re:Um, well... by conspirator57 · 2008-08-07 03:24 · Score: 5, Insightful
  
  FWIR about 1/3 of Iran's population is blonde haired and blue eyed. The Caucuses mountain range (from which we get the term Caucasian) is partly in Iran. So if Iran or part of their population (the government) is evil that whole profiling thing starts to not work real fast.
  How about the government leaves us alone and sees to its actual responsibilities and, oh i don't know, obeys its own laws and attempts to embody American ideals? Just a suggestion.
  
  --
  "If still these truths be held to be
  Self evident."
  -Edna St. Vincent Millay
6. Re:Um, well... by bigstrat2003 · 2008-08-07 04:44 · Score: 5, Insightful
  
  Really, this lets the gov't track the millions of people who use passports easily but has no effect on criminals or those NOT from the USA. Personally I'd be more worried about the 20-something male muslum flying in to the US and then around from city to city than grandma taking a vacation to canada which now requires a passport. Yes, it's profiling. But when was the last time someone's mid-western 68 year old white grandmother went on a shooting/terror spree?
  I dunno, personally, I don't want government-sanctioned racism. But that's just me.
  
  --
  "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
I want one! by PC+and+Sony+Fanboy · 2008-08-07 00:03 · Score: 5, Funny

I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.

Oh, and I'd like some fake passports.
Don't worry... by rarel · 2008-08-07 00:11 · Score: 5, Funny

Captain Hammer will save us.
Summary doesn't mention digital signing by Wanderer2 · 2008-08-07 00:11 · Score: 5, Interesting

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it.
The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

--
I say we take-off and slashdot the site from orbit... it's the only way to be sure
Authentication requires ... um... authentication by gavron · 2008-08-07 00:15 · Score: 5, Funny

If the passport authorities of the world want to authenticate a passport they *MUST* check its signature to ensure it is valid.
Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.
In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.
Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.
Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alternation.
Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.
Hi Bruce.
Ehud
Re:Electronic voting's cousin? by pha7boy · 2008-08-07 00:18 · Score: 5, Insightful

It's becoming obvious that low-tech paper is preferable in both elections and passports.
yes, cos god knows, paper passports were NEVER falsified.

--
-- All this knowledge is giving me a raging brainer.
Re:Electronic voting's cousin? by stainlesssteelpat · 2008-08-07 00:21 · Score: 5, Interesting

I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronicly at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but i can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into newark to go visit my girlfriends parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattoed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentlemen from customs about how I got this passport. Turns out the damage done to my hands over the course of two years, meant that thier software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour thats for sure.

--
War is the statesman's game, the priest's delight, the lawyer's jest, the hired assassin's trade.- Shelley
Re:Yesterday's News Today! by gEvil+(beta) · 2008-08-07 00:23 · Score: 5, Funny

This was all over the BBC News yesterday. What took so long?

Hey now! This is Slashdot. Taco and Neal and the gang were busy confirming every aspect of the story before they posted it to the front page.

--
This guy's the limit!
Watch what you're doing by ivothamdrup · 2008-08-07 00:24 · Score: 5, Funny

The tests were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam
... and now a no-fly list nominee for engaging in terrorist activities.
Re:Yesterday's News Today! by lilomar · 2008-08-07 00:32 · Score: 5, Funny

Don't forget the painstaking grammar and spelling checking.
Plus they had to go through all the archives to make sure it wasn't a dupe.

--
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Re:If one man can do it... by Lumpy · 2008-08-07 00:47 · Score: 5, Insightful

Sounds great, You're in charge to get all the countries in the world to agree to this.
How about an easier task, convince all countries to agree that one server somewhere is where all their trust of their passports is placed.
Really simple. you should have that done by the end of this week right?

--
Do not look at laser with remaining good eye.
Misleading info? by Daemonic · 2008-08-07 00:55 · Score: 5, Informative

The article contains the line:

Many of the 9/11 bombers had travelled on fake passports.

Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?
I think what might have been the case is that they HAD used fake passpports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.
Re:Electronic voting's cousin? by AGMW · 2008-08-07 01:02 · Score: 5, Insightful

Pretending that paper is somehow better is folly.
Hmmmm. OK, but the corollary may well be that pretending something other than paper is any better is also folly!
As some other poster says above, you want a level of security that makes it sufficiently difficult for joe-public to not think about trying to beat it, but not so intrusive as to adversly affect people's lives too much in day-to-day use.
All the claptrap and palaver to do with air travel goes too far down the "intrusive" side of things, without actually offering any greater level of security (hence the term Security Theatre). The attempt to track every individual using ID cards, etc, is also too intrusive, and just as ineffective - whereas a simple chip containing a picture which is displayed when the passport (or credit card) is put into a reader would allow a human to easily compare the picture with the person and thereby foil most of the casual passport/credit card fraud.
Finally, you have to recognise that you CANNOT completely stop people from doing bad things and to think you can will lead to the 1984-type society that most right-minded people fear is where we are going already!

--
Eclectic beats from Leeds, UK
handmadehands.co.uk
Re:Electronic voting's cousin? by LaminatorX · 2008-08-07 01:16 · Score: 5, Insightful

Sucessful paper forgeries are usually more time consuming to create, and require skills that are less common in this day and age.
Or another way, a forged passport is one forged passport. A broken authentication system is a thousand forged passports.
Papers, bitte. by monkeyboythom · 2008-08-07 02:39 · Score: 5, Interesting

I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.
I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.