Hackers Clone Elvis' Passport
Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."
Elvis has left the building
I am not stubborn. I am right!
...welcome our new Elvis passport bearing overlords.
That little problem goes right away... just add "Elvis Aaron Presley" to the no-fly list.
We is all secured again, and permanently this time!
I wonder if it would be possible to just have a bunch of RFID chips along with your passport so they weren't sure which one they were reading? Although Elvis would probably give it away :P
Won't work. Elvis is everywhere
Personally, I'd be rather careful when it comes to ID fraud... Don't want to end up doing the Jailhouse Rock
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Security scanners with suspicious minds.
This
I dare anyone to fake the ID of Osama Bin Laden and try to get to the US.
Love many, trust a few, do harm to none.
Joke <----------------
Your head <----------------
Why don't you actually try clicking the link?
Good old Neo-con Steve will help us out of the financial crisis. Look how well he did in the french debates last night!
This "hack" just worked because the scanner they used to validate the passport permitted self-signed certificates.
Of course, it is good to show that scanners must be properly configured to be any good.
Hopefully that fake Elvis passport will get in the wrong hands, that would help spotting illegal immigrants and terrorists trying to enter the country. Gotcha!
Please remove your blue suede shoes.
One that doesn't require flash.
You can't clone Elvis' passport; They didn't have access to the original.
They created a passport with fake details which matched the identity of another person. Nothing was cloned. I bet it wasn't even his passport picture, but a stock photo from the web.
Finally had enough. Come see us over at https://soylentnews.org/
I have no idea what kind of console that is, but it doesn't look like much of a "security console" to me.
This movie only shows that they have successfully created a cloned passport, and that the scanner does not do any security checks. This was already demonstrated some time ago at a local town hall.
Doing this again at an airport adds nothing but hype. It does not prove that security in those things is broken.
Don't worry, it's all just 1's and 0's anyway...
"Never let a computer do a job that can be done by a human."
I just can't agree with this.
People can be fooled easily enough and the more that's automated properly the better. A human (well, thousands of them) *could* do all the interest calculations at your bank but it would be stupid to do it that way.
There are loads of jobs out there which are better done by machines.
And loads of jobs that need to be double checked by machines after originally being done by Humans. Come on we need jobs too! Just because Computers are relatively cheap to feed and don't pay income tax doesn't mean they're the best tool in the shed.
ASdpojd pja oh sorry laptop i didn't mean to insult you.
signature is pants
Myth: Confirmed!
Hahahahahahahahahahahahahahahaha! Hahahahahahahahahahaha!
Of course we already knew, when U.S. passport encryption was broken in all of 2 hours, that this was inevitable.
And the government did it all in the name of more "security".
But as we know, it is actually less freedom, and LESS security. This is just more proof.
When I read the headline, I thought they had made an Elvis clone from leftover DNA on his old passport. :(
From the related article:
"Thanks to the ePassports is it now possible to build Smart-IED's. A Smart-IED waits until a specific person passes by before detonating or let's say until there are more than 10 americans in the room. Boom." -John Doe
isn't that lovely.
- js.
http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html
This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!
Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.
Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenter's testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!
So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...
Build it, Drive it, Improve it! Hybridz.org
Backup? Seriously? Who on earth needs to "back up" their passport data? And what possible use is a "back up" of your passport data? You can't legally create yourself a new one if the original is lost.
Look, I'm not a fan of the enormous faith being placed in insecure formats on passports. And I'm sure people want to point out security flaws, and I'm fine with that.
But publishing an obvious exploit under the guise of a "backup tool" is just BEGGING for people to sit up and take notice of "gee, maybe we need to rethink the notion of 'backing up' always being fair use...."
RFID does not protect technology. Saying something is "RFID-protected" is just like saying "my access point is WiFi-protected". Eh?
RFID is a carrier technology, with a number of different frequency bands, with each of their own application area: some can be read from afar, some offer high transfer speeds, some work well close to metal, some need large antennas and some need small ones.
Some RFID tags just contain an ID (and are usually of high range and low speed), and some tags contain loads of data (meaning a low range and high speed). Unfortunately, people tend to lump all RFID as a single thing, which muddles things somewhat. However, they have no more in common than say, HAM radio and WiFi. You can't say that WiFi is bad because HAM radio lacks security ;-)
For conspiracy theorists: Elvis' middle name was Aron, not Aaron, right?
Wikipedia says "Presley's genuine birth certificate reads "Elvis Aaron Presley" (as written by a doctor). There is also a souvenir birth certificate that reads "Elvis Aron Presley." When Presley did sign his middle name, he used Aron. It reads 'Aron' on his marriage certificate and on his army duffel bag. Aron was apparently the spelling the Presleys used to make it similar to the middle name of Elvis' stillborn twin, Jesse Garon. Elvis later sought to change the name's spelling to the traditional and biblical Aaron. In the process he learned that "official state records had always listed it as Aaron. Therefore, he always was, officially, Elvis Aaron Presley." Knowing Presley's plans for his middle name, Aaron is the spelling his father chose for Elvis' tombstone, and it is the spelling his estate has designated as the official spelling whenever the middle name is used today. His death certificate says "Elvis Aron Presley." This quirk has helped inflame the "Elvis is not dead" conspiracy theories."
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
He left out a key word: "better", so rewrite it as this:
Never let a computer do a job that can be done better by a human
As you said, there are lots of jobs that computers are better at; I imagine the best case scenario (in a dream world?), when it comes to security, would be a combination of computer and human security.
But that's just my armchair opinion.
For just a minute, I thought hackers had successfully cloned Elvis. Then I saw it was just his passport.
Oh well, it's a start.
SJW: Someone who has run out of real oppression, and has to fake it.
I've seen some time ago on BBC Lukas Gruenwald from Germany reading his own passport data.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Anyone who knows ANYTHING about Elvis lore, knows that his name was oddly spelled:
Elvis ARON Presley.
Any technology distinguishable from magic is insufficiently advanced.
This proves it -- everybody owes The King something...
and racier too. Times article
This is of course fake. He was Elvis for real.
Some of you may feel this is not "newsworthy", but this illustrates a very important point. Let's look at the whole voting machine mess. The machines were CERTIFIED by the States they were used in. That means that the certifying body agreed that they met all requirements. Yet, once hackers found all of the security flaws in the system, the voting machine manufacturers were "lynched" in the court of public opinion. Let's look at the whole financial mess we are in. The Federal Government is paid by taxpayers to oversee our economy. They failed miserably at this task, and now are trying to saddle taxpayers with the burden of fixing the mess. Ultimately, our Government and the Governments of other nations approved this RFID Passport System...a system which was, at least in part, intended to address security concerns. Now that it is coming out that this too is a failure DUE TO A LACK OF OVERSIGHT AND ACCOUNTABILITY AT THE GOVERNMENT LEVEL, who is going to be blamed this time? Security experts have nearly exhausted themselves trying to get the message out about a lack of security in RFID Passports (and other RFID systems), but are all but ignored. Ultimately, we are all getting what we deserve, because we are simply allowing those we have put in charge of assuring our well being to fail over and over again, and we simply foist the blame on everyone else but those we have employed to prevent these messes from happening. WAKE UP SHEEPLE !!!!
The data, photo and all, are actually stored on the passport? Why doesn't the passport just have an ID that's linked to the TSA's database and the rest of the information pulled from there?
This seems like really bad architecture if true...
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
No No No... we all know that the ancient people of the earth had it all figured out. They were actually communicating with gods at the time unlike modern men who are just out of touch.
Actually, even cloned passports are an issue. They're just one you can't do a lot about very easily.
They're an issue because if you can find someone who looks vaguely like you and clone their passport with or without their cooperation, you can assume their identity. Just alter your features a bit from what is in the picture. If they have medium-long hair, get a buzz cut. If they have no facial hair, grow a beard or mustache. Or vice versa. This is especially effective if you are in a minority in the country you are using the passport, as the "they all look alike" effect will carry you very far. For extra measure you can practice forging their signature.
Yes, it's a less effective exploit, but one that is a lot harder to guard against. Even if you put more biometric data in the passport like fingerprints, retinal scans or even DNA, the realities of passport processing lines make it unlikely you will be caught.
...like creating opaque financial derivatives that crash the banking system.
I mean, that's a pretty dumb quote to begin with, isn't it? I cannot think of ANY job that absolutely cannot be done by a human, while possible for a computer. We haven't invented true AI yet, have we?
There are jobs which would take infinitely longer for humans to do, but they still CAN be done, theoretically, I guess.
I pwn this comment. "The Fine Print" says so.
Yep, this was the picture.
You can't handle the truth.
Everybody knows Elvis is still alive.
It seems no one knows that Elvis's middle name was Aron, not Aaron. So who are the dummies here?
There are pros and cons of both humans and computers.
One big drawback with computers is that when you find a way to fool them, you can use that over and over again (until a human intervenes).
A human can realise that the ruleset is inadequate for the job, and raise questions. Like if a passport image checks out with the facial recognition that matches facial features, but the person on the picture is clearly Asian while the person in front of him is Caucasian. A fully automated system would let this pass over and over again, never realising it was making mistakes.
That said, a human system will never be smarter than the human who does the job. And when the key factor for hiring someone isn't how clever they are, but how little you can get away with paying, don't expect too much bright individual thinking.
My recommendation: Test the problem solving ability and common sense of security screeners, and refuse anyone with less than average skills. And pay enough that you will get applicants who are smart. Then pay a small bonus for every person rightfully detained, and a small malus for every false positive, incorrectly detained person.
You can entice a human person to think and do a better job, but you can't entice a computer.
...But an astute security screener would note that Elvis Aron Presley's middle name was misspelled, and have cops swarming all over the passport holder in seconds.
go get it
I'm too young to get all the jokes in the comments! :(
"When information is power, privacy is freedom" - Jah-Wren Ryel
Look, population was lower back then, and they just ran out of good lookin' "Mr. January"s, okay?
The fact that the type of cloning mentioned in this article does not necessarily require cracking does not mean that it was not done or not doable. Quite the contrary. These stories have been all over the internet. First, a biometric passport issued by the Dutch government was cracked in under 2 hours (and read from a distance, by the way). An article about that was linked to right here on Slashdot:
http://yro.slashdot.org/article.pl?sid=08/08/07/0214220
This type of passport meets international standards and is accepted by the UK and the rest of the EU, as well as the US. In fact these are the standards that the United States insisted upon and uses itself. Here is another article about that (pdf):
http://www-scf.usc.edu/~sheetals/publications/RFID_epassport.pdf
And finally, if you do not believe that RFID chips that ARE IN USE in the United States are crackable, yet meet the standards of International Civil Aviation Organisation (ICAO) -- which is the relevant standards body here -- here is yet another article explaining it:
http://www.guardian.co.uk/technology/2006/nov/17/news.homeaffairs
There are many, many articles out there about this, but these three should be enough to convince a reasonable person. Your claim that I don't know what I am talking about won't wash. It was done. It is demonstrable and provable.
The problem here is that YOU are confusing the encryption itself with the implementation. If the implementation is poor (as it is in the passports), any encryption is crackable. The UK passports that were cracked used 3DES. Big deal! They are so poorly implemented that they WERE cracked, and quite easily. So take off your own tinfoil blinders, and take a real look around you. Obviously you do not understand as much about this subject as you think. So go learn something yourself, before making such smug smart-assed remarks to other people.
Quote: "Figuring out the 3DES key ... is != to 'cracking it'"
If getting someone's encryption key is not "cracking" their encrypted data, then what is? I would be interested to know your definition. In just about everybody else's opinion, getting someone's encryption key is "cracking" their encryption.
(We are NOT talking here about "cracking" 3DES... that is another subject entirely. If you thought so, I do not know where you got that idea. I never made that claim. This conversation is about "cracking" specific instances of encryption. Nobody mentioned anything about breaking general encryption algorithms. Nor -- as was precisely my point -- is it necessary to do so. I stated that the PASSPORT's encryption had been cracked -- and it had. I sure as hell did not say that 3DES had been! Apparently you have assumed I am some kind of idiot. Try again.)
In any case, since you brought it up "A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports."
If that ain't changing the data on an INTERNATIONAL STANDARD passport (read those other articles!), then what is? You took a case where it was clearly done, and then claim it isn't so. Sorry... but you will have to supply some solid citations to demonstrate this. You have cited nothing to actually dispute that this was done, you have merely offered your opinion. So... since you insisted that I supply citations, do the same. Who knows? Maybe you will even convince me. But if you do not, then I am done with this discussion; I have provided citations, you have not.
As for your last comment, I did NOT claim that 3DES was cracked. I do not know where you got the idea... as you say yourself, the cracking of an encryption key is NOT the same as breaking the general encryption algorithm. I claimed only the former, never the latter. Get it straight. At least then maybe you would at least understand what you are arguing about.
from the first article: "But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year.
Even then, the system will be fully secure only if every e-passport country has joined.
Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control. "
And further: "The International Civil Aviation Organisation said: 'The PKD ensures that e-passports used at border control points . . . are genuine and unaltered. In effect it renders the passport fool-proof. However, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.'"
So passports are STILL vulnerable, regardless of your precious PKI signature. Funny how YOU did not notice that.
Once again, as I mentioned before, we are speaking of the differences between the security of strong encryption, and the security of the actual implementation.
Given the half-assed implementations, I maintain that they still give us LESS security, not more.
As I stated from the very first, and repeatedly thereafter, it is the IMPLEMENTATIONS that are weak, not the crypto. But for some reason you don't seem to have picked up on that. Further, you appear to be a selective reader. The case is very clear: until ALL signatory nations start using the PKD, these passports are vulnerable. This is without regard to your precious PKI signature, which (again until they all sign up) is not even required for the non-complying nations. This means the system DOES NOT WORK as it is supposed to!
I do believe that the system is not secure, but that is not my argument here, and never was. The implementation is pathetic: not only do the passports themselves give away the keys, but until ALL signatory nations start using the PKD (something that will probably never happen), the system is just plain broken. It has a hole in it the size of an oil barge.
But my final comment is this: you have offered NOTHING here to support your argument except your own opinion. You have had AT LEAST three opportunities to present some facts or citations here to support your argument, but despite repeated requests you have completely failed to do so.
Cite some independently verifiable facts to support your argument, or go away. That's the way it works. I did, you have not. Unless you do, I have nothing further to say to you.
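The two reader behaviours argued over in this thread (a scanner that accepts a self-signed signer certificate, and the Public Key Directory point that a reader can only check signatures from countries whose root certificates it holds), as an added Go example that is not part of the original discussion or of any tool it mentions. The `Chip` type, the certificate names and the data strings are constructed, and a plain Ed25519 signature over the raw data stands in for the passport's real signed-data structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chip is a constructed stand-in for a passport chip; Signer is the certificate it carries.
type Chip struct {
	Data, Sig []byte
	Signer    *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a certificate for cn signed by parent; a nil parent makes it self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// personalise signs data with the signer's key, as the issuer of the chip would.
func personalise(data string, cert *x509.Certificate, key ed25519.PrivateKey) Chip {
	return Chip{Data: []byte(data), Sig: ed25519.Sign(key, []byte(data)), Signer: cert}
}

// Lenient accepts any chip whose signature matches the certificate on the chip itself.
func Lenient(c Chip) bool {
	pub, ok := c.Signer.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, c.Data, c.Sig)
}

// Strict also requires that certificate to chain to a country root the reader holds.
func Strict(c Chip, roots *x509.CertPool) bool {
	_, err := c.Signer.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && Lenient(c)
}

// Demo returns each reader's verdict on a genuine chip and on a self-signed one.
func Demo() map[string]bool {
	csca, cscaKey := issue("Constructed Country CA", true, nil, nil)
	ds, dsKey := issue("Constructed Document Signer", false, csca, cscaKey)
	rogue, rogueKey := issue("Constructed Self-Signed Signer", false, nil, nil)
	genuine := personalise("constructed holder data", ds, dsKey)
	forged := personalise("constructed altered data", rogue, rogueKey)
	trusted, empty := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(csca)
	return map[string]bool{
		"lenient/genuine": Lenient(genuine), "lenient/self-signed": Lenient(forged),
		"strict/genuine": Strict(genuine, trusted), "strict/self-signed": Strict(forged, trusted),
		"strict/genuine, root not held": Strict(genuine, empty),
	}
}

func main() { fmt.Println(Demo()) }
```

The last verdict is the PKD point quoted above: without the issuing country's root certificate, the strict check fails for a genuine chip as well, so the reader can only reject it or fall back to the lenient check that also passes the self-signed one.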
I absolutely agree, especially when it comes to repetitive jobs. Humans get bored and lose interest in repetitive things quickly; computers, on the other hand, are infinitely patient and don't take shortcuts after too long (well, unless they've been programmed that way/poorly... remember how that one version of Windows deleted command.com if the system was on for 90 consecutive days?)
Sanity is like a condom: rather have it and not need it, than need it and not have it.
You don't seem to get the point. I don't know why you don't get it. I am not going to call you dense, but you are sure acting that way.
(1) I made the claim that a passport was successfully altered (actually, first, that the data was cracked). You insisted that I cite references that this was done. I did so.
(2) You then claimed that they weren't really altered sufficiently to fool the machines, because of your oh-so-sweet PKI signature (which you are still insisting matters).
(3) So I pointed out -- and cited references to show -- WHY the PKI signature is irrelevant: because only 5 out of 45 nations use it, and so it is quite possible to fake a passport (from 40 out of the 45 nations!), because no PKI signature is required for passports from those nations! Why have you not been getting this point??? The issue was: the electronics of passports CAN BE altered -- in a short time even -- to pass security. Clearly, this is demonstrated, because you can easily make one that IS NOT REQUIRED TO HAVE A SIGNATURE!!!
(4) THEN (still refusing to cite ANY actual evidence to support your position, even though you insisted I do so), you changed the subject and claimed that even that doesn't matter, because you still have to print the passport. [Hint here, guy: that is off-topic. We were talking about the RFID, not the printing. Further, the reason RFIDs exist in passports in the first place is because it *IS* possible to print fakes, which has been and *IS BEING* done. So even if this were not a straw-man argument, it is still clearly irrelevant to the real issue here.]
(5) Finally (I could go on but there is no need), although you have had plenty of opportunity and have been asked several times, you STILL have not provided ANY citations or other evidence that anything you are saying has any credibility at all! You actually have the cojones to argue that my argument does not matter because it is not proven, even though I have cited evidence and you have not. The excuse you gave above is nothing but LAME. The relevant information is out there. You insisted that I find some. You have either not bothered to find your own, or failed to do so... it matters very little which.
Which means, plain and simple, that you lose the argument... by your own rules. Goodbye.
P.S. I do not think the sky is falling. On the contrary, I have made the point several times (though not elaborated on it) that this system is broken and so is LESS secure than no such system at all. I do not argue that the sky is falling because it is not as secure as it should be. Rather, I am arguing (from the standpoint of a computer programmer and certified systems tech with many years experience), that the RFID system should not exist at all, for the simple reason that it never will be secure enough. Just like DRM, it is a wild-goose-chase that is doomed to failure.