Hackers Clone Elvis' Passport

← Back to Stories (view on slashdot.org)

Hackers Clone Elvis' Passport

Posted by samzenpus on Wednesday October 1, 2008 @09:30PM from the don't-mess-with-the-king dept.

Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."

53 of 164 comments (clear)

Min score:

Reason:

Sort:

Obligatory by Gandalf_Greyhame · 2008-10-01 21:31 · Score: 5, Funny

Elvis has left the building

--
I am not stubborn. I am right!
1. Re:Obligatory by Anonymous Coward · 2008-10-01 21:35 · Score: 5, Funny
  
  On a day when we are going to be giving hundreds of billions to dodgy bankers, on a day when suicide bombs have returned to Baghdad, on a day when the most influential vice-presidential nominees for a lifetime will go toe-to-toe, surely there is more important news for /. to report!
2. Re:Obligatory by BlueStrat · 2008-10-01 21:52 · Score: 5, Funny
  
  Elvis has left the building
  Elvis has left the building
  And the other Elvis has left the building
  There, fixed that for you.
  Cheers!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
3. Re:Obligatory by tinkertim · 2008-10-01 21:59 · Score: 4, Funny
  
  Elvis has left the building
  Elvis has left the building
  And the other Elvis has left the building
  There, fixed that for you.
  Cheers!
  Strat
  Well, sort of .. but where do I find MAX_ELVIS ?
4. Re:Obligatory by JustOK · 2008-10-01 22:36 · Score: 2, Funny
  
  with his blue suede shoe bombs
  
  --
  rewriting history since 2109
5. Re:Obligatory by El_Muerte_TDS · 2008-10-01 23:25 · Score: 5, Funny
  
  There, fixed that for you.
  Thank you, Thank you very much.
  Elvis
6. Re:Obligatory by Chris+Mattern · 2008-10-01 23:28 · Score: 4, Funny
  
  Well, sort of .. but where do I find MAX_ELVIS ?
  #include <rock-n-roll.h>
7. Re:Obligatory by ehaggis · 2008-10-01 23:37 · Score: 2, Funny
  
  I'm sorry, he cannot leave the building, he no longer has a valid passport.
  
  --
  One ring to bind them - should probably have more fiber and less rings in their diet.
8. Re:Obligatory by dkleinsc · 2008-10-01 23:43 · Score: 4, Interesting
  
  Ever since that cracker got me
  I found a new place to dwell.
  It's down at the end of cloned street
  At pwned hotel.
  (chorus)
  You make me so cloned baby,
  I get so cloned,
  I get so cloned I could die (again and again).
  And although its always crowded,
  You still can find some room.
  Where broken hearted users
  Do cry away their gloom.
  (chorus)
  Well, the spammer's mail keeps flowin,
  And the desk clerks dressed in black.
  Well they been so long on cloned street
  They ain't ever gonna look back.
  (chorus)
  Hey now, if a cracker gets you,
  And you got a tale to tell,
  just take a walk down cloned street
  To pwned hotel.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
9. Re:Obligatory by theeddie55 · 2008-10-02 00:07 · Score: 3, Informative
  
  if slashdot reported everything that was "at some level" technology news, it would just be a news site.
  
  --
  Blazing Spiders
10. Re:Obligatory by RemoWilliams84 · 2008-10-02 00:57 · Score: 5, Funny
  
  That would be the greatest rick roll ever. Have them scan your passport and it come back with Rick Astley's picture followed by you singing never gonna give you up at the top of your lungs. I'm beginning to see a whole reality show here.
  
  --
  "I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets
11. Re:Obligatory by Trespass · 2008-10-02 04:30 · Score: 2
  
  if slashdot reported everything that was "at some level" technology news, it would just be a news site.
  No, it would be a conspiracy theory clearinghouse.
I can fix that for you... by codefrog · 2008-10-01 21:37 · Score: 5, Funny

That little problem goes right away... just add "Elvis Aaron Presley" to the no-fly list.
We is all secured again, and permanently this time!
1. Re:I can fix that for you... by RuBLed · 2008-10-01 21:46 · Score: 5, Funny
  
  Elvis will be so pissed when he returns in 2012.
2. Re:I can fix that for you... by davester666 · 2008-10-01 22:30 · Score: 5, Funny
  
  He's coming back for the Olympics? So, he's just be away all this time getting back in shape?
  
  --
  Sleep your way to a whiter smile...date a dentist!
3. Re:I can fix that for you... by master5o1 · 2008-10-01 23:18 · Score: 2, Funny
  
  Yeah he's going to make that opening ceremony so much better than China's. Oh wait I don't think you can get more awesome than a publicly displayed BSOD.
  
  --
  signature is pants
4. Re:I can fix that for you... by EasyTarget · 2008-10-01 23:35 · Score: 5, Funny
  
  Hello,
  You have used our copyrighted phrase '2012', thereby destroying the branding of the British Olympics. You owe us 12Bn poonds.
  We look forward to recieving your remittance by return.
  - IOC IP enforcement department.
  
  --
  "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
5. Re:I can fix that for you... by Anonymous Coward · 2008-10-02 00:45 · Score: 2, Informative
  
  Elvis will be so pissed when he returns in 2012.
  "Score:5, Interesting"
  Try again, modboys. Sometimes I wonder what you guys are thinking when you moderate posts like this. Don't you see that it should have been modded informative instead of interesting. Amateurs.
6. Re:I can fix that for you... by Sebilrazen · 2008-10-02 00:50 · Score: 3, Informative
  
  How the hell did this get modded "interesting"?? Is there some widely accepted theory about Elvis returning in 2012 I've missed?
  Who the hell gets mod points nowadays?
  Probably related to the end of the Mayan Long Count calendar, which was really accurate for 5,125 years, but it all of a sudden ends on the Winter Solstice in 2012, nobody knows what's going to happen.
  
  I like to think of it as Peter Venkman said, "Human sacrifice, dogs and cats living together... mass hysteria!" Elvis caused mass hysteria, ergo Elvis comes back.
  
  --
  "There are no facts, only interpretations." --Friedrich Nietzsche.
7. Re:I can fix that for you... by seededfury · 2008-10-02 02:44 · Score: 4, Informative
  
  "nobody knows what's going to happen."
  
  yes we do. Life goes in earth's new cycle of 26,000 years...
  
  Prophecy is bullshit stemming from a religious mind.
  from http://www.crawford2000.co.uk/maya.htm
  "Over a year's time the Sun transits through the twelve houses of the zodiac. Many of us know this by what "Sun sign" is associated with our birthday. Upping the scale to the Platonic Year - the 26,000 year long cycle - we are shifting, astrologically, from the Age of Pisces to the Age of Aquarius. The Mayan calendar does not really "end" in 2012, but rather, all the cycles turn over and start again, vibrating to a new era. It is as if humanity and the Earth will graduate in the eyes of the Father Sun and Grandmother Milky Way. "
  
  For as long as I have been alive, doom and the end have always been so close but unfortunately it's always a lie.
He doesn't need to fly by mangu · 2008-10-01 21:44 · Score: 2, Funny

just add "Elvis Aaron Presley" to the no-fly list
Won't work. Elvis is everywhere
Re:hilarious! by BackwardHatClub · 2008-10-01 21:44 · Score: 2, Insightful

The 4 hour stop at security would be really hilarious...!
Be careful... by Anton+Styles · 2008-10-01 21:46 · Score: 3, Insightful

Personally, I'd be rather careful when it comes to ID fraud... Don't want to end up doing the Jailhouse Rock

--
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
1. Re:Be careful... by technolectro · 2008-10-01 21:51 · Score: 2, Funny
  
  You have a Suspicious Mind.
2. Re:Be careful... by Thiez · 2008-10-01 23:01 · Score: 2, Insightful
  
  Actually, the Dutch don't own a little piece of Cuba, so no need to panic. Also, laws are relatively sane, so I doubt the people who did this are going to get in trouble, especially since the copied passpart is so obviously fake, and merely proof-of-concept instead of something to be used in an evil plot to take over the world.
3. Re:Be careful... by Patrick+Georgi · 2008-10-01 23:36 · Score: 4, Interesting
  
  At least in Germany, ID cards are considered to be federal property, so changing data on it could be considered malicious mischief.
4. Re:Be careful... by Incadenza · 2008-10-01 23:47 · Score: 5, Insightful
  
  In the Netherlands passports are state property to. If your passport gets lost, you have to pay for a replacement (obviously) *plus* you get fined for losing government property!
5. Re:Be careful... by EasyTarget · 2008-10-01 23:48 · Score: 3, Insightful
  
  Unfortunately the current mob in (sort of ) charge here are right up the illiberal-fuck brigade's arse.
  When it was recently demonstrated that the new national travelcard is broken (Mifare) the response was a typical mixture of outrage, damming everybody as criminal, and refusing to accept that people with science degrees are a darn sight smarter than the bunch of PR/MBA wankers who fell for the Mifare sales spin.
  
  --
  "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
6. Re:Be careful... by Anonymous Coward · 2008-10-01 23:53 · Score: 2, Insightful
  
  Except in the video, you see they are using a simple blank card. So the ID cards where not from the government in the first place.
  The detection equipment is probably build and bought by private companies, so fooling these also do not involve the government either.
7. Re:Be careful... by Thiez · 2008-10-02 00:06 · Score: 3, Insightful
  
  The card they use in the video doesn't appear to be a real passport, only the chip (that may or may not have been removed from a password). Even if what they did is illegal, I would be extremely suprised if anyone involved were to end up in prison, although they may be fined, especially if they got the chip out of a real passport (like you suggested).
Osama Bin Laden by Krneki · 2008-10-01 21:47 · Score: 5, Funny

I dare anyone to fake the ID of Osama Bin Laden and try to get to the US.

--
Love many, trust a few, do harm to none.
1. Re:Osama Bin Laden by plasmacutter · 2008-10-01 22:19 · Score: 5, Funny
  
  I would suggest a very fat white guy in a flannel shirt : )
  
  --
  VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
2. Re:Osama Bin Laden by Anonymous Coward · 2008-10-01 22:41 · Score: 2, Funny
  
  Imagine a plane full of Osama Bin Ladens arriving to the US.
  I'd pay to see that :D
3. Re:Osama Bin Laden by Oktober+Sunset · 2008-10-01 22:49 · Score: 2, Funny
  
  Well I triple DOG dare you to do it.
  
  --
  What if Tetris was invented by Nazis?
4. Re:Osama Bin Laden by Anonymous Coward · 2008-10-01 22:55 · Score: 4, Funny
  
  This is slashdot. That doesnt really narrow it down now does it? :P
5. Re:Osama Bin Laden by MadMidnightBomber · 2008-10-01 23:03 · Score: 5, Funny
  
  It's OK - they already assume everyone who isn't white is Osama Bin Laden.
  
  --
  "It doesn't cost enough, and it makes too much sense."
Misconfigured scanner by Anonymous Coward · 2008-10-01 21:51 · Score: 2, Informative

This "hack" just worked because scanner they used to validate the passport permitted self signed certificates.
Of course, it is good to show that scanners must be properly configured to be any good.
1. Re:Misconfigured scanner by prefect42 · 2008-10-01 22:54 · Score: 2, Interesting
  
  Schneier looks to be wrong about multiple CAs. They don't cause the problem he's talking about.
  Without having a global CA:
  UKCA can make certs
  USCA can make certs
  I trust certs from both CAs. I only trust UKCA with certs /C=UK and USCA with /C=US. Both CAs can make certificates for the other country, but that doesn't mean the end user trusts it.
  jh
  
  --
  jh
Before passing through security by BackwardHatClub · 2008-10-01 21:59 · Score: 5, Funny

Please remove your blue suede shoes.
1. Re:Before passing through security by zwarte+piet · 2008-10-01 22:59 · Score: 2, Funny
  
  Why? Nobody is going to step on them..... because they're: 1) for the money 2) for the show
Comment removed by account_deleted · 2008-10-01 22:11 · Score: 5, Informative

Comment removed based on user account deletion
Bad title by L4t3r4lu5 · 2008-10-01 22:27 · Score: 4, Insightful

You can't clone Elvis' passport; They didn't have access to the original.

They created a passport with fake details which matched the identity of another person. Nothing was cloned. I bet it wasn't even his passport picture, but a stock photo from the web.

--
Finally had enough. Come see us over at https://soylentnews.org/
1. Re:Bad title by wvmarle · 2008-10-02 01:20 · Score: 4, Insightful
  
  Which, from the face of it, makes the feat even more impressive. Cloning means "simply" reading the data from one passport, and copying it onto another. It is not necessary to decrypt this data, as long as the chip is tricked into releasing it.
  Instead, they created a completely new data set, put this on the chip, and programmed the chip so it correctly answers to the challenge posed by the reader.
  Now the idea of having the data encrypted in the passport chip may be wishful thinking of course... I would expect it is encrypted, if not then it's of course one step less for these hackers. At the very least I would expect some cryptographic checksum, based on some secret key or so, to verify that the passport (i.e. the data on the chip) has been government issued.
  No matter what, a neat hack, and scary that it is possible in the first place.
2. Re:Bad title by apt142 · 2008-10-02 06:15 · Score: 2, Funny
  
  The mystery of the Elvii is a deep and dangerous one.
  
  --
  Star Pirates
That's not a security console... by Neelix21 · 2008-10-01 22:59 · Score: 2, Insightful

I have no idea what kind of console that is, but it doesn't look like much of a "security console" to me.
This movie only shows that they have succesfully created a cloned passport, and that the scanner does not do any security checks. This was already demonstrated some time ago at a local town hall.
Doing this again at an airport adds nothing but hype. It does not prove that security in those things is broken.

--
Don't worry, it's all just 1's and 0's anyway...
1. Re:That's not a security console... by Ren+Hoak · 2008-10-01 23:28 · Score: 5, Insightful
  
  It does not prove that security in those things is broken.
  Ok, so by your words, being able to create a document that contains blatantly false information, and successfully using that document to bypass security doesn't prove that "security in those things is broken". What, pray tell, would be required beyond this to demonstrate that security is broken? Because, you see, in my simple view of things, if you are "Bob" and security is on the lookout for "Bob", and you show them a modified password claiming that you're "Neil", and security lets you through because as far as they can tell you aren't "Bob", security has been compromised. When security is based on human inspection of said passport, clearly it's subject to human error. When security is electronically based, such as the case with RFID, all but the most basic of human interaction should be removed from the "is this a real passport?" equation.
Never let a computer do a job that can be done by by HungryHobo · 2008-10-01 23:00 · Score: 4, Insightful

"Never let a computer do a job that can be done by a human."
I just can't agree with this.
People can be fooled easily enough and the more that's automated properly the better. A human(well thousands of them) *could* do all the interest calculations at your bank but it would be stupid to do it that way.
There are loads of jobs out there which are better done by machines.
Hahahahahaha by Jane+Q.+Public · 2008-10-02 00:06 · Score: 3, Informative

Hahahahahahahahahahahahahahahaha! Hahahahahahahahahahaha!

Of course we already knew, when U.S. passport encryption was broken in all of 2 hours, that this was inevitable.

And the government did it all in the name of more "security".

But as we know, it is actually less freedom, and LESS security. This is just more proof.
Sorry, proves nothing by BLKMGK · 2008-10-02 00:57 · Score: 2, Interesting

This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!
Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.
Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenters testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!
So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...

--
Build it, Drive it, Improve it! Hybridz.org
Obvious Fake by jea6 · 2008-10-02 01:10 · Score: 3, Informative

For conspiracy theorists: Elvis' middle name was Aron, not Aaron, right?
Wikipedia says "Presley's genuine birth certificate reads "Elvis Aaron Presley" (as written by a doctor). There is also a souvenir birth certificate that reads "Elvis Aron Presley." When Presley did sign his middle name, he used Aron. It reads 'Aron' on his marriage certificate and on his army duffel bag. Aron was apparently the spelling the Presleys used to make it similar to the middle name of Elvis' stillborn twin, Jesse Garon. Elvis later sought to change the name's spelling to the traditional and biblical Aaron. In the process he learned that "official state records had always listed it as Aaron. Therefore, he always was, officially, Elvis Aaron Presley." Knowing Presley's plans for his middle name, Aaron is the spelling his father chose for Elvis' tombstone, and it is the spelling his estate has designated as the official spelling whenever the middle name is used today. His death certificate says "Elvis Aron Presley." This quirk has helped inflame the "Elvis is not dead" conspiracy theories."

--

sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Who should be held accountable for this? by dma1965 · 2008-10-02 02:41 · Score: 2, Insightful

Some of you may feel this is not "newsworthy", but this illustrates a very important point. Lets look at the whole voting machine mess. The machines were CERTIFIED by the States they were used in. That means that the certifying body agreed that they met all requirements. Yet, once hackers found all of the security flaws in the system, the voting machine manufacturers were "lynched" in the court of public opinion. Lets look at the whole financial mess we are in. The Federal Government is paid by taxpayers to oversee our economy. They failed miserably at this task, and now are trying to saddle taxpayers with the burden of fixing the mess. Ultimately, our Government and the Governments of other nations approved this RFID Passport System...a system which was, at least in part, intended to address security concerns. Now that it is coming out that this too is a failure DUE TO A LACK OF OVERSIGHT AND ACCOUNTABILITY AT THE GOVERNMENT LEVEL, who is going to be blamed this time? Security experts have nearly exhausted themselves trying to get the message out about a lack of security in RFID Passports (and other RFID systems), but are all but ignored. Ultimately, we are all getting what we deserve, because we are simply allowing those we have put in charge of assuring our well being to fail over and over again, and we simply foist the blame on everyone else but those we have employed to prevent these messes from happening. WAKE UP SHEEPLE !!!!
Even real cloning is an issue by illegalcortex · 2008-10-02 03:25 · Score: 2, Insightful

Actually, even cloned passports are an issue. They're just one you can't do a lot about very easily.
They're an issue because if you can find someone who looks vaguely like you and clone their passport with or without their cooperation, you can assume their identify. Just alter your features a bit from what is in the picture. If they have medium-long hair, get a buzz cut. If they have no facial hair, grow a bear, mustache. Or vice versa. This is especially effective if you are in a minority in the country you are using the passport, as the "they all look alike" effect will carry you very far. For extra measure you can practice forging their signature.
Yes, it's a less effective exploit, but one that is a lot harder to guard against. Even if you put more biometric data in the passport like fingerprints, retinal scans or even DNA, the realities of passport processing lines make it unlikely you will be caught.
Re:I'm confused by Sique · 2008-10-02 03:50 · Score: 2, Insightful

Because passport data is supposed to be read by foreign authorities. Or would you vote for a big worldwide database containing all humans passport data, and accessible by every gouvernment of the world?

--
.sig: Sique *sigh*