Researchers Find Problems With RFID Passport Cards
An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.
I hear most Americans don't have password to begin with
I guess there's going to shortly be a huge market for small Faraday cages so we can carry our passports around without being identity-raped.
Bear shits in woods, news at 11.
FTFA:
We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.
Did they compare the efficiency of copying passports w/ and w/out RFID?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
So, if I want to be Elvis all I need is one of those new passports.
Cool.
Love many, trust a few, do harm to none.
Maybe researchers at Washington University should spend more time reading tech news than wasting research time and funds on proving the proven, eh.
Please, someone in authority with intelligence tell me what to think about this. Oh.. wait... that's never going to happen, is it?
I guess this is especially bad, considering their security!
Researchers discovered that the exact same thing that Slashdot users said would happen years ago, is happening. BREAKING NEWS.
You know, it'd be nice if one of these things actually caught us by surprise for once instead of seeing the government wanting to implement a multi-billion dollar program that is hacked before it is even designed.
...know about this? Because if not, please for the love of God don't tell him.
FAQs are evil.
This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?
Please correct me if I got my facts wrong.
Part of creating a more authoritarian society is to keep your populace under fear. To have the more knowledgeable elements of your population know just how close they are to losing their freedom due to a modern equivalent of a filing error is entirely intentional.
No-one in government/civil service wants these documents to be 100% secure. A few accidental misidentifications will keep everyone realising how powerless they are, and a few "accidental" misidentifications will be used to conveniently eliminate specific undesirables.
Summary: If you fear that your identity will be stolen now, the government is operating as intended.
No shit, Sherlock.
Athy, athier, athiest.
Damn it, now I have to take off my tinfoil hat and use the tinfoil to protect my RFID!
The question I'm asking right now is not "why didn't everyone just listen to me when I said it was a problem" but "does this make me a researcher too??"
Good people go to bed earlier.
people will no longer have the desire to do such nefarious things as clone passports. And if they do, he'll simply sit down with them and reason with them, and they will see the light and cease their evil ways. And the world will be as one, and we'll all join hands in a giant ring around the globe and sing Kumbayah as we sway back and forth.
Yet more proof that rolling out new, unproven and only vaguely understood technology on a large scale is likely to backfire in interesting ways. Sure you can iron out the bugs later, but it means that you're not now providing the best security you know you can. The state of the art in hard-to-forge documents still is without RFID and will remain so for at least a decade.
What utter bozos decided this was a good idea, again?
The persons who got the brilliant idea to put remote-readable technology into passports should be hit with a cluestick the size of the Eiffel Tower.
Like it would be such a big problem to put such a card into a reader with connection points.
Even if you do a convincing forgery of the card itself, you run a risk of discovery. Using the RFID data as an index into the government database, the border agent's computer system will pull up the photo (or other biometric data) of the genuine cardholder. If they are paying attention, they will see that you are not the right person, and bust you for forgery.
Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use. If others do the same, this vulnerability will be restricted to places where the cards are used, i.e., border crossings. Lurking around border crossings to clone RFID data seems like another risky strategy.
I see nothing that prevents Tina Fey from using Sarah Palin's passport.
I work with Motorola Canopy gear to bring people broadband to remote areas using RF. It's amazing how simple it is to steal some of our stream, access people's "radios" and routers and so on...
I guess if the global government wants to put a definitive leash on us, they'll have to pursue other avenues.
Otherwise, I can't wait to hack my RF brain chip!
Someone call the Mythbusters! Oh, someone did? Darn.
My web domain.
Seems like we in the UK just bend over and do whatever the US administration wants these days. We don't get to vote for the US leaders, but then, given the farce of the last couple of elections, it seems like the US don't either.
Be VERY RFID http://www.cafepress.com/berfid
If they are paying attention, they will see that you are not the right person, and bust you for forgery.
And therein lies the problem.
Well, it doesn't seem to be in the fine print of my new passport (without RFID!), but my old one states:
THIS PASSPORT IS THE PROPERTY OF THE UNITED STATES OF GOVERNMENT.
Followed by a paragraph titled:
ALTERATION OR MUTILATION OF PASSPORT
Prosecution (Title 18, U.S. Code, Section 1543), etc ...
I wonder if the new ones state: "This passport is only valid with a functioning RFID chip."
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Would keeping my passport in an anti-static bag that computer parts come with prevent it from being read? And does anyone know where I can get an RFID reader cheap? (cuz I don't trust the /. crowd to really know the answer to the first question.)
Also, what anti-copying technology could they possibly be talking about? It seems to me that unless the RFID chips have evolved into active things that actually read some transmitted data, decrypt it (proving you have the secret key without revealing the secret key) and send it back, RFID couldn't possibly be anything more than a bar code that doesn't require line-of-sight. 'splain it to me, Lucy.
The RFID passport cards may come with a foil sleeve, but the RFID passports themselves do not. Mine got accidentally left in a hot car in the middle of summer for 5-6 hours (before I even got my hands on it! Apparently, you aren't supposed to let it get above 80 F for very long...), then some heavy textbooks were accidentally dropped on it, and it may have got accidentally bent... and I still got one of those RFID-resistant passport things since I needed one anyways and actually wrapping my passport in tinfoil didn't seem economical. Although, I helped both my siblings who have passport cards line a pocket of their wallets with foil.
My wife just got her new RFID passport two days ago and it did not come with any sort of "sleeve".
All you people who said I was full of sh** when this subject last came up on slashdot.
Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use.
I don't remember getting a foil-lined sleeve with my RFID passport.
Hell, even my aging grandmother could find flaws in the RFID passports.
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
In theory your own border guards may be able to validate the identity of a passport holder. In reality, if you go to the US with a UK passport, I don't think the US will allow the UK immigration officials access to their database. In reality they will just use the image on the chip (maybe).
See my journal, I write things there
1. Forging the card is easy. You don't need access to the original, you just need to know what it's supposed to look like. They all look the same, and the info you need is on the chip. Convenient, huh?
2. I didn't get a foil sleeve with my new RFID passport. Nor did either of the other two people in my household who got theirs at about the same time.
3. "Lurking around border crossings" is perfectly safe, and not suspicious. I've crossed lots of borders and one thing they all have in common is large numbers of people standing around.
If the masses can keep you down, you're not the Ubermensch.
There are already several of these available for wallets and passports, if you don't just want to build your own.
It's easy to make up motivations, since it's completely unprovable. The more believable it is the better, and people will make up motivations that fit their own biases, so you can believe whatever you want. I prefer being more rational; do you have evidence for this? Has it happened in the past? Where and when? Do you have any evidence whatsoever that this is not just due to incompetence rather than conspiracy? How do you know that "no-one in government/civil service wants these documents to be 100% secure?" Do you know everyone in government and civil service, and have you asked them? If not, are you some kind of magical mind-reader? And how likely is it that literally nobody in government wants what's right for America? Nobody? There is no more sweeping generalization.
Love, Squeedle
In February 2005, cryptographers were already saying things like "Until further notice all new designs should use SHA-256" due to recently discovered weaknesses in SHA-1. It hasn't been cracked, and it's not in immediate danger, but in any system that will be around for decades to come it is an unwise choice.
How does someone use a microwave oven to zap the embedded RFID without leaving a noticeable mark on the passport (like a burn mark after too much power/time)? Maybe there's some amount of popcorn kernels that can pop before burning the passport, then stop the process after the chip is fried, before some larger amount of kernels pop before the passport burns?
--
make install -not war
I was in the back of a police car and the police opened the door and kept it wide open so these people who jumped a friend and me could easily jump in and attack us. They tried to use fear to get us to confess to something that we never did (hence why they intimidated us by putting us in their car and driving us over to where we got jumped by a gang, and talked to the gang leader, whom they let stand right next to the open door).
Same thing. Our government is stripping us of our security and letting us know they are, while telling us they aren't.
Some good ol' mindfucking.
"Microwave"
While forging the card isn't "easy" by any reasonable definition of the word, even a perfect forgery isn't enough. The picture (and in future, other biometrics) of the genuine passport holder will be stored in the government database, and called up via the index stored in the RFID chip. No matter how good the forgery, if the guards are paying attention to the computer output you stand a significant risk of being caught.
Implantable RFIDs are typically enclosed in glass capsules. However, the type typically used for this kind of application is a minimally-protected microchip surrounded by a coil of fine wire that is used for both communication and power. The kind used in department stores is usually a chip at the center of a printed (rather coarse) spiral coil, mounted on a paper or polymer base with an adhesive applied to one side. This kind is often read-only with only a few bits of information. They are usually about 1.5" square.
Whichever type, the microscopic structure of the chips is most vulnerable to being burnt out by a minimal amount of microwave radiation. Even a small burst of microwave radiation, in even a minuscule coil, should generate more than enough current to fry the chips. If kept to a short burst, this should not leave visible damage.
However, depending on the construction, if it is left in the microwave for more than about a second, the coil could generate currents that might melt or burn other surrounding structure.
I would recommend trying multiple short bursts, of no more than 1 second.
I should have stated "more than enough voltage to fry the chips". Apologies for any inconvenience.
As stated, it is easy to block any signal coming off an RFID tag (Faraday cage, easily created with foil or the like) to prevent tracking. Heck, just put the tag close to your person, such as in a breast pocket, and it becomes extremely difficult to read due to the water content in your body.
But I think it somewhat funny the level of worry - when I assume most of you have a cell phone, no? If so, you can be easily tracked, and much more...