Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Problems With RFID Passport Cards

Posted by timothy on from the clearly-unpossible dept.

An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.

12 of 172 comments (clear)

  1. Breaking news: by cosmocain · · Score: 4, Interesting
    The left hand doesn't know what the right hand is doing.

    FTFA:

    We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.

  2. Again by RAMMS+EIN · · Score: 4, Interesting

    This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?

    --
    Please correct me if I got my facts wrong.
    1. Re:Again by jlarocco · · Score: 3, Interesting

      This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?

      First, the article isn't talking about passports. It's talking about the new passport cards. It's not necessarily a given that the same RFID chip is used in both of them.

      Second, passport cards aren't even required. You can get a regular passport with or without getting the card. The cards have nothing to do with extra security and everything to do with making travel between the US, Canada and Mexico more convenient.

      Third, the RFID chip in regular passports isn't required either. You can get the passport, smash the chip with a hammer, and use it just like a regular old passport.

      In any case, it's 100x easier to just order somebody's birth certificate, make a fake ID, and order a legit passport in their name.

      --
      Maybe not
    2. Re:Again by TheP4st · · Score: 2, Interesting

      The data can't be altered because it's digitally-signed.

      mmkay..

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    3. Re:Again by hughk · · Score: 2, Interesting

      In addition the RFID contain the same information you see in the passport, so that you can check that against the database and future use would allow checking the RFID stored photo with a camera scan to verify ID.

      No. A friend of a friend got his new RFID chipped passport in the US. He refused to accept the passport without the chip being checked. This was good because it was someone else's chip in his passport. The manufacturing process has got screwed up and the wrong data was recorded in the passport.

      The reaction of the staff was not surprised although they didn't say how often it had happened.

      --
      See my journal, I write things there
  3. this is intentional by Anonymous Coward · · Score: 5, Interesting

    Part of creating a more authoritarian society is to keep your populace under fear. To have the more knowledgeable elements of your population know just how close they are to losing their freedom due to a modern equivalent of a filing error is entirely intentional.

    No-one in government/civil service wants these documents to be 100% secure. A few accidental misidentifications will keep everyone realising how powerless they are, and a few "accidental" misidentifications will be used to conveniently eliminate specific undesirables.

    Summary: If you fear that your identity will be stolen now, the government is operating as intended.

  4. Re:Anonymous Coward by txoof · · Score: 4, Interesting

    A moulding nail works great for smashing the hell out of just the RFID chip. My new AmEx came with one and I immediately crushed the hell out of it. I was thinking about doing the same to my new passport when it arrives. I decided that the plausible deniability might be a little slim for a precisely placed hole over the chip though. Perhaps another destructive method might be in order. Who knows what might happen if I accidentaly stood too close to a strong microwave emitter... I hear that the microwave oven is good for drying out wet passports too.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  5. Re:nothing to worry by SL+Baur · · Score: 5, Interesting

    Oh yeah. Nothing to worry about. One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain. I've never been to Europe, have no planned trips there for maybe the rest of my life. Wonderful.

    Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected.

    s/criminals/kidnappers/ which IS an issue in places I travel. Those RFID thingies shout out, "I'm an American citizen, kidnap me!".

    Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.

    See previous comment.

    Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said.

    Bwahahahaha. Can I please have my paper only passport back, please? It's for my safety and think of my children.

  6. Re:Anonymous Coward by HungryHobo · · Score: 2, Interesting

    It will be considered a mangled document. Never mind that it's also an old style passport, if the RFID tag is broken then it's considered the same as if the passport was dipped in ink or burned too badly to read.

    The fun starts when you consider that RFID tags break if exposed to too stong a signal of the kind used in RFID scanners. You could build one fairly easily, stick it in your backpack and hang out or even walk through somewhere with a lot of tourists.

  7. Re:Anonymous Coward by dyingtolive · · Score: 2, Interesting

    I think the whole point is that (omitting the mangled document thing from the other reply) it prevents anyone else from reading/stealing/monitoring your data and hopefully would just be manually read and you would be on your way.

    --
    Support the EFF and Creative Commons. The war is coming, and they're supporting you...
  8. So what? You still need to forge the card itself by jjo · · Score: 4, Interesting
    Just cloning the RFID code isn't a particularly safe way to forge a border-crossing card. With a blank RFID card carrying cloned data you are running the risk that the border agents will examine your bogus RFID card, see that it's not geniuine, and bust you for forgery.

    Even if you do a convincing forgery of the card itself, you run a risk of discovery. Using the RFID data as an index into the government database, the border agent's computer system will pull up the photo (or other biometric data) of the genuine cardholder. If they are paying attention, they will see that you are not the right person, and bust you for forgery.

    Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use. If others do the same, this vulnerability will be restricted to places where the cards are used, i.e., border crossings. Lurking around border crossings to clone RFID data seems like another risky strategy.

  9. Re:How should I respond to this? by SharpFang · · Score: 4, Interesting

    8. Shut up. This is to stop the terrorists. And you don't want to support terrorism, do you?
    9. Shut up. This is to protect the children. And you don't want to support pedophilia, do you?
    10. This is a classified information you were not authorised to obtain. Please lay on the ground face down and place your hands on your head.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2