Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Problems With RFID Passport Cards

Posted by timothy on from the clearly-unpossible dept.

An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.

20 of 172 comments (clear)

  1. Breaking news: by cosmocain · · Score: 4, Interesting
    The left hand doesn't know what the right hand is doing.

    FTFA:

    We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.

  2. Re:Anonymous Coward by L4t3r4lu5 · · Score: 4, Informative

    Already been done.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  3. Elvis by Krneki · · Score: 5, Funny

    So, if I want to be Elvis all I need is one of those new passports.

    Cool.

    --
    Love many, trust a few, do harm to none.
    1. Re:Elvis by Yvanhoe · · Score: 4, Informative

      You may or may not be aware that this very hack happened with the European version of the RFID passport in september :

      http://hackaday.com/2008/09/30/cloning-and-modifying-e-passports/

      By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    2. Re:Elvis by value_added · · Score: 4, Funny

      Elvis would be a good choice when registering to vote in Chicago. For border crossings, I'd recommend using Cat Stevens.

  4. How should I respond to this? by retech · · Score: 5, Funny
    1. I am shocked!
    2. I am outraged!
    3. I am indignant!
    4. Tubes, what tubes?
    5. This is why I wrap all my important body parts in tinfoil.
    6. Why didn't we know about this sooner?
    7. If it's not on BoingBoing I don't believe it.

    Please, someone in authority with intelligence tell me what to think about this. Oh.. wait... that's never going to happen is it.

    1. Re:How should I respond to this? by SharpFang · · Score: 4, Interesting

      8. Shut up. This is to stop the terrorists. And you don't want to support terrorism, do you?
      9. Shut up. This is to protect the children. And you don't want to support pedophilia, do you?
      10. This is a classified information you were not authorised to obtain. Please lay on the ground face down and place your hands on your head.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  5. Again by RAMMS+EIN · · Score: 4, Interesting

    This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?

    --
    Please correct me if I got my facts wrong.
    1. Re:Again by will_die · · Score: 5, Informative

      The purpose was to decrease the time it took to process a passport aka person. Bar codes can have problems being read and take more time to scan then RFIDs. In addition the RFID contain the same information you see in the passport, so that you can check that against the database and future use would allow checking the RFID stored photo with a camera scan to verify ID.

      The problems mentioned here and elsewhere are that you can copy an RFID make a duplicate of it. With a regular passport that is not really a problem, excluding privacy since they contain personnal data but the US system and others are suppose to be encrypted so you cannot get the info without the physical passport so you can get the key, because your passport is checked against the database entery and then the person doing the check is suppose to compare the computer to the passport to the holder and they should all match. In this case the problem is that these are passport cards, not regular passports, designed for people who cross the borders all time and this will allow for quick processing with the passport card never being checked by human; same system that you have for toll road cards.
      Since these cards and also drivers licenses are not encrypted and not checked by humans an evil person could copy the card, get your PIN and then have easy access to cross the border, provided they don't have sort of facial recognition system, being implemented, that checks your passport card against the database against the facial recognition system.

    2. Re:Again by Yer+Mum · · Score: 4, Informative

      My first reaction would be to say that you are kidding, but then this is yet another example of policy laundering.

      In the UK the government said it was because it was being deployed by the US.

      Basically it was a working group from the US, UK, Canada, Australia, and New Zealand which pushed it onto the ICAO and then each country was forced to grudgingly and unwillingly implement this standard which they previously pushed for.

  6. this is intentional by Anonymous Coward · · Score: 5, Interesting

    Part of creating a more authoritarian society is to keep your populace under fear. To have the more knowledgeable elements of your population know just how close they are to losing their freedom due to a modern equivalent of a filing error is entirely intentional.

    No-one in government/civil service wants these documents to be 100% secure. A few accidental misidentifications will keep everyone realising how powerless they are, and a few "accidental" misidentifications will be used to conveniently eliminate specific undesirables.

    Summary: If you fear that your identity will be stolen now, the government is operating as intended.

  7. Re:Anonymous Coward by txoof · · Score: 4, Interesting

    A moulding nail works great for smashing the hell out of just the RFID chip. My new AmEx came with one and I immediately crushed the hell out of it. I was thinking about doing the same to my new passport when it arrives. I decided that the plausible deniability might be a little slim for a precisely placed hole over the chip though. Perhaps another destructive method might be in order. Who knows what might happen if I accidentaly stood too close to a strong microwave emitter... I hear that the microwave oven is good for drying out wet passports too.

    --
    This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
  8. Re:nothing to worry by SL+Baur · · Score: 5, Interesting

    Oh yeah. Nothing to worry about. One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain. I've never been to Europe, have no planned trips there for maybe the rest of my life. Wonderful.

    Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected.

    s/criminals/kidnappers/ which IS an issue in places I travel. Those RFID thingies shout out, "I'm an American citizen, kidnap me!".

    Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.

    See previous comment.

    Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said.

    Bwahahahaha. Can I please have my paper only passport back, please? It's for my safety and think of my children.

  9. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  10. Re:nothing to worry by ettlz · · Score: 5, Informative

    One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.

    Really?! Because I thought here in the UK, one of the main stated reasons they started introducing RFID passports was to facilitate entry to the United States!

  11. Tinfoil anyone? by dword · · Score: 4, Funny

    Damn it, now I have to take off my tinfoil hat and use the tinfoil to protect my RFID!

  12. Re:nothing to worry by TheRaven64 · · Score: 4, Insightful

    One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.

    Actually, much of Europe. But talk to your government about that - they started the tit-for-tat escalating entry requirements. When someone enters the US now, they are photographed and fingerprinted, and the only reason I didn't require a biometric passport for entry last time I went was because there was a temporary visa waiver program in place for people without biometric passports.

    Most of the stupid entry requirements for Americans entering other countries are due to politicians responding to pressure from their constituents complaining about being treated like criminals when they enter the USA.

    --
    I am TheRaven on Soylent News
  13. Re:question to those who read the article by NoisySplatter · · Score: 5, Insightful

    They still can't.

    From the article:
    "Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance..."

    Considering the "passport" is the entire document and the tag itself contains no identifying information they still can't clone your passport at a distance. They could clone the tag inside it, but the process of faking your passport would still involve creating the paper hard copy. I'd say if they still have to do everything they used to and also something new then it's more secure, not less.

    Of course the ability to recognize and track a person's movements through the use of RFID is still worrying, but it's no easier to fake a passport than it used to be.

    --
    In Soviet Russia meme tires of you!
  14. Re:nothing to worry by niiler · · Score: 4, Insightful

    Are you ready for the inevitable conspiracy theory? Here it is, cooked up between my wife and myself after discussing the implications of renewing our passports shortly.

    The problems are actually a feature. Let me explain. Remember how the old Soviet-bloc countries didn't like their nationals traveling because they would see how much better the rest of the world was? (Don't get me wrong, I like it here just fine.) Well, if everyone who hears about this says "I guess I won't be traveling any time soon", it effectively stops travel (usually by the intelligentia) all the while allowing the govt to say "We have no travel restrictions on our own citizens".

    Of course, all this is nonsense. Our current administration would never feign incompetence to obtain other goals. Yet there's plenty of other information that suggests there's no tom-foolery about this and that the incompetence is real.

    So in short, I'm not sure which it is, but the bottom line for me is that I'm waiting until the last minute in the hopes that some of the recommended features are implemented by then.

  15. So what? You still need to forge the card itself by jjo · · Score: 4, Interesting
    Just cloning the RFID code isn't a particularly safe way to forge a border-crossing card. With a blank RFID card carrying cloned data you are running the risk that the border agents will examine your bogus RFID card, see that it's not geniuine, and bust you for forgery.

    Even if you do a convincing forgery of the card itself, you run a risk of discovery. Using the RFID data as an index into the government database, the border agent's computer system will pull up the photo (or other biometric data) of the genuine cardholder. If they are paying attention, they will see that you are not the right person, and bust you for forgery.

    Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use. If others do the same, this vulnerability will be restricted to places where the cards are used, i.e., border crossings. Lurking around border crossings to clone RFID data seems like another risky strategy.