Hackers Clone Passports In Driveby RFID Heist
pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.
Jules Verne called, he wants his time-machine back.
Dupe story:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
They're not real passports and nothing was cloned. Nothing new.....
The RFID is the most important part. Check the rest of the web for more info.
Never trust a man wearing a coat and tie!
Slim pickings methinks.
He might have better luck sitting outside the international departures terminal(s) at the airport. I'm sure he won't attract much attention there.
Recall the man who made his own airline tickets
not all that long ago?
Recall the sh*t storm that brought about ?
Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.
Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromagnetics like iron and steel are more effective than non-magnetics like aluminum.
The summary clearly says:
During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.
Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.
We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.
Per usual, security usually fails because of the user.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.
Sniffing is actually a good way to get the data... it's not unfair at all... What is a shame is the RFID company that sued him... instead of working on a solution with him.
I can't call that English
As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:
1. FTA:
Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a 'kill code' (which can wipe the card's data) and a 'lock code' that prevents the tag's data being changed.
However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.
2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
See:
http://en.wikipedia.org/wiki/Biometric_passport
And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...
How did you test this to make sure?
This guy is way out there
Unfair because he didn't make a fake passport? What are the editors gonna say when he DOES make an illegal fake passport? That too is unfair because he didn't actually attempt to fly with it to prove it would pass the passport security checks?
He got the data. He can write it back into another cloned RFID chip. Good enough I say to prove the point that it can be done. No need to go further, I'm sure the gov't already wants to silence him, don't give them a good ripe excuse to do so!
Well, depending on the passport type, at least your picture, and sometimes your fingerprints too. See: http://en.wikipedia.org/wiki/Biometric_passport
US Passport card != ICAO passport
Bam! Problem solved. Nothing more to see here folks, let's move it along.
A simpler solution would be for the U.S. government to stop paying taxpayer money to embed RFID chips into passports. That saves money and eliminates the risks to everyone, not just the tech-savvy.
I wonder how much money the government would save if they just stopped doing everything that is stupid. (I realize that in order to do that Congress would have to agree on what constitutes stupidity, and agreeing on things ain't their strong suit. Still, I wonder how much money.)
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/
And not only passports, I just won a fight with my credit card company (Chase) about their use of RFIDs in their new credit cards. I refused to carry them and came close to canceling the account before they finally sent me a new card without one. By that time I had two useless cards with the RFID chips in them, so I stuck them in the microwave to see what would happen. It was spectacular. A couple of seconds and they burst into flame! And to my surprise, there was an embedded loop antenna in the cards that extended most of the card's length and about half the width. Someone could have read that card from a hundred meters with even simple equipment. Oh, and the icing on the cake: every time I called about this issue they tried to sell me extra "protection" against identity theft. I think it was "only" $9 a month.
BillyDoc
Yes, but your linked page also states
Availability: [ info ]
Out of stock. (Est. 1-3 Weeks)
[ Email me when available ]
This product is not available
for purchase at this time.
Of course he only sniffed the data and didn't make a fake passport. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery?
I certainly would have stopped at successfully sniffing the data. Besides, all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity. Now, don't you feel that RFID in your passport has made you more secure?
far...out
Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nations' citizens?
But the fact that you could use this technique to drive around and look for American citizens. Maybe combined with triangulation and there is your kidnap victim...
Even if he didn't go all out making a passport (which would get him in a world of trouble), he showed proof of concept for getting the data and how simple it was to do so.
If I build this device and go sit outside an airport, I won't pick up most passports due to the RFID chips being "blocked". I don't think that's hard to imagine. But if I'm looking to steal data, all I need is that 1% (or less) to have their RFID passport "open".
I understand the want of the RFID chip in a passport. The guard can easily scan it and pull up all relevant data he needs on me. But there still needs to be a second verification of some sort in place.
It's important to remember, no security is flawless. We can just do the best job we can with the tools we've got.
Just use one of those innocuous bags or envelopes that hard drives and PC boards come in. They block the signals pretty well since they block static electricity, they'll block the signal as well. Unless the "cruiser" uses a signal strong enough to penetrate, which would mean that it would probably be detrimental to the person holding the passport, too, it might give them away. (As if the giant power supply wouldn't.)
Wow, they moved on from cloning RFID tags to cloning
tags!
The new standardized EU passports have digital biometric information on them too. Although I don't think it is RFID.
Last time I used my passport, I had to specifically show the first page (where my photo is) faced down to the reader. Other page/orientation combinations didn't work.
So I think they read the information by infra-red. I didn't Google, it's only a guess.
I have such a wallet that I bought from Ebay. To test it I put my cellphone in and called it. The phone rang just like it should. Is there a better way to test the effectiveness of these wallets?
It is dangerous to be right when the government is wrong.
The information he read was from an EPC Class1 Gen2 encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96). The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 Company Prefix database, and it's not searchable here. - anyone else have those mappings?
It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
What is the point in putting RFID into passports other than to make them easier targets for cracking?
Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.
I have a bad feeling about this...
The SIM cards used in cellular phones use an algorithm to confirm identity. The network will transmit a number that is then manipulated to form a new number by the phone. The number is transmitted and compared to what the network was expecting from the individual the phone is claiming to be. If they match then the person is who they say they are. The algorithm is impossible to duplicate without having the SIM card and brute forcing to find the algorithm (still next to impossible). The credit card industry is now introducing this because it makes it impossible for someone sniffing the data transferred to use it productively.
A cellphone has a powered transmitter, and a boosted receiver with a specialised antenna. An RFID chip must rely solely on the radio energy it receives to power itself up and transmit back, so I'm not sure that a cellphone is an adequate test.
The signal power you're talking about for a phone is going to be so much higher, and likely at totally different frequencies.
I think the only way to test it effectively would be to see if the RFID reader at the airport still works with the wallet, assuming the person working the desk doesn't mind you testing it out.
Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?
[FUCK BETA]
Like the one at Thinkgeek?
If you want results, try it in Washington DC.
-- I was raised on the command line, bitch
I don't think that Mr. Paget was trying to make a point for "hey, look, Passport data!" at all. In fact, he states in his video himself that all he got were the unique IDs for the RFID, which have a prefix which indicates whether it is, say, a passport.
What I got from his video - and which is a perfectly valid argument against RFID *in general* - is that he now -has- that unique ID. Presumably, you are the only one with your (passport) ID. Next up, link that to an RFID scanned at the very same time.. except this time it's just some grocery store's RFID. It doesn't come with encryption up the wazoo - why would it.. it's just for you to get grocery 'discounts' and for them to know wtf a person may be buying throughout periods of time. But instead of a store ID that correlates to name data somewhere in their database, they decided to just store the name right on the card itself.
Now you have a name to go with the ID from the passport. Congratulations, you can now track not just an ID, but a person.
Yes, I know, you're still 'only tracking that one RFID chip', and sure.. it could be on somebody else's person. Again, though, with a (passport) ID - how likely is that?
Proof once again that the "editors" don't even read Slashdot any more. Dupe from yesterday, Taco. Yesterday.
If you were blocking sigs, you wouldn't have to read this.
How did you test this to make sure?
In a link in the old article was the full testing. In a nutshell, they cloned some Washington Drivers licenses into the same chip. Then tested sending the kill command at low power, when there is not enough power to complete the operation, the chip reports a low power command fail. After the power needed to produce low power fails and kills, it was tested on real licenses to see if the kill was enabled or protected by a PIN. It is unprotected.
Here is the info;
PDF alert http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf
See table 4 in the PDF for the kill bit testing on Washington State Drivers Licenses.
The truth shall set you free!
RFID blocking wallet --> http://www.thinkgeek.com/gadgets/security/8cdd/
Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport
Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
Just replying to confirm that the ThinkGeek wallets DO, in fact, work as advertised. I realized this after trying to leave my office's parking lot by fruitlessly waving my newly-acquired RFID-blocking wallet (with parking pass inside) at the entry gate's sensor.
Why make up a story title whose claims are unsupported by TFA? Nothing was 'cloned' here. And the 'cloning' that is mentioned in the summary refers to the RFID chip, not the passport as a whole. Does Taco not understand the difference, or does he see his role as editor in making stuff up? Neither possibility is very flattering, IMO.
It was a poem you insensitive clod!
I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.
Note that you're talking about something completely different.
The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.
If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.
The CARD does not require cryptographic authentication and has no closeable cover.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
For example, computers could be much more secure if people change their passwords every month
Really? What happens on day 32 that I need to change my password to prevent? What threat cannot be realized in a month, but can be realized in two?
The idea behind changing passwords is to have a new password before the current one can be broken by a determined attacker. The current reality is that a weak password can be broken in hours, and a strong password can't be broken in anyone's lifetime.
Changing passwords monthly (or daily for that matter) is not effective if you use weak passwords and it's not needed if you use strong passwords.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
To test they can't read it? Simple, asked the guy at the airport to try and read my passport while it was still in the wallet.
...except when you pulled your passport out of the holder to use it, and got it scanned not only by the customs agent, but by the guy sitting on a chair nearby stealing your info, who knows that the airport is a great place to come and do that. Seriously, why would they think it is a good idea to put your data into a form that broadcasts over the air? There are lots of good uses for RFID, and I can't see how this is one of them.
Relying on the end user for security is a bad idea. It is very easy for example to overestimate the user's intelligence. In practice people often simply don't understand what security issues there are and what to do about them, even after being told of said issues. And if they do, it is often very hard to understand the implications, not just because it's hard, but also because the consequences can be out of reach of most people's imagination. This then leads to the security issue sinking on the user's priority ladder, causing the user to disregard it in favour of, say, convenience. And even if you can make them grasp all that, you've still got to remember that the end user probably comes in contact with lots more products, each of which may have something associated with them to be mindful of, security related or otherwise. Can you really expect people to juggle all that in their heads all the time? I think even highly intelligent people will unavoidably have a security lapse every now and then if you rely on them to be mindful of it all the time.
It's absolutely worth noting this is about cloning US Passport Cards, which are completely useless outside the US, not real passports.
Passport Cards use a simple RFID system (EPC) where the chip simply spits its ID number out.
Passports, on the other hand, require a reader to authenticate by passing a hash of (passport number, date of birth, date of expiry). I don't think that's nearly enough information to ensure security, but at least it's better than nothing.
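The key derivation these comments refer to for the passport book (Basic Access Control in ICAO Doc 9303), as an added example that is not from the thread. It covers only how the two access keys are derived from the printed machine-readable zone, not the challenge-response that follows; the document number and dates are the specimen values from the ICAO worked example, and the function names are this example's own.

```python
# Added example: BAC access keys derived from the printed MRZ fields.
import hashlib


def mrz_char_value(ch: str) -> int:
    """MRZ character value: digits as-is, A-Z -> 10..35, filler '<' -> 0."""
    if ch in "0123456789":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def mrz_check_digit(field: str) -> int:
    """Check digit over one MRZ field, weights 7,3,1 repeating, mod 10."""
    weights = (7, 3, 1)
    return sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Document number, date of birth and expiry, each with its check digit."""
    doc = doc_number.upper().ljust(9, "<")
    if len(doc) != 9:
        raise ValueError("this example handles document numbers up to 9 characters")
    for date in (birth, expiry):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates are YYMMDD")
    return "".join(f + str(mrz_check_digit(f)) for f in (doc, birth, expiry))


def adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES keys)."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """16-byte two-key 3DES key from SHA-1(K_seed || 32-bit counter)."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(doc_number: str, birth: str, expiry: str):
    """Return (K_enc, K_mac). Nothing secret goes in: only printed data."""
    info = mrz_information(doc_number, birth, expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example.
    k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ info:", mrz_information("L898902C", "690806", "940623"))
    print("K_enc   :", k_enc.hex().upper())
    print("K_mac   :", k_mac.hex().upper())
```

Because the inputs are the document number and two dates, the strength of the keys is bounded by how unpredictable those printed fields are, which is the concern raised in the comment above.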
Why don't they just put a little cpu in there to add some random numbers (maybe a timestamp) and sign the whole message - changing every minute or some such interval?
I believe the article is talking about passport cards, and not about passport books. It's quite a bit harder to read RFID data from a passport book since "the passport cover contains a radio-frequency shield, so the cover must be opened for the data to be read."
That would require we as humans stop doing stupid things. Putting on makeup in a car, talking on a cell phone, having sex. All done in a car moving at highspeed usually.
He is just skimming IDs, not cloning or even collecting any information of worth. It's no different than some retard driving around with a wifi scanner collecting SSIDs and MACs for a bunch of WPA2 networks - it's not the same as getting into the systems behind them. I guess I am new here, but I expect this kind of cheap overblown title from trash like Wired, not from /.
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
My province, Manitoba, has just come up with these ID cards that will let you cross US land & sea borders. They're apparently credit card sized, but a bit thicker, and work on RFID. Supposedly the RFID chip only contains a unique identifier. If that's the case, an attacker would have to have physical access to your card to clone it, because the unique identifier would do nothing.
The province includes a protective sleeve which must be removed to be read by RFID readers at the border crossings. Even the envelope they mail it to you in has RFID protection. Obviously their consultations yielded a bunch of people who were concerned about this, not to mention the Privacy act and other considerations.
These are only for people without passports, and are not valid for air travel, or entry into any country other than the US.
What kind of encryption do they use? Do they just unlock the chip, or is the actual data encrypted? Can I build my own passport reader to see what's stored on my passport?
NT
Let's draw a line between "stupidity" and "selling off the entire human race into slavery."
Maybe the post is also a poem?
I have a passport card and they give you a foil lined sleeve to keep it in.
Haven't looked at your passport or traveled outside the country much lately, hm? There are machine-readable bar codes in US passports now, in addition to RFID. The "government workers" you unfairly malign regularly open and slide passports through readers/recorders, in the US and lots of other countries.
I had assumed it was a terribly awful haiku.
Once you pull your passport out and open it, anyone in line-of-sight can read it with or without RFID. As it turns out, light transmits your password information over the air well.
If you want to bash RFID feel free, but please pick a threat that's actually related to its use.
Faraday cage for your passport, only $50... http://www.thinkgeek.com/homeoffice/gear/a7a2/
A Faraday cage must totally enclose the device, i.e. no magnetic flux lines can leave the cage and terminate outside the cage.
So unless you have a tiny phone, I doubt a wallet was designed to totally contain an object the size of a phone.
I always thought of Creationism as the Raving Right's version of the Loony Left's Anthropogenic Global Warming-brightmal
this kind of technology makes people and their information LESS secure, rather than more. Because it makes it far too easy to read someone else's information and clone it.
The RFID Nazis will be quick to tell you that there is also a unique encryption key in the passports, but as has been pointed out elsewhere, only 5 of the 45 signatory nations supply their keys to the international database, and as long as any of those 45 nations fail to do so, the keys are meaningless because it is possible to clone passports from any of the non-compliant nations.
And we KNOW that it is possible to physically duplicate passports effectively... after all, that was the justification for using RFID in the first place. So that isn't an argument.
First off, RFIDs in passports do vary by region, but there is an international standard. The RFID actually carries a lot more than "just" the database key (I will get back to the key in a moment). It also carries other personal information that the passport contains, such as name, address, and physical characteristics (height, weight, hair and eye color, etc.). Failure to carry that additional information would drastically compromise any "security" that the RFID promised.
The RFID also carries an "ID" number in addition to the database key. Unfortunately for the RFID concept, the ID number (not the unique key) of a blank RFID can be given whatever value the writer wishes. The upshot of this is, ALL the information from a passport (ID, physical and other information) can easily be read and cloned, except for the key. This cloned information can also be altered before it is written to another RFID chip.
Now, as for the database key (which is not the same as the ID): the database system is based on an agreement between 45 countries to form a standard, common database for passports. Here is the problem: as of today, only 5 of those 45 countries are supplying the database with RFID keys. And -- as anyone knowledgeable about the passport system will tell you if they are honest -- as long as ANY of the signatory nations fail to comply by supplying their unique keys, the database system is completely useless, because it is possible to clone all the other information and thus create a fake passport from ANY of those other 40 countries.
And if you know anything about international politics, you would know that it is about as likely as a snowball in hell that all 45 nations will ever comply.
So today -- and for the foreseeable future -- the "unique key" of a passport RFID is effectively useless for security. Anyone knowledgeable about the system can read an RFID remotely, clone (and alter) the personal data contained, and forge a passport from any of the 40 nations that do not comply with the database standard.
You must have some kind of super vision to be able to read a passport, or any other normally written characters at 25 feet. Definitely line of sight, definitely in range of RFID readers. Probably not in range of your eyesight.
Sure, this breaks down at ~10 feet or so, but come on, your response seems lacking in sense.
See my comment above. The digital "signing" of the passport IDs is effectively useless for security against a knowledgeable forger.
This is "feel-good" security, or as Bruce Schneier calls it, "Security Theater". It makes people feel safer but in effect (because it does give a false sense of security but is so easily circumvented), the ACTUAL effect is to make people less secure.
http://www.passport-stronghold.com/products.html
They already exist and I've seen more stylish ones than these.
There is much more to a passport RFID than just that, and in fact the "key" is effectively useless against a knowledgeable forger. See my comment further above for more explanation.
I wasn't bashing RFID, and said so in my post. I was pointing at, to put it in your sort of wording, a threat related to this particular use of it. You point out exactly the problem with your own argument: line of sight. Turns out that most people, if another person is peering over their shoulder at a document in their hands, will believe that their documents are being read. Whereas if you're holding it closed, or handing it to one specific person to be examined, you don't expect some person near you, who can't see the contents, to be able to read them.
Do you really not see a security difference between a passport that someone else can read only if they are near enough to see it clearly, manage to maneuver themselves into a position to be able to read it, if all the relevant pages are turned for them, and one that someone can read fully just by being nearby? You can exert some control over who visibly can see the pages of your passport, and you expect to shield sensitive information from view in public environments. You have no control over who can read your passport's radio transmissions.
In general, what people have been calling "stupid" here are the "security experts" who have designed this fatally flawed system, and the government wonks who caused it to be implemented. I don't think cries of "stupidity!" have often been aimed at end-users, however you must admit that the average citizen knows little about these issues. In which case the term "ignorant" is more appropriate than "stupid" anyway.
It has been illegal in California since October to sniff for RFID unless you're in law enforcement. What Chris did is illegal.
Although the cover may protect it, data encryption by itself won't protect you from malicious people keeping track of your movements. It's an easy thing to keep track of say everyone's movements at some kind of gate, and later adding a photo to whatever unique encrypted data is read from the chip. I could gather a few months worth of data at a public place, then pinpoint someone in a crowd and see exactly how often they were there, how long, and so on. All it takes is one easy unique way to distinguish a person (not necessarily identify, although coupling it with other systems may make that possible), and it opens up a lot of interesting ways to keep track of people.
When you stay in a hotel in most countries, they keep your passport for a while. And they don't keep it in your tinfoil wallet. The ability to read your passport from the hotel lobby is bad for a number of reasons, from simple cloning to identifying the guests of some nationality before the shooting starts.
Socialism: a lie told by totalitarians and believed by fools.
Assuming the document ID (any identifiable string) can be determined at a distance, yes.
There are two solutions to this. The first is the fact that the RF technology used by these chips does not work well at long ranges. In lab environments it's possible to get distances of up to a meter, but in the real world the limit is around 10 cm, assuming nothing is between card antenna and reader antenna (and assuming reader antenna is a high-gain type). The super long-range stunts you read about use a battery-powered repeater placed within a few centimeters of the card.
Note that the above applies to the passport books. I'm not sure what the passport cards use, but it appears to be a different RFID technology which supports longer-range operation. It's highly likely that they also do not contain the same level of personal information that is in the books, simply because the 900 MHz RFIDs (unlike the 13.56 MHz contactless smart cards) don't provide the same storage capabilities.
The other solution is ATR randomization. When powered by the reader field the chip transmits an "Answer To Reset" which includes some unique identifying information. Many researchers have called on the ICAO to specify that this should be randomized, exactly to prevent the sort of thing you describe. Manufacturers produce chips that do randomization. AFAIK, the US state dept. is not yet using them, although it's not unlikely that within a few years there will be no chips on the market that do NOT randomize their ATRs.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
A simple solution would be public key cryptography. Not storing any data about the person on the RFID, just a govt. issued digital signature of e.g. holder's DOB, name and passport number. Then an attacker would need to be able to read (as in take a look at it) the passport to be able to duplicate it, which would make this type of sniffing attack useless. It would also allow anybody _shown the passport_ to verify the authenticity of the signed, printed information against the public government CoA.
While it would still be possible to copy the signature with access to the printed-only information that was signed, this could be mitigated by distributing blacklists for known dupes.
Alternatively, if you are government, index the passport data by the signature for easy wireless retrieval from a central database at a secure terminal. That way you don't necessarily need to even look at what's printed on the passport, just compare the facial features/fingerprints/retinal scan vs whatcha got in the database.
Can't believe the stupidity of the RFID passport schemes in most 'civilized' countries.
Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action."
Revenge is a dish best served cold.
Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport.
So what? The fact that he so easily grabbed that data is unnerving, and the availability of such personal information has ramifications far beyond a mere fake passport. It's good that he's showing the State Department's plan for what it always was: defective by design.
The higher the technology, the sharper that two-edged sword.
I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.
So it should be OK if you could trivially clone anyone who didn't want to spend extra money protecting themself?
(scans passport) - "well, either you are who you say you are, or you're one of the 98% of Americans who didn't bother to implement electromagnetic jamming on their wallets"
Well, the option is there to sate all the "government can't tell me what to do!" types, leaving it up to the individual to decide if it's worth it.
to any great extent, it was an article about someone who had cloned a passport, altered the data, and then tried the RFID on an airport reader, which showed the passport holder to be Elvis Presley.
The important part of course being that the personal data (not just an ID) can be altered. I have already discussed the problem with the encryption key.
Here is a link to an article about the prior data diddling that has been done:
http://arstechnica.com/security/news/2008/10/rfid-passport-hack-has-scanners-seeing-visions-of-elvis.ars
With very little effort you can find more information via Google, for example about the 45 signatory countries and the difficulty of not having them all aboard. That's how I found out about the situation... a few minutes with Google.
that is included on the chip, for lookup by readers according to the ICAO specifications. It is NOT the "ID" of the RFID chip, which can be given any value when the data is written to the chip by the burner. The unique keys are implanted in the chips at the time of manufacture and are in fact the only data on the RFID that cannot be written with custom data.
But once again, it has been admitted that as long as any of the 45 signatory nations do not supply their IDs to the database, it will be possible to forge passports from those countries. Without the unique number in the database, the readers don't have anything to look up except the data that is on the chip itself.
I don't have time to go hunting for citations right now. If you are truly interested in finding out about this you can spend a few minutes on Google and find it yourself, from sources that are plenty reputable enough to convince any reasonable person. It wasn't hard for me to find it, at all. But I am not going to go look this evening, I have other things to do.
Do you trust that unknown guy across the side with his scanner? ...
He might just have cloned your cards without you knowing it
This is a proof of concept which is very close to an authentication reality disaster ...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
The Kill-Pin can be used to hide tracking information without the owner of the password knowing this.
It has already been proven before.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Heise Security has shown before that the cordless phones in Europe working with the DECT algorithm are all vulnerable to easy eavesdropping.
SIM Cards are only smartcards; which can still be copied over with enough funds a/o materials.
I don't really know if we can rely fully on this...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
here and pdf.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Now we got nobody to test the RFID security in jail! ;)
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
See the link to the article above. Believe me, this was all hashed out before, when that article first reached Slashdot, and they did indeed do it.
That's right. After all it is more convenient to have cards with special RFID blocking cases, than to go through the hassle of having to hand over a card so its magnetic strip can be swiped.
I love ssergorp
I find it pretty surprising that in one message you can write such things as "you don't know what you are talking about", and then in another message try to pump me for information.
It looks like you will either have to do your own research on the matter, or remain ignorant, because the one insult is plenty, thank you very much. You can go get your information elsewhere.
I will cut an anticipated reply ("you won't answer because you can't") off at the pass, and state that yes, I could in fact explain this all fully for you (now that I am back and have some time), and cite references, but now I have no reason to do so, so I shall not. Find them yourself.
I will give you just one hint and say that at least some of the information is linked to in the LAST Slashdot thread that had to do with this very same subject. In fact much of what you are saying was echoed, several times, in that discussion, by people who weren't up on the technology or policies.
There are multiple technologies, all called RFID. Some of them have very short range (like the ISO 14443 used in the passports, also known as NFC), which has pretty much a maximum distance of one metre (due to the coupling it uses).
However, there are other technologies which allow far longer reading range - such as the one used in these inconveniently named "passport cards". The EZPass cards can be read from the range of several metres fairly easily.
Don't confuse these "far field" and "near field" RFID technologies. They are physically quite different beasts.
Or just buy one of the Nokia phones which already have an RFID/NFC reader in them (yes, it can read passports).
http://europe.nokia.com/A4991361
Yes, correct. Some of the passports out there already provide ATR randomization providing random anticollision IDs for each query, so there's no unique data which can be used to identify the passport.
Unfortunately this is not widely used yet, though in all honesty, following your cell phone IMEI or Bluetooth code is far easier than trying to read the passport anticol id - you need a really large and expensive infrastructure in order to have any sort of massive tracking capability for this near field RFID...
in all honesty, following your cell phone IMEI or Bluetooth code is far easier than trying to read the passport anticol id
Excellent point. I wonder how many of these people that wrap their passports in tinfoil are carrying a powered-on cellphone which, as you point out, is not only nicely unique but transmits a nice, strong signal that is -- by design! -- detectable for tens of kilometers, rather than centimeters.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
A Faraday cage must totally enclose the device, i.e. no magnetic flux lines can leave the cage and terminate outside the cage.
So unless you have a tiny phone, I doubt a wallet was designed to totally contain an object the size of a phone.
I see, thanks. I'm no electrical engineer, so this was not all that clear to me. Tell me, assuming average human adult cranial dimensions, what size should a real tinfoil hat be then?
It is dangerous to be right when the government is wrong.
Think of a Tyvek painter's suit, but made out of tinfoil, with a see-through mesh screen. Caveat: mesh will only work for specific wavelengths. A modern laser microphone is impervious to your tinfoil silliness.
I always thought of Creationism as the Raving Right's version of the Loony Left's Anthropogenic Global Warming-brightmal