Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.

I feel deja vu.. from monday

[uncledrax]

Jules Verne called, he wants his time-machine back.

Dupe story:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255

Bring out the T I N F O I L !

[redelm]

Seriously ... not tinfoil hats but around your wallet. These RFIDs seem to have greater range than advertised and that is a huge security risk for sniffing.

Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromatnetics like iron and steel are more effective than non-magnetics like aluminum.

How's it unfair?

[jc42]

The summary clearly says:

During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.

Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.

We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.

Protective Sleeve

[Jamie's+Nightmare]

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

Re:Protective Sleeve

[dotancohen]

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

I don't know about the Passport Card, but the US Passport comes with no such sleeve.

Re:Protective Sleeve

[NeutronCowboy]

I believe the foil sleeve is actually built into the binding. My girlfriend got a new passport, and the cover and back are a lot thicker than the old passports. It seems that there is some extra layer in there.

I haven't tested the efficiency of the new passport design, but I'll be getting a passport carrier that is lined with foil.

Re:Bring out the T I N F O I L !

[jo_ham]

I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.

Re:Bring out the T I N F O I L !

[dlaudel]

Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/

Re:Tinfoil is the answer. Seriously!

[swillden]

I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.

Note that you're talking about something completely different.

The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.

If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.

The CARD does not require cryptographic authentication and has no closeable cover.

Re:Why do passports need RFID?

[swillden]

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

The chips in passport books (not cards) ARE the same sort of device that's in the CAC. The old CAC cards are contact-only, which doesn't work well for a passport book because it would be difficult to build a reader. The CACs are being replaced by PIV cards which are dual-interface (contact and contactless).

Other than the contact vs RF interface, though, these so-called RFIDs in passport books (not cards) are exactly the same sort of technology as CAC cards. The chips have plenty of storage and provide cryptographic authentication capabilities.

It appears that a different, longer-range technology with no cryptographic authentication requirements was used for the passport cards.

Don't get one. Get a passport book. It costs a little more, but it can be used for visiting countries other than Canada and Mexico, and it doesn't have these security issues.

Re:*US Passport Cards*, not real passports

[HikingStick]

It's also important to note that real U.S. passports actually have shielding (effectively, a Farraday cage) built into the covers so that the RFID chip is only able to be powered and transmit when the passport is opened.

Re:Why is this unfair?

[techess]

You may not even have to find someone who looks all that similar. My husband and I just got our passports renewed and the new "theft prevention" measures makes id'ing someone by the photo difficult. There are so many wavy multicolored lines over the picture that it is very difficult to make out any distinguishing features. We can barely recognize ourselves.