Slashdot Mirror


Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.


  1. There is a very good reason he didn't clone it. . by nehumanuscrede · · Score: 5, Insightful

    Recall the man who made his own airline tickets
    not all that long ago?

    Recall the sh*t storm that brought about?

    Folks are learning the best way to keep the
    lawyers and police off their back is to prove
    the point, but don't go as far as producing
    anything illegal.

  2. Tinfoil is the answer. Seriously! by Bearhouse · · Score: 4, Insightful

    As a very frequent traveller (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this? Well:

    1. FTA:

    Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a 'kill code' (which can wipe the card's data) and a 'lock code' that prevents the tag's data being changed.

    However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

    2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
    See:
    http://en.wikipedia.org/wiki/Biometric_passport

    And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...

  3. Re:Protective Sleeve by clickety6 · · Score: 2, Insightful

    The protective sleeve only works if you never have to open the passport.

    Of course, you might want to open the passport to, say, actually use it as ID. Or maybe just to let something read the RFID chip...

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  4. Re:Why is this unfair? by von_rick · · Score: 2, Insightful

    True. Your computer records matching up is becoming increasingly more important than you actually showing up. A matching RFID would make things much easier.

    --

    Face your daemons!

  5. Re:Protective Sleeve by qazwart · · Score: 4, Insightful

    Making security difficult and then blaming people for its failure is no solution.

    For example, computers could be much more secure if people change their passwords every month and passwords must be a string of at least 120 random letters. Except that everyone will write down their password or never log out or let their computer go to sleep. You now have your nice super-duper security protocol all set, but your computer is less secure than ever because you've made it impossible to use.

    How many people will use that sleeve if you have to struggle with it every time you have to show your passport? How long will that sleeve last? How vulnerable do people understand their passport to be? Do people even understand that their passport could be read while riding in a taxi?

    A better solution would be to put this "sleeve" inside the passport. The pages where the RFID chip is on should be the sleeve. When the passport is closed, the chip is protected. The chip can only be read when the passport is opened.

    Of course, that's even if this type of security even works.

  6. -1, Wrong by u38cg · · Score: 4, Insightful

    Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?

    --
    [FUCK BETA]
  7. Proof of concept is enough by thethibs · · Score: 2, Insightful

    Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport

    Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  8. Re:Bring out the T I N F O I L ! by miserere+nobis · · Score: 2, Insightful

    ...except when you pulled your passport out of the holder to use it, and got it scanned not only by the customs agent, but by the guy sitting on a chair nearby stealing your info, who knows that the airport is a great place to come and do that. Seriously, why would they think it is a good idea to put your data into a form that broadcasts over the air? There are lots of good uses for RFID, and I can't see how this is one of them.

  9. Re:How's it unfair? by Hyppy · · Score: 3, Insightful

    I'm not sure what your definition of "stealing" is, but he certainly didn't deprive the people of their personal information.

    The RFID chips in the passports are designed to spew forth their data when asked for it. You can't accuse someone of "stealing" information that they read off a billboard, which is effectively how the RFID chips in these passports work. (I said effectively, so don't go down the tired road of debating which perfect analogy fits)

  10. Re:Why is this unfair? by orclevegam · · Score: 3, Insightful

    That's just not true. Maybe *you* should check the rest of the web for more info. The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

    Ok, so instead of grabbing the RFID of the first guy that walks past, instead they wait around until they see someone that fairly closely resembles them and take that RFID instead.

    Passports aren't even the biggest concern here though, it's more the move to put RFID into all manner of inappropriate items like credit cards, phones (which are then tied to credit cards), clothing (yes really, and not just for inventory tracking), and probably lots of other things we haven't thought of yet. It's one thing for them to clone your passport, it's another entirely for them to clone your credit card.

    Also, the passport card isn't even required.

    ... yet. Pretty soon it will be mandatory, and destroying the RFID chip in your passport will invalidate the passport and earn you a full body cavity search for your trouble no doubt.

    --
    Curiosity was framed, Ignorance killed the cat.
  11. Re:Tinfoil is the answer. Seriously! by slushdork · · Score: 2, Insightful

    I believe the article is talking about passport cards, and not about passport books. It's quite a bit harder to read RFID data from a passport book since "the passport cover contains a radio-frequency shield, so the cover must be opened for the data to be read."

  12. FTARD ALERT - HE ISNT CLONING! by Phizzle · · Score: 2, Insightful

    He is just skimming IDs, not cloning or even collecting any information of worth. It's no different than some retard driving around with a wifi scanner collecting SSIDs and MACs for a bunch of WPA2 networks - it's not the same as getting into the systems behind them. I guess I am new here, but I expect this kind of cheap overblown title from trash like Wired, not from /.

    --
    I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
  13. Re:Security threat by adolf · · Score: 2, Insightful

    You're missing the point.

    It doesn't need a very large power source. It's still a landmine, and it needs to be very near to its target to have maximum effect. So, use weight or inductance or whatever to trigger the thing, not to explode, but to look for RFID tags. The rest of the time the added parts can be powered completely off.

    The antenna isn't really much of a problem. RFID is generally UHF, which penetrates stuff pretty well, while still high enough in frequency that a surprisingly high amount of antenna gain can be contained within a very small package.

    And the point is this: You can plant it on a roadway, and avoid killing the locals, but still have a fair chance at killing civilians of whatever RFID-toting nationality you choose. It's like a smart bomb for terrorists. And so, much like a cruise missile, it doesn't matter if it is expensive.

  14. Re:Why is this unfair? by orclevegam · · Score: 2, Insightful

    You don't even seem to know what the passport card is or you would realize why it will never be mandatory. It's a passport replacement for people who live near the border, who frequently need to travel across the border. It allows you to get into/out of Canada, Mexico, Bermuda, and a couple of Caribbean countries. Making it required would just be silly. Get a clue.

    And about regular passports...

    You missed the point entirely. I wasn't saying the passport card would be mandatory, but that they'll try to make having an RFID-enabled passport mandatory. That is, there won't be a "regular passport", only RFID passports.

    Do you have any evidence at all to support the "destroying the RFID chip will invalidate the passport" claim? I think you're just making shit up to scare people.

    I'm not claiming it's currently illegal to do so, or that doing so will invalidate the passport currently, I'm just saying that's the way I think they'll steer it. If it becomes regular practice to destroy the RFID chip they'll pass legislation making it illegal to destroy it, and if it isn't a regular thing, doing so is guaranteed to earn you extra scrutiny at security checks. At the very least they could claim a fried RFID as probable cause for any search they feel like carrying out. That's just the way the government works, they pass a vague ill-defined law and when people object that it will have all kinds of side effects they get told "don't worry, we won't use it that way", which lasts all of about 10 minutes before yes, they use it in exactly that way.

    --
    Curiosity was framed, Ignorance killed the cat.
  15. Re:Mod parent up by ROU+Nuisance+Value · · Score: 3, Insightful

    Quite. And in a more general sense: Can (we) geeks in general PLEASE stop referring to users as "stupid" simply because they are NOT AS DEEPLY INTO THE SAME SHIT WE ARE?! I'm highly intelligent (recorded IQ over 160), and frankly, I HAVE OTHER STUFF ON MY MIND when I'm traveling (like "Where's the freakin WC?", and "After 19 hours in the air, I'm hungry and tired and miserable."). For dear FSM's sake, if there is anything wrong with security design -- or product design in general -- all over the Earth it is this same ignorant, even STUPID, attitude on the part of the designers.

  16. Re:Tinfoil is the answer. Seriously! by swilver · · Score: 2, Insightful

    Although the cover may protect it, data encryption by itself won't protect you from malicious people keeping track of your movements. It's an easy thing to keep track of, say, everyone's movements at some kind of gate, and later adding a photo to whatever unique encrypted data is read from the chip. I could gather a few months' worth of data at a public place, then pinpoint someone in a crowd and see exactly how often they were there, how long, and so on. All it takes is one easy unique way to distinguish a person (not necessarily identify, although coupling it with other systems may make that possible), and it opens up a lot of interesting ways to keep track of people.