Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.

There is a very good reason he didn't clone it. .

[nehumanuscrede]

Recall the man who made his own airline tickets
not all that long ago?

Recall the sh*t storm that brought about ?

Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.

Tinfoil is the answer. Seriously!

[Bearhouse]

As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:

1. FTA:

Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a âkill codeâ(TM) (which can wipe the cardâ(TM)s data) and a âlock codeâ(TM) that prevents the tagâ(TM)s data being changed.

However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
See:
http://en.wikipedia.org/wiki/Biometric_passport

And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...

Re:Protective Sleeve

[qazwart]

Making security difficult and then blaming people for its failure is no solution.

For example, computers could be much more secure if people change their passwords every month and passwords must be a string of at least 120 random letters. Except that everyone will write down their password or never log out or let their computer go to sleep. You now have your nice super-duper security protocol all set, but your computer is less secure than ever because you've made it impossible to use.

How many people will use that sleeve if you have to struggle with it every time you have to show your passport? How long will that sleeve last? How vulnerable do people understand their passport to be? Do people even understand that their passport could be read while riding in a taxi?

A better solution would be to put this "sleeve" inside the passport. The pages where the RFID chip is on should be the sleeve. When the passport is closed, the chip is protected. The chip can only be read when the passport is opened.

Of course, that's even if this type of security even works.

-1, Wrong

[u38cg]

Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?