Hackers Clone Passports In Drive-by RFID Heist
pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.
The RFID is the most important part. Check the rest of the web for more info.
Never trust a man wearing a coat and tie!
Is his gear fast enough to sniff passports from cars moving at highway speeds? He could drive on public highways leading to the airport, or just sit in the parking lot of gas stations close to the airport.
Unfair because he didn't make a fake passport? What are the editors gonna say when he DOES make an illegal fake passport? That too is unfair because he didn't actually attempt to fly with it to prove it would pass the passport security checks?
He got the data. He can write it back into another cloned RFID chip. Good enough I say to prove the point that it can be done. No need to go further, I'm sure the gov't already wants to silence him, don't give them a good ripe excuse to do so!
And not only passports, I just won a fight with my credit card company (Chase) about their use of RFIDs in their new credit cards. I refused to carry them and came close to canceling the account before they finally sent me a new card without one. By that time I had two useless cards with the RFID chips in them, so I stuck them in the microwave to see what would happen. It was spectacular. A couple of seconds and they burst into flame! And to my surprise, there was an embedded loop antenna in the cards that extended most of the card's length and about half the width. Someone could have read that card from a hundred meters with even simple equipment. Oh, and the icing on the cake: every time I called about this issue they tried to sell me extra "protection" against identity theft. I think it was "only" $9 a month.
BillyDoc
Of course he only sniffed the data and didn't make a fake passport. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery?
I certainly would have stopped at successfully sniffing the data. Besides, all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity. Now, don't you feel that RFID in your passport has made you more secure?
far...out
Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?
But the fact is that you could use this technique to drive around and look for American citizens. Maybe combine it with triangulation, and there is your kidnap victim...
The information he read was from an EPC Class1 Gen2 encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96). The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 Company Prefix database, and it's not searchable here. - anyone else have those mappings?
It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
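The tag format named above (EPC Class 1 Gen2, GDTI-96), as an added example that is not part of this thread: a small encoder/decoder for the 96-bit EPC word. Decoding turns a sniffed EPC into its GS1 Company Prefix, Document Type and serial; encoding produces the word a Gen2 writer would push into a blank tag's EPC bank, which is what the comment about programming arbitrary IDs into blank tags refers to. The header value, field widths and partition table are those of the EPC Tag Data Standard's GDTI-96 scheme; the company prefix 0893599002 and document type 1 come from the comment; the serial number 12345 used in the demo is constructed and is not one of the sniffed values.

```python
"""Decode and encode EPC GDTI-96 tag identifiers (EPC Tag Data Standard layout).

Added example, not code from the thread. Company prefix 0893599002 and
document type 1 come from the comment above; the serial used below (12345)
is constructed for illustration, not a sniffed value.
"""

GDTI96_HEADER = 0x2C   # 8-bit EPC header value that identifies the GDTI-96 scheme
SERIAL_BITS = 41       # width of the GDTI-96 serial field

# partition value -> (company prefix bits, company prefix digits,
#                     document type bits, document type digits)
GDTI96_PARTITIONS = {
    0: (40, 12, 1, 0),
    1: (37, 11, 4, 1),
    2: (34, 10, 7, 2),
    3: (30, 9, 11, 3),
    4: (27, 8, 14, 4),
    5: (24, 7, 17, 5),
    6: (20, 6, 21, 6),
}


def gs1_check_digit(digits: str) -> int:
    """GS1 mod-10 check digit: weights 3,1,3,1,... counted from the rightmost digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(digits)))
    return (10 - total % 10) % 10


def encode_gdti96(filter_value: int, company_prefix: str,
                  document_type: str, serial: int) -> str:
    """Return the 96-bit EPC as 24 uppercase hex digits (the EPC bank contents)."""
    if not 0 <= filter_value < 8:
        raise ValueError("filter value must fit in 3 bits")
    if serial < 0 or serial >= 1 << SERIAL_BITS:
        raise ValueError("serial must fit in 41 bits")
    try:
        partition = next(p for p, (_, cp_digits, _, _) in GDTI96_PARTITIONS.items()
                         if cp_digits == len(company_prefix))
    except StopIteration:
        raise ValueError("company prefix must be 6 to 12 digits") from None
    cp_bits, _, dt_bits, dt_digits = GDTI96_PARTITIONS[partition]
    if len(document_type) != dt_digits:
        raise ValueError(f"document type must be {dt_digits} digits for this prefix")
    dt_value = int(document_type) if dt_digits else 0

    value = GDTI96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | int(company_prefix)
    value = (value << dt_bits) | dt_value
    value = (value << SERIAL_BITS) | serial
    return f"{value:024X}"


def decode_gdti96(epc_hex: str) -> dict:
    """Split a 96-bit EPC into its GDTI fields and derive the GS1 element string."""
    if len(epc_hex) != 24:
        raise ValueError("a GDTI-96 EPC is exactly 24 hex digits")
    value = int(epc_hex, 16)
    if value >> 88 != GDTI96_HEADER:
        raise ValueError(f"not a GDTI-96 header: 0x{value >> 88:02X}")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in GDTI96_PARTITIONS:
        raise ValueError(f"invalid partition value {partition}")
    cp_bits, cp_digits, dt_bits, dt_digits = GDTI96_PARTITIONS[partition]

    serial = value & ((1 << SERIAL_BITS) - 1)
    rest = value >> SERIAL_BITS
    dt_value = rest & ((1 << dt_bits) - 1)
    cp_value = (rest >> dt_bits) & ((1 << cp_bits) - 1)
    company_prefix = str(cp_value).zfill(cp_digits)   # leading zeros restored
    if len(company_prefix) > cp_digits:
        raise ValueError("company prefix value exceeds its digit count")
    document_type = str(dt_value).zfill(dt_digits) if dt_digits else ""
    if len(document_type) > dt_digits:
        raise ValueError("document type value exceeds its digit count")
    gdti12 = company_prefix + document_type            # the 12 digits before the check digit
    check = gs1_check_digit(gdti12)
    return {
        "filter": filter_value,
        "partition": partition,
        "company_prefix": company_prefix,
        "document_type": document_type,
        "serial": serial,
        "tag_urn": f"urn:epc:tag:gdti-96:{filter_value}.{company_prefix}.{document_type}.{serial}",
        "pure_identity": f"urn:epc:id:gdti:{company_prefix}.{document_type}.{serial}",
        "element_string": f"(253){gdti12}{check}{serial}",
    }


if __name__ == "__main__":
    epc = encode_gdti96(0, "0893599002", "01", 12345)   # serial 12345 is constructed
    print(epc)                                            # 2C0835433D1A020000003039
    for name, field in decode_gdti96(epc).items():
        print(f"{name:>15}: {field}")
```

A 10-digit company prefix selects partition 2, which leaves 7 bits (2 digits) for the document type, so "Document Type 1" is carried as "01"; the decoder's `element_string` is the AI 253 form with the computed check digit, which is the value you would look up against a GS1 prefix database.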
What is the point in putting RFID into passports other than to make them easier targets for cracking?
Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.
I have a bad feeling about this...
The SIM cards used in cellular phones use an algorithm to confirm identity. The network will transmit a number that is then manipulated to form a new number by the phone. The number is transmitted and compared to what the network was expecting from the individual the phone is claiming to be. If they match, then the person is who they say they are. The algorithm is impossible to duplicate without having the SIM card and brute forcing to find the algorithm (still next to impossible). The credit card industry is now introducing this because it makes it impossible for someone sniffing the data transferred to use it productively.
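The exchange described above, as an added example that is not part of the thread: a runnable model of challenge-response authentication with both sides' messages, plus a replay attempt with a sniffed answer. Real SIMs compute the answer with the A3/A8 algorithms and the secret Ki inside the card; this stand-in uses HMAC-SHA256 over a shared key (an assumption made for clarity), and every key and subscriber identifier in it is constructed.

```python
"""Challenge-response authentication, modelled on the SIM exchange described above.

Added example, not from the thread. Real SIMs run A3/A8 on a secret Ki; this
stand-in uses HMAC-SHA256 on a shared key (assumption). Keys and IDs are constructed.
"""

import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: bytes) -> bytes:
    """The card's 'manipulation' of the network's random number.
    Stand-in for A3: HMAC-SHA256(key, challenge)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Network:
    """Holds each subscriber's key and one outstanding challenge per subscriber."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def provision(self, subscriber_id: str, key: bytes) -> None:
        self._keys[subscriber_id] = key

    def issue_challenge(self, subscriber_id: str) -> bytes:
        """Network -> card: a fresh random number (RAND), never reused."""
        if subscriber_id not in self._keys:
            raise KeyError(f"unknown subscriber {subscriber_id}")
        rand = secrets.token_bytes(16)
        self._pending[subscriber_id] = rand
        return rand

    def verify(self, subscriber_id: str, response: bytes) -> bool:
        """Card -> network: compare the answer against what we expect for OUR RAND."""
        rand = self._pending.pop(subscriber_id, None)   # one-shot: consumed on use
        key = self._keys.get(subscriber_id)
        if rand is None or key is None:
            return False
        expected = compute_response(key, rand)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class SimCard:
    """The card never reveals its key over the air; it only answers challenges."""

    def __init__(self, subscriber_id: str, key: bytes) -> None:
        self.subscriber_id = subscriber_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self._key, challenge)


def authenticate(network: Network, sim: SimCard) -> tuple[bytes, bytes, bool]:
    """One full exchange. Returns (RAND, SRES, verdict): the first two are exactly
    what an eavesdropper on the air interface would capture."""
    rand = network.issue_challenge(sim.subscriber_id)
    sres = sim.respond(rand)
    return rand, sres, network.verify(sim.subscriber_id, sres)


def replay_sniffed(network: Network, subscriber_id: str, sniffed_sres: bytes) -> bool:
    """An attacker who captured a previous (RAND, SRES) pair tries to log in:
    the network issues a new RAND, so the old SRES is rejected."""
    network.issue_challenge(subscriber_id)
    return network.verify(subscriber_id, sniffed_sres)


def static_id_check(stored_id: bytes, presented_id: bytes) -> bool:
    """Contrast case: a plain identifier (like a sniffed EPC) is accepted whenever
    it is repeated, so whatever can be read can be replayed."""
    return stored_id == presented_id


if __name__ == "__main__":
    ki = secrets.token_bytes(32)                 # constructed subscriber key
    net = Network()
    net.provision("IMSI-001", ki)
    card = SimCard("IMSI-001", ki)
    rand, sres, ok = authenticate(net, card)
    print("legitimate card accepted:", ok)                                   # True
    print("replay of sniffed SRES:", replay_sniffed(net, "IMSI-001", sres))  # False
    print("replay of sniffed static ID:", static_id_check(b"EPC", b"EPC"))  # True
```

The two things that make the sniffed traffic useless are visible in `Network.verify`: the challenge is random and single-use, and the secret never leaves either end, so the captured (RAND, SRES) pair only ever answers a question the network will not ask again.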
How did you test this to make sure?
In a link in the old article was the full testing. In a nutshell, they cloned some Washington drivers' licenses into the same chip. Then they tested sending the kill command at low power; when there is not enough power to complete the operation, the chip reports a low-power command fail. After the power needed to produce low-power fails and kills was found, it was tested on real licenses to see if the kill was enabled or protected by a PIN. It is unprotected.
Here is the info:
PDF alert http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf
See table 4 in the PDF for the kill bit testing on Washington State Drivers Licenses.
The truth shall set you free!
Actually the sleeve tends to make the passport stay partially open and act as a parabola, amplifying the signal from a distance.
www.isoHunt.com
Nothing new until this is used to clone a passport that will withstand scrutiny by US Immigration officials.
You seem to have a lot of misplaced faith in these immigration officials.