Slashdot Mirror


Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.

7 of 251 comments (clear)

  1. Why is this unfair? by jimwelch · · Score: 3, Interesting

    The RFID is the most important part. Check the rest of the web for more info.

    --
    Never trust a man wearing a coat and tie!
  2. Forgery is illegal.. how is it unfair ? by brufar · · Score: 3, Interesting

    Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport.

    Of course he only sniffed the data and didn't make a fake passport.. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery ?

    U.S.C. Â 1543 provides:

    Whoever falsely makes, forges, counterfeits, mutilates, or alters any passport or instrument purporting to be a passport, with intent that the same may be used; or

    Whoever willfully and knowingly uses, or attempts to use, or furnishes to another for use any such false, forged, counterfeited, mutilated, or altered passport or instrument purporting to be a passport, or any passport validly issued which has become void by the occurrence of any condition therein prescribed invalidating the same

    Shall be fined not more than $2,000 or imprisoned not more than five years, or both.

    I certainly would have stopped at successfully sniffing the data. besides all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity.. Now, don't you feel that RFID in your passport has made you more secure ?

    --
    far...out
  3. Security threat by grolaw · · Score: 4, Interesting

    Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

    1. Re:Security threat by vlm · · Score: 4, Interesting

      Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

      RFID passports are the ultimate tool for terrorists. You have to wonder if the government people pushing them are sleeper cell agents or something. Maybe just good ole americans but taking bribes from terrorists.

      In the old days they set off IEDs using switches. Follow the wires back to they hidey hold and shoot them. End of terror threat.

      Then they moved to cell phone (a most impressive "ringtone"). With some cooperation w/ the phone company, you track down the caller and shoot them (only the stupid ones of course, the smart ones smash the caller phone seconds after the callee phone goes boom and both will have clean records)

      Now you just build a mine that waits for a passport RFID. No need to decode fully, just, is there a passport signal, if so kaboom. No way whatsoever to stop them anymore.

      You're doing a heck of a job, american passport design department! Heck of a job stacking up american corpses I mean.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. More details by Muad'Dave · · Score: 3, Interesting

    The information he read was from an EPC Class1 Gen2 encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96). The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 Company Prefix database, and it's not searchable here. - anyone else have those mappings?

    It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  5. Why do passports need RFID? by Logical+Zebra · · Score: 5, Interesting

    What is the point in putting RFID into passports other than to make them easier targets for cracking?

    Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

    --
    I have a bad feeling about this...
  6. Re:Protective Sleeve by Shadow-isoHunt · · Score: 3, Interesting

    Actually the sleeve tends to make the passport stay partially open and act as a parabola, amplifying the signal from a distance.

    --
    www.isoHunt.com