Slashdot Mirror
Hackers Clone Passports In Driveby RFID Heist
pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.
Jules Verne called, he wants his time-machine back.
Dupe story:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255
----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
The RFID is the most important part. Check the rest of the web for more info.
Never trust a man wearing a coat and tie!
Recall the man who made his own airline tickets
not all that long ago?
Recall the sh*t storm that brought about ?
Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.
Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromatnetics like iron and steel are more effective than non-magnetics like aluminum.
The summary clearly says:
During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.
Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.
We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.
Per usual, security usually fails because of the user.
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.
As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:
1. FTA:
Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a âkill codeâ(TM) (which can wipe the cardâ(TM)s data) and a âlock codeâ(TM) that prevents the tagâ(TM)s data being changed.
However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.
2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
See:
http://en.wikipedia.org/wiki/Biometric_passport
And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...
Is his gear fast enough to sniff passports from cars moving at highway speeds? He could drive on public highways leading to the airport, or just sit in the parking lot of gas stations close to the airport.
Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/
And not only passports, I just won a fight with my credit card company (Chase) about their use of RFIDs in their new credit cards. I refused to carry them and came close to canceling the account before they finally sent me a new card without one. By that time I had two useless cards with the RFID chips in them, so I stuck them in the microwave to see what would happen. It was spectacular. A couple of seconds and they burst into flame! And to my surprise, there was an embedded loop antenna in the cards that extended most of the card's length and about half the width. Someone could have read that card from a hundred meters with even simple equipment. Oh, and the icing on the cake: every time I called about this issue they tried to sell me extra "protection" against identity theft. I think it was "only" $9 a month.
BillyDoc
Of course he only sniffed the data and didn't make a fake passport.. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery ?
I certainly would have stopped at successfully sniffing the data. besides all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity.. Now, don't you feel that RFID in your passport has made you more secure ?
far...out
Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?
But the fact that you could use this technique to drive around and look for American citizens. Maybe combined with triangulation and there is your kidnap victim...
Wow, they moved on from cloning RFID tags to cloning
tags!
The information he read was from an EPC Class1 Gen2 encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96). The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 Company Prefix database, and it's not searchable here. - anyone else have those mappings?
It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
What is the point in putting RFID into passports other than to make them easier targets for cracking?
Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.
I have a bad feeling about this...
The sin cards used in cellular phones use an algorithm to confirm identity. The network will transmit a number that is then manipulated to form a new number by the phone. The number is transmitted and compared to what the network was expecting from the individual the phone is claiming to be. If they match then the person is who they say they are. The algorithm is impossible to duplicate without having the sin card and brute forcing to find the algorithm(still next to impossible). The credit card industry is now introducing this because it makes it impossible for someone sniffing the data transferred to use it productively.
A cellphone has a powered transmitter, and a boosted receiver with a specialised antenna. An RFID chip must rely solely on the radio energy it receives to power itself up and transmit back, so I'm not sure that a cellphone is an adequate test.
The signal power you're talking about for a phone is going to be so much higher, and likely at totally different frequencies.
I think the only way to test it effectively would be to see if the RFID reader at the airport still works with the wallet, assuming the person working the desk doesn't mind you testing it out.
Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?
[FUCK BETA]
if it's RFID then the speed of the sources shouldn't really matter all that much. You're not going to get much doppler shift on a source moving 70mph.
It pays to be obvious, especially if you have a reputation for being subtle.
How did you test this to make sure?
In a link in the old article was the full testing. In a nutshell, they cloned some Washington Drivers licenses into the same chip. Then tested sending the kill command at low power, when there is not enough power to complete the operation, the chip reports a low power comman fail. After the power needed to produce low power fails and kills, it was tested on real licenses to see if the kill was enabled or protected by a PIN. It is unprotected.
Here is the info;
PDF alert http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf
See table 4 in the PDF for the kill bit testing on Washington State Drivers Licenses.
The truth shall set you free!
Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport
Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
Just replying to confirm that the ThinkGeek wallets DO, in fact, work as advertised. I realized this after trying to leave my office's parking lot by fruitlessly waiving my newly-acquired RFID-blocking wallet (with parking pass inside) at the entry gate's sensor.
I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.
Note that you're talking about something completely different.
The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.
If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.
The CARD does not require cryptographic authentication and has no closeable cover.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Why make up a story title whose claims are unsupported by TFA? Nothing was 'cloned' here.
The cloned chip article is here;
http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf
It was on pasport and Washington Driver license chips.
The truth shall set you free!
...except when you pulled your passport out of the holder to use it, and got it scanned not only by the customs agent, but by the guy sitting on a chair nearby stealing your info, who knows that the airport is a great place to come and do that. Seriously, why would they think it is a good idea to put your data into a form that broadcasts over the air? There are lots of good uses for RFID, and I can't see how this is one of them.
It's absolutely worth noting this is about cloning US Passport Cards, which are completely useless outside the US, not real passports.
Passport Cards use a simple RFID system (EPC) where the chip simply spits its ID number out.
Passports, on the other hand, require a reader to authenticate by passing a hash of (passport number, date of birth, date of expiry). I don't think that's nearly enough information to ensure security, but at least it's better than nothing.
I believe the article is talking about passport cards , and not about passport books . It's quite a bit harder to read RFID data from a passport book since "the passport cover contains a radio-frequency shield, so the cover must be opened for the data to be read."
He is just skimming IDs, not cloning or even collecting any information of worth. Its no different than some retard driving around with a wifi scanner collecting SSIDs and MACs for a bunch of WPA2 networks - its not the same as getting into the systems behind them. I guess I am new here, but I expect this kind of cheap overblown title from trash like Wired, not from /.
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Quite. And in a more general sense: Can (we) geeks in general PLEASE stop referring to users as "stupid" simply because they are NOT AS DEEPLY INTO THE SAME SHIT WE ARE?! I'm highly intelligent (recorded IQ over 160), and frankly, I HAVE OTHER STUFF ON MY MIND when I'm traveling (like "Where's the freakin WC?", and "After 19 hours in the air, I'm hungry and tired and miserable."). For dear FSM's sake, if there is anything wrong with security design -- or product design in general -- all over the Earth it is this same ignorant, even STUPID, attitude on the part of the designers.
A Faraday cage, must totally enclose the device, i.e. no magnetic flux lines can leave the cage, and terminate outside the cage.
so unless you have a tiny phone I doubt a wallet was designed to totally contain an object the size of a phone
I always thought of Creationism as the Raving Right's version of the Loony Left's Anthropogenic Global Warming-brightmal
this kind of technology makes people and their information LESS secure, rather than more. Because it makes it far too easy to read someone else's information and clone it.
The RFID Nazis will be quick to tell you that there is also a unique encryption key in the passports, but as has been pointed out elsewhere, only 5 of the 45 signatory nations supply their keys to the international database, and as long as any of those 45 nations fail to do so, the keys are meaningless because it is possible to clone passports from any of the non-compliant nations.
And we KNOW that it is possible to physically duplicate passports effectively... after all, that was the justification for using RFID in the first place. So that isn't an argument.
Although the cover may protect it, data encryption by itself won't protect you from malicious people keeping track of your movements. It's an easy thing to keep track of say everyone's movements at some kind of gate, and later adding a photo to whatever unique encrypted data is read from the chip. I could gather a few months worth of data at a public place, then pinpoint someone in a crowd and see exactly how often they were there, how long, and so on. All it takes is one easy unique way to distinguish a person (not necessarily identify, although coupling it with other systems may make that possible), and it opens up a lot of interesting ways to keep track of people.
Assuming the document ID (any identifiable string) can be determined at a distance, yes.
There are two solutions to this. The first is the fact that the RF technology used by these chips does not work well at long ranges. In lab environments it's possible to get distances of up to a meter, but in the real world the limit is around 10 cm, assuming nothing is between card antenna and reader antenna (and assuming reader antenna is a high-gain type). The super long-range stunts you read about use a battery-powered repeater placed within a few centimeters of the card.
Note that the above applies to the passport books. I'm not sure what the passport cards use, but it appears to be a different RFID technology which supports longer-range operation. It's highly likely that they also do not contain the same level of personal information that is in the books, simply because the 900 Mhz RFIDs (unlike the 13.56 Mhz contactless smart cards) don't provide the same storage capabilities.
The other solution is ATR randomization. When powered by the reader field the chip transmits an "Answer To Reset" which includes some unique identifying information. Many researchers have called on the ICAO to specify that this should be randomized, exactly to prevent the sort of thing you describe. Manufacturers produce chips that do randomization. AFAIK, the US state dept. is not yet using them, although it's not unlikely that within a few years there will be no chips on the market that do NOT randomize their ATRs.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.