Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.

I feel deja vu.. from monday

[uncledrax]

Jules Verne called, he wants his time-machine back.

Dupe story:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255

Re:I feel deja vu.. from monday

H. G. Wells called. He wants his story back.

Why is this unfair?

[jimwelch]

The RFID is the most important part. Check the rest of the web for more info.

Re:Why is this unfair?

[orclevegam]

That's just not true. Maybe *you* should check the rest of the web for more info. The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

Ok, so instead of grabbing the RFID of the first guy that walks past, instead they wait around until they see someone that fairly closely resembles them and take that RFID instead.

Passports aren't even the biggest concern here though, it's more the move to put RFID into all manner if inappropriate items like credit cards, phones (which are then tied to credit cards), clothing (yes really, and not just for inventory tracking), and probably lots of other things we haven't thought of yet. It's one thing for them to clone your passport, it's another entirely for them to clone your credit card.

Also, the passport card isn't even required.

... yet. Pretty soon it will be mandatory, and destroying the RFID chip in your passport will invalidate the passport and earn you a full body cavity search for your trouble no doubt.

Re:Why is this unfair?

[crabboy.com]

Check the rest of the web for more info.

I've been checking the rest of the web, and so far I've come up with almost nothing but porn. I don't see what that has to do with RIFD's...

Re:Why is this unfair?

[techess]

You may not even have to find someone who looks all that similar. My husband and I just got our passports renewed and the new "theft prevention" measures makes id'ing someone by the photo difficult. There are so many wavy multicolored lines over the picture that it is very difficult to make out any distinguishing features. We can barely recognize ourselves.

There is a very good reason he didn't clone it. .

[nehumanuscrede]

Recall the man who made his own airline tickets
not all that long ago?

Recall the sh*t storm that brought about ?

Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.

Bring out the T I N F O I L !

[redelm]

Seriously ... not tinfoil hats but around your wallet. These RFIDs seem to have greater range than advertised and that is a huge security risk for sniffing.

Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromatnetics like iron and steel are more effective than non-magnetics like aluminum.

How's it unfair?

[jc42]

The summary clearly says:

During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.

Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.

We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.

Re:How's it unfair?

[Hyppy]

I'm not sure what your definition of "stealing" is, but he certainly didn't deprive the people of their personal information.

The RFID chips in the passports are designed to spew forth their data when asked for it. You can't accuse someone of "stealing" information that they read off a billboard, which is effectively how the RFID chips in these passports work. (I said effectively, so don't go down the tired road of debating which perfect analogy fits)

Protective Sleeve

[Jamie's+Nightmare]

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

Re:Protective Sleeve

[houghi]

The thing is very small. I have embedded it in a pilots cap, that way I have an alibi that I was elsewhere when I actually am somewhere completely different. The governement things they are smart, but I am one step ahead of them.

Be explaining more later, but there is a knock on the door.

Re:Protective Sleeve

[qazwart]

Making security difficult and then blaming people for its failure is no solution.

For example, computers could be much more secure if people change their passwords every month and passwords must be a string of at least 120 random letters. Except that everyone will write down their password or never log out or let their computer go to sleep. You now have your nice super-duper security protocol all set, but your computer is less secure than ever because you've made it impossible to use.

How many people will use that sleeve if you have to struggle with it every time you have to show your passport? How long will that sleeve last? How vulnerable do people understand their passport to be? Do people even understand that their passport could be read while riding in a taxi?

A better solution would be to put this "sleeve" inside the passport. The pages where the RFID chip is on should be the sleeve. When the passport is closed, the chip is protected. The chip can only be read when the passport is opened.

Of course, that's even if this type of security even works.

Re:Protective Sleeve

[dotancohen]

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

I don't know about the Passport Card, but the US Passport comes with no such sleeve.

Re:Protective Sleeve

[Shadow-isoHunt]

Actually the sleeve tends to make the passport stay partially open and act as a parabola, amplifying the signal from a distance.

Re:Protective Sleeve

[NeutronCowboy]

I believe the foil sleeve is actually built into the binding. My girlfriend got a new passport, and the cover and back are a lot thicker than the old passports. It seems that there is some extra layer in there.

I haven't tested the efficiency of the new passport design, but I'll be getting a passport carrier that is lined with foil.

Re:Bring out the T I N F O I L !

[jo_ham]

I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.

Tinfoil is the answer. Seriously!

[Bearhouse]

As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:

1. FTA:

Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a âkill codeâ(TM) (which can wipe the cardâ(TM)s data) and a âlock codeâ(TM) that prevents the tagâ(TM)s data being changed.

However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
See:
http://en.wikipedia.org/wiki/Biometric_passport

And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...

Re:Bring out the T I N F O I L !

[dlaudel]

Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/

Forgery is illegal.. how is it unfair ?

[brufar]

Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport.

Of course he only sniffed the data and didn't make a fake passport.. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery ?

U.S.C. Â 1543 provides:

Whoever falsely makes, forges, counterfeits, mutilates, or alters any passport or instrument purporting to be a passport, with intent that the same may be used; or

Whoever willfully and knowingly uses, or attempts to use, or furnishes to another for use any such false, forged, counterfeited, mutilated, or altered passport or instrument purporting to be a passport, or any passport validly issued which has become void by the occurrence of any condition therein prescribed invalidating the same

Shall be fined not more than $2,000 or imprisoned not more than five years, or both.

I certainly would have stopped at successfully sniffing the data. besides all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity.. Now, don't you feel that RFID in your passport has made you more secure ?

Security threat

[grolaw]

Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

Re:Security threat

[vlm]

Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

RFID passports are the ultimate tool for terrorists. You have to wonder if the government people pushing them are sleeper cell agents or something. Maybe just good ole americans but taking bribes from terrorists.

In the old days they set off IEDs using switches. Follow the wires back to they hidey hold and shoot them. End of terror threat.

Then they moved to cell phone (a most impressive "ringtone"). With some cooperation w/ the phone company, you track down the caller and shoot them (only the stupid ones of course, the smart ones smash the caller phone seconds after the callee phone goes boom and both will have clean records)

Now you just build a mine that waits for a passport RFID. No need to decode fully, just, is there a passport signal, if so kaboom. No way whatsoever to stop them anymore.

You're doing a heck of a job, american passport design department! Heck of a job stacking up american corpses I mean.

Re:There is a very good reason he didn't clone it.

[bytethese]

Wow, they moved on from cloning RFID tags to cloning
tags!

More details

[Muad'Dave]

The information he read was from an EPC Class1 Gen2 encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96). The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 Company Prefix database, and it's not searchable here. - anyone else have those mappings?

It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.

Why do passports need RFID?

[Logical+Zebra]

What is the point in putting RFID into passports other than to make them easier targets for cracking?

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

Re:Why do passports need RFID?

[swillden]

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

The chips in passport books (not cards) ARE the same sort of device that's in the CAC. The old CAC cards are contact-only, which doesn't work well for a passport book because it would be difficult to build a reader. The CACs are being replaced by PIV cards which are dual-interface (contact and contactless).

Other than the contact vs RF interface, though, these so-called RFIDs in passport books (not cards) are exactly the same sort of technology as CAC cards. The chips have plenty of storage and provide cryptographic authentication capabilities.

It appears that a different, longer-range technology with no cryptographic authentication requirements was used for the passport cards.

Don't get one. Get a passport book. It costs a little more, but it can be used for visiting countries other than Canada and Mexico, and it doesn't have these security issues.

-1, Wrong

[u38cg]

Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?

Re:Tinfoil is the answer. Seriously!

[swillden]

I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.

Note that you're talking about something completely different.

The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.

If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.

The CARD does not require cryptographic authentication and has no closeable cover.

Re:*US Passport Cards*, not real passports

[HikingStick]

It's also important to note that real U.S. passports actually have shielding (effectively, a Farraday cage) built into the covers so that the RFID chip is only able to be powered and transmit when the passport is opened.

Re:Mod parent up

[ROU+Nuisance+Value]

Quite. And in a more general sense: Can (we) geeks in general PLEASE stop referring to users as "stupid" simply because they are NOT AS DEEPLY INTO THE SAME SHIT WE ARE?! I'm highly intelligent (recorded IQ over 160), and frankly, I HAVE OTHER STUFF ON MY MIND when I'm traveling (like "Where's the freakin WC?", and "After 19 hours in the air, I'm hungry and tired and miserable."). For dear FSM's sake, if there is anything wrong with security design -- or product design in general -- all over the Earth it is this same ignorant, even STUPID, attitude on the part of the designers.