Hackers Clone Passports In Driveby RFID Heist

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.

There is a very good reason he didn't clone it. .

[nehumanuscrede]

Recall the man who made his own airline tickets
not all that long ago?

Recall the sh*t storm that brought about ?

Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.

Protective Sleeve

[Jamie's+Nightmare]

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

Re:There is a very good reason he didn't clone it.

[bytethese]

Wow, they moved on from cloning RFID tags to cloning
tags!

Re:I feel deja vu.. from monday

H. G. Wells called. He wants his story back.

Why do passports need RFID?

[Logical+Zebra]

What is the point in putting RFID into passports other than to make them easier targets for cracking?

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

Re:Tinfoil is the answer. Seriously!

[swillden]

I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.

Note that you're talking about something completely different.

The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.

If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.

The CARD does not require cryptographic authentication and has no closeable cover.